OpenVPN: Individual Firewall Rules for Connecting Clients
(the contents of one of the chapters of the book OpenVPN: Building and Integrating Virtual Private Networks)
One striking possibility OpenVPN offers is a setup where:
- An OpenVPN machine acts as a server that protects the company's network and grants access to OpenVPN clients.
- The clients are automatically assigned IPs by the server.
- The clients are equipped with certificates, and identified and authorized by these certificates.
The scripting parameter learn-address in the server's OpenVPN configuration file makes the server execute a script whenever an authorized client connects to the VPN and is assigned an address. This parameter takes the full path to a script as its option:
In this example, the script openvpnFW will be executed each time a client is assigned an IP address and will be passed three variables by the OpenVPN server process:
- $1: The action taken; this is one of add, delete, or update
- $2: The IP assigned to the client connecting
- $3: The common name in the subject line of the client's certificate
Add the line learn-address /etc/openvpn/scripts/openvpnFW to your OpenVPN server configuration file and edit the file /etc/openvpn/scripts/openvpnFW so that it looks like the following. These lines show how to use these parameters in a short Linux shell script:
DATE=`date`
LOGFILE=/var/log/openvpn/connections.log
echo $DATE $1 $2 $3 >> $LOGFILE
This script only writes the variables passed to it to the logfile, together with a timestamp produced by the command date. Stop and start your tunnel a few times, then have a look at the file /var/log/openvpn/connections.log:
Do Feb 2 04:34:33 CET 2006 update 10.99.0.3 mfeilner
Fr Feb 3 04:34:14 CET 2006 update 10.99.0.3 mfeilner
Sa Feb 4 04:34:53 CET 2006 update 10.99.0.3 mfeilner
So Feb 5 04:34:43 CET 2006 update 10.99.0.3 mfeilner
This example shows my VPN client reconnecting every day. This alone may already be a useful feature if you want to keep track of your users and their VPN connections. However, we can do more. Let's add some more lines to our openvpnFW script:
if [ $1 = add ]; then /etc/openvpn/scripts/$2.FW_connect.sh; fi
if [ $1 = delete ]; then /etc/openvpn/scripts/$2.FW_disconnect.sh; fi
Two simple tests are run and, depending on the content of the variable $1, different firewall scripts are executed. In brief: if the first variable passed is add, then the script /etc/openvpn/scripts/$2.FW_connect.sh is run, where $2 is replaced by the IP of the connecting client. If, for example, a client mfeilner connects and is assigned the IP 10.99.0.3, then the variables passed to the script openvpnFW will be add, 10.99.0.3, and mfeilner, and the script run will be /etc/openvpn/scripts/10.99.0.3.FW_connect.sh.
However, if the variables passed to openvpnFW are delete, 10.99.0.3, and mfeilner, then the script /etc/openvpn/scripts/10.99.0.3.FW_disconnect.sh will be executed.
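The dispatcher logic described above, written out as a complete learn-address hook. This is an added example, not the book's openvpnFW script. It keeps the book's file naming (<ip>.FW_connect.sh and <ip>.FW_disconnect.sh under /etc/openvpn/scripts) and its log file, and adds what a hook running with the server's privileges should have: the operation is checked against the three values OpenVPN can pass, the address is checked to be a dotted-quad IPv4 address before it is used to build a file name, a missing per-client script is treated as "no special rules for this client" rather than as an error, a failing per-client script makes the hook return non-zero so OpenVPN sees the failure, and the delete case copes with OpenVPN passing no common name. Passing the IP and common name on to the per-client script as its arguments is an assumed convention, not one from the book.

```sh
#!/bin/sh
# Added example of a learn-address hook (not the book's openvpnFW).
# Paths can be overridden from the environment, e.g. for a dry run.
SCRIPTDIR="${SCRIPTDIR:-/etc/openvpn/scripts}"
LOGFILE="${LOGFILE:-/var/log/openvpn/connections.log}"

# Map a learn-address operation to the per-client script it should run,
# following the book's naming. Prints nothing for "update" (the address is
# re-learned, the rules are already in place) and fails for anything else.
#   $1 = operation (add|delete|update), $2 = client IP
fw_script_for() {
    case "$1" in
        add)    echo "$SCRIPTDIR/$2.FW_connect.sh" ;;
        delete) echo "$SCRIPTDIR/$2.FW_disconnect.sh" ;;
        update) echo "" ;;
        *)      return 1 ;;
    esac
}

# Accept only a plain dotted-quad IPv4 address: the value becomes part of a
# file name, so accept exactly the shape OpenVPN hands over and nothing else.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Entry point. The return code is what OpenVPN sees as the hook's exit status.
#   $1 = operation, $2 = client IP, $3 = common name (absent on "delete")
learn_address() {
    op="$1"; ip="$2"; cn="${3:-}"
    if ! valid_ipv4 "$ip"; then
        echo "$(date) rejected: bad address '$ip'" >> "$LOGFILE"
        return 1
    fi
    if ! script=$(fw_script_for "$op" "$ip"); then
        echo "$(date) rejected: unknown operation '$op'" >> "$LOGFILE"
        return 1
    fi
    # Same log line as the book's script, timestamp first.
    echo "$(date) $op $ip $cn" >> "$LOGFILE"
    # Run the per-client script only if it exists and is executable; a client
    # without its own script simply gets the default firewall policy.
    if [ -n "$script" ] && [ -x "$script" ]; then
        "$script" "$ip" "$cn" || return 1
    fi
    return 0
}

# Dispatch only when invoked by OpenVPN with one of its three operations.
case "${1:-}" in
    add|delete|update) learn_address "$@" ;;
esac
```

Install it as /etc/openvpn/scripts/openvpnFW, make it executable, and keep the learn-address line from the configuration above; the per-client scripts then receive the client's IP as their first argument and the certificate's common name as their second.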
I think you have already guessed that these two scripts contain firewall rules (such as iptables statements) for the client with the certificate mfeilner. Even though all of this could be done within one single script, I prefer to have the tests and the firewall rules split up into several scripts.
This setup can become very powerful and fairly complex. A client that has its default route set through the tunnel can be allowed selective Internet access simply by enabling or disabling routing or forwarding. Access to the local servers can also be managed easily: for example, a SAP server might only be available to road warriors from 7 am to 6 pm, whereas during the night firewall rules protect the server.
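As an added example (not from the book), here is what a pair of per-client scripts for 10.99.0.3 might contain, merged into one file that behaves as the FW_connect.sh or the FW_disconnect.sh script depending on the name it is invoked under. It implements the daytime-only SAP rule from the paragraph above with iptables: the client's rules live in a chain dedicated to that client, so the disconnect side tears them down by unhooking and flushing the chain instead of deleting rules one by one. The SAP server address 192.0.2.10, the SAP dispatcher port 3200, the chain naming, and the convention that the client IP arrives as $1 are assumptions; IPTABLES can be pointed at a stub command to dry-run the rule set without touching the kernel.

```sh
#!/bin/sh
# Added example of a per-client firewall script (not the book's code).
# Install as /etc/openvpn/scripts/10.99.0.3.FW_connect.sh and symlink it to
# 10.99.0.3.FW_disconnect.sh; the name it runs under selects the action.
IPTABLES="${IPTABLES:-iptables}"      # point at a stub for a dry run
SAP_SERVER="${SAP_SERVER:-192.0.2.10}"  # assumed address of the SAP server

# One chain per client, derived from its IP: 10.99.0.3 -> vpn_10_99_0_3
client_chain() {
    echo "vpn_$(echo "$1" | tr . _)"
}

# Print this client's policy, one iptables rule per line:
#  - SAP reachable only between 07:00 and 18:00 (kernel time module),
#  - any other packet to the SAP server dropped,
#  - everything else handed back to the FORWARD chain's normal rules.
rules_for() {
    chain=$(client_chain "$1")
    cat <<EOF
-A $chain -d $SAP_SERVER -p tcp --dport 3200 -m time --timestart 07:00 --timestop 18:00 -j ACCEPT
-A $chain -d $SAP_SERVER -j DROP
-A $chain -j RETURN
EOF
}

# FW_connect: create the chain, load the rules, hook it into FORWARD for
# traffic that comes from this client's tunnel address.
fw_connect() {
    chain=$(client_chain "$1")
    $IPTABLES -N "$chain"
    rules_for "$1" | while read -r rule; do
        $IPTABLES $rule
    done
    $IPTABLES -I FORWARD -s "$1" -j "$chain"
}

# FW_disconnect: unhook first so no packet can hit a half-removed chain,
# then flush and delete it.
fw_disconnect() {
    chain=$(client_chain "$1")
    $IPTABLES -D FORWARD -s "$1" -j "$chain"
    $IPTABLES -F "$chain"
    $IPTABLES -X "$chain"
}

# Select the action from the script's own name, as called by openvpnFW.
case "${0##*/}" in
    *.FW_connect.sh)    fw_connect "${1:?client IP expected as \$1}" ;;
    *.FW_disconnect.sh) fw_disconnect "${1:?client IP expected as \$1}" ;;
esac
```

Keeping all of a client's rules in its own chain also makes it easy to inspect what a connected road warrior is currently allowed (iptables -L vpn_10_99_0_3 -n), and the time match means the daytime window is enforced by the kernel without any cron job toggling rules.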