Prevent machines connected to the same OpenVPN server from communicating with each other

This, rather than a question, is a request to confirm how an OpenVPN server works.

I have an OpenVPN server to which I will connect desktop computers and mobile devices of different users. For security reasons, all the machines must be able to connect to the Internet through this VPN, but without any of them being able to find out what other devices are connected to the same OpenVPN server and without being able to access those devices.

A trivial example: if a user has a shared folder or any other working service on their computer, it should not be visible to other users connected to the same OpenVPN server.

All this is a given in a commercial VPN, but since this is a private VPN, I'm not sure whether this security setting is already the default.

To verify this, I ran nmap on both the server and a client to discover connected devices, in a simple test with only two devices connected. These are the results:

server side:

# nmap -sn 10.8.0.0/24

Starting Nmap 7.60 ( https://nmap.org ) at 2021-08-13 12:07 CEST
Nmap scan report for 10.8.0.2
Host is up (0.089s latency).
Nmap scan report for 10.8.0.3
Host is up (0.44s latency).
Nmap scan report for myVPN (10.8.0.1)
Host is up.
Nmap done: 256 IP addresses (3 hosts up) scanned in 49.81 seconds

client side:

nmap -sn 10.8.0.0/24

Starting Nmap 7.01 ( https://nmap.org ) at 2021-08-13 12:24 CEST
Nmap scan report for 10.8.0.3
Host is up (0.00022s latency).
Nmap done: 256 IP addresses (1 host up) scanned in 3.40 seconds

So, is everything already working the way I want it to?


Solution 1:

In the OpenVPN server configuration file, you will find the following directive:

# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
;client-to-client

By default this directive is commented out, so this works the way you want. You may check the configuration file if you wish to be sure.
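The comment quoted above adds a condition that is easy to miss: to force clients to see only the server you must also firewall the server's TUN/TAP interface. Leaving client-to-client commented out stops OpenVPN from switching packets between clients inside the daemon, but for clients to reach the Internet through the VPN the server has to run with IP forwarding enabled, and then a packet from one client addressed to another client's 10.8.0.x address is handed to the kernel and routed straight back out the tunnel interface. The nftables ruleset below is an added example, not part of the question or of this answer; it assumes the tunnel interface is tun0, the Internet-facing interface is eth0, and the 10.8.0.0/24 pool with the server at 10.8.0.1 as shown in the question's nmap output (the interface names are assumptions; check them with `ip -br addr`).

```nftables
#!/usr/sbin/nft -f
# Added example for an OpenVPN server that keeps clients isolated from each
# other while still letting them reach the Internet through the tunnel.
# Assumptions (not from the original post): tunnel on tun0, Internet on eth0,
# client pool 10.8.0.0/24 with the server at 10.8.0.1, IPv4 only.

define vpn_if  = "tun0"
define wan_if  = "eth0"
define vpn_net = 10.8.0.0/24

# Create-then-flush so the file can be re-applied without duplicating rules
table inet openvpn_isolation
flush table inet openvpn_isolation

table inet openvpn_isolation {
    chain forward {
        # Everything the kernel routes between interfaces passes here;
        # default is drop, so only explicitly allowed paths survive.
        type filter hook forward priority 0; policy drop;

        # Client-to-client: without "client-to-client" in server.conf these
        # packets are not switched inside OpenVPN, but with ip_forward=1 the
        # kernel would route them back out tun0. Drop them first and count
        # them so hits are visible in `nft list ruleset`.
        iifname $vpn_if oifname $vpn_if counter drop
        ip saddr $vpn_net ip daddr $vpn_net counter drop

        # Replies from the Internet back to a client's flow
        ct state established,related accept

        # Clients may go out to the Internet through the server
        iifname $vpn_if oifname $wan_if accept

        # Nothing else is forwarded (chain policy drop applies)
    }

    chain postrouting {
        # Source-NAT the pool behind the server's WAN address
        type nat hook postrouting priority 100; policy accept;
        ip saddr $vpn_net oifname $wan_if masquerade
    }
}
```

Load it with `nft -f` and confirm that `net.ipv4.ip_forward` is 1 so Internet access keeps working. From one client, `ping 10.8.0.1` and any Internet host should still answer, while `ping` to the other client's 10.8.0.x address should get no reply, and the counters on the two drop rules should increase. Two caveats when testing with the nmap commands from the question: the rules above only cover traffic the server forwards, so a service running on the server itself is still reachable from clients unless you also filter the input chain; and `nmap -sn` run by an unprivileged user sends only TCP connect probes to ports 80 and 443, so a client that answers neither port shows up as down even when it is reachable. Run the discovery scan as root, which uses ICMP echo in addition to TCP probes, before concluding that isolation works.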