Is it possible to allow a machine on openvpn to connect to only one server on the network?
I have an OpenVPN server which is already functioning properly and allowing people to work on our servers. There's a new project which requires me to allow access to the network and into one specific server within the network for a group of out-sourced coders. I'd like to allow them to connect only to one development server which resides on the network, but I'd also like to know that they are unable to connect to any other servers on the network. Is that possible? How?
That's my server.conf file:
ca ca.crt
cert server.crt
comp-lzo
dev tun
dh dh1024.pem
group nobody
ifconfig-pool-persist ipp.txt
keepalive 10 120
key server.key # This file should be kept secret
persist-key
persist-tun
port 1194
proto tcp
push "dhcp-option DNS 208.67.220.220"
push "dhcp-option DNS 208.67.222.222"
push "route 10.1.X.0 255.255.255.0"
push "route 192.168.X.0 255.255.255.0"
push "route 192.168.Y.0 255.255.255.0"
server 192.168.Y.0 255.255.255.0
status openvpn-status.log
user nobody
verb 3
What shall I add? Will it affect the users which are already connected? Can it cause any issues to the users which are already connecting to this server?
As MealstroM says, this is possible. The full procedure is well-documented in the relevant section of the OpenVPN HOWTO, but the short summary of the procedure is:
1. Configure the OpenVPN server to distinguish between the regular users and the "captive" users (those who are to be allowed access only to certain machines) based on the CNs embedded in their respective certificates.
2. Having so made that distinction, configure OpenVPN to allocate VPN addresses from one block of VPN addresses to the regular users, and from another block to the captive users.
3. Having so distinguished between privileged and unprivileged traffic at layer 3, write appropriate iptables rules to permit only the desired traffic from the captive user netblock.
You ask "will it affect the users which are already connected". If you mean in the short term, then yes, as this will require a server restart that will disconnect everyone; if you mean in the longer term, then no, the existing users shouldn't need any reconfiguration or changes. All these changes are server-side.
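The three steps above as a shell sketch, added here as an example and not code from the question or either answer; it follows the client-config-dir plus ifconfig-push pattern from the OpenVPN HOWTO. Every address, the ccd directory and the CN "contractor1" are constructed placeholders; the existing "server" pool keeps serving the regular users.

```shell
#!/bin/sh
# Added example, not from the question or either answer: the three server-side
# pieces the answer lists, in the style of the OpenVPN HOWTO's access-policy
# section. Every address here is a constructed placeholder: regular clients keep
# the existing "server" pool, captive clients are pushed addresses from
# CAPTIVE_NET, and DEV_SERVER is the one LAN host they may reach.
CCD_DIR="${CCD_DIR:-/etc/openvpn/ccd}"   # assumed location of client-config-dir
CAPTIVE_NET="10.8.1.0/24"
DEV_SERVER="10.1.0.20"
VPN_IF="tun0"

# 1. Additions to server.conf: enable per-CN config files and tell the kernel
#    that the captive block is reached through the tunnel.
server_conf_additions() {
    printf 'client-config-dir %s\nroute 10.8.1.0 255.255.255.0\n' "$CCD_DIR"
}

# 2. One file per captive client, named exactly as the CN in its certificate.
#    With the default net30 topology ifconfig-push takes a /30 endpoint pair.
ccd_entry() {   # $1 = client address, $2 = peer address
    printf 'ifconfig-push %s %s\n' "$1" "$2"
}
write_ccd() {   # $1 = certificate CN, $2 = client address, $3 = peer address
    mkdir -p "$CCD_DIR"
    ccd_entry "$2" "$3" > "$CCD_DIR/$1"
}

# 3. FORWARD-chain rules, printed for review rather than applied blindly.
#    Order matters: the ACCEPT for DEV_SERVER must come before the DROP that
#    covers everything else from the captive block; the last rule lets replies
#    back to captive clients without opening anything new.
captive_forward_rules() {
    printf '%s\n' \
      "iptables -A FORWARD -i $VPN_IF -s $CAPTIVE_NET -d $DEV_SERVER -j ACCEPT" \
      "iptables -A FORWARD -i $VPN_IF -s $CAPTIVE_NET -j DROP" \
      "iptables -A FORWARD -o $VPN_IF -d $CAPTIVE_NET -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Line number of the DROP rule in the list above; used to check the ordering
# invariant (the dev-server ACCEPT is rule 1, so the DROP must be rule 2).
drop_rule_index() {
    captive_forward_rules | grep -n -- '-j DROP' | cut -d: -f1 | head -n 1
}

if [ "${1-}" = "show" ]; then
    server_conf_additions
    echo "# ccd/contractor1:"; ccd_entry 10.8.1.1 10.8.1.2
    captive_forward_rules
fi
```

Run with `show` to print the pieces for review; the ccd file name must match the client's certificate CN exactly, or the client falls back into the regular pool.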
Yes, that's possible. You should use the peer-to-peer OpenVPN architecture and use "push routes" on the OpenVPN server.
Make sure you don't use the "client-to-client" option.