Is it possible to allow a machine on openvpn to connect to only one server on the network?

linux openvpn

I have an OpenVPN server which is already functioning properly and allowing people to work on our servers. There's a new project which requires me to allow access to the network and into one specific server within the network for a group of out-sourced coders. I'd like to allow them to connect only to one development server which resides on the network but also i'd like to know that they are unable to connect to any other servers on the network. Is that possible? How?

That's my server.conf file:

ca ca.crt
cert server.crt
comp-lzo
dev tun
dh dh1024.pem
group nobody
ifconfig-pool-persist ipp.txt
keepalive 10 120
key server.key  # This file should be kept secret
persist-key
persist-tun
port 1194
proto tcp
push "dhcp-option DNS 208.67.220.220"
push "dhcp-option DNS 208.67.222.222"
push "route 10.1.X.0 255.255.255.0"
push "route 192.168.X.0 255.255.255.0"
push "route 192.168.Y.0 255.255.255.0"
server 192.168.Y.0 255.255.255.0
status openvpn-status.log
user nobody
verb 3

What shall I add? Will it affect the users which are already connected? Can it cause any issues to the users which are already connecting to this server?


As MealstroM says, this is possible. The full procedure is well-documented in the relevant section of the OpenVPN HOWTO, but the short summary of the procedure is:

  1. Configure the OpenVPN server to distinguish between the regular users and the "captive" users (those who are to be allowed access only to certain machines) based on the CNs embedded in their respective certificates

  2. Having so made that distinction, configure OpenVPN to allocate VPN addresses from one block of VPN addresses to the regular users, and from another block to the captive users

  3. Having so distinguished between privileged and unprivileged traffic at layer 3, write appropriate iptables rules to permit only the desired traffic from the captive user netblock.

You ask "will it affect the users which are already connected". If you mean in the short term, then yes, as this will require a server restart that will disconnect everyone; if you mean in the longer term, then no, the existing users shouldn't need any reconfiguration or changes. All these changes are server-side.


yes, that possible. You should use peer-to-peer openvpn architecture and use "push routes" on openvpn server.

make sure you dont use "client-to-client" option.

Related

Samba default file creation mask calculation
Delaying munin notifications
How can I pass kernel arguments via PXE to an Ubuntu-like OS installer ISO?
When creating DomainKeys does it matter if I use o=~ or o=-?
Server side antivirus or not?
linux command line find escape question mark
Does LXC container performance depends of host load?
Windows 8.1 clients showing printer offline after reconnecting to the network
How can i manipulate the find command to "find" the directories the "found" file is in?
List current Principals in group Managed Service Accounts
Best parameters for ext4 filesystem for storing virtualbox disk images
Use acl in backend / shrink my config