OpenVPN Server - restrict remote clients to jail access only

Status: Not open for further replies.

Jack Naisbett (Explorer; joined Jan 8, 2016; 69 messages)
Hi,

I did search and found this thread: https://forums.freenas.org/index.ph...-access-to-remote-hosts-via-nat.22873/page-18

But that seems to discuss allowing access to the entire LAN from a remote host, rather than just the OpenVPN server jail - unless I'm misunderstanding.

How would I go about creating an OpenVPN Server jail that clients can access and only access that jail? The jail would also be running a samba share, if that makes a difference.

Thanks,

Jack
 

Jack Naisbett (Explorer; joined Jan 8, 2016; 69 messages)
Would I simply do this, with the IP being the IP of the jail running OpenVPN server? Or if I don't push a route will that be the same?

# Push the route to your local subnet, change address/mask
# as needed
push "route 192.168.0.98 255.255.255.255"
 

zoomzoom (Guru; joined Sep 6, 2015; 677 messages)
You would configure a VPN server, such as OpenVPN, then restrict traffic to the jail via a firewall, such as iptables. The firewall, combined with the user/group access restrictions, will limit the access to only the CIFS port on the NAS Server.

IPs & Subnets
  • OpenVPN Subnet: 10.10.1.0/28
    • VPN Port: 2000
  • Remote Subnet: 192.168.3.0/27
  • NAS Server IP: 192.168.1.20
    • CIFS Port: 445
While the setup steps differ from BSD to OpenWrt, I wrote this wiki on OpenWrt that you may find helpful.
  • There are links at the bottom of that wiki that I'd also recommend reading, especially OpenVPN's How To.
I would highly recommend using OpenSSL and the openssl.cnf linked to in my signature to create your CA and certs [rather than using Easy-RSA]. The openssl.cnf provides better security than Easy-RSA, with all the commands you'll need to issue contained at the bottom of the cnf file (I believe they start at line 321).

For example, this is one of my OpenWrt OpenVPN configs and the accompanying firewall rules to firewall traffic from the remote subnet to only the CIFS shares they needed access to.

OpenVPN Server Config
Code:
#--------------------------------------------------------------------
                    ##----- NAS Server -----##
#--------------------------------------------------------------------


config openvpn 'NASserver'
    option  enabled             1

#--- NAS Server Protocol ---#

    option  dev                 tun
    option  dev                 tun1
    option  topology            subnet
    option  proto               udp
    option  port                2000

#--- NAS Server Routes ---#

    option  server              '10.10.1.0 255.255.255.240'
    option  route               '192.168.3.0 255.255.255.224'

#--- NAS Server Client Config ---#

#   option  ccd_exclusive               1
    option  ifconfig_pool_persist       '/etc/openvpn/clients/nas/ipp.txt'
    option  client_config_dir           '/etc/openvpn/clients/nas'
    option  ifconfig                    '10.10.1.1 255.255.255.240'

#--- NAS Server Pushed Routes ---#

    list    push                'route 192.168.3.0 255.255.255.224'
    list    push                'dhcp-option    DNS 192.168.3.1'
    list    push                'dhcp-option    WINS 192.168.3.1'
    list    push                'dhcp-option    DNS 208.67.222.222'
    list    push                'dhcp-option    DNS 208.67.220.220'
    list    push                'dhcp-option    NTP 129.6.15.30'

#--- NAS Server Encryption ---#

    option  cipher              'AES-256-CBC'
    option  dh                  '/etc/openvpn/nasVPN/dh2048.pem'
    option  pkcs12              '/etc/openvpn/nasVPN/NASserver.p12'
    option  tls_auth            '/etc/openvpn/nasVPN/ta.key 0'

#--- NAS Server Logging ---#

    option  log                 '/tmp/openvpn-nas.log'
    option  status              '/tmp/openvpn-nas-status.log'
    option  verb                7

#--- NAS Server Connection Options ---#

    option  keepalive           '10 120'
    option  comp_lzo            yes

#--- NAS Server Connection Reliability ---#

#   option  client_to_client    1
    option  persist_key         1
    option  persist_tun         1

#--- NAS Server Connection Speed ---#

    option  sndbuf              393216
    option  rcvbuf              393216
    option  fragment            0
    option  mssfix              0
    option  tun_mtu             24000

#--- NAS Server Pushed Buffers ---#

    list    push                'sndbuf 393216'
    list    push                'rcvbuf 393216'

#--- NAS Server Permissions ---#

    option  user                nobody
    option  group               nogroup
#   option  chroot              '/etc/openvpn/jail/nasserver'

  • To further ensure only trusted clients connect, configure the ccd_exclusive options.
    • Currently, the ccd option is commented out, as it requires some minor setup before the option can be utilized. The OpenVPN HowTo linked to at the bottom of the OpenWrt wiki discusses ccd, as does the man page.
  • The chroot option is also commented out, as this requires configuration of a secure chroot for openvpn to reside within and run from. It's highly recommended to chroot any VPN server, however at the very least, ensure the user and group are set to the respectable equivalency of nobody/nogroup.
  • For BSD/*nix, most (if not all) underscores should be converted to dashes (i.e. " - ", not " _ ")

IPtables Rules
  • In the last rule, option src nas refers to the VPN interface, which is named "nas".
Code:
config rule
    option  target      ACCEPT
    option  family      ipv4
    option  proto       'tcp udp'
    option  src         *
    option  dest_port   2000
    option  name        'Allow Any -> VPN1'

config rule
    option  target      ACCEPT
    option  family      ipv4
    option  proto       'tcp udp'
    option  src         *
    option  dest        lan
    option  src_ip      10.10.1.0/28
    option  dest_ip     192.168.1.20
    option  dest_port   445
    option  name        'Allow Remote -> NAS Server'

config rule
    option  target      DROP
    option  family      ipv4
    option  proto       all
    option  src         *
    option  src_ip      10.10.1.0/28
    option  name        'Block NAS [subnet] -> WRT1900'

config rule
    option  target      DROP
    option  family      ipv4
    option  proto       all
    option  src         *
    option  dest        *
    option  src_ip      10.10.1.0/28
    option  name        'Block NAS [subnet] -> Any'

config rule
    option  target      DROP
    option  family      ipv4
    option  proto       all
    option  src         nas
    option  name        'Block NAS -> Any'


  • Here's a screenshot for visual representation of the rules [yellow]
    • The rules don't match 1:1, as the iptables rules require dropping both inbound and forwarded traffic since the VPN is its own interface; however, Sophos utilizes a more complex setup, which results in only needing 1 drop rule.
  • Provided you configure the ccd exclusive options in the server config, you could also include specific rules for the specific ccd client IPs you've assigned.
 

Jack Naisbett (Explorer; joined Jan 8, 2016; 69 messages)
Sorry, lines 33-36 of the OpenVPN, are these needed/what do they do?

I don't suppose you could point me how I convert the iptables rules to ipfw could you?
 

zoomzoom (Guru; joined Sep 6, 2015; 677 messages)
Forgot to mention, provided you utilize my openssl.cnf from my GitHub to generate your CAs and certs, and utilize remote-cert-ku f8 in the client config, I don't believe it's necessary to generate a TLS key for the OpenVPN server (openvpn --genkey --secret ./ta.key), however I could be misremembering. You'll know from the connection log if you do or not, as it will throw a warning stating something about TLS verification.

Jack Naisbett said:
Sorry, lines 33-36 of the OpenVPN, are these needed/what do they do?

I don't suppose you could point me how I convert the iptables rules to ipfw could you?
They're not required... WINS is for NetBIOS, next two are OpenDNS, last is NIST's NTP server.

I don't, as I've never used ipfw, however many users on here have who may be able to help. I would also try researching on Google.
 

zoomzoom (Guru; joined Sep 6, 2015; 677 messages)

Jack Naisbett said:
I don't suppose you could point me how I convert the iptables rules to ipfw could you?

I'm not sure if seeing the actual iptables commands will help, but figured I'd post fw3's output just in case:
  • -m id --id 0x66773300 is the LAN interface (for all intents and purposes of this example, the VPN interface "nas")
    • Please keep in mind, normally there should be more than 1 interface specified in many of the rules; however, since I've configured my WRT1900AC as a smart switch, it only has one interface (LAN).
      • The two #1 rules would allow input from any interface to establish the VPN connection
      • The two #2 rules would allow forwarding from the VPN interface "nas" to the LAN interface
      • The #3 rule blocks all input traffic from the VPN interface to the LAN interface
      • The #4 rule blocks all forwarded requests from the VPN interface to all other interfaces/networks managed by the router
  1. iptables -t filter -A INPUT -p tcp -m id --id 0x66773300 -m tcp --dport 2000 -m comment --comment "Allow Any -> VPN1" -j ACCEPT
    iptables -t filter -A INPUT -p udp -m id --id 0x66773300 -m udp --dport 2000 -m comment --comment "Allow Any -> VPN1" -j ACCEPT

  2. iptables -t filter -A FORWARD -p tcp -s 10.10.1.0/255.255.255.240 -d 192.168.1.20/255.255.255.255 -m id --id 0x66773300 -m tcp --dport 445 -m comment --comment "Allow Remote -> NAS Server" -j zone_lan_dest_ACCEPT
    iptables -t filter -A FORWARD -p udp -s 10.10.1.0/255.255.255.240 -d 192.168.1.20/255.255.255.255 -m id --id 0x66773300 -m udp --dport 445 -m comment --comment "Allow Remote -> NAS Server" -j zone_lan_dest_ACCEPT

  3. iptables -t filter -A INPUT -s 10.10.1.0/255.255.255.240 -m id --id 0x66773300 -m comment --comment "Block NAS [subnet] -> WRT1900" -j DROP

  4. iptables -t filter -A FORWARD -s 10.10.1.0/255.255.255.240 -m id --id 0x66773300 -m comment --comment "Block NAS [subnet] -> Any" -j DROP

  5. I don't have a printout of this rule, as I no longer utilize OpenWrt for my VPN since Sophos runs on 8 cores and 16GB of RAM, speeding up encryption/decryption exponentially; I currently use my WRT1900AC essentially as a smart switch.
 
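As an added example (not code from the thread, from OpenWrt or from fw3): a small first-match evaluator for the four rules that appear in zoomzoom's firewall config and again in the iptables printout above, run against constructed packets. The VPN client address 10.10.1.5 and the LAN host 192.168.1.30 are made up; the subnet, NAS IP and ports are the ones from the post. The same first-match ordering applies when the rules are carried over to ipfw, which is why the reversed-order check at the end matters.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
# Values from zoomzoom's post: OpenVPN subnet, NAS IP, VPN and CIFS ports.
VPN_SUBNET = ipaddress.ip_network("10.10.1.0/28")
NAS_IP = ipaddress.ip_address("192.168.1.20")
VPN_PORT, CIFS_PORT = 2000, 445

@dataclass(frozen=True)
class Rule:
    chain: str                    # "input" (to the router) or "forward" (through it)
    action: str                   # "accept" or "drop"
    proto: tuple = ()             # protocols the rule covers; () means all
    src: ipaddress.IPv4Network | None = None
    dst: ipaddress.IPv4Address | None = None
    dport: int | None = None
    name: str = ""

    def matches(self, chain, proto, src, dst, dport):
        return (self.chain == chain
                and (not self.proto or proto in self.proto)
                and (self.src is None or src in self.src)
                and (self.dst is None or dst == self.dst)
                and (self.dport is None or dport == self.dport))

# The four rules from the post, in the same order (accepts before drops).
RULES = [
    Rule("input", "accept", ("tcp", "udp"), dport=VPN_PORT, name="Allow Any -> VPN1"),
    Rule("forward", "accept", ("tcp", "udp"), src=VPN_SUBNET, dst=NAS_IP,
         dport=CIFS_PORT, name="Allow Remote -> NAS Server"),
    Rule("input", "drop", src=VPN_SUBNET, name="Block NAS [subnet] -> WRT1900"),
    Rule("forward", "drop", src=VPN_SUBNET, name="Block NAS [subnet] -> Any"),
]

def verdict(chain, proto, src, dst, dport=None, rules=RULES):
    """First-match evaluation, as iptables/fw3 and ipfw do it: returns
    (action, rule name); an unmatched packet falls through to the chain
    policy, modelled as accept so every drop has to be explicit."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(chain, proto, src, dst, dport):
            return rule.action, rule.name
    return "accept", "chain policy"

if __name__ == "__main__":
    # Constructed sample packets from a VPN client: only CIFS on the NAS passes.
    for dst, port in (("192.168.1.20", 445), ("192.168.1.20", 22), ("192.168.1.30", 445)):
        print(dst, port, verdict("forward", "tcp", "10.10.1.5", dst, port))
    # Reversing the list puts the drop before the accept and silently kills CIFS.
    print(verdict("forward", "tcp", "10.10.1.5", "192.168.1.20", 445, rules=RULES[::-1]))
```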

zoomzoom (Guru; joined Sep 6, 2015; 677 messages)

Jack Naisbett said:
Thanks, I have no idea how ipfw works but hopefully someone here can help!
You should be able to find some tutorials/wikis online via Google. I would try searching the following on Google (copy and paste into search bar exactly as written):
  • "freebsd"+"openvpn"+"wiki" OR "tutorial"
  • "freebsd"+"openvpn"+"ipfw"
  • "freebsd"+"openvpn"+"wiki" OR "tutorial"+"ipfw"
  • "freebsd"+"openvpn"+"wiki" OR "tutorial"+"ipfw"+"wiki" OR "tutorial"
As OpenWrt and BSD configs differ slightly, I would recommend having a BSD tutorial on screen as you're configuring things. This will help to catch any differences in configurations early in the process, making troubleshooting later easier and more convenient.
  • For example, in BSD configs, "option" & "list" aren't used
 