Setup:
I have my PiVPN installed after PiHole to work together during the installation process.
I have a Unifi router (USG) that has created a number of subnetworks/vlans. My Pi on the native lan created by the USG.
I've connected fine without a ccd profile and with. I've setup a static IP that works fine (Android over Data)
Issue:
In both instances, ccd profile or not, I can ping just about everything. I want to restrict access to specific vlans/subnets when connected to VPN remotely. Funny thing is that I can reach about everything except 1 subnet/vlan. OR, I want to just push the clients onto a specifically created vlan created by USG and just do the appropriate FW rules to isolate - whichever works.
My issue is a little bit different with other _similar_ issues in that I have no problem accessing the lan while the ones I've seen relatively to mine cannot.
Yes / These describe the opposite problem I am having.
pivpn debug<!-- Please paste the output of `pivpn debug` between the backticks, don't forget to substitute your public IP address if you don't want the world to know it -->
::: Generating Debug Output
:::: PiVPN debug ::::
=============================================
:::: Latest commit ::::
commit 4e8d4dfd8ef01e49f3137d5fc5a2afa14a465e47
Author: Orazio <[email protected]>
Date: Tue Apr 7 13:45:43 2020 +0200
Merge pull request #1000 from psgoundar/pivpn
Updated listOVPN to Include Expiration Dates
=============================================
:::: Installation settings ::::
PLAT=Raspbian
OSCN=buster
USING_UFW=0
IPv4dev=eth0
IPv4addr=10.80.1.14/24
IPv4gw=10.80.1.1
install_user=pi
install_home=/home/pi
VPN=openvpn
pivpnPROTO=udp
pivpnPORT=11948
pivpnDNS1=10.8.0.1
pivpnDNS2=
pivpnSEARCHDOMAIN=
pivpnHOST=REDACTED
TWO_POINT_FOUR=1
pivpnENCRYPT=384
USE_PREDEFINED_DH_PARAM=0
INPUT_CHAIN_EDITED=0
FORWARD_CHAIN_EDITED=0
pivpnDEV=tun0
pivpnNET=10.8.0.0
subnetClass=24
UNATTUPG=1
INSTALLED_PACKAGES=()
HELP_SHOWN=1
=============================================
:::: Server configuration shown below ::::
dev tun
proto udp
port 11948
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/REDACTED_a943f043-e0e1-483b-b656-69c82705f48f.crt
key /etc/openvpn/easy-rsa/pki/private/REDACTED_a943f043-e0e1-483b-b656-69c82705f48f.key
dh none
ecdh-curve secp384r1
topology subnet
server 10.8.0.0 255.255.255.0
# Set your primary domain name server address for clients
push "route 10.80.70.1"
push "dhcp-option DNS 10.80.70.1"
push "block-outside-dns"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
client-config-dir /etc/openvpn/ccd
keepalive 15 120
remote-cert-tls client
tls-version-min 1.2
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
cipher AES-256-CBC
auth SHA256
user openvpn
group openvpn
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 4
#DuplicateCNs allow access control on a less-granular, per user basis.
#Remove # if you will manage access by user instead of device.
#duplicate-cn
# Generated for use by PiVPN.io
=============================================
:::: Client template file shown below ::::
client
dev tun
proto udp
remote REDACTED 11948
resolv-retry infinite
nobind
remote-cert-tls server
tls-version-min 1.2
verify-x509-name REDACTED_a943f043-e0e1-483b-b656-69c82705f48f name
cipher AES-256-CBC
auth SHA256
auth-nocache
verb 3
=============================================
:::: Recursive list of files in ::::
::: /etc/openvpn/easy-rsa/pki shows below :::
/etc/openvpn/easy-rsa/pki/:
ca.crt
crl.pem
Default.txt
ecparams
Employee.ovpn
extensions.temp
index.txt
index.txt.attr
index.txt.attr.old
index.txt.old
issued
openssl-easyrsa.cnf
private
renewed
revoked
safessl-easyrsa.cnf
serial
serial.old
ta.key
/etc/openvpn/easy-rsa/pki/ecparams:
secp384r1.pem
/etc/openvpn/easy-rsa/pki/issued:
Employee.crt
REDACTED_a943f043-e0e1-483b-b656-69c82705f48f.crt
/etc/openvpn/easy-rsa/pki/private:
ca.key
Employee.key
REDACTED_a943f043-e0e1-483b-b656-69c82705f48f.key
/etc/openvpn/easy-rsa/pki/renewed:
private_by_serial
reqs_by_serial
/etc/openvpn/easy-rsa/pki/renewed/private_by_serial:
/etc/openvpn/easy-rsa/pki/renewed/reqs_by_serial:
/etc/openvpn/easy-rsa/pki/revoked:
private_by_serial
reqs_by_serial
/etc/openvpn/easy-rsa/pki/revoked/private_by_serial:
/etc/openvpn/easy-rsa/pki/revoked/reqs_by_serial:
=============================================
:::: Self check ::::
:: [OK] IP forwarding is enabled
:: [OK] Iptables MASQUERADE rule set
:: [OK] OpenVPN is running
:: [OK] OpenVPN is enabled (it will automatically start on reboot)
:: [OK] OpenVPN is listening on port 11948/udp
=============================================
:::: Having trouble connecting? Take a look at the FAQ:
:::: https://github.com/pivpn/pivpn/wiki/FAQ
=============================================
:::: Snippet of the server log ::::
Apr 14 08:26:55 pi ovpn-server[9639]: REDACTED:2490 peer
-rw-r--r-- 1 root root 104 Apr 14 08:18 Employee
ifconfig-push 10.8.0.5 255.255.255.0
iroute 10.80.70.1 255.255.255.192
route 10.80.70.1 255.255.255.192
iptables -t nat -LChain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 10.8.0.0/24 anywhere /* openvpn-nat-rule */
MASQUERADE all -- 10.9.0.0/24 anywhere
MASQUERADE all -- 10.8.0.0/24 anywhere
pivpn -c::: Certificate Status List :::
Status Name Expiration
Valid pi Apr 11 2030
Valid Employee Mar 29 2023
Created Post on Pi Forums - Admin Directed me here
Expanding Scope of Additional Machines: https://openvpn.net/community-resources/expanding-the-scope-of-the-vpn-to-include-additional-machines-on-either-the-client-or-server-subnet/
Client Specific Rules using CCD: https://openvpn.net/community-resources/how-to/#configuring-client-specific-rules-and-access-policies
Drop the traffic to a certain IP range via iptables.
iptables -I FORWARD -i tun0 -o eth0 -d 10.99.99.0/24 -j DROP
Assuming 10.99.99.0/24 is the range you want to forbid access to.
@orazioedoardo You're a beautiful being - that worked for my noob a$$.
One additional questionm, how would I forward/drop specific ccd's to certain subnets? I'm assuming tun0 is global for all ccd profiles.
i.e.
Employee - certain set of forwarding rules
Another Class - another certain set of forwarding rules
@ilovelobster You could remove push "redirect-gateway def1" (or any other push route) in the client config and set specific routes in the CCD profile.
–route network/IP [netmask] [gateway] [metric]
Add route to routing table after connection is established. Multiple routes can be specified. Routes will be automatically torn down in reverse order prior to TUN/TAP device close.This option is intended as a convenience proxy for the route(8) shell command, while at the same time providing portable semantics across OpenVPN’s platform space. From https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4:netmask default — 255.255.255.255 gateway default — taken from –route-gateway or the second parameter to –ifconfig when –dev tun is specified. metric default — taken from –route-metric otherwise 0.
However note that clients can simply add additional routes to a subnet by themselves, so if you want to enforce the rules a bit much, you should deny access using iptables on the server.
Thanks @orazioedoardo fixed.
Most helpful comment
Drop the traffic to a certain IP range via iptables.
iptables -I FORWARD -i tun0 -o eth0 -d 10.99.99.0/24 -j DROPAssuming
10.99.99.0/24is the range you want to forbid access to.