
Per user routing rules #425

Open
wants to merge 4 commits into base: master

Conversation

rca
Contributor

@rca rca commented Oct 8, 2018

This branch allows per-user routing such that access to hosts behind the VPN can be controlled on a per-user basis.

This script will add iptables routing rules per client connection. By default the user will not be able to route to anything.
@netcraker01

Hello, I'm trying to improve this user routing and I get this error when a client is connecting:

```
Failed to list table names in /proc/net/ip_tables_names: Permission denied
Traceback (most recent call last):
  File "/usr/local/bin/client-connect", line 63, in <module>
    main()
  File "/usr/local/bin/client-connect", line 59, in main
    plan.execute()
  File "/usr/lib/python3.7/site-packages/iptables/logic.py", line 41, in execute
    tables = self.get_current_tables()
  File "/usr/lib/python3.7/site-packages/iptables/logic.py", line 57, in get_current_tables
    _, stdout, _ = run_command(command)
  File "/usr/lib/python3.7/site-packages/iptables/logic.py", line 21, in run_command
    raise CommandError('command={} failed with status={}'.format(command, status))
iptables.logic.CommandError: command=/sbin/iptables-save failed with status=1
```

Thanks!

@rca
Contributor Author

rca commented Dec 30, 2019

Hey @netcraker01,

This is due to the openvpn server running as user nobody. I updated my /etc/openvpn/openvpn.conf like so:

```
# in order for the script to manage iptables, it cannot be nobody
#user nobody
#group nogroup
```

and script-security needs to be set in order to allow scripts to run:

```
# per-user route configurations
script-security 2
client-connect /usr/local/bin/client-connect
```

@netcraker01

> Hey @netcraker01,
>
> This is due to the openvpn server running as user nobody. I updated my /etc/openvpn/openvpn.conf like so:
>
> ```
> # in order for the script to manage iptables, it cannot be nobody
> #user nobody
> #group nogroup
> ```
>
> and script-security needs to be set in order to allow scripts to run:
>
> ```
> # per-user route configurations
> script-security 2
> client-connect /usr/local/bin/client-connect
> ```

Great, now it's up! Thank you!!

I'm trying to do something: I have 3 clients, 2 of them have the same IP subnet (192.168.250.0) and the other one needs to connect to client 1's subnet or client 2's subnet on demand.
I hope that with these rules I can create a pair of clients that only connect to each other.
Now, without these rules, the last one to connect to the server is the only one available to connect to the other client.
I will try more, thanks again!
