- Expert
- Posts: 117
- Liked: 23 times
- Joined: Sep 30, 2018 9:03 pm
how to limit a client to limited number of internal ip addresses
Hello, and thanks for VeeamPN.
For clients, when they connect to VeeamPN, they have access to the entire subnet of the VeeamPN server, such as 192.168.1.0/24.
How can I limit clients to a list of local IP addresses such as 192.168.1.5 and 192.168.1.9?
Thanks in advance.
- Veeam Software
- Posts: 70
- Liked: 14 times
- Joined: Jan 01, 2006 1:01 am
Re: how to limit a client to limited number of internal ip addresses
Hi David,
If you want to limit access in your site for all clients, whether from another site or connected as endpoint clients, you will need to manually alter the firewall settings.
Please ssh to your site appliance (with the username and password you set).
By default all IPs are allowed by the following record:
-A VeeamHUB_forward -i wg.veeampn -m state --state RELATED,ESTABLISHED -m comment --comment VeeamHUB_forward_site_back -j ACCEPT
Please note: the following commands should be issued in the specified sequence only.
To allow only your selected IPs we need to override the default by putting a prohibiting record before all allowing (ACCEPT) records, by running the following command:
sudo iptables -I VeeamHUB_forward -i wg.veeampn -d 192.168.1.0/24 -j DROP
Then we should allow the two desired IPs with the following commands:
sudo iptables -I VeeamHUB_forward -i wg.veeampn -d 192.168.1.9/32 -j ACCEPT
sudo iptables -I VeeamHUB_forward -i wg.veeampn -d 192.168.1.5/32 -j ACCEPT
You can check the state of your forwarding rules by running sudo iptables -vS VeeamHUB_forward
If you need to restore the default behavior, please delete the added rules with the following commands:
sudo iptables -D VeeamHUB_forward -i wg.veeampn -d 192.168.1.0/24 -j DROP
sudo iptables -D VeeamHUB_forward -i wg.veeampn -d 192.168.1.9/32 -j ACCEPT
sudo iptables -D VeeamHUB_forward -i wg.veeampn -d 192.168.1.5/32 -j ACCEPT
Please note: the solution will not survive a restart of the appliance.
Please confirm if this is what you were looking for. I'll help you make these rules permanent.
Thank you,
Alexey
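An added shell helper (not from the post and not part of the VeeamPN appliance) that generalizes the three commands above to any number of allowed hosts, emits them in the order the post requires, and checks from `iptables -S` output that the rules landed in the intended order. The chain and interface names are the ones from the post; the subnet and host addresses passed in are constructed sample values.

```shell
# Added example; chain and interface names come from the forum post, the
# addresses used with these functions are constructed samples.
CHAIN="VeeamHUB_forward"
IFACE="wg.veeampn"

# Print the commands that restrict forwarding to the given hosts.
# Because -I prepends to the chain, the subnet-wide DROP must be inserted
# first so that every ACCEPT inserted afterwards lands above it.
allow_only() {
    network="$1"; shift
    echo "sudo iptables -I $CHAIN -i $IFACE -d $network -j DROP"
    for ip in "$@"; do
        echo "sudo iptables -I $CHAIN -i $IFACE -d $ip/32 -j ACCEPT"
    done
}

# Print the matching -D commands that restore the default behaviour.
restore_default() {
    network="$1"; shift
    echo "sudo iptables -D $CHAIN -i $IFACE -d $network -j DROP"
    for ip in "$@"; do
        echo "sudo iptables -D $CHAIN -i $IFACE -d $ip/32 -j ACCEPT"
    done
}

# Read `iptables -S $CHAIN` output on stdin. Exits 0 only when every per-host
# ACCEPT precedes the subnet-wide DROP; exits 1 if a host ACCEPT sits below a
# DROP, which means the commands ran out of order and the allowed hosts are
# being dropped as well.
check_order() {
    awk '
        $0 ~ "-d [0-9.]+/[0-9]+ -j DROP" { seen_drop = 1 }
        $0 ~ "-d [0-9.]+/32 -j ACCEPT"   { if (seen_drop) bad = 1 }
        END { if (bad) exit 1; exit 0 }
    '
}

# Usage: review the generated commands, apply them by piping to sh, then
# verify the live chain:
#   allow_only 192.168.1.0/24 192.168.1.5 192.168.1.9 | sh
#   sudo iptables -S VeeamHUB_forward | check_order && echo "order OK"
```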
- Expert
- Posts: 117
- Liked: 23 times
- Joined: Sep 30, 2018 9:03 pm
Re: how to limit a client to limited number of internal ip addresses
My question was not clear, but thanks much for taking the time to answer it.
In the end, I figured out what I wanted, but perhaps there is another way to do it you might know.
And perhaps other people can learn from your post and what I am about to write.
As I understand OpenVPN and the way VeeamPN uses it:
If a client connects to the hub, then VeeamPN pushes routes to the client for:
1. the entire subnet of the hub
2. all the subnets for all site-to-site
What I want to do is change that so the OpenVPN client has no routes at all.
I would have to manually add each and every route.
This is how I did it:
1. I use the program Viscosity to manage my OpenVPN connections.
2. Viscosity can add commands when connecting to a VPN.
3. I added the command route-nopull.
4. Using a .cmd batch file, I used the route command to add routes.
If you know another way to do this, please share.
- Lurker
- Posts: 1
- Liked: never
- Joined: Jun 23, 2022 4:29 am
Re: how to limit a client to limited number of internal ip addresses
Hi,
I'm trying to do something similar to the above, but also add some additional rules so that clients can't contact each other.
I've set up VeeamPN and have a number of individual computers at different sites connect to it via OpenVPN. When these computers are connected to it I only want them to be able to access certain local IP addresses (as above), but I also don't want them to be able to contact each other. As it stands, when they are connected to VeeamPN they can access all of the other connected computers as well.
@AVasilyev can you help with rules for that, please? And also tell me how to make all of the rules permanent. Thanks!
- Lurker
- Posts: 1
- Liked: never
- Joined: Aug 08, 2022 6:53 pm
- Full Name: Uchenna Ani-Okoye
Re: how to limit a client to limited number of internal ip addresses
So is it possible to add those additional rules, or are we simply restricted to just limiting the IP address range?