How to restrict OpenVPN users to certain network segments

I have three segments behind an OpenVPN server: DMZ (192.168.1.x), Dev (192.168.2.x) and PROD (192.168.3.x). There are two user groups: one group may connect to all segments through OpenVPN, and I want to restrict the other users to the Dev segment only. What is the best way to do this?

OpenVPN users are assigned IP addresses from the 10.10.11.x network.

The best way to do this is to give each group its own /24 subnet, or to split up your 10.10.11.0/24 and do some iptables magic to block the dev users.

But I think that, if your network supports it, the best approach is to VLAN-tag each subnet. Give the dev users their own /24 in OpenVPN, then add firewall rules that only allow the dev VLAN to reach certain other LANs.

For OpenVPN there is a switch called --learn-address that can be used to generate the rules.

In that script you basically check the CN and add/remove iptables rules for the client's IP.

From the OpenVPN man page:

  --learn-address cmd
      Run script or shell command cmd to validate client virtual addresses or routes. cmd will be executed with 3 parameters:
      [1] operation -- "add", "update", or "delete" based on whether or not the address is being added to, modified, or deleted from OpenVPN's internal routing table.
      [2] address -- The address being learned or unlearned. This can be an IPv4 address such as "198.162.10.14", an IPv4 subnet such as "198.162.10.0/24", or an ethernet MAC address (when --dev tap is being used) such as "00:FF:01:02:03:04".
      [3] common name -- The common name on the certificate associated with the client linked to this address. Only present for "add" or "update" operations, not "delete".
      On "add" or "update" methods, if the script returns a failure code (non-zero), OpenVPN will reject the address and will not modify its internal routing table. Normally, the cmd script will use the information provided above to set appropriate firewall entries on the VPN TUN/TAP interface. Since OpenVPN provides the association between virtual IP or MAC address and the client's authenticated common name, it allows a user-defined script to configure firewall access policies with regard to the client's high-level common name, rather than the low level client virtual addresses.
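As an added example (not part of the original answer), here is what such a --learn-address hook can look like for the three segments in the question. It assumes a naming convention where restricted users have certificates whose CN starts with "dev-", a hypothetical forwarding chain OVPN_CLIENTS that ends in a DROP rule, and that the server config carries `script-security 2` so OpenVPN is allowed to run it; with DRY_RUN=1 the script only prints the iptables commands it would run.

```shell
#!/bin/sh
# Hypothetical learn-address hook for OpenVPN (added example, not from the post).
# server.conf:  script-security 2
#               learn-address /etc/openvpn/learn-address.sh
# OpenVPN runs: learn-address.sh <add|update|delete> <address> [<common-name>]
# Policy (assumption): CN "dev-*" may reach only Dev; every other CN may reach all.
DEV_NET="192.168.2.0/24"
ALL_NETS="192.168.1.0/24 192.168.2.0/24 192.168.3.0/24"
CHAIN="OVPN_CLIENTS"   # assumed chain, hooked into FORWARD, last rule is -j DROP

# Print the iptables commands for one learn-address event; non-zero exit tells
# OpenVPN to reject the address. $1=operation $2=client address $3=CN (if any)
learn_address_rules() {
    op="$1"; addr="$2"; cn="$3"
    # First drop whatever this address was allowed before, so an "update"
    # (a different client on a reused address) cannot inherit stale access.
    # Deleting needs an exact rule match, so every candidate rule is tried.
    for net in $ALL_NETS; do
        echo "iptables -D $CHAIN -s $addr -d $net -j ACCEPT 2>/dev/null"
    done
    case "$op" in
        delete) return 0 ;;
        add|update)
            [ -n "$cn" ] || return 1            # no CN: reject the address
            case "$cn" in
                dev-*) allowed="$DEV_NET" ;;    # restricted group
                *)     allowed="$ALL_NETS" ;;   # full-access group
            esac
            # Insert at the top of the chain so the trailing DROP keeps working.
            for net in $allowed; do
                echo "iptables -I $CHAIN -s $addr -d $net -j ACCEPT"
            done ;;
        *) return 1 ;;                          # unknown operation: reject
    esac
}

# Entry point when OpenVPN invokes the script with its three parameters.
if [ "$#" -ge 2 ]; then
    rules=$(learn_address_rules "$@") || exit 1
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$rules"
    else
        printf '%s\n' "$rules" | sh
    fi
fi
```

Test it without touching the firewall with `DRY_RUN=1 ./learn-address.sh add 10.10.11.6 dev-alice`, and remember that the chain itself (creation, the FORWARD hook and the final DROP) is set up once outside this script.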