
I'll describe my project here. I have a server running Ubuntu.

The server is set up with multiple VPN connections (tun0, tun1, tun2, etc.). I use this to launch my VPNs: sudo systemctl start openvpn-client@The_VPN_I_Want.service. I want to keep one user (1000) and RDP access on eth0,

and route the other users through tunX interfaces. For example, user 1002 on tun0, user 1003 on tun1.

I've restarted my rules from 0.

So if I want to block outgoing traffic on eth0 for user 1002, I do this:

sudo iptables -I OUTPUT -o eth0 -m owner --uid-owner 1002 -j REJECT

And if I want to allow outgoing traffic on tun0, I do this:

sudo iptables -I OUTPUT -o tun0 -m owner --uid-owner 1002 -j ACCEPT

Am I right? User 1002 is not supposed to have access from eth0, is it?

From the user 1002 session, when I do wget https://wtfismyip.com/text, my public IP is returned, not the VPN IP.

I'm a little confused right now :3

[EDIT] I'm dumb, my interface was ens33, not eth0, so I fixed this and now I use these rules:

# Mark traffic user
iptables -t mangle -A OUTPUT -o eth0 -m owner --uid-owner 1002 -j MARK --set-mark 10
# Source 2 VPN address
iptables -t nat -A POSTROUTING -o tun0 -m mark --mark 10 -j MASQUERADE
# Forward 2 tun0
iptables -P FORWARD ACCEPT
iptables -A FORWARD -o tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

So I think my user 1002 doesn't pass through tun0 because of the default route:

default via 192.168.0.254 dev eth0 proto dhcp metric 100
169.254.0.0/16 dev eth0 scope link metric 1000
172.18.11.1 via 172.18.11.37 dev tun0
172.18.11.37 dev tun0 proto kernel scope link src 172.18.11.38
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.117 metric 100
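The mark-and-MASQUERADE rules above never tell the kernel to consult a different routing table for marked packets, so the main table's default route via eth0 still wins. The following is an added example, not code from the original post: it generates the complete rule set for pinning one user to one tunnel with fwmark policy routing, failing closed if the tunnel is down. The values 1002, tun0, eth0 come from the question; mark 10, routing table 10 and the function name are assumptions.

```shell
#!/bin/sh
# Added example: route all traffic of one Linux uid through one VPN tunnel.
# Arguments: UID TUN_IFACE FWMARK ROUTE_TABLE LAN_IFACE (all assumed values).
# It prints the commands; review them, then pipe into "sudo sh" to apply.
per_user_vpn_rules() {
    uid=$1; tun=$2; mark=$3; table=$4; lan=$5
cat <<EOF
# 1. Mark every packet this uid generates. mangle/OUTPUT runs after the first
#    route lookup, so a changed mark makes the kernel re-route the packet.
iptables -t mangle -A OUTPUT -m owner --uid-owner $uid -j MARK --set-mark $mark
# 2. Marked packets consult table $table, whose only default route is the tunnel.
#    Unmarked traffic (uid 1000, RDP, the OpenVPN process itself) keeps using main.
ip rule add fwmark $mark table $table
ip route replace default dev $tun table $table
# 3. The source address was picked before the mark existed, so the packet still
#    carries the $lan address; rewrite it to the tunnel address on the way out.
iptables -t nat -A POSTROUTING -o $tun -m mark --mark $mark -j MASQUERADE
# 4. Fail closed: if $tun is down, table $table has no route and the lookup falls
#    back to main (default via $lan). Reject that instead of leaking the real IP.
iptables -A OUTPUT -o $lan -m owner --uid-owner $uid -j REJECT
# 5. Replies arrive on $tun, but main routes their source via $lan; strict
#    reverse-path filtering would drop them, so use loose mode on the tunnel.
sysctl -w net.ipv4.conf.$tun.rp_filter=2
EOF
}

# Verification once applied (no root needed): a marked lookup must pick the tunnel,
# an unmarked one must still pick the LAN uplink:
#   ip route get 1.1.1.1 mark 10    # expect "dev tun0 table 10"
#   ip route get 1.1.1.1            # expect "via 192.168.0.254 dev eth0"

# Stand-alone use:  sh thisfile.sh 1002 tun0 10 10 eth0 | sudo sh
if [ $# -eq 5 ]; then
    per_user_vpn_rules "$@"
fi
```

One rule set per user (for example 1003 tun1 11 11 eth0) keeps each user in its own table; the REJECT rule is what turns a dropped tunnel into a visible failure instead of a silent fallback to the real address.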
  • I'm not entirely sure what your firewall strategy is supposed to be. You have many partly redundant rules related to connection tracking that could be replaced by one. You have output rules but you never drop anything. Your VPN-per-user thing is also rather confusing. Please explain your (abstract) goals in much greater detail.
    – Daniel B
    Commented Feb 5, 2021 at 7:39
  • I'd like to permit user 1000 to use eth0 and port 3389 (or total use of the eth0 interface) but not the other users. The other users need to pass through their VPN, like user 1002 tun0, user 1003 tun1, etc. I'm sorry, I've never tried this before and I've been working on this for a week non-stop, I'm a little confused :/
    – EuReKa-LoS
    Commented Feb 6, 2021 at 16:18

1 Answer

So I've been working on this non-stop since then without success, but I've found something.

On this thread https://unix.stackexchange.com/questions/516311/how-to-restrict-openvpn-clients-connection-to-single-system-user?newreg=285e883cf62241ce992943e789738313

he uses the same VPN service as me (NordVPN); I think the NordVPN client configuration blocks something.

When I run myvpn.sh the connection succeeds and the interface tunX is up.

But I don't know how to pass the traffic from the user into the VPN / virtual interface. This is the NordVPN conf:

client
dev tun2
proto udp
remote 31.171.152.11 1194
resolv-retry infinite
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping 15
ping-restart 0
ping-timer-rem
reneg-sec 0
#Ping OK no IP change without
#redirect-gateway
comp-lzo no
#pull-filter ignore redirect-gateway
remote-cert-tls server
route-nopull
auth-user-pass /etc/openvpn/client/nvpn.txt
verb 3
pull
fast-io
cipher AES-256-CBC
