OpenVPN服务器中若配置了client-to-client
, 终端之间是无限制互通的。
配置文档中如此描述:
1 | # Uncomment this directive to allow different |
如果想要指定特定终端能互通,特定不能通,不能打开这个选项。
首先要开启配置topology subnet
。
此时服务器的tun0上是可以看到终端所有数据包了,即终端数据会进入服务器的内核IP Stack。
1 | cat >> /etc/sysctl.conf <<EOF |
最后通过iptables的FORWARD规则,屏蔽特定不允许互通的网段。即可实现。
1 | iptables -A FORWARD -i tun0 -o tun0 -s 10.15.100.0/24 -d 10.15.100.0/24 -j DROP |
原理摘自Stackoverflow一篇帖子,摘抄如下。
If client-to-client
is enabled, the VPN server forwards client-to-client packets internally without sending them to the IP layer of the host (i.e. to the kernel). The host networking stack does not see those packets at all.
1 | .-------------------. |
If client-to-client is disabled, the packets from a client to another client go through the host IP layer (iptables, routing table, etc.) of the machine hosting the VPN server: if IP forwarding is enabled, the host might forward the packet (using its routing table) again to the TUN interface and the VPN daemon will forward the packet to the correct client inside the tunnel.
1 | .-------------------. |
In this case (client-to-client disabled), you can block the client-to-client packets using iptables:
1 | iptables -A FORWARD -i tun0 -o tun0 -j DROP |
where tun0 is your VPN interface.