I’ve received a message from a friend recently and it surprised me a lot, please read it and tell me what you think website
Yours truly, Christa Emery
From: WPextragrupo marcosgutierrez [mailto:]
Sent: Tuesday, August 01, 2017 11:09 AM
Subject: For ice cream
So, obviously, a Linux host can serve as a router. Stick OpenVPN on it and use a CCD-style configuration to ensure that
* Each client cert is only useful so long as there’s a configuration set corresponding to its CN
* Each client cert identifies a host as being the rightful owner of a particular static IP address
Also ensure that OpenVPN doesn’t perform any routing internally, and that that work is passed up to the Linux host.
At this point, you have your VPN clients routing through your Linux host, with source IP addresses specified in your OpenVPN configuration. If a packet comes to or from a given IP address, and that IP address is supposed to be associated with a particular cert, then you can write firewall rules on your Linux host that operate with that knowledge. I.e. “Joe’s cert grants him the IP address 10.0.0.2. Per policy, we want Joe to have access to port 443 on hosts in the subnet 10.1.0.0/8. So we will add a firewall rule on our VPN terminator host to permit 10.0.0.2 to access port 443 when the destination address matches 10.1.0.0/8”
1. Client connects to OpenVPN server with a cert with a CN of “Joe”
2. OpenVPN on server checks CCD directory for configuration for Joe.
3. CCD directory has Joe’s configuration, and assigns him the IP address of 10.0.0.2
4. Client assigns 10.0.0.2 to a virtual interface, can now route through VPN.
5. Client sends SYN packet to 10.1.0.3 port 443 on tunnel interface.
6. OpenVPN on server kicks the packet up to the Linux kernel for routing.
7. Linux kernel identifies where the packet should go, applies FORWARDING table firewall rules.
8. In the FORWARDING filter table, there’s a rule saying that if the source address matches 10.0.0.2, the destination address matches 10.1.0.0/8, and the destination port is 443, then accept the packet.
(This assumes your firewall denies packets by default, and permits packets related to or part of established connections. This is pretty much the baseline for any sane stateful firewall configuration, though…)
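As an added example (not part of the forwarded message or of OpenVPN's own files), the POSIX shell script below turns one per-client policy table into the three pieces the message describes: the server.conf directives that look up a CCD file by certificate CN (and, with ccd-exclusive, refuse any cert that has no CCD file), the CCD entry that pins each CN to a static tunnel address, and the iptables FORWARD rules keyed on that address. Joe's values are the message's; the second client Alice, the tunnel interface tun0, the 10.0.0.0/24 tunnel subnet with "topology subnet" and the /etc/openvpn/ccd path are constructed assumptions. It only prints unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the forwarded message: render the OpenVPN server
# directives, the per-CN CCD entries and the iptables FORWARD rules from one
# policy table, so the cert -> IP -> firewall-rule chain is visible in one place.
# Constructed assumptions: tunnel interface tun0, VPN subnet 10.0.0.0/24 with
# "topology subnet", CCD files under /etc/openvpn/ccd. Prints by default;
# APPLY=1 writes the CCD files and executes the rules.
set -eu

TUN_IF="${TUN_IF:-tun0}"
CCD_DIR="${CCD_DIR:-/etc/openvpn/ccd}"

# Policy table, one client per line: "CN  tunnel-IP  destination-net  TCP-port".
# Joe is the message's worked example; Alice is a second, constructed client.
POLICY='
Joe   10.0.0.2  10.1.0.0/8  443
Alice 10.0.0.3  10.1.0.0/8  22
'

# server.conf directives: CCD lookup by CN, reject certs without a CCD file
# (ccd-exclusive), and no client-to-client so every packet reaches the kernel.
server_conf() {
    cat <<EOF
dev $TUN_IF
topology subnet
server 10.0.0.0 255.255.255.0
client-config-dir $CCD_DIR
ccd-exclusive
EOF
}

# CCD entry for one CN (usage: ccd_entry CN IP): pin the client's tunnel address.
ccd_entry() {
    printf 'ifconfig-push %s 255.255.255.0\n' "$2"
}

# One policy rule (usage: forward_rule IP NET PORT): accept only NEW connections
# whose source is the pinned address arriving on the tunnel, to the allowed
# destination network and port. Everything else falls through to the DROP policy.
forward_rule() {
    printf 'iptables -A FORWARD -i %s -s %s -d %s -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$TUN_IF" "$1" "$2" "$3"
}

# Baseline the message assumes: forwarding enabled, default deny on FORWARD,
# packets belonging to established/related connections allowed first.
baseline_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Walk the policy table once, calling "$1 CN IP NET PORT" for each client line.
each_client() {
    printf '%s\n' "$POLICY" | while read -r cn ip net port; do
        if [ -n "$cn" ]; then "$1" "$cn" "$ip" "$net" "$port"; fi
    done
}

# Full FORWARD rule set: baseline first, then one rule per client.
render_one() { forward_rule "$2" "$3" "$4"; }
render_rules() {
    baseline_rules
    each_client render_one
}

# Write the CCD files so the CN -> IP binding exists on the server.
write_one() { ccd_entry "$1" "$2" > "$CCD_DIR/$1"; }
write_ccd_files() {
    mkdir -p "$CCD_DIR"
    each_client write_one
}

show_one() { printf '%s/%s: ' "$CCD_DIR" "$1"; ccd_entry "$1" "$2"; }

if [ "${APPLY:-0}" = 1 ]; then
    write_ccd_files
    render_rules | sh -e
else
    printf '# --- server.conf ---\n'; server_conf
    printf '# --- CCD files ---\n'; each_client show_one
    printf '# --- FORWARD rules ---\n'; render_rules
fi
```

Two checks worth keeping in mind when adapting this. First, the `-s 10.0.0.2` match only means "Joe" because OpenVPN in server mode drops tunnel packets whose source address is not the one it assigned to that client, so the cert, the CCD entry and the firewall rule stay in lockstep; if a CN has no CCD file, ccd-exclusive rejects the connection rather than handing out an address from the pool. Second, iptables masks a network address with its prefix length, so `-d 10.1.0.0/8` matches the same hosts as `10.0.0.0/8`; if a narrower range such as a /16 is intended, write that prefix in the policy table.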
Sent from Mail for Windows 10