Re: what an amazing surprise


I’ve received a message from a friend recently and it surprised me a lot. Please read it and tell me what you think: website

Yours truly, Christa Emery

From: WPextragrupo marcosgutierrez [mailto:]
Sent: Tuesday, August 01, 2017 11:09 AM
To: amengibara@ono.com
Subject: For ice cream

So, obviously, a Linux host can serve as a router. Stick OpenVPN on it and use a CCD-style configuration to ensure that

* Each client cert is only useful so long as there’s a configuration set corresponding to its CN

* Each client cert identifies a host as being the rightful owner of a particular static IP address

Also ensure that OpenVPN doesn’t perform any routing internally, and that that work is passed up to the Linux host.

At this point, you have your VPN clients routing through your Linux host, with source IP addresses specified in your OpenVPN configuration. If a packet comes to or from a given IP address, and that IP address is supposed to be associated with a particular cert, then you can write firewall rules on your Linux host that operate with that knowledge. I.e. “Joe’s cert grants him the IP address Per policy, we want Joe to have access to port 443 on hosts in the subnet So we will add a firewall rule on our VPN terminator host to permit to access port 443 when the destination address matches”


1. Client connects to OpenVPN server with a cert with a CN of “Joe”

2. OpenVPN on server checks CCD directory for configuration for Joe.

3. CCD directory has Joe’s configuration, and assigns him the IP address of

4. Client assigns to a virtual interface, can now route through VPN.

5. Client sends SYN packet to port 443 on tunnel interface.

6. OpenVPN on server kicks the packet up to the Linux kernel for routing.

7. Linux kernel identifies where the packet should go, applies FORWARDING table firewall rules.

8. In the FORWARDING filter table, there’s a rule saying that if the source address matches, the destination address matches, and the destination port is 443, then accept the packet.

(This assumes your firewall denies packets by default, and permits packets related to or part of established connections. This is pretty much the baseline for any sane stateful firewall configuration, though…)

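The scheme in the message above (a CN pinned to a static tunnel IP via a CCD file, no internal routing in OpenVPN, and FORWARD-chain rules keyed on that IP) as an added, runnable example; it is not code from the original message. All CNs, tunnel addresses, destination subnets, ports, the `/etc/openvpn/ccd` path and the `tun0` interface name are constructed assumptions. It generates everything from one policy table so the CN, the CCD file and the firewall rule cannot drift apart, and it refuses a policy where two CNs share an IP, since that would make the rules ambiguous about who is sending. Two caveats worth knowing: `ccd-exclusive` is the directive that makes a cert useless without a CCD entry for its CN, and OpenVPN itself drops tunnel packets whose source address is not the one it assigned to that client (logged as a bad source address), which is what stops one client from spoofing another's tunnel IP to borrow its rule.

```shell
#!/bin/sh
# Added example, not part of the original message: generate the OpenVPN server
# directives, the per-CN CCD files and the Linux FORWARD-chain rules from one
# policy table. CNs, tunnel addresses, destination subnets and ports are all
# constructed for illustration.

# Policy table (constructed): CN  tunnel-IP  allowed-destination-CIDR  allowed-TCP-port
POLICY='
joe   10.8.0.10  192.168.10.0/24  443
alice 10.8.0.11  192.168.20.0/24  22
'
TUN_NET=10.8.0.0/24   # assumed VPN subnet handed out by the server
TUN_IF=tun0           # assumed tunnel interface on the VPN terminator

# server_conf: the server-side directives the scheme depends on.
#  - client-config-dir + ccd-exclusive: a cert whose CN has no CCD file is refused,
#    so a valid cert alone is not enough to connect.
#  - topology subnet: ifconfig-push takes "<ip> <netmask>" rather than a /30 peer.
#  - no client-to-client: OpenVPN must not forward between clients internally;
#    every packet leaves tun0 and is routed by the kernel, where FORWARD sees it.
server_conf() {
    cat <<EOF
dev tun
topology subnet
server ${TUN_NET%/*} 255.255.255.0
client-config-dir /etc/openvpn/ccd
ccd-exclusive
EOF
}

# ccd_entry CN IP: contents of /etc/openvpn/ccd/<CN>, binding the CN to one static IP.
ccd_entry() {
    printf 'ifconfig-push %s 255.255.255.0\n' "$2"
}

# ccd_check: refuse a policy in which two CNs share a tunnel IP or a CN repeats;
# either would make the IP-keyed firewall rules ambiguous about who is sending.
ccd_check() {
    dup_ip=$(printf '%s\n' "$POLICY" | awk 'NF {print $2}' | sort | uniq -d)
    dup_cn=$(printf '%s\n' "$POLICY" | awk 'NF {print $1}' | sort | uniq -d)
    [ -z "$dup_ip" ] && [ -z "$dup_cn" ]
}

# forward_rules: iptables commands for the FORWARD chain of the filter table
# (the message calls it the FORWARDING table). Default DROP, allow replies to
# established flows, then one NEW-connection rule per policy row, keyed on the
# tunnel source address that the CCD file pinned to that CN.
forward_rules() {
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    printf '%s\n' "$POLICY" | awk -v ifc="$TUN_IF" 'NF {
        printf "iptables -A FORWARD -i %s -s %s/32 -d %s -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n", ifc, $2, $3, $4
    }'
}

# write_ccd DIR: materialise one CCD file per policy row.
write_ccd() {
    mkdir -p "$1"
    printf '%s\n' "$POLICY" | while read -r cn ip _rest; do
        [ -n "$cn" ] || continue
        ccd_entry "$cn" "$ip" > "$1/$cn"
    done
}

# Dry run: validate the policy, write the CCD files to a scratch directory and
# print the config and rules that would be installed (nothing touches a live system).
ccd_check || { echo "policy error: duplicate CN or tunnel IP" >&2; exit 1; }
scratch=$(mktemp -d)
write_ccd "$scratch"
server_conf
forward_rules
rm -rf "$scratch"
```

Because every client must have a CCD file under `ccd-exclusive`, the dynamic address pool is never used and each `ifconfig-push` address is the only one a given cert can ever hold; the firewall rule on the terminator then really is a statement about that cert, not just about an address.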