JohnyB
just joined
Topic Author
Posts: 7
Joined: Thu Mar 21, 2013 11:13 am

How to limit OVPN user access to one server?

Thu Nov 21, 2013 6:35 pm

Hi,

I found a previous post: http://forum.mikrotik.com/viewtopic.php?f=14&t=51860 but it does not work for me...
When the user logs in, MikroTik creates dynamic filters:
/ip firewall filter print dynamic 
Flags: X - disabled, I - invalid, D - dynamic 
 0 D chain=ppp action=jump jump-target=ovpn-filtered-in in-interface=<ovpn-aster001> 

 1 D chain=ppp action=jump jump-target=ovpn-filtered-out out-interface=<ovpn-aster001> 
[admin@MikroTik] > ip firewall filter print 
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=ovpn-filtered-in action=accept dst-address=192.168.1.16 

 1   chain=ovpn-filtered-in action=drop 

 2   chain=ovpn-filtered-out action=drop 

 3   chain=forward action=jump jump-target=ppp 
Everything looks fine but it doesn't work. Counters show 0 and the user still has access to all machines in the local network.
I will be grateful for any tips.

Best regards
 
patrickmkt
Member Candidate
Posts: 200
Joined: Sat Jul 28, 2012 5:21 pm

Re: How to limit OVPN user access to one server?

Thu Nov 21, 2013 7:50 pm

You need to create a binding ovpn server in your ppp interface (with the proper user info for that user).
You can then use that interface for your routing rules.
 
JohnyB
just joined
Topic Author
Posts: 7
Joined: Thu Mar 21, 2013 11:13 am

Re: How to limit OVPN user access to one server?

Thu Nov 21, 2013 10:05 pm

I'm a newbie to MikroTik routers; can you explain what you mean by: "create a binding ovpn server in your ppp interface"?
When the OVPN user logs in, MikroTik creates the interface ovpn-aster001 and the proper dynamic filter rules:
/ip firewall filter print dynamic 
Flags: X - disabled, I - invalid, D - dynamic 
 0 D chain=ppp action=jump jump-target=ovpn-filtered-in in-interface=<ovpn-aster001> 

 1 D chain=ppp action=jump jump-target=ovpn-filtered-out out-interface=<ovpn-aster001> 
 
patrickmkt
Member Candidate
Posts: 200
Joined: Sat Jul 28, 2012 5:21 pm

Re: How to limit OVPN user access to one server?

Thu Nov 21, 2013 10:44 pm

When a user logs in, it will create a temporary interface; you cannot use this one with filter rules as this interface is temporary (unless you do it dynamically).
That's why you want to 'reserve' an interface name for your client connection by creating a binding one.

In Winbox: ppp/interface, add a new ovpn server binding, then fill out the name of the interface you want and the user (who is in your secret list) it will belong to.
Now you can use this new named interface for your rules.

Via terminal, that should be something like /interface ovpn-server add name=ovpnclient1 user=client1
Now create the rules for interface ovpnclient1.
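
The static binding from the reply above combined with the single-server restriction from the question, as an added example that is not part of the original posts. It assumes the PPP secret client1 already exists, reuses the interface name ovpnclient1 and the server address 192.168.1.16 from the thread, and assumes the rules are placed above any broader accept rule in the forward chain.

```routeros
# Added example; assumes PPP secret "client1" exists and that these rules
# sit above any broader accept rule in the forward chain.

# Static binding: this user's tunnel always comes up as interface "ovpnclient1"
/interface ovpn-server add name=ovpnclient1 user=client1

/ip firewall filter
# VPN client -> the one permitted server
add chain=forward in-interface=ovpnclient1 dst-address=192.168.1.16 action=accept comment="ovpnclient1: allowed server"
# Replies from that server back to the client (one state per rule)
add chain=forward out-interface=ovpnclient1 src-address=192.168.1.16 connection-state=established action=accept comment="ovpnclient1: replies"
add chain=forward out-interface=ovpnclient1 src-address=192.168.1.16 connection-state=related action=accept comment="ovpnclient1: related"
# Everything else to or from the tunnel is dropped
add chain=forward in-interface=ovpnclient1 action=drop comment="ovpnclient1: drop rest (in)"
add chain=forward out-interface=ovpnclient1 action=drop comment="ovpnclient1: drop rest (out)"

# After the client connects, confirm the binding is running and the counters move
/interface ovpn-server print
/ip firewall filter print stats
```

The forward chain only covers traffic routed through the device; traffic from the tunnel to the router itself is handled by the input chain and needs its own rules.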
