[eduVPN-deploy] Removal of packet filtering for VPN client traffic

François Kooman fkooman at tuxed.net
Wed Oct 31 20:52:01 CET 2018


On 31.10.18 14:32, Jørn Åne wrote:
> I support using routers for firewalling of clients, but I recommend that
> the option to limit traffic *between* clients is kept.  This is
> something that is handled within the server, so an external firewall
> cannot limit this.

Actually, there are two relevant ways to block/allow traffic here:

1. Clients connected to the same OpenVPN process
2. Clients connected to the same profile (still part of the same prefix
as configured in range4/range6)

In LC/eduVPN you typically have more than 1 process that makes up a
profile. For example a process listening on udp/1194 and one listening on
tcp/1194. Both those processes split up the range4 and range6 over those
processes.

Using the OpenVPN server configuration flag --client-to-client one can
allow traffic between clients connected to the same process (same
"broadcast domain").

Without implementing any firewall however, traffic between the various
OpenVPN processes *is* allowed and can only be restricted with firewall
rules.

The `clientToClient` option in vpn-server-api configuration controls
both of these. Setting this to true will allow traffic between clients
connected to the same OpenVPN process and between the OpenVPN processes
belonging to the same profile. Setting this to false will block both
scenarios.

I don't really see any other solution here than to keep this part of the
firewall to prevent client-to-client traffic if traffic between OpenVPN
processes of the same profile also needs to be restricted.

Possibly the firewall rules can be simplified though, e.g. block all
traffic with source tun* and destination tun*. However that would make
it impossible for some profiles on the same server to allow
client-to-client communication.

Does anyone have any additional ideas?

Cheers,
François
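As an added illustration of the two layers discussed in this mail (not code from eduVPN or from the author), the script below generates, for a small constructed set of profiles, the per-process OpenVPN `client-to-client` setting and the iptables FORWARD rules that allow tun-to-tun traffic only between the processes of a profile whose `clientToClient` is true, with a final catch-all DROP for all other tun-to-tun traffic. The interface naming `tun-<profile>-<n>`, the inline profile list, and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of eduVPN / vpn-server-api.
# Assumption: every OpenVPN process of a profile owns an interface named
# tun-<profile>-<n> (constructed naming scheme for this example).

# Constructed input, one profile per line:
#   <profile-id> <number of OpenVPN processes> <clientToClient true|false>
PROFILES='internet 2 false
office 2 true'

# Layer 1: inside one OpenVPN process. Only the OpenVPN daemon can allow or
# block traffic between clients of the same process, via --client-to-client.
# Emits the relevant lines of the config for process <n> of a profile.
openvpn_config_for() {
    p=$1; n=$2; c2c=$3
    echo "dev tun-$p-$n"
    if [ "$c2c" = "true" ]; then
        echo "client-to-client"
    fi
}

# Layer 2: between the OpenVPN processes of one profile. This traffic is
# forwarded by the kernel, so only the firewall can restrict it. Emits
# ACCEPT rules for every ordered pair of interfaces of a profile that
# allows client-to-client traffic; profiles that forbid it get no rules.
profile_rules() {
    p=$1; n=$2; c2c=$3
    if [ "$c2c" != "true" ]; then
        return 0
    fi
    i=0
    while [ "$i" -lt "$n" ]; do
        j=0
        while [ "$j" -lt "$n" ]; do
            if [ "$i" -ne "$j" ]; then
                echo "-A FORWARD -i tun-$p-$i -o tun-$p-$j -j ACCEPT"
            fi
            j=$((j + 1))
        done
        i=$((i + 1))
    done
}

# Full FORWARD rule set: per-profile ACCEPTs first, then one DROP that
# matches any remaining tun-to-tun traffic (cross-profile traffic and
# profiles with clientToClient=false). "tun+" is the iptables wildcard
# for all interfaces whose name starts with "tun".
all_rules() {
    echo "$PROFILES" | while read -r p n c2c; do
        profile_rules "$p" "$n" "$c2c"
    done
    echo "-A FORWARD -i tun+ -o tun+ -j DROP"
}

# Usage (prints the rules; feed to iptables-restore after the *filter header):
all_rules
```

The order matters: the profile-specific ACCEPT rules must precede the generic `tun+` DROP, and a profile that sets `clientToClient` to false needs both the missing `client-to-client` line in its OpenVPN processes and the absence of ACCEPT rules, since each layer covers only one of the two cases named in the mail.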
