When using the restrict-user-to-routes = true option in ocserv.conf, OpenConnect server inserts firewall rules into iptables using the shell script /usr/bin/ocserv-fw, which restricts the user's traffic through the router explicitly to the routes they are assigned. E.g. for the following config block, ocserv-fw will insert an iptables chain that only permits traffic to 10.0.95.42/32 and rejects the rest:
    vyos@vyos# show vpn openconnect network-settings
     client-ip-settings {
         subnet 10.0.95.20/30
     }
     push-route 10.0.95.42/32
Will result in the following iptables chain (after a user has connected)
    Chain FORWARD-ocserv-fw-sslvpn0 (1 references)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             10.0.95.42           /* ocserv-fw */
    REJECT     all  --  anywhere             anywhere             /* ocserv-fw */ reject-with icmp-port-unreachable
However, these are ignored; I'm guessing this is due to other rules. A full iptables list is below, taken while a single user is connected to the VPN. (These are the defaults; no firewall rules have been added using the VyOS CLI.)
    root@vyos:/home/vyos# iptables --list
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    VYATTA_PRE_FW_IN_HOOK  all  --  anywhere             anywhere
    VYATTA_POST_FW_IN_HOOK  all  --  anywhere             anywhere

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED /* ocserv-fw */
    VYATTA_PRE_FW_FWD_HOOK  all  --  anywhere             anywhere
    VYATTA_POST_FW_FWD_HOOK  all  --  anywhere             anywhere
    ACCEPT     udp  --  anywhere             dns.google           udp dpt:domain /* ocserv-fw */
    ACCEPT     tcp  --  anywhere             dns.google           tcp dpt:domain state NEW,ESTABLISHED /* ocserv-fw */
    FORWARD-ocserv-fw-sslvpn0  all  --  anywhere             anywhere             /* ocserv-fw */

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    VYATTA_PRE_FW_OUT_HOOK  all  --  anywhere             anywhere
    VYATTA_POST_FW_OUT_HOOK  all  --  anywhere             anywhere

    Chain VYATTA_PRE_FW_IN_HOOK (1 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere

    Chain VYATTA_PRE_FW_FWD_HOOK (1 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere

    Chain VYATTA_PRE_FW_OUT_HOOK (1 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere

    Chain VYATTA_POST_FW_IN_HOOK (1 references)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere

    Chain VYATTA_POST_FW_FWD_HOOK (1 references)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere

    Chain VYATTA_POST_FW_OUT_HOOK (1 references)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere

    Chain FORWARD-ocserv-fw-sslvpn0 (1 references)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             10.0.95.42           /* ocserv-fw */
    REJECT     all  --  anywhere             anywhere             /* ocserv-fw */ reject-with icmp-port-unreachable
In this example, when an OpenConnect client connects, despite the router not pushing the client any route other than 10.0.95.42/32, and vyos-fw adding iptables rules to reject traffic by default, the end user can route traffic to other destinations through the VyOS router by manually adding routes.
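The listing above already shows where the ocserv rules lose: the jump to FORWARD-ocserv-fw-sslvpn0 is appended to the end of FORWARD, after VYATTA_POST_FW_FWD_HOOK, whose only rule is ACCEPT all, so a forwarded packet gets its verdict before the ocserv chain is ever consulted. The following script is an added example (not code from this report, from VyOS or from ocserv) that replays the FORWARD traversal over a copy of the chains from that listing, constructed inline, for an on-route and an off-route packet from the client pool, and then repeats the walk with the ocserv jump moved ahead of the VyOS hook chains. The reordering, the client address 10.0.95.21 and the off-route destination 192.0.2.10 are assumptions made for illustration, not the VyOS fix.

```python
"""Replay the FORWARD traversal of an `iptables --list` dump to find which rule
issues the verdict for a VPN client's packet.

Added example, not from the report or from VyOS/ocserv. It models the filter
table semantics: rules are tried in order; ACCEPT/DROP/REJECT end the walk;
RETURN (or falling off the end of a user chain) hands back to the caller; any
other target is a jump into a user chain; a built-in chain with no verdict
falls back to its policy.
"""
import copy
import ipaddress
from dataclasses import dataclass

# Constructed from the FORWARD-related chains in the listing above; the
# "target prot opt ..." header rows are kept so the parser skips them as it
# would for real output.
LISTING = """\
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED /* ocserv-fw */
VYATTA_PRE_FW_FWD_HOOK  all  --  anywhere             anywhere
VYATTA_POST_FW_FWD_HOOK  all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             dns.google           udp dpt:domain /* ocserv-fw */
ACCEPT     tcp  --  anywhere             dns.google           tcp dpt:domain state NEW,ESTABLISHED /* ocserv-fw */
FORWARD-ocserv-fw-sslvpn0  all  --  anywhere             anywhere             /* ocserv-fw */

Chain VYATTA_PRE_FW_FWD_HOOK (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain VYATTA_POST_FW_FWD_HOOK (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain FORWARD-ocserv-fw-sslvpn0 (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             10.0.95.42           /* ocserv-fw */
REJECT     all  --  anywhere             anywhere             /* ocserv-fw */ reject-with icmp-port-unreachable
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def _addr_match(rule_addr, pkt_addr):
    """iptables prints a /32 as a bare address and unresolved names as names."""
    try:
        return ipaddress.ip_address(pkt_addr) in ipaddress.ip_network(rule_addr, strict=False)
    except ValueError:
        return rule_addr == pkt_addr  # hostname such as dns.google


@dataclass
class Rule:
    target: str
    proto: str
    src: str
    dst: str
    extra: str  # trailing match text, e.g. "ctstate RELATED,ESTABLISHED"

    def matches(self, pkt):
        if self.proto != "all" and self.proto != pkt["proto"]:
            return False
        for want, have in ((self.src, pkt["src"]), (self.dst, pkt["dst"])):
            if want != "anywhere" and not _addr_match(want, have):
                return False
        if "state " in self.extra:  # covers both "ctstate X" and "state X"
            states = self.extra.split("state ", 1)[1].split()[0].split(",")
            if pkt["ctstate"] not in states:
                return False
        if "dpt:domain" in self.extra and pkt.get("dport") != 53:
            return False
        return True


def parse_listing(text):
    """Return ({chain: [Rule]}, {builtin_chain: policy}) from `iptables --list` text."""
    chains, policies, current = {}, {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("target "):
            continue
        if line.startswith("Chain "):
            parts = line.split()
            current = parts[1]
            chains[current] = []
            if parts[2] == "(policy":
                policies[current] = parts[3].rstrip(")")
            continue
        target, proto, _opt, src, dst, *rest = line.split()
        chains[current].append(Rule(target, proto, src, dst, " ".join(rest)))
    return chains, policies


def _walk(chains, chain, pkt, trail):
    for n, rule in enumerate(chains[chain], 1):
        if not rule.matches(pkt):
            continue
        trail.append(f"{chain}#{n}:{rule.target}")
        if rule.target in TERMINAL:
            return rule.target
        if rule.target == "RETURN":
            return None
        verdict = _walk(chains, rule.target, pkt, trail)  # jump into user chain
        if verdict is not None:
            return verdict
    return None  # fell off the end: back to the caller (or policy for a built-in)


def verdict(chains, policies, pkt):
    """Return (verdict, trail of matched rules) for a packet entering FORWARD."""
    trail = []
    v = _walk(chains, "FORWARD", pkt, trail)
    if v is None:
        v = policies["FORWARD"]
        trail.append(f"FORWARD:policy {v}")
    return v, trail


def move_jump(chains, chain, target, position):
    """Copy of `chains` with the jump to `target` moved to 1-based `position`
    in `chain` (what deleting it and re-adding it with `-I chain position`
    would do). Hypothetical reordering, used only to show the effect."""
    new = copy.deepcopy(chains)
    jump = next(r for r in new[chain] if r.target == target)
    new[chain].remove(jump)
    new[chain].insert(position - 1, jump)
    return new


def demo():
    chains, policies = parse_listing(LISTING)
    client = "10.0.95.21"  # constructed: inside the 10.0.95.20/30 client pool
    pkts = {
        "on": {"src": client, "dst": "10.0.95.42", "proto": "icmp", "ctstate": "NEW"},
        "off": {"src": client, "dst": "192.0.2.10", "proto": "icmp", "ctstate": "NEW"},  # constructed
    }
    as_listed = {k: verdict(chains, policies, p) for k, p in pkts.items()}
    # Hypothetical: ocserv jump right after the RELATED,ESTABLISHED rule, ahead of the hooks.
    fixed = move_jump(chains, "FORWARD", "FORWARD-ocserv-fw-sslvpn0", 2)
    reordered = {k: verdict(fixed, policies, p) for k, p in pkts.items()}
    return as_listed, reordered


if __name__ == "__main__":
    for label, result in zip(("as listed", "ocserv jump before hooks"), demo()):
        for k, (v, trail) in result.items():
            print(f"{label:24s} {k}-route -> {v:6s} via {' > '.join(trail)}")
```

Run as-is, both packets are accepted at VYATTA_POST_FW_FWD_HOOK#1 and the trail never enters FORWARD-ocserv-fw-sslvpn0; with the jump moved ahead of the hooks, the on-route packet is accepted by the ocserv chain and the off-route one is rejected by it. The same walk can be pointed at the full output of `iptables --list` on a router to confirm which rule is actually deciding forwarded VPN traffic before changing anything.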
Note that VyOS does not support configuring restrict-user-to-routes via the CLI, and this has to be configured either by manually editing ocserv.conf or by using per-group/per-user configuration such as in the proposed PR https://github.com/vyos/vyos-1x/pull/1783.
Steps to replicate (Verified on a fresh 1.3.2 VyOS instance):
- Configure OpenConnect Server as per https://docs.vyos.io/en/equuleus/configuration/vpn/openconnect.html#configuration and ensure you have a user you can connect with
- Add a single push route to the OpenConnect server with: set vpn openconnect network-settings push-route x.x.x.x/x
- Commit and save changes
Steps to test with the OpenConnect client:
- Connect to the VPN with the user set up in step 1
- Confirm you can route traffic through the route you set up to push in step 2, to confirm the VPN is working (I just pinged it)
- Manually add a route on your machine to another address that the VyOS router can access, then attempt to route traffic to it; you should have access to other routes despite the ocserv-fw firewall rules added
It would be great to get compatibility between VyOS and OpenConnect route restriction, particularly for the use case of per-user access control. I don't have a good understanding of iptables, so I can't offer much more apart from what I've outlined above. I'm happy to assist with providing more details on request.
Thanks