When the `restrict-user-to-routes = true` option is used in `ocserv.conf`, the OpenConnect server inserts firewall rules into iptables using the shell script `/usr/bin/ocserv-fw`, which restricts each user's traffic through the router to exactly the routes they are assigned. For example, for the following config block, `ocserv-fw` will insert an iptables chain that only permits traffic to `10.0.95.42/32` and rejects the rest:
```
vyos@vyos# show vpn openconnect network-settings
client-ip-settings {
subnet 10.0.95.20/30
}
push-route 10.0.95.42/32
```
This results in the following iptables chain:
```
Chain FORWARD-ocserv-fw-sslvpn0 (1 references)
target prot opt source destination
ACCEPT all -- anywhere 10.0.95.42 /* ocserv-fw */
REJECT all -- anywhere anywhere /* ocserv-fw */ reject-with icmp-port-unreachable
```
However, these are ignored; I'm guessing this is due to other rules. A full iptables list is below (these are the defaults; no firewall rules have been added using the VyOS CLI).
```
root@vyos:/home/vyos# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
VYATTA_PRE_FW_IN_HOOK all -- anywhere anywhere
VYATTA_POST_FW_IN_HOOK all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED /* ocserv-fw */
VYATTA_PRE_FW_FWD_HOOK all -- anywhere anywhere
VYATTA_POST_FW_FWD_HOOK all -- anywhere anywhere
ACCEPT udp -- anywhere dns.google udp dpt:domain /* ocserv-fw */
ACCEPT tcp -- anywhere dns.google tcp dpt:domain state NEW,ESTABLISHED /* ocserv-fw */
FORWARD-ocserv-fw-sslvpn0 all -- anywhere anywhere /* ocserv-fw */
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
VYATTA_PRE_FW_OUT_HOOK all -- anywhere anywhere
VYATTA_POST_FW_OUT_HOOK all -- anywhere anywhere
Chain VYATTA_PRE_FW_IN_HOOK (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain VYATTA_PRE_FW_FWD_HOOK (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain VYATTA_PRE_FW_OUT_HOOK (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain VYATTA_POST_FW_IN_HOOK (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain VYATTA_POST_FW_FWD_HOOK (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain VYATTA_POST_FW_OUT_HOOK (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain FORWARD-ocserv-fw-sslvpn0 (1 references)
target prot opt source destination
ACCEPT all -- anywhere 10.0.95.42 /* ocserv-fw */
REJECT all -- anywhere anywhere /* ocserv-fw */ reject-with icmp-port-unreachable
```
In this example, when an OpenConnect client connects, despite the router pushing the client no routes other than `10.0.95.42/32` and `ocserv-fw` adding iptables rules that reject traffic by default, the end user can route traffic to other destinations through the VyOS router by manually adding routes.
Note that VyOS does not support configuring `restrict-user-to-routes` via the CLI; it has to be configured either by manually editing `ocserv.conf` or using per-group/per-user configuration such as in the proposed PR https://github.com/vyos/vyos-1x/pull/1783.
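To see why the `ocserv-fw` chain never gets a say, here is an added check (not part of this report, of VyOS or of ocserv) that walks the `FORWARD` chain from the listing above in packet-evaluation order and reports the first unconditional ACCEPT a packet hits before the jump into `FORWARD-ocserv-fw-sslvpn0`. The listing is constructed from the `iptables --list` output quoted above (FORWARD path only) and the parser assumes the default `iptables --list` text format.

```python
# Constructed from the `iptables --list` output quoted in the report (FORWARD path only).
IPTABLES_LIST = """\
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED /* ocserv-fw */
VYATTA_PRE_FW_FWD_HOOK all -- anywhere anywhere
VYATTA_POST_FW_FWD_HOOK all -- anywhere anywhere
FORWARD-ocserv-fw-sslvpn0 all -- anywhere anywhere /* ocserv-fw */
Chain VYATTA_PRE_FW_FWD_HOOK (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain VYATTA_POST_FW_FWD_HOOK (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain FORWARD-ocserv-fw-sslvpn0 (1 references)
target prot opt source destination
ACCEPT all -- anywhere 10.0.95.42 /* ocserv-fw */
REJECT all -- anywhere anywhere /* ocserv-fw */ reject-with icmp-port-unreachable
"""

def parse_chains(listing):
    """Map chain name -> list of rules (each split into fields) from `iptables --list` text."""
    chains, current = {}, None
    for line in listing.splitlines():
        if line.startswith("Chain "):
            current = chains.setdefault(line.split()[1], [])
        elif current is not None and line and not line.startswith("target "):
            current.append(line.split())
    return chains

def walk(chains, chain, path=()):
    """Yield (chain path, rule) in the order a packet is evaluated, descending into user chains."""
    for fields in chains.get(chain, []):
        yield path + (chain,), fields
        if fields[0] == "RETURN":      # RETURN ends evaluation of this user chain
            return
        if fields[0] in chains:        # jump into a user-defined chain
            yield from walk(chains, fields[0], path + (chain,))

def catch_all_accept_before(chains, start, target_chain):
    """Path to the first unconditional ACCEPT a packet hits before reaching `target_chain`, else None."""
    for path, fields in walk(chains, start):
        if fields[0] == target_chain:
            return None
        # 'ACCEPT all -- anywhere anywhere' with no further match text accepts every packet
        if fields[0] == "ACCEPT" and fields[1:] == ["all", "--", "anywhere", "anywhere"]:
            return path
    return None
```

On this listing the result is `("FORWARD", "VYATTA_POST_FW_FWD_HOOK")`: the catch-all ACCEPT inside the post-hook chain is reached before the `ocserv-fw` jump, so the per-user ACCEPT/REJECT rules are never evaluated.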
Steps to replicate (verified on a fresh 1.3.2 VyOS instance):
# Configure the OpenConnect server as per https://docs.vyos.io/en/equuleus/configuration/vpn/openconnect.html#configuration and ensure you have a user you can connect with.
# Add a single push route to the OpenConnect server: `set vpn openconnect network-settings push-route x.x.x.x/x`
# Commit and save changes.
Steps to test with the OpenConnect client:
# Connect to the VPN with the user set up in step 1.
# Confirm you can route traffic to the route you set up to push in step 2, to confirm the VPN is working (I just pinged it).
# Manually add a route on your machine to another address that the VyOS router can access, then attempt to route traffic to it; you will have access to other routes despite the `ocserv-fw` firewall rules that were added.
It would be great to get compatibility between VyOS and OpenConnect route restriction, particularly for the use case of per-user access control. I don't have a good understanding of iptables, so I can't offer much more than what I've outlined above. I'm happy to assist with providing more details on request.
Thanks