Filtering traffic between two client subnets on same tap VPN server

  • It appears that if I enable the client-to-client setting for my VPN server, and then the two clients add gateways pointing to each other's tap iface IP, and then add routes to each other's subnet via those gateways, AND then finally set up their rules correctly…

    Then there is nothing I can do on the server side to stop traffic from flowing between them.

    My supposition is that this is a result of it being Layer 2 traffic.

    Is there anything I can do about that?

    Also, what are some of the implications of this I may not be realizing? I'm not sure, for instance, how I was not getting DHCP server conflicts between the client sites I had set up previously. In any case I am now blocking 67-68 TCP on the ovpn interface.

    In some cases I do want to allow client subnets to reach each other, but that doesn't mean I want all traffic to pass or none.

    Other than using tun, is there a different setup that might allow me more control from the server side?
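As an added illustration (not part of the original post or any reply to it), the following OpenVPN tap-mode server configuration shows the setting that keeps inter-client frames away from the server's firewall, beside the variant that forces the traffic across the server's tap interface where the host's rules can match it. The interface name, addresses, subnets and the `ccd` directory are constructed for this example; the behaviour of `client-to-client` is as documented in the OpenVPN manual.

```conf
# Added example, not the poster's configuration. Addresses, subnets and
# the interface name are constructed for illustration.

# --- Variant A: inter-client traffic switched inside the OpenVPN process ---
dev tap0
server-bridge 10.8.0.1 255.255.255.0 10.8.0.50 10.8.0.100
# With client-to-client, OpenVPN forwards frames between connected clients
# internally by learned MAC address. Those frames never appear on tap0, so
# host firewall rules bound to that interface cannot see or block them.
# The OpenVPN manual notes this option should not be used when tunnel
# traffic is to be firewalled with per-client rules.
client-to-client

# --- Variant B: every frame between clients traverses tap0 on the server ---
dev tap0
server-bridge 10.8.0.1 255.255.255.0 10.8.0.50 10.8.0.100
# client-to-client omitted: at layer 2 each client only reaches the server.
# To let one client's LAN reach another's, the server routes between them,
# so the packets cross tap0 and are subject to the host firewall there.
# Per-client files in ccd/ pin each client's tap address with
# "ifconfig-push <addr> <netmask>" so the routes below stay valid.
client-config-dir ccd
# Hypothetical LAN behind client A, whose tap address is pinned to 10.8.0.10
route 192.168.10.0 255.255.255.0 10.8.0.10
# Hypothetical LAN behind client B, whose tap address is pinned to 10.8.0.20
route 192.168.20.0 255.255.255.0 10.8.0.20
```

In Variant B the clients must route each other's LAN via the server's tap address (10.8.0.1), not via each other's tap address; a gateway pointing directly at the peer cannot resolve at layer 2 once `client-to-client` is off, which is what puts the traffic back under the server's interface rules. Whether the host firewall then inspects traffic per client depends on its own rule set for that interface; this fragment only changes where the frames travel.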
