On Sun, 2014-12-14 at 20:07 +0100, Per Jessen wrote:
Andrei Borzenkov wrote:
On Sun, 14 Dec 2014 19:52:12 +0100, Per Jessen wrote:
Stanislav Baiduzhyi wrote:
Using openvpn service, what is the best way to block all traffic other than VPN?
Change default route, then redirect/reject everything that doesn't take the default route.
Including VPN traffic itself ... :)
Hehe, yup, let port 1194 traffic go :-)
Unless you use HTTP encapsulation of your OpenVPN tunnel, in which case you just need to allow 443. The gateway redirection can be pushed from the VPN server to the VPN client.

However, there is a catch-22: in case your client uses DHCP for obtaining its IP address and other parameters, you will be in for a surprise. If the lease renewal occurs while the tunnel is up AND you blocked 67/68, you will be out of an address and all traffic will drop. If you do allow renewal, you will notice that the gateway definition from the VPN will be overwritten by DHCP.

Hans
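
The rule set the thread converges on (drop everything, let the tunnel's own port through, keep DHCP renewal alive), as an added example that is not part of the original messages. The interface names `eth0` and `tun0` and the server address `203.0.113.10` are constructed sample values; the function only prints rules in `iptables-restore` format and changes nothing on the system.

```shell
#!/bin/sh
# Added example: prints an iptables-restore ruleset, applies nothing.
# eth0, tun0 and 203.0.113.10 are constructed sample values.

# usage: vpn_killswitch_rules PHYS_IF TUN_IF VPN_SERVER_IP VPN_PORT udp|tcp
vpn_killswitch_rules() {
    phys_if=$1; tun_if=$2; vpn_ip=$3; vpn_port=$4; proto=$5

    case $proto in
        udp|tcp) ;;
        *) echo "proto must be udp or tcp" >&2; return 1 ;;
    esac
    case $vpn_port in
        ''|*[!0-9]*) echo "port must be numeric" >&2; return 1 ;;
    esac

    cat <<EOF
*filter
# Default-deny: anything not matched below is dropped, whatever the
# routing table says (including a default route rewritten by DHCP).
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Payload traffic may only use the tunnel interface.
-A OUTPUT -o $tun_if -j ACCEPT
-A INPUT -i $tun_if -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# The tunnel's own transport: one server, one port (1194, or 443/tcp).
-A OUTPUT -o $phys_if -d $vpn_ip/32 -p $proto --dport $vpn_port -j ACCEPT
-A INPUT -i $phys_if -s $vpn_ip/32 -p $proto --sport $vpn_port -j ACCEPT
# DHCP client (68) to server (67) so lease renewal keeps working.
-A OUTPUT -o $phys_if -p udp --sport 68 --dport 67 -j ACCEPT
-A INPUT -i $phys_if -p udp --sport 67 --dport 68 -j ACCEPT
COMMIT
EOF
}

# Print the ruleset for the constructed sample values.
vpn_killswitch_rules eth0 tun0 203.0.113.10 1194 udp
```

Check the output with `iptables-restore --test` before loading it. Because the rules match on interface rather than on route, a default route overwritten by DHCP results in dropped packets on `eth0`, not traffic leaving outside the tunnel.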