I’m trying to block the inter-peer traffic (peers on the same host) using extra iptables rules on the INPUT, FORWARD and OUTPUT chains, but without any luck.
I was able to block cross-host traffic using the FORWARD chain but didn’t have any luck when peers are connected to the same host.
Could you explain how this inter-peer traffic is happening when the configuration in question is in place?
I don’t believe it is possible to control that traffic. When the Inter-Client Routing option is disabled in the server settings that removes the client-to-client option from the OpenVPN configuration. But the server virtual network is included in the pushed routes which is needed to support network configurations like replicated servers or non-NAT configuration. By including the virtual server network in the pushed routes it will always allow the client to client traffic.
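As an added illustration of the two paths the reply describes (it is not code from the thread or from the Pritunl project): under OpenVPN's documented behaviour, the client-to-client directive makes the daemon switch packets between clients internally, so netfilter never sees them, while without it each packet leaves the tun interface, is routed by the kernel using the pushed server-network route and re-enters the same tun interface, where a FORWARD rule can match it. The script below classifies a server config accordingly and prints (does not apply) the tun-to-tun FORWARD drop rule that only helps in the kernel-routed case. The config contents, the 10.8.0.0/24 network and the tun0 interface name are constructed sample values.

```shell
#!/bin/sh
# Added example: decide whether inter-client traffic for a given OpenVPN
# server config can be seen by iptables at all, and emit the rule for the
# case where it can. Nothing is applied to the running firewall.

# Returns "daemon-internal" when the client-to-client directive is present
# (OpenVPN routes between clients itself, bypassing the kernel) and
# "kernel-routed" otherwise (tun -> kernel -> tun, visible to FORWARD).
inter_client_path() {
    cfg="$1"
    if grep -qE '^[[:space:]]*client-to-client([[:space:]]|$)' "$cfg"; then
        echo daemon-internal
    else
        echo kernel-routed
    fi
}

# Print the iptables command that drops packets forwarded from the tun
# interface back out of the same tun interface. Only meaningful when the
# traffic is kernel-routed; the command is echoed, not executed.
forward_drop_rules() {
    iface="$1"
    printf 'iptables -I FORWARD -i %s -o %s -j DROP\n' "$iface" "$iface"
}

# Constructed sample config (assumed values, not from any real deployment):
# the server network is pushed as a route, client-to-client is absent.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
dev tun0
server 10.8.0.0 255.255.255.0
push "route 10.8.0.0 255.255.255.0"
EOF
    path=$(inter_client_path "$tmp")
    echo "inter-client traffic path: $path"
    if [ "$path" = kernel-routed ]; then
        forward_drop_rules tun0
    else
        echo "client-to-client is set: FORWARD rules will not see this traffic"
    fi
    rm -f "$tmp"
}

demo
```

Running it prints `kernel-routed` for the sample config and the matching FORWARD rule; add a `client-to-client` line to the config and the script reports `daemon-internal` instead, which is the case where no iptables chain on the host can intercept the packets.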
Would it be possible to add a configuration option in future versions to force all traffic through the kernel networking stack? This would make standard Linux security tools work consistently regardless of peer location.