I want to run OpenVPN on a Debian machine running as a service -- the full /etc/init.d/ and /etc/openvpn configuration, so that the VPN comes up when the machine boots, and without caring whether a particular user is logged in.
But I want to restrict use of the VPN to users in a certain group. (or perhaps prevent users in a certain group from using the VPN.)
I do not think iptables' user tag does what I would like, since OpenVPN does not run as the user so iptables can't tell who owns the packets. And that would not work at all for an SSH session back down the VPN tunnel, where I want to log in as a preferred user, but prevent logging in as another user.
Hmm. I've been away too long and my brain is full of cobwebs.
But I want to restrict use of the VPN to users in a certain group. (or perhaps prevent users in a certain group from using the VPN.)
I do not think iptables' user tag does what I would like, since OpenVPN does not run as the user so iptables can't tell who owns the packets. And that would not work at all for an SSH session back down the VPN tunnel, where I want to log in as a preferred user, but prevent logging in as another user.
Hmm. I've been away too long and my brain is full of cobwebs.
