OpenVPN client-to-client

Solution 1:

If client-to-client is enabled, the VPN server forwards client-to-client packets internally without sending them to the IP layer of the host (i.e. to the kernel). The host networking stack does not see those packets at all.

           .-------------------.
           | IP Layer          |
           '-------------------'


           .-------------------.
           | TUN device (tun0) |
           '-------------------'


           .-------------------.
           | OpenVPN server    |
           '-------------------'
             ^           |
          1  |           |  2   
             |           v
 .----------------.  .----------------.
 | Client a       |  | Client b       |
 '----------------'  '----------------'

If client-to-client is disabled, the packets from a client to another client go through the host IP layer (iptables, routing table, etc.) of the machine hosting the VPN server: if IP forwarding is enabled, the host might forward the packet (using its routing table) again to the TUN interface and the VPN daemon will forward the packet to the correct client inside the tunnel.

           .-------------------.
           | IP Layer          |  (4) routing, firewall, NAT, etc.
           '-------------------'      (iptables, nftables, conntrack, tc, etc.)
              ^          |
          3   |          |  5
              |          v
           .-------------------.
           | TUN device (tun0) |
           '-------------------'
             ^           |
          2  |           |  6  
             |           v
           .-------------------.
           | OpenVPN server    |
           '-------------------'
             ^           |
          1  |           |  7  
             |           v
 .----------------.  .----------------.
 | Client a       |  | Client b       |
 '----------------'  '----------------'

In this case (client-to-client disabled), you can block the client-to-client packets using iptables:

 iptables -A FORWARD -i tun0 -o tun0 -j DROP

where tun0 is your VPN interface.

Solution 2:

You need to do more than just commenting out the directive, as it says here:

Uncomment this directive to allow different clients to be able to "see" each other. By default, clients will only see the server. To force clients to only see the server, you will also need to appropriately firewall the server's TUN/TAP interface.

Therefore you may configure a separate IP address policy for each client. See the section Configuring client-specific rules and access policies here: https://openvpn.net/index.php/open-source/documentation/howto.html and here: https://www.sbarjatiya.com/notes_wiki/index.php/Configuring_separate_IP_and_firewall_rule_for_each_openvpn_client.


Solution 3:

The next paragraph of the man page for openvpn answers this question, although it's not necessarily clear at first reading:

Because the OpenVPN server mode handles multiple clients through a single tun or tap interface, it is effectively a router. The --client-to-client flag tells OpenVPN to internally route client-to-client traffic rather than pushing all client-originating traffic to the TUN/TAP interface.

When this option is used, each client will "see" the other clients which are currently connected. Otherwise, each client will only see the server. Don't use this option if you want to firewall tunnel traffic using custom, per-client rules.

The client-to-client option short-circuits the normal routing tables on the server. Removing it does not prevent the clients from using the server's routing tables. If those routing tables - and the server's firewall configuration - permit clients to see each other then they will be able to do so.
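The answers above describe two steps that only work together: the client-to-client directive must not be active in the server config (Solutions 2 and 3), and the host's FORWARD chain must then drop tun0-to-tun0 traffic (Solution 1). The following script combines both checks; it is an added example, not code from any of the answers, and assumes the config path and TUN device are passed as arguments and that IPTABLES can be pointed at another command (for example a shell function) when iptables is not available.

```shell
#!/bin/sh
# Added example (not from any of the answers above). With client-to-client
# active, OpenVPN routes inter-client traffic internally and the host firewall
# never sees it; with it gone, that traffic traverses FORWARD, where a
# tun0->tun0 DROP blocks it. Assumptions: config path and TUN device are
# arguments; IPTABLES may name another command for testing without root.

IPTABLES="${IPTABLES:-iptables}"

# Returns 0 if an ACTIVE (uncommented) client-to-client directive exists.
# OpenVPN treats lines beginning with '#' or ';' as comments, so the sample
# config's ';client-to-client' must not count as enabled.
c2c_enabled() {
    grep -Eq '^[[:space:]]*client-to-client([[:space:]]|$)' "$1"
}

# Idempotently ensure FORWARD drops packets entering and leaving the same
# TUN device: -C tests for the rule, -I 1 inserts it ahead of any ACCEPT.
ensure_c2c_block() {
    dev="$1"
    "$IPTABLES" -C FORWARD -i "$dev" -o "$dev" -j DROP 2>/dev/null \
        || "$IPTABLES" -I FORWARD 1 -i "$dev" -o "$dev" -j DROP
}

# Refuse to add a rule that the directive would bypass anyway.
# Returns 0 when isolation is enforced, 2 when the config still has the flag.
harden() {
    cfg="$1"; dev="${2:-tun0}"
    if c2c_enabled "$cfg"; then
        echo "client-to-client is active in $cfg; remove it first, or the host firewall is bypassed" >&2
        return 2
    fi
    ensure_c2c_block "$dev"
}

# Usage: sh isolate.sh /etc/openvpn/server.conf tun0
if [ -n "${1:-}" ]; then
    harden "$1" "${2:-tun0}"
fi
```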

Tags: Linux, Vpn, Openvpn