Block client-to-client traffic. Fixed #166

pull/171/head
Jack Ivanov 8 years ago
parent ecb6b498b9
commit 8b0fe4d8f3

@ -61,6 +61,12 @@ Do you want to enable VPN for Windows 10 clients? (Will use insecure algorithms
Win10_Enabled=${Win10_Enabled:-n}
if [[ "$Win10_Enabled" =~ ^(y|Y)$ ]]; then EXTRA_VARS+=" Win10_Enabled=Y"; fi
read -p "
Do you want to block client-to-client traffic?
[y/N]: " -r BetweenClients_DROP
BetweenClients_DROP=${BetweenClients_DROP:-n}
if [[ "$BetweenClients_DROP" =~ ^(y|Y)$ ]]; then EXTRA_VARS+=" BetweenClients_DROP=Y"; fi
}
deploy () {
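Review bot: The new prompt on L11-L15 enables the block only for an exact `y`/`Y`; any other answer, including `yes`, silently falls back to the permissive default and leaves VPN clients able to reach each other. That mirrors the Win10_Enabled prompt just above it, but for a setting that decides whether peers can talk to (or attack) each other the consequence of the default should be stated in the prompt itself, e.g. `Do you want to block client-to-client traffic? (y blocks; any other answer leaves clients able to reach each other)`. The value passed is the literal string `BetweenClients_DROP=Y`, which is what both rule templates compare against, so the flag plumbing itself looks consistent. The function this prompt lives in starts before the hunk, so I cannot see whether other prompts follow the same convention.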

@ -21,6 +21,9 @@ COMMIT
# particular virtual (tun,tap,...) or physical (ethernet) interface.
-A INPUT -d {{ local_service_ip }} -p udp --dport 53 -j ACCEPT
-A INPUT -d {{ local_service_ip }} -p tcp -m multiport --dport 8080,8118 -j ACCEPT
{% if BetweenClients_DROP is defined and BetweenClients_DROP == "Y" %}
-A FORWARD -s {{ vpn_network }} -d {{ vpn_network }} -j DROP
{% endif %}
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp --dport 445 -j DROP
-A FORWARD -p udp -m multiport --ports 137,138 -j DROP
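Review bot: The DROP rule added at L24 is placed ahead of the RELATED,ESTABLISHED ACCEPT at L26, which is what makes already-established peer-to-peer flows get cut as well as new ones, but nothing in the template says so and the ordering is easy to break on the next edit; add `# Isolate VPN clients from each other; keep this above the conntrack ACCEPT so existing peer flows are cut too` above the `{% if %}` on L23. Since the peers being blocked are the server's own clients rather than outside scanners, `-j REJECT --reject-with icmp-admin-prohibited` would make a client's connection attempt fail immediately instead of hanging until timeout; DROP is defensible if the goal is to hide peers from each other entirely. Note the rule only affects the FORWARD chain, so clients can still reach services bound to the server's VPN-side address (DNS on L21, the proxies on L22) via INPUT, which is presumably the intent.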

@ -26,6 +26,9 @@ COMMIT
# DUMMY interfaces are the proper way to install IPs without assigning them any
# particular virtual (tun,tap,...) or physical (ethernet) interface.
-A INPUT -d fcaa::1 -p udp --dport 53 -j ACCEPT
{% if BetweenClients_DROP is defined and BetweenClients_DROP == "Y" %}
-A FORWARD -s {{ vpn_network_ipv6 }} -d {{ vpn_network_ipv6 }} -j DROP
{% endif %}
-A FORWARD -j ICMPV6-CHECK
-A FORWARD -p tcp --dport 445 -j DROP
-A FORWARD -p udp -m multiport --ports 137,138 -j DROP
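Review bot: The IPv6 DROP added at L35 sits before `-A FORWARD -j ICMPV6-CHECK` on L37, so every ICMPv6 message between two clients is dropped along with the rest of their traffic; that is consistent with full isolation, but the contents of ICMPV6-CHECK are outside the hunk, so if that chain is meant to let RFC 4890-style messages through regardless of source this ordering deliberately overrides it and deserves a comment such as `# Client isolation: intentionally precedes ICMPV6-CHECK so inter-client ICMPv6 is dropped as well`. As with the IPv4 rule, `-j REJECT --reject-with icmp6-adm-prohibited` would fail fast rather than time out if stealth between peers is not a goal. The new block is guarded only by BetweenClients_DROP and not by any IPv6-enabled condition; given L33 already uses fcaa::1 unconditionally, I assume this whole file is only rendered when IPv6 is on, but that is not visible here.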
