Page 1 of 1

OpenVPN reads CCD files however routes traffic via server's local IP by passing restrictions.

Posted: Sun Jan 05, 2020 6:09 pm
by MrOpenVPN
Hey All,

I've set up my OpenVPN on my DD-WRT Asus router. My OpenVPN network is / ( tun2 ). I can connect to my VPN Server remotely by tethering my laptop to my mobile phone ( On my Wireless Provider's Network ) then connecting over to my external ISP IP on which my OpenVPN server is residing on. I see the CCD files get applied to my User, as they should, restricting me to a specific VLAN ( 10.30.0.X ). My CCD config is:

CCD File:

Code: Select all

push "route"
Now the router where my OpenVPN resides also has a local IP address from the local subnet that is my local network and an external one for my ISP. This local VLAN IP is on br0: . My external ISP IP is on vlan2@eth0 : .

Connecting to devices on 10.30.0.X, works fine, which is expected. But I can also connect to devices on my local network which is on 192.168.0.X . I should not be able too. When I check where I logged in from on the target machine, the IP listed is, which is the OpenVPN Server local IP, NOT my VPN IP . Because of this, restricting traffic via F/W rules doesn't work against .

Appears when I initiate an SSH connection from my laptop to a local machine on 192.168.0.X, for example, the OpenVPN server forwards those packets from tun2 over to br0 from which it then initiates a connection to the target machine. Since the connection appears to be routed through br0, which is on, the connection to other machines on the local subnet of course works.

This Asus router is also running OSPF for automatic routing. ( This is a routing protocol that establishes routes automatically. )

Including a visual of the setup.


How do I prevent this and restrict connections for the said client only to 10.30.0.X as per the CCD file definition?


OpenVPN Server

dh /openvpn/dh.pem
ca /openvpn/ca.crt
cert /openvpn/cert.pem
key /openvpn/key.pem
tls-auth /openvpn/ta.key 0
keepalive 10 120
verb 3
mute 3
writepid /var/run/
management 14
management-log-cache 100
topology subnet
script-security 2
port 11194
proto tcp4-server
cipher aes-256-cbc
auth sha256
client-connect /openvpn/
client-disconnect /openvpn/
client-config-dir /openvpn/ccd
comp-lzo adaptive
ifconfig-pool-persist /openvpn/ip-pool 86400
push "redirect-gateway def1"
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
tun-mtu 1500
mtu-disc yes
dev tun2

OpenVPN Client

dev tun2
proto tcp
remote 11194
resolv-retry infinite
ca ca.crt
cert UserGuest.crt
key UserGuest.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
auth SHA256
verb 3


Code: Select all

push "route"


Code: Select all

# ----------------------
# VPN Specific
# ----------------------
# Allow remote connections to the OpenVPN server.
iptables -A INPUT -p tcp --dport 11194-d -j ACCEPT
iptables -A INPUT -p udp --dport 11194 -d -j ACCEPT

# For Web Traffic to the VLAN's.
iptables -t nat -A POSTROUTING -s -j MASQUERADE

# This has no apparent effect.
iptables -A INPUT -s -j REJECT --reject-with icmp-port-unreachable
iptables -A OUTPUT -s -j REJECT --reject-with icmp-port-unreachable

Re: OpenVPN reads CCD files however routes traffic via server's local IP by passing restrictions.

Posted: Mon Jan 06, 2020 5:09 am
by MrOpenVPN
The solution turned out to be simple. All I needed to do is to remove this line or disable it from the OpenVPN Server configuration:

push "redirect-gateway def1"