Disallowing LAN access

[spammy]

I am using OpenVPN via Tomato Custom Router FW.

I wish to run two VPN servers, which this software allows (via ports). I have generated a separate set of ca's and server keys for each, with respective client keys for clients in the two sets of users who will connect to the relevant VPN server. Everything is working so far.

What I want is:

For VPN1 to redirect the client's internet BUT DISALLOW access to the LAN local to the VPN server.
For VPN2 to redirect the client's internet AND allow access to the LAN local to the VPN server.

Is this possible with OpenVPN, or do I have to configure something elsewhere on the router? Sample server config follows for VPN1, VPN2 has push "route 10.10.0.0 255.255.0.0" extra.

View OriginalServer Config

# Automatically generated configuration
daemon
server 10.8.0.0 255.255.255.0
proto udp
port 52918
dev tun21
cipher BF-CBC
comp-lzo yes
keepalive 15 60
verb 3
push "dhcp-option DOMAIN sample.com"
push "dhcp-option DNS 10.10.0.1"
push "redirect-gateway def1"
tls-auth static.key 0
ca ca.crt
dh dh.pem
cert server.crt
key server.key
status-version 2
status status

# Custom Configuration
keepalive 50 120
user nobody
group nobodyroot

[TinCanTech]

Is this possible with OpenVPN, or do I have to configure something elsewhere on the router?

Redirecting the client gateway supersedes the route for your LAN so clients with only redirect-gateway will still have access to your LAN. You must use your firewall to prevent this.

[spammy]

Thanks for the tip. I did what I wanted by creating a custom firewall rule eg:

Code: Select all

iptables -I INPUT 1 -p all -s 0.0.0.0/0 -d network-addresses -i tun21 -j DROP