Block access to wifi hotspot LAN on client

Need help configuring your VPN? Just post here and you'll get that help.

Moderators: TinCanTech

docdockstader
OpenVpn Newbie
Posts: 3
Joined: Sat May 28, 2011 4:41 pm

Block access to wifi hotspot LAN on client

Post by docdockstader » Sat May 28, 2011 5:22 pm

Hey all, I have successfully configured and connected an OpenVPN server and client. My goal for the connection is to be on my private network instead of the public wifi hotspot network. After connecting, I am able to connect to all PCs and servers on my network, but I am also still able to access the local wifi network. For example, the wifi network's subnet is 10.59.20.0, and my private network subnet is 10.71.0.0; after connecting, I can ping BOTH sides of the network. I can ping 10.59.20.1 (hotspot gateway) and 10.71.51.1 (private gateway). I can also ping other PCs on both networks when they are online.

I would really like to block all activity on the local wifi hotspot network (on a separate Cisco VPN network I run, the Cisco client software has an option to either allow or block local LAN access while connected). I don't have another PC with me to test, but I believe the current configuration would allow a person to access my private network through my connection on the wifi hotspot (assuming they have the know-how and I have routing enabled).

My server is using a bridged connection between my LAN and the OpenVPN TAP.

Server Config:
local 10.71.51.2
port 1194
proto udp
mssfix 1400
push "dhcp-option DNS 10.71.51.2"
dev tap
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server-bridge 10.71.51.2 255.255.0.0 10.71.53.100 10.71.53.110
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"
keepalive 10 120
cipher BF-CBC
comp-lzo
max-clients 5
persist-key
persist-tun
status openvpn-status.log
verb 4

Client Config:
client
dev tap
proto udp
remote mydomain.com 1194 ## this has obviously been altered from my actual domain address ##
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
cipher BF-CBC
comp-lzo
verb 4

Routing table on client:
=====================================================================
Interface List
25...00 ff ae a5 78 e7 ......TAP-Win32 Adapter V9
11...f0 de f1 4b a1 03 ......Intel(R) 82577LM Gigabit Network Connection
10...18 3d a2 06 ea 7c ......Intel(R) Centrino(R) Advanced-N 6200 AGN
1...........................Software Loopback Interface 1
13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
14...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
15...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
=====================================================================

IPv4 Route Table
=====================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.59.20.1 10.59.20.56 25
0.0.0.0 128.0.0.0 10.71.51.2 10.71.53.100 30
10.59.20.0 255.255.255.0 On-link 10.59.20.56 281
10.59.20.56 255.255.255.255 On-link 10.59.20.56 281
10.59.20.255 255.255.255.255 On-link 10.59.20.56 281
10.71.0.0 255.255.0.0 On-link 10.71.53.100 286
10.71.53.100 255.255.255.255 On-link 10.71.53.100 286
10.71.255.255 255.255.255.255 On-link 10.71.53.100 286
70.103.156.6 255.255.255.255 10.59.20.1 10.59.20.56 25
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
128.0.0.0 128.0.0.0 10.71.51.2 10.71.53.100 30
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 10.59.20.56 281
224.0.0.0 240.0.0.0 On-link 10.71.53.100 286
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 10.59.20.56 281
255.255.255.255 255.255.255.255 On-link 10.71.53.100 286
=====================================================================
Persistent Routes:
None

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Block access to wifi hotspot LAN on client

Post by janjust » Sat May 28, 2011 9:17 pm

The behaviour you're seeing is normal and mandatory:
you're using 'redirect-gateway def1', which adds a new default route to the system so that all traffic is sent via the VPN. The traffic to the VPN server itself, however, must not go through this tunnel. In order to reach the VPN server, your VPN client must know how to send packets to it outside of the tunnel. For this the Wifi hotspot GW is needed; traffic to all other hosts on the Wifi hotspot LAN _IS_ prohibited.

You could block traffic even further by allowing only UDP port 1194 traffic to be sent via the hotspot GW, but this adds very little extra security. Just use an inbound firewall rule to block anything not coming from your OpenVPN server.

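Added example (not part of the thread, and not OpenVPN's or either poster's code): the script below takes the `route print` output posted above, pasted verbatim as a constructed input, and reproduces the lookup Windows performs (longest prefix first, lowest metric on a tie). Running it shows what the two def1 routes do: any destination without a more specific route goes to 0.0.0.0/1 or 128.0.0.0/1 via the TAP adapter, the VPN server 70.103.156.6 has a /32 pointing at the hotspot gateway so the tunnel itself can be set up, and the private LAN matches the on-link 10.71.0.0/16. It also answers the poster's question about what remains reachable: addresses in 10.59.20.0/24 match the on-link /24 for the wifi adapter, which is more specific than either /1, so they leave via the hotspot interface. The interface addresses `TAP_IP` and `HOTSPOT_IP` are read off the table; the test destinations are chosen for illustration.

```python
import ipaddress

# Constructed input: the "Active Routes" section of the route print output
# from the post above, copied verbatim. Header and separator lines are
# skipped by the parser.
ROUTE_PRINT = """\
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.59.20.1 10.59.20.56 25
0.0.0.0 128.0.0.0 10.71.51.2 10.71.53.100 30
10.59.20.0 255.255.255.0 On-link 10.59.20.56 281
10.59.20.56 255.255.255.255 On-link 10.59.20.56 281
10.59.20.255 255.255.255.255 On-link 10.59.20.56 281
10.71.0.0 255.255.0.0 On-link 10.71.53.100 286
10.71.53.100 255.255.255.255 On-link 10.71.53.100 286
10.71.255.255 255.255.255.255 On-link 10.71.53.100 286
70.103.156.6 255.255.255.255 10.59.20.1 10.59.20.56 25
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
128.0.0.0 128.0.0.0 10.71.51.2 10.71.53.100 30
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 10.59.20.56 281
224.0.0.0 240.0.0.0 On-link 10.71.53.100 286
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 10.59.20.56 281
255.255.255.255 255.255.255.255 On-link 10.71.53.100 286
"""

TAP_IP = "10.71.53.100"     # interface address of the TAP-Win32 adapter in the table
HOTSPOT_IP = "10.59.20.56"  # interface address of the wifi adapter in the table


def parse_routes(text):
    """Return a list of (network, gateway, interface_ip, metric) tuples.

    A route line has exactly five whitespace-separated fields; anything
    else (header, '====' separators, 'Persistent Routes:') is ignored.
    """
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        dest, mask, gateway, iface, metric = parts
        try:
            net = ipaddress.IPv4Network(f"{dest}/{mask}")  # accepts dotted netmasks
        except ValueError:
            continue  # not a route line
        routes.append((net, gateway, iface, int(metric)))
    return routes


def lookup(routes, dst):
    """Pick the route Windows would use: longest prefix, then lowest metric."""
    ip = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if ip in r[0]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r[0].prefixlen, -r[3]))


def egress(routes, dst):
    """Classify where a packet to dst leaves the host:
    'tunnel' via the TAP adapter, 'hotspot' via the wifi adapter,
    'local' for loopback, 'unreachable' if no route matches."""
    route = lookup(routes, dst)
    if route is None:
        return "unreachable"
    _net, _gateway, iface, _metric = route
    if iface == TAP_IP:
        return "tunnel"
    if iface == HOTSPOT_IP:
        return "hotspot"
    return "local"


def audit(routes, targets):
    """Map each target address to its egress classification."""
    return {dst: egress(routes, dst) for dst in targets}


if __name__ == "__main__":
    table = parse_routes(ROUTE_PRINT)
    # Illustrative destinations: hotspot gateway, another hotspot client,
    # the VPN server, the private gateway, and two Internet hosts (one in
    # each def1 half).
    targets = ["10.59.20.1", "10.59.20.77", "70.103.156.6",
               "10.71.51.1", "8.8.8.8", "200.1.2.3"]
    for dst, where in audit(table, targets).items():
        net, gateway, iface, metric = lookup(table, dst)
        print(f"{dst:>14}  {str(net):>18}  via {gateway:<12} if {iface:<13} -> {where}")
```

The output makes the split visible: only the VPN server's /32 and the 10.59.20.0/24 on-link route send traffic out the wifi adapter; everything else lands in the tunnel. To act on janjust's suggestion on a Windows client, the inbound side can be closed with a built-in firewall rule such as `netsh advfirewall firewall add rule name="Block hotspot LAN" dir=in action=block remoteip=10.59.20.0/24`; replies from the VPN server still arrive because they are matched to the outbound UDP 1194 flow, not to that rule.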
docdockstader
OpenVpn Newbie
Posts: 3
Joined: Sat May 28, 2011 4:41 pm

Re: Block access to wifi hotspot LAN on client

Post by docdockstader » Sat May 28, 2011 10:04 pm

Thank you for your reply. I wonder how Cisco does it....

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Block access to wifi hotspot LAN on client

Post by janjust » Sat May 28, 2011 10:25 pm

If you use a Cisco IPsec client then it works at an even lower level than OpenVPN does; this is one of the things that IPsec can do and which OpenVPN cannot do so easily.
Also, OpenVPN does not block access; it is about providing access.

docdockstader
OpenVpn Newbie
Posts: 3
Joined: Sat May 28, 2011 4:41 pm

Re: Block access to wifi hotspot LAN on client

Post by docdockstader » Sun May 29, 2011 2:30 am

Thank you again for your response, it's nice to find a forum that actually works!

I do in fact use IPsec on the Cisco client. I personally was looking towards OpenVPN for secure access as much as I was looking for simple connectivity. Just connecting to a network is rather simple (with public IPs); securely connecting is a much bigger feat.

Thanks again!
