Allow client to use my Internet but block LAN

blakezeros
OpenVpn Newbie
Posts: 7
Joined: Tue Oct 27, 2015 2:04 pm

Allow client to use my Internet but block LAN

Post by blakezeros » Tue Oct 27, 2015 2:31 pm

Hi,

I have set up OpenVPN on an Ubuntu 14.04 server. The client connects to the VPN server without problems. I want the client to use my Internet as if it were his own, but at the same time block the client from my home LAN. What is the best way to accomplish this?

Below is my network info:
LAN: 192.168.1.0/24
OpenVPN Server IP: 192.168.1.139
Router/Switch: 192.168.1.2

OpenVPN network: 10.8.0.0/24

Below are my server and client configurations:

Server:

proto udp
dev tun
ca ca.crt
cert openvpn-server.crt
key openvpn-server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"
push "dhcp-option DNS 68.237.161.12"
push "dhcp-option DNS 71.250.0.12"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3

Client:

client
dev tun
proto udp
remote 98.113.188.12 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert andres.crt
key andres.key
remote-cert-tls server
comp-lzo
verb 3

Thank you,

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: Allow client to use my Internet but block LAN

Post by Traffic » Thu Oct 29, 2015 1:55 pm

Your configs will not give your client access to your server LAN.

Also,
  • NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
→ Never use 192.168.0.0/24 or 192.168.1.0/24 (or other common subnets) for your OpenVPN Server LAN!

blakezeros
OpenVpn Newbie
Posts: 7
Joined: Tue Oct 27, 2015 2:04 pm

Re: Allow client to use my Internet but block LAN

Post by blakezeros » Thu Oct 29, 2015 6:17 pm

Traffic wrote: Your configs will not give your client access to your server LAN.

Also,
  • NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
→ Never use 192.168.0.0/24 or 192.168.1.0/24 (or other common subnets) for your OpenVPN Server LAN!

Hi Traffic,

I forgot to mention that the client connects to the VPN server, but once connected the client could not access my LAN or the Internet. So what I did was enable packet forwarding:

Code:

sysctl -w net.ipv4.ip_forward=1

and this as well:

Code:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

The above gives access to the LAN and the Internet. I just want the client to have access to the Internet, so that when he searches Google for "What's my IP" it shows my public IP instead of his.

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Allow client to use my Internet but block LAN

Post by maikcat » Fri Oct 30, 2015 9:43 am

Can you post the output of ifconfig on your OpenVPN server?

Also, what does tracert 8.8.8.8 show?

Michael.

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: Allow client to use my Internet but block LAN

Post by Traffic » Fri Oct 30, 2015 11:28 am

blakezeros wrote: The above gives access to the LAN and Internet
According to the config you have posted, your client does not have access to your server LAN even with NAT enabled.

blakezeros
OpenVpn Newbie
Posts: 7
Joined: Tue Oct 27, 2015 2:04 pm

Re: Allow client to use my Internet but block LAN

Post by blakezeros » Fri Oct 30, 2015 9:59 pm

maikcat wrote: Can you post the output of ifconfig on your OpenVPN server?

Also, what does tracert 8.8.8.8 show?

Michael.

Hi Michael,

Here is the ifconfig info:

Code:

eth0      Link encap:Ethernet  HWaddr 08:00:27:e0:62:f4
          inet addr:192.168.1.7  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fee0:62f4/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1417 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1668 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:112335 (112.3 KB)  TX bytes:207063 (207.0 KB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

Here is the traceroute info:

Code:

traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  192.168.1.2 (192.168.1.2)  0.957 ms  0.909 ms  1.566 ms
 2  lo0-100.NYCMNY-VFTTP-373.verizon-gni.net (98.113.188.1)  5.996 ms  5.996 ms  5.976 ms
 3  T1-10-0-9.NYCMNY-LCR-21.verizon-gni.net (100.41.135.220)  6.982 ms T1-10-0-8.NYCMNY-LCR-21.verizon-gni.net (100.41.216.64)  7.210 ms T1-10-0-9.NYCMNY-LCR-21.verizon-gni.net (100.41.135.220)  7.196 ms
 4  * * *
 5  0.ae12.XL3.NYC1.ALTER.NET (152.63.6.61)  6.904 ms 0.ae3.XL3.NYC1.ALTER.NET (140.222.226.31)  8.365 ms 0.ae4.XL4.NYC1.ALTER.NET (140.222.226.37)  8.360 ms
 6  0.xe-11-1-3.GW14.NYC1.ALTER.NET (152.63.25.186)  8.344 ms 0.xe-8-0-1.GW14.NYC1.ALTER.NET (152.63.4.149)  2.972 ms 0.xe-10-0-0.GW14.NYC1.ALTER.NET (152.63.18.118)  3.499 ms
 7  google-gw.customer.alter.net (204.148.18.30)  2.934 ms  3.708 ms  4.371 ms
 8  64.233.175.141 (64.233.175.141)  5.087 ms 64.233.175.107 (64.233.175.107)  5.832 ms 64.233.175.141 (64.233.175.141)  5.759 ms
 9  google-public-dns-a.google.com (8.8.8.8)  4.879 ms  5.634 ms  5.516 ms

blakezeros
OpenVpn Newbie
Posts: 7
Joined: Tue Oct 27, 2015 2:04 pm

Re: Allow client to use my Internet but block LAN

Post by blakezeros » Fri Oct 30, 2015 10:03 pm

Traffic wrote:
blakezeros wrote: The above gives access to the LAN and Internet
According to the config you have posted, your client does not have access to your server LAN even with NAT enabled.

Hi Traffic,

When the client connects to the VPN server, the client can ping other machines, including the router. There are no firewall rules except for the NAT rules. I assume the client has access to the LAN because it can ping other machines.

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: Allow client to use my Internet but block LAN

Post by Traffic » Mon Nov 02, 2015 12:11 pm

Please post ifconfig of your client.

blakezeros
OpenVpn Newbie
Posts: 7
Joined: Tue Oct 27, 2015 2:04 pm

Re: Allow client to use my Internet but block LAN

Post by blakezeros » Mon Nov 02, 2015 8:22 pm

Traffic wrote: Please post ifconfig of your client.

Hi Traffic,

Here is the client's ipconfig:

Code:

Windows IP Configuration

   Host Name . . . . . . . . . . . . : DN-PC
   Primary Dns Suffix  . . . . . . . : 
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Ethernet 2:

   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : TAP-Windows Adapter V9
   Physical Address. . . . . . . . . : XX-XX-XX-XX-XX-XX
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : XX-XX-XX-XX-XX-XX 
   IPv4 Address. . . . . . . . . . . : 10.8.0.6(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.255.252
   Lease Obtained. . . . . . . . . . : Monday, November 2, 2015 3:16:03 PM
   Lease Expires . . . . . . . . . . : Tuesday, November 1, 2016 3:16:03 PM
   Default Gateway . . . . . . . . . : 
   DHCP Server . . . . . . . . . . . : 10.8.0.5
   DHCPv6 IAID . . . . . . . . . . . : 151060293
   DHCPv6 Client DUID. . . . . . . . : XX-XX-XX-XX-XX-XX
   DNS Servers . . . . . . . . . . . : 68.237.161.12
                                       71.250.0.12
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
   Physical Address. . . . . . . . . : XX-XX-XX-XX-XX-XX
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : XX-XX-XX-XX-XX-XX 
   IPv4 Address. . . . . . . . . . . : 192.168.254.102(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Tuesday, October 27, 2015 2:22:57 PM
   Lease Expires . . . . . . . . . . : Monday, November 2, 2015 4:23:42 PM
   Default Gateway . . . . . . . . . : 192.168.254.1
   DHCP Server . . . . . . . . . . . : 192.168.254.1
   DHCPv6 IAID . . . . . . . . . . . : 251665404
   DHCPv6 Client DUID. . . . . . . . : XX-XX-XX-XX-XX-XX
   DNS Servers . . . . . . . . . . . : 167.206.112.138
                                       167.206.7.4
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{0E352305-6661-4430-B864-F99D618D77C4}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 11:

   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:9d38:90d7:859:a42:f5f7:fff9(Preferred) 
   Link-local IPv6 Address . . . . . : fe80::859:a42:f5f7:fff9%4(Preferred) 
   Default Gateway . . . . . . . . . : ::
   DHCPv6 IAID . . . . . . . . . . . : 117440512
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1C-47-8A-4B-00-1B-FC-80-9D-69
   NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter isatap.{456E0EE9-BA0B-4775-82DB-C211C59A47D7}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: Allow client to use my Internet but block LAN

Post by Traffic » Tue Nov 03, 2015 4:08 am

What is your client's route table with OpenVPN running?
blakezeros wrote: When the client connects to the VPN server, the client can ping other machines including the router
Exactly what address can your client ping?

blakezeros
OpenVpn Newbie
Posts: 7
Joined: Tue Oct 27, 2015 2:04 pm

Re: Allow client to use my Internet but block LAN

Post by blakezeros » Wed Nov 04, 2015 4:31 pm

Traffic wrote: What is your client's route table with OpenVPN running?
blakezeros wrote: When the client connects to the VPN server, the client can ping other machines including the router
Exactly what address can your client ping?

It can ping computers in the LAN 192.168.1.0 and also ping google.com and others.

Thank you,

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: Allow client to use my Internet but block LAN

Post by Traffic » Wed Nov 04, 2015 8:33 pm

In order to block access to your server side LAN from your VPN clients
you must reject packets to your server subnet from your VPN subnet
using iptables.

Something like [1]:

Code:

iptables -A PREROUTING -s 10.8.0.0/24 -d 192.168.1.0/24 -j REJECT

[1] There may be better solutions.

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Allow client to use my Internet but block LAN

Post by maikcat » Thu Nov 05, 2015 7:36 am

Traffic wrote: In order to block access to your server side LAN from your VPN clients
you must reject packets to your server subnet from your VPN subnet
using iptables.

Something like [1]:

Code:

iptables -A PREROUTING -s 10.8.0.0/24 -d 192.168.1.0/24 -j REJECT

[1] There may be better solutions.

I suggest you use the filter table and the FORWARD chain...

Michael.
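Putting the thread's pieces together (the OP's ip_forward and MASQUERADE lines, and maikcat's filter table / FORWARD chain suggestion in place of Traffic's PREROUTING rule, which is not a valid place for REJECT), here is an added example script that is not from any poster: it keeps the VPN subnet NATed to the Internet through eth0 while rejecting forwarded traffic from 10.8.0.0/24 to 192.168.1.0/24. The subnets and interface names come from the thread; the function names (ipt, vpn_rules) and the DRY_RUN / show / apply switches are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: OpenVPN server firewall that NATs the
# VPN subnet to the Internet but rejects forwarded packets from the VPN subnet
# to the server LAN. Subnets and interfaces come from the thread; the helper
# names (ipt, vpn_rules) and the DRY_RUN / show / apply switches are assumed here.
VPN_NET="${VPN_NET:-10.8.0.0/24}"     # "server 10.8.0.0 255.255.255.0"
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # server-side LAN to keep clients out of
WAN_IF="${WAN_IF:-eth0}"              # interface towards the router / Internet
TUN_IF="${TUN_IF:-tun0}"              # OpenVPN "dev tun" interface
DRY_RUN="${DRY_RUN:-}"                # non-empty: print commands instead of running

# ipt: run iptables, or just print the command when DRY_RUN is set so the rule
# set can be reviewed before it touches a live box.
ipt() {
    if [ -n "$DRY_RUN" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

vpn_rules() {
    # Forwarding between tun0 and eth0 needs the kernel switch the OP set.
    [ -n "$DRY_RUN" ] || sysctl -w net.ipv4.ip_forward=1 >/dev/null

    # Filter table, FORWARD chain (maikcat's suggestion). Order matters: the
    # REJECT for VPN -> LAN must sit above the generic VPN -> eth0 ACCEPT,
    # because the LAN is also reached through eth0.
    ipt -t filter -A FORWARD -i "$TUN_IF" -s "$VPN_NET" -d "$LAN_NET" -j REJECT
    # Return traffic for connections the VPN clients opened.
    ipt -t filter -A FORWARD -i "$WAN_IF" -o "$TUN_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # VPN clients out to the Internet, via eth0 only.
    ipt -t filter -A FORWARD -i "$TUN_IF" -o "$WAN_IF" -s "$VPN_NET" -j ACCEPT
    # Anything else arriving from the tunnel is not forwarded.
    ipt -t filter -A FORWARD -i "$TUN_IF" -j DROP

    # The OP's NAT rule, so replies come back to the server's public address.
    ipt -t nat -A POSTROUTING -s "$VPN_NET" -o "$WAN_IF" -j MASQUERADE
}

# Usage: "sh vpn_fw.sh show" prints the rules; "sh vpn_fw.sh apply" (as root)
# installs them. With no argument the script only defines the functions.
case "${1:-}" in
    show)  DRY_RUN=1; vpn_rules ;;
    apply) vpn_rules ;;
esac
```

The FORWARD chain only governs traffic passing through the server; the server's own addresses (10.8.0.1, 192.168.1.7) stay reachable from the tunnel and are a matter for the INPUT chain.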
