Allow client to use my Internet but block LAN

Posted: Tue Oct 27, 2015 2:31 pm
by blakezeros
Hi,

I have set up OpenVPN on an Ubuntu 14.04 server. The client connects to the VPN server without problems. I want the client to use my Internet as if it were his own Internet, but at the same time block the client from my home LAN. What is the best way to accomplish this?

Below is my Network info:
LAN: 192.168.1.0/24
OpenVPN Server IP: 192.168.1.139
Router/Switch: 192.168.1.2

OpenVPN network: 10.8.0.0/24

Below is my Server and Client configuration:

Server:

proto udp
dev tun
ca ca.crt
cert openvpn-server.crt
key openvpn-server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"
push "dhcp-option DNS 68.237.161.12"
push "dhcp-option DNS 71.250.0.12"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3

Client:

client
dev tun
proto udp
remote 98.113.188.12 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert andres.crt
key andres.key
remote-cert-tls server
comp-lzo
verb 3

Thank you,

Re: Allow client to use my Internet but block LAN

Posted: Thu Oct 29, 2015 1:55 pm
by Traffic
Your configs will not give your client access to your server LAN.

Also,
  • NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Never use 192.168.0.0/24 or 192.168.1.0/24 (or other common subnets) for your OpenVPN server LAN!

Re: Allow client to use my Internet but block LAN

Posted: Thu Oct 29, 2015 6:17 pm
by blakezeros
Traffic wrote:Your configs will not give your client access to your server LAN.

Also,
  • NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Never use 192.168.0.0/24 or 192.168.1.0/24 (or other common subnets) for your OpenVPN server LAN!

Hi Traffic,

I forgot to mention that the client connects to the VPN server, but once connected the client cannot access my LAN and the Internet. So what I did was enable packet forwarding:

Code:

sysctl -w net.ipv4.ip_forward=1
and this as well:

Code:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
The above gives access to the LAN and the Internet. I just want the client to have access to the Internet, so that when he searches Google for "What's my IP" it shows my public IP instead of his public IP.

Re: Allow client to use my Internet but block LAN

Posted: Fri Oct 30, 2015 9:43 am
by maikcat
Can you post the output of ifconfig on your OpenVPN server?

Also, what does tracert 8.8.8.8 show?

Michael.

Re: Allow client to use my Internet but block LAN

Posted: Fri Oct 30, 2015 11:28 am
by Traffic
blakezeros wrote:The above give access to the LAN and Internet
According to the config you have posted, your client does not have access to your server LAN even with NAT enabled.

Re: Allow client to use my Internet but block LAN

Posted: Fri Oct 30, 2015 9:59 pm
by blakezeros
maikcat wrote:Can you post the output of ifconfig on your OpenVPN server?

Also, what does tracert 8.8.8.8 show?

Michael.

Hi Michael,

Here is the ifconfig info:

Code:

eth0      Link encap:Ethernet  HWaddr 08:00:27:e0:62:f4
          inet addr:192.168.1.7  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fee0:62f4/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1417 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1668 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:112335 (112.3 KB)  TX bytes:207063 (207.0 KB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
Here is the traceroute info:

Code:

traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  192.168.1.2 (192.168.1.2)  0.957 ms  0.909 ms  1.566 ms
 2  lo0-100.NYCMNY-VFTTP-373.verizon-gni.net (98.113.188.1)  5.996 ms  5.996 ms  5.976 ms
 3  T1-10-0-9.NYCMNY-LCR-21.verizon-gni.net (100.41.135.220)  6.982 ms T1-10-0-8.NYCMNY-LCR-21.verizon-gni.net (100.41.216.64)  7.210 ms T1-10-0-9.NYCMNY-LCR-21.verizon-gni.net (100.41.135.220)  7.196 ms
 4  * * *
 5  0.ae12.XL3.NYC1.ALTER.NET (152.63.6.61)  6.904 ms 0.ae3.XL3.NYC1.ALTER.NET (140.222.226.31)  8.365 ms 0.ae4.XL4.NYC1.ALTER.NET (140.222.226.37)  8.360 ms
 6  0.xe-11-1-3.GW14.NYC1.ALTER.NET (152.63.25.186)  8.344 ms 0.xe-8-0-1.GW14.NYC1.ALTER.NET (152.63.4.149)  2.972 ms 0.xe-10-0-0.GW14.NYC1.ALTER.NET (152.63.18.118)  3.499 ms
 7  google-gw.customer.alter.net (204.148.18.30)  2.934 ms  3.708 ms  4.371 ms
 8  64.233.175.141 (64.233.175.141)  5.087 ms 64.233.175.107 (64.233.175.107)  5.832 ms 64.233.175.141 (64.233.175.141)  5.759 ms
 9  google-public-dns-a.google.com (8.8.8.8)  4.879 ms  5.634 ms  5.516 ms

Re: Allow client to use my Internet but block LAN

Posted: Fri Oct 30, 2015 10:03 pm
by blakezeros
Traffic wrote:
blakezeros wrote:The above give access to the LAN and Internet
According to the config you have posted .. your client does not have access to your server LAN even with NAT enabled.

Hi Traffic,

When the client connects to the VPN server, the client can ping other machines, including the router. There are no firewall rules except for the NAT rules. I assume the client has access to the LAN because it can ping other machines.

Re: Allow client to use my Internet but block LAN

Posted: Mon Nov 02, 2015 12:11 pm
by Traffic
Please post ifconfig of your client.

Re: Allow client to use my Internet but block LAN

Posted: Mon Nov 02, 2015 8:22 pm
by blakezeros
Traffic wrote:Please post ifconfig of your client.
Hi Traffic,

Here is the client's ipconfig:

Code:

Windows IP Configuration

   Host Name . . . . . . . . . . . . : DN-PC
   Primary Dns Suffix  . . . . . . . : 
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Ethernet 2:

   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : TAP-Windows Adapter V9
   Physical Address. . . . . . . . . : XX-XX-XX-XX-XX-XX
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : XX-XX-XX-XX-XX-XX 
   IPv4 Address. . . . . . . . . . . : 10.8.0.6(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.255.252
   Lease Obtained. . . . . . . . . . : Monday, November 2, 2015 3:16:03 PM
   Lease Expires . . . . . . . . . . : Tuesday, November 1, 2016 3:16:03 PM
   Default Gateway . . . . . . . . . : 
   DHCP Server . . . . . . . . . . . : 10.8.0.5
   DHCPv6 IAID . . . . . . . . . . . : 151060293
   DHCPv6 Client DUID. . . . . . . . : XX-XX-XX-XX-XX-XX
   DNS Servers . . . . . . . . . . . : 68.237.161.12
                                       71.250.0.12
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
   Physical Address. . . . . . . . . : XX-XX-XX-XX-XX-XX
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : XX-XX-XX-XX-XX-XX 
   IPv4 Address. . . . . . . . . . . : 192.168.254.102(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Tuesday, October 27, 2015 2:22:57 PM
   Lease Expires . . . . . . . . . . : Monday, November 2, 2015 4:23:42 PM
   Default Gateway . . . . . . . . . : 192.168.254.1
   DHCP Server . . . . . . . . . . . : 192.168.254.1
   DHCPv6 IAID . . . . . . . . . . . : 251665404
   DHCPv6 Client DUID. . . . . . . . : XX-XX-XX-XX-XX-XX
   DNS Servers . . . . . . . . . . . : 167.206.112.138
                                       167.206.7.4
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{0E352305-6661-4430-B864-F99D618D77C4}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 11:

   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:9d38:90d7:859:a42:f5f7:fff9(Preferred) 
   Link-local IPv6 Address . . . . . : fe80::859:a42:f5f7:fff9%4(Preferred) 
   Default Gateway . . . . . . . . . : ::
   DHCPv6 IAID . . . . . . . . . . . : 117440512
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1C-47-8A-4B-00-1B-FC-80-9D-69
   NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter isatap.{456E0EE9-BA0B-4775-82DB-C211C59A47D7}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Re: Allow client to use my Internet but block LAN

Posted: Tue Nov 03, 2015 4:08 am
by Traffic
What is your client route table with OpenVPN running?
blakezeros wrote:When the client connects to the vpn server, the client can ping other machines including the router
Exactly what address can your client ping?

Re: Allow client to use my Internet but block LAN

Posted: Wed Nov 04, 2015 4:31 pm
by blakezeros
Traffic wrote:What is your client route table with OpenVPN running?
blakezeros wrote:When the client connects to the vpn server, the client can ping other machines including the router
Exactly what address can your client ping?

It can ping computers in the 192.168.1.0 LAN and also google.com and others.

Thank you,

Re: Allow client to use my Internet but block LAN

Posted: Wed Nov 04, 2015 8:33 pm
by Traffic
In order to block access to your server-side LAN from your VPN clients, you must reject packets to your server subnet from your VPN subnet using iptables.

Something like [1]:

Code:

iptables -A PREROUTING -s 10.8.0.0/24 -d 192.168.1.0/24 -j REJECT
[1] There may be better solutions.

Re: Allow client to use my Internet but block LAN

Posted: Thu Nov 05, 2015 7:36 am
by maikcat
Traffic wrote:In order to block access to your server-side LAN from your VPN clients, you must reject packets to your server subnet from your VPN subnet using iptables.

Something like [1]:

Code:

iptables -A PREROUTING -s 10.8.0.0/24 -d 192.168.1.0/24 -j REJECT
[1] There may be better solutions.

I suggest you use the filter table and the FORWARD chain...

Michael.
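Putting the two replies above together (Traffic's "reject VPN-to-LAN packets" and maikcat's "use the filter table and FORWARD chain"), here is an added example script that is not code from the thread or from OpenVPN. It assumes the names visible in the posted configs and ifconfig output: eth0 as the Internet-facing interface, tun0 as the OpenVPN interface, 10.8.0.0/24 as the VPN subnet and 192.168.1.0/24 as the server-side LAN; all four can be overridden through the environment. It does three things the thread only hints at: it puts the REJECT in the filter table (REJECT is only valid in INPUT, FORWARD and OUTPUT, so the PREROUTING rule posted above cannot be loaded as written), it installs the REJECT before any ACCEPT so rule order cannot undo it, and it adds a matching INPUT rule, because a packet from a client to the server's own LAN address (192.168.1.7 in the posted ifconfig) never traverses FORWARD.

```shell
#!/bin/sh
# Added example, not from the thread: build (and optionally apply) the iptables
# policy discussed above. Interface and subnet names are taken from the posted
# configs and ifconfig output (eth0, tun0, 10.8.0.0/24, 192.168.1.0/24) and may
# be overridden through the environment.
set -eu

VPN_NET="${VPN_NET:-10.8.0.0/24}"     # from 'server 10.8.0.0 255.255.255.0'
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # server-side LAN to keep clients out of
WAN_IF="${WAN_IF:-eth0}"              # interface towards the Internet
TUN_IF="${TUN_IF:-tun0}"              # OpenVPN interface

# Print the commands, one per line, in the order they must be installed.
# Access is decided in the filter table: FORWARD for routed traffic, INPUT for
# traffic addressed to the server host itself. The nat table only rewrites
# source addresses (MASQUERADE) and filters nothing. REJECT is only valid in
# INPUT, FORWARD and OUTPUT, so a PREROUTING rule is not an option here.
build_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t filter -A FORWARD -i $TUN_IF -s $VPN_NET -d $LAN_NET -j REJECT --reject-with icmp-admin-prohibited
iptables -t filter -A FORWARD -i $TUN_IF -s $VPN_NET -o $WAN_IF -j ACCEPT
iptables -t filter -A FORWARD -i $WAN_IF -o $TUN_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -t filter -A INPUT -i $TUN_IF -s $VPN_NET -d $LAN_NET -j REJECT --reject-with icmp-admin-prohibited
iptables -t nat -A POSTROUTING -s $VPN_NET -o $WAN_IF -j MASQUERADE
EOF
}

# Run the generated commands; requires root and echoes each one before running it.
apply_rules() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_rules: must run as root" >&2
        return 1
    fi
    build_rules | while IFS= read -r cmd; do
        echo "+ $cmd" >&2
        eval "$cmd"
    done
}

# Default action is a dry run that only prints the rules; pass 'apply' to install them.
case "${1:-print}" in
    apply) apply_rules ;;
    *)     build_rules ;;
esac
```

Run it without arguments to review the rules, then `sudo sh block-lan.sh apply` (any file name; block-lan.sh is just the name used here) to install them. From a connected client, `ping 192.168.1.2` should now fail with an ICMP prohibited/unreachable reply while `ping 8.8.8.8` and browsing still work through the server's public address. The tunnel itself is unaffected because the client reaches UDP 1194 on the server's public IP via eth0, not through tun0. Two caveats: the pushed DNS servers in the posted config are public, so rejecting LAN traffic does not break name resolution, but it would if a LAN resolver were pushed instead; and iptables rules are not persistent across a reboot unless saved with `iptables-save` or a package such as iptables-persistent.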