Disallowing LAN access

spammy
OpenVpn Newbie
Posts: 2
Joined: Fri Nov 09, 2018 1:48 pm

Disallowing LAN access

Post by spammy » Fri Nov 09, 2018 1:56 pm

I am using OpenVPN via Tomato Custom Router FW.

I wish to run two VPN servers, which this software allows (via ports). I have generated a separate set of CAs and server keys for each, with respective client keys for clients in the two sets of users who will connect to the relevant VPN server. Everything is working so far.

What I want is:

For VPN1 to redirect the client's internet BUT DISALLOW access to the LAN local to the VPN server.
For VPN2 to redirect the client's internet AND allow access to the LAN local to the VPN server.

Is this possible with OpenVPN, or do I have to configure something elsewhere on the router? Sample server config follows for VPN1, VPN2 has push "route 10.10.0.0 255.255.0.0" extra.


Server Config

# Automatically generated configuration
daemon
server 10.8.0.0 255.255.255.0
proto udp
port 52918
dev tun21
cipher BF-CBC
comp-lzo yes
keepalive 15 60
verb 3
push "dhcp-option DOMAIN sample.com"
push "dhcp-option DNS 10.10.0.1"
push "redirect-gateway def1"
tls-auth static.key 0
ca ca.crt
dh dh.pem
cert server.crt
key server.key
status-version 2
status status

# Custom Configuration
keepalive 50 120
user nobody
group nobodyroot

TinCanTech
OpenVPN Protagonist
Posts: 5021
Joined: Fri Jun 03, 2016 1:17 pm

Re: Disallowing LAN access

Post by TinCanTech » Fri Nov 09, 2018 2:08 pm

spammy wrote:
Fri Nov 09, 2018 1:56 pm
Is this possible with OpenVPN, or do I have to configure something elsewhere on the router?
Redirecting the client gateway supersedes the route for your LAN so clients with only redirect-gateway will still have access to your LAN. You must use your firewall to prevent this.

spammy
OpenVpn Newbie
Posts: 2
Joined: Fri Nov 09, 2018 1:48 pm

Re: Disallowing LAN access

Post by spammy » Sat Nov 10, 2018 9:30 pm

Thanks for the tip. I did what I wanted by creating a custom firewall rule, e.g.:

iptables -I INPUT 1 -p all -s 0.0.0.0/0 -d network-addresses -i tun21 -j DROP
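The firewall side of what TinCanTech describes, as an added example that is not code from either poster: redirect-gateway only replaces the client's default route, so the LAN stays reachable through the tunnel and iptables has to refuse it. It assumes VPN1 on tun21 with the LAN 10.10.0.0/16 and DNS 10.10.0.1 from the posted config, drops LAN-bound traffic in both FORWARD (LAN hosts) and INPUT (the router itself), and keeps an exception for the pushed DNS server, which the rule above would otherwise cut off.

```shell
#!/bin/sh
# Added example, not from the thread.  Set IPT=echo to print the rules
# instead of applying them; run as root with RUN_APPLY=1 to install them.
IPT="${IPT:-iptables}"

# lan_only_block IFACE LAN_CIDR
# Drop everything arriving on IFACE that is addressed to the LAN.  FORWARD
# covers LAN hosts, INPUT covers the router's own LAN address.  Position 1
# puts the DROP ahead of any existing broad ACCEPT rule.
lan_only_block() {
    iface=$1 lan=$2
    "$IPT" -I FORWARD 1 -i "$iface" -d "$lan" -j DROP
    "$IPT" -I INPUT 1 -i "$iface" -d "$lan" -j DROP
}

# allow_router_dns IFACE DNS_IP
# The server pushes the router's LAN IP as DNS, so port 53 to that one
# address must stay open or VPN1 clients lose name resolution.  Inserted at
# position 1 after the DROP so these rules are matched first.
allow_router_dns() {
    iface=$1 dns=$2
    "$IPT" -I INPUT 1 -i "$iface" -d "$dns" -p udp --dport 53 -j ACCEPT
    "$IPT" -I INPUT 1 -i "$iface" -d "$dns" -p tcp --dport 53 -j ACCEPT
}

# vpn1_policy IFACE LAN_CIDR DNS_IP
# Internet only: LAN blocked, router DNS allowed.  VPN2 (the instance that
# pushes "route 10.10.0.0 255.255.0.0") needs no rules; it is simply not blocked.
vpn1_policy() {
    lan_only_block "$1" "$2"
    allow_router_dns "$1" "$3"
}

if [ -n "${RUN_APPLY:-}" ]; then
    vpn1_policy tun21 10.10.0.0/16 10.10.0.1
fi
```

On Tomato the calls belong in the firewall script so they survive a reboot; the final INPUT order is tcp/53 ACCEPT, udp/53 ACCEPT, then the LAN DROP.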
