Posted: Fri Jan 03, 2020 20:03 Post subject: OpenVPN: Conf one VLAN (CCD's), but still can access others.
Hi All,
Here's the scenario.
I'm using a laptop on my local network that has IP 192.168.0.123 / 24, GW 192.168.0.1 .
I've set up OpenVPN and can connect fine. I get another IP 10.1.1.2 for my laptop when using the VPN. All good so far. So now I have two IPs.
Now, in the CCD files, I only enabled routes for one VLAN:
Code:
push "route 10.30.0.0 255.255.255.0"
Yet when I'm on the VPN connection, I can access 10.0.0.100, which is one server on a totally different VLAN that I meant to block access to. Why? Why am I able to access that VLAN when, based on the configuration, there's only a route for VLAN 5 ( 10.30.0.X )?
Code:
# -----------------------------------
# NAT Rules (from Gateway Config)
# Needed for web access.
# -----------------------------------
iptables -t nat -I POSTROUTING -s 10.0.0.0/24 -j SNAT --to $(nvram get wan_ipaddr)
# ----------------------
# ICMP - 10.0.0.X
# ----------------------
iptables -A INPUT -p icmp --icmp-type any -s 10.0.0.0/24 -d 192.168.0.0/24 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type any -s 192.168.0.0/24 -d 10.0.0.0/24 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
Last rule for VLAN 2:
Code:
iptables -A INPUT -s 10.0.0.0/24 -j REJECT --reject-with icmp-port-unreachable
I've spent time reading online forums and posts about OpenVPN and DD-WRT, amongst others, so I've an idea that I will likely have to tweak the F/W rules to finalize the setup. However, what I don't understand is why I can still access 10.0.0.123, for example, with the VPN running. I can see that I have an IP of 10.1.1.2 on my laptop alongside my regular IP of 192.168.0.123 and I'm not sure if it's because of that I'm able to access other VLANs, thereby bypassing any OpenVPN configuration. Perhaps I need to force all traffic through the VPN IP when a client is connected?
When I'm on the VPN and connect to that server, my source IP shows up as:
Code:
[tomk@host-10-0-0-1001 ~]$ who
tomk pts/3 2020-01-03 12:17 (192.168.0.123) # Connection source ip if NOT from VPN
tomk pts/4 2020-01-03 15:11 (192.168.0.6) # Connection source IP if on VPN ( 192.168.0.6 is my Asus Router running the OpenVPN Server. )
[tomk@host-10-0-0-100 ~]$
I am using OSPF as well on my routers / switches, however I'm not sure if that plays a part (yet). I'm slowly suspecting it might, since in the event a route can't be found for a specific VLAN that request could be forwarded to the Cisco switch from 192.168.0.6 -> 192.168.0.1, which would in turn route it to VLAN 2 ( 10.0.0.X ) and allow access. This would mean I have to set up access-lists on my Cisco, which I still plan to do; however, that doesn't make sense from one perspective since, based on my understanding, the OpenVPN Server should be stopping that traffic. The OpenVPN Server shouldn't forward anything it doesn't understand further up? ( Or perhaps I'm wrong about that last sentence? )
Yep, was testing this out using my phone as a hotspot. Thought of that after posting initially. Same issue. I made sure to remove VLAN 1 IPs from my existing setup just to be sure I'm not using anything off of VLAN 1.
I'm setting up access-lists on the Cisco gear where the VLAN's are defined, in parallel, to isolate them and see if that helps.
Now, if you mean isolate them with F/W rules on the DD-WRT Asus router, I'm having difficulty envisioning what that might look like.
For example, once a VPN connection is established and CCD rules applied, what's stopping that client from opening up a direct connection using their PuTTY to a VLAN 1 IP instead of their own designated VLAN 5 IP?
In other words, the only way I know blocking by client could occur is via the VPN software itself. I'm not sure how the F/W could detect said client and act on that specific connection.
So I've added access-list filter rules to my Cisco routers. This worked to prevent VLAN 5 from accessing any other VLAN's.
But as I suspected, it did nothing to prevent an OpenVPN client connecting with an IP from 10.1.1.0/24 (VPN subnet) from accessing VLAN 1, 2, 3, 4 as well as VLAN 5.
Reading a little further on this, I think I have my VPN iptables rules all wrong. They were grandfathered in from my earlier OpenVPN setup, which I think I need to revisit and rework.
Investigated a bit further. The VPN traffic isn't going through my tun2 interface. When the OpenVPN connection is established with my router it goes to the vlan2@eth0 interface:
Code:
5: vlan2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1492 qdisc noqueue state UP qlen 1000
link/ether 40:16:7e:a2:62:11 brd ff:ff:ff:ff:ff:ff
inet 123.123.123.101/27 brd 123.123.123.102 scope global vlan2
valid_lft forever preferred_lft forever
The connection is made with the VPN servers running on port 11194 on the above interface.
Now, my laptop has a VPN connection and my IP is 10.1.1.2 . Somehow when I initiate an ssh connection to any host on VLAN 1, the login source IP comes out as 192.168.0.6 ( VLAN 1 ), which is my Asus router's IP. It doesn't come from 10.1.1.2, my VPN IP.
This is why the connection is allowed.
Code:
8: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
link/ether 40:16:7e:a2:62:12 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.6/24 brd 192.168.0.255 scope global br0
valid_lft forever preferred_lft forever
This appears to indicate that packets are moved between vlan2@eth0 and br0; however tun2 (the VPN interface) isn't at play. Hence I can log in to hosts I should not be able to when on my VPN. I need to change that.
Why is traffic not going through tun2 in my setup?
Figured this out. The solution was right in front of me.
All I had to do was remove this line:
Code:
push "redirect-gateway def1"
or disable it via the GUI, and the CCD restriction worked as it was supposed to. The client could only access the defined VLAN, nothing more, which is exactly what I was looking for.
For restricting VLAN to VLAN access via Cisco gear, that I did with access-list definitions on my Cisco switches.
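A pushed route only tells the client where to send packets; the client can add its own routes, so the tunnel endpoint has to enforce per-client reach. The INPUT and OUTPUT rules quoted earlier in the thread match only traffic terminating at or originating from the router itself; packets routed from tun2 into a VLAN traverse the FORWARD chain. The script below is an added example, not code from the thread, DD-WRT or OpenVPN: it reads CCD files and turns each client's `ifconfig-push` address plus its `push "route ..."` lines into FORWARD rules bound to that client's tunnel IP, with a final REJECT for everything else arriving on the tunnel. The CCD directory, the client names and the second client ("admin") are constructed for illustration; tun2, 10.1.1.0/24 and 10.30.0.0/24 come from the thread.

```shell
#!/bin/sh
# Added example (not from the thread, DD-WRT or OpenVPN): generate iptables
# FORWARD rules from OpenVPN CCD files so the firewall enforces the subnet
# that "push route" only advertises. Client names and the "admin" client are
# constructed; tun2, 10.1.1.0/24 and 10.30.0.0/24 are taken from the thread.

# Build a constructed CCD directory so the script runs offline.
make_sample_ccd() {
    dir=$(mktemp -d)
    # Client "laptop": fixed tunnel IP 10.1.1.2, allowed only VLAN 5 (10.30.0.0/24)
    printf '%s\n' 'ifconfig-push 10.1.1.2 10.1.1.1' \
        'push "route 10.30.0.0 255.255.255.0"' > "$dir/laptop"
    # Client "admin" (constructed): tunnel IP 10.1.1.6, allowed VLAN 5 and VLAN 2
    printf '%s\n' 'ifconfig-push 10.1.1.6 10.1.1.5' \
        'push "route 10.30.0.0 255.255.255.0"' \
        'push "route 10.0.0.0 255.255.255.0"' > "$dir/admin"
    echo "$dir"
}

# Print the iptables commands. $1 = CCD directory, $2 = tunnel interface.
gen_forward_rules() {
    ccd=$1
    tun=${2:-tun2}
    # Replies for connections already accepted, in either direction
    echo "iptables -A FORWARD -i $tun -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -o $tun -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for f in "$ccd"/*; do
        [ -f "$f" ] || continue
        # The first argument of ifconfig-push is the client's tunnel address
        client_ip=$(awk '$1 == "ifconfig-push" { print $2; exit }' "$f")
        [ -n "$client_ip" ] || continue
        # Every pushed route becomes one ACCEPT rule bound to that client's address;
        # iptables accepts the dotted netmask form, so no prefix conversion is needed
        awk -v ip="$client_ip" -v tun="$tun" '
            $1 == "push" && $2 == "\"route" {
                net = $3; mask = $4
                sub(/"$/, "", mask)          # strip the closing quote
                printf "iptables -A FORWARD -i %s -s %s -d %s/%s -j ACCEPT\n", tun, ip, net, mask
            }' "$f"
    done
    # Anything else entering from the tunnel is rejected, whatever the client routes
    echo "iptables -A FORWARD -i $tun -j REJECT --reject-with icmp-port-unreachable"
}

# Number of ACCEPT rules generated for one client address ($3).
count_client_rules() {
    gen_forward_rules "$1" "$2" | grep -c -- "-s $3 "
}

# Stand-alone run: print the rule set for review before pasting it into the
# router's firewall script.
CCD_DIR=$(make_sample_ccd)
gen_forward_rules "$CCD_DIR" tun2
```

Two properties make this hold on the router described in the thread. The filter table's FORWARD chain is traversed before nat POSTROUTING, so these rules still see the 10.1.1.x source even when the tunnel traffic is later SNATed to the router's 192.168.0.6 address, which is why the `who` output in the thread shows the router rather than the VPN client. Binding rules to a client address is only meaningful when the CCD assigns that address with `ifconfig-push`, as the sample files do; with dynamic pool addresses the rules would have to be generated from the connected client's certificate name instead.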