OpenVPN: Conf one VLAN (CCD's), but still can access others.

Author Message
tkmds
DD-WRT User


Joined: 04 Sep 2011
Posts: 161
Location: SA

PostPosted: Fri Jan 03, 2020 20:03    Post subject: OpenVPN: Conf one VLAN (CCD's), but still can access others.
Hi All,

Here's the scenario.

I'm using a laptop on my local network that has IP 192.168.0.123 / 24, GW 192.168.0.1 .

I've set up OpenVPN and can connect fine. I get another IP 10.1.1.2 for my laptop when using the VPN. All good so far. So now I have two IPs.

Now, in the CCD files, I only enabled routes for one VLAN:

push "route 10.30.0.0 255.255.255.0"

Yet when I'm on the VPN connection, I can access 10.0.0.100, which is one server on a totally different VLAN that I meant to block access to. Why? Why am I able to access that VLAN when, based on the configuration, there's only a route for VLAN 5 ( 10.30.0.X )?

My VLANs:

Code:

192.168.0.0 255.255.255.0    VLAN 1
10.0.0.0    255.255.255.0    VLAN 2
10.10.0.0   255.255.255.0    VLAN 3
10.20.0.0   255.255.255.0    VLAN 4
10.30.0.0   255.255.255.0    VLAN 5


My firewall specific rules include these:

Code:

# ----------------------
# VPN Specific
# ----------------------
iptables -A INPUT -p tcp --dport 11194 -j ACCEPT
iptables -A INPUT -p udp --dport 11194 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 11194 -j ACCEPT
iptables -A OUTPUT -p udp --dport 11194 -j ACCEPT

iptables -A INPUT -p tcp -s 10.1.1.0/24 -d 192.168.0.0/24 --dport 443 -j ACCEPT
iptables -A OUTPUT -d 10.1.1.0/24 -s 192.168.0.0/24 -j ACCEPT

iptables -I INPUT 1 -p tcp --dport 11194 -j ACCEPT
iptables -I FORWARD 1 --source 10.1.1.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -j MASQUERADE


Some specific configuration for that 10.0.0.0:

Code:

# -----------------------------------
# NAT Rules (from Gateway Config)
# Needed for web access. 
# -----------------------------------
iptables -t nat -I POSTROUTING -s 10.0.0.0/24 -j SNAT --to $(nvram get wan_ipaddr)

# ----------------------
# ICMP - 10.0.0.X
# ----------------------
iptables -A INPUT -p icmp --icmp-type any -s 10.0.0.0/24 -d 192.168.0.0/24 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type any -s 192.168.0.0/24 -d 10.0.0.0/24 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT


Last rule for VLAN 2:

Code:

iptables -A INPUT -s 10.0.0.0/24 -j REJECT --reject-with icmp-port-unreachable



I've spent time reading online forums and posts about OpenVPN and DD-WRT, amongst others, so I have an idea that I will likely have to tweak the F/W rules to finalize the setup. However, what I don't understand is why I can still access 10.0.0.123, for example, with the VPN running. I can see that I have an IP of 10.1.1.2 on my laptop alongside my regular IP of 192.168.0.123 and I'm not sure if it's because of that that I'm able to access other VLANs, thereby bypassing any OpenVPN configuration. Perhaps I need to force all traffic through the VPN IP when a client is connected?

When I'm on the VPN and connect to that server, my source IP shows up as:

Code:

[tomk@host-10-0-0-1001 ~]$ who
tomk     pts/3        2020-01-03 12:17 (192.168.0.123)   # Connection source ip if NOT from VPN
tomk     pts/4        2020-01-03 15:11 (192.168.0.6)     # Connection source IP if on VPN ( 192.168.0.6 is my Asus Router running the OpenVPN Server. )
[tomk@host-10-0-0-100 ~]$



I am using OSPF as well on my routers / switches; however, I'm not sure if that plays a part (yet). I'm slowly suspecting it might, since in the event a route can't be found for a specific VLAN that request could be forwarded to the Cisco switch from 192.168.0.6 -> 192.168.0.1, which would in turn route it to VLAN 2 ( 10.0.0.X ) and allow access. This would mean I have to set up access-lists on my Cisco, which I still plan to do; however, that doesn't make sense from one perspective since, based on my understanding, the OpenVPN Server should be stopping that traffic. The OpenVPN Server shouldn't forward anything it doesn't understand further up? ( Or perhaps I'm wrong about that last sentence? )

Cheers,
TK

OpenVPN.conf

Code:

dh /jffs/etc/openvpn/dh.pem
ca /jffs/etc/openvpn/ca.crt
cert /jffs/etc/openvpn/cert.pem
key /jffs/etc/openvpn/key.pem
tls-auth /jffs/etc/openvpn/ta.key 0
keepalive 10 120
verb 3
mute 3
syslog
writepid /var/run/openvpnd.pid
management 127.0.0.1 14
management-log-cache 100
topology subnet
script-security 2
port 11194
proto tcp4-server
cipher aes-256-cbc
auth sha256
client-connect /tmp/openvpn/clcon.sh
client-disconnect /tmp/openvpn/cldiscon.sh
client-config-dir /jffs/etc/openvpn/ccd
comp-lzo adaptive
tls-server
ifconfig-pool-persist /tmp/openvpn/ip-pool 86400
client-to-client
push "redirect-gateway def1"
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
tcp-nodelay
tun-mtu 1500
mtu-disc yes
server 10.1.1.0 255.255.255.0
dev tun2
auth-nocache

_________________
Cheers, TK
------------------------
tkmds
DD-WRT User


Joined: 04 Sep 2011
Posts: 161
Location: SA

PostPosted: Fri Jan 03, 2020 22:24    Post subject:
tcpdump is showing that there isn't any traffic going through the tun2 ( OpenVPN ) interface @ 10.1.1.1 when a client is connected to the VPN server.

That is, despite having this:

push "redirect-gateway def1". Curious why?

Cheers,
TK

_________________
Cheers, TK
------------------------
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Sat Jan 04, 2020 15:39    Post subject:
Are you testing from inside your network?

Testing has to be done from outside i.e. with your phone via cellular as hotspot.

VLANs are not automatically isolated from each other; you have to isolate them with iptables rules.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
tkmds
DD-WRT User


Joined: 04 Sep 2011
Posts: 161
Location: SA

PostPosted: Sat Jan 04, 2020 18:16    Post subject:
Yep, was testing this out using my phone as hotspot. Thought of that after posting initially. Same issue. I made sure to remove VLAN 1 IPs from my existing setup just to be sure I'm not using anything off of VLAN 1.

I'm setting up access-lists on the Cisco gear where the VLAN's are defined, in parallel, to isolate them and see if that helps.

Now, if you mean isolate them with F/W rules on the DD-WRT Asus router, I'm having difficulty envisioning how that might look.

For example, once a VPN connection is established and CCD rules applied, what's stopping that client from opening up a direct connection using their PuTTY to VLAN 1 IP instead of their own designated VLAN 5 IP?

In other words, the only way I know blocking by client could occur is via the VPN software itself. I'm not sure how the F/W could detect said client and act on that specific connection.

I hope I'm making sense.

Cheers,
TK

_________________
Cheers, TK
------------------------
tkmds
DD-WRT User


Joined: 04 Sep 2011
Posts: 161
Location: SA

PostPosted: Sun Jan 05, 2020 6:40    Post subject:
So I've added access-list filter rules to my Cisco routers. This worked to prevent VLAN 5 from accessing any other VLAN's.

But as I suspected, it did nothing to prevent an OpenVPN client connecting with an IP from 10.1.1.0/24 (VPN subnet) from accessing VLAN 1, 2, 3, 4 as well as VLAN 5.

Reading a little further on this, I think I have my VPN iptables rules all wrong. They were grandfathered in from my earlier OpenVPN setup, which I think I need to revisit and rework.

https://openvpn.net/community-resources/configuring-client-specific-rules-and-access-policies/

Any new DD-WRT OpenVPN iptables examples for VLANs I can begin off of would be appreciated.

Cheers,
TK

_________________
Cheers, TK
------------------------
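The rules quoted at the top of the thread contain two things worth noticing from a security standpoint: `iptables -I FORWARD 1 --source 10.1.1.0/24 -j ACCEPT` forwards anything a VPN client sends to any VLAN, and `iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -j MASQUERADE` has no `-o` restriction, so a client's packets leaving via br0 are rewritten to the router's own 192.168.0.6 address. That is exactly the source address the `who` output earlier in the thread shows, and it also means LAN hosts and switch ACLs can no longer tell one VPN client from another. Pushed routes in a CCD file only shape the client's routing table; the server-side control is the FORWARD chain. The script below is an added example, not code from the thread or from DD-WRT: it confines tunnel clients to VLAN 5, logs and drops everything else from the tunnel, and masquerades only towards the WAN. The names tun2, 10.1.1.0/24 and 10.30.0.0/24 come from the thread; the chain name VPN_FWD, the log prefix and the assumption that vlan2 is the WAN interface are constructed here.

```shell
#!/bin/sh
# Added example, not from the thread or from DD-WRT: a FORWARD policy that lets
# OpenVPN clients on tun2 reach only VLAN 5. Names from the thread: tun2, the
# 10.1.1.0/24 VPN pool, 10.30.0.0/24 for VLAN 5. Assumptions: vlan2 is the WAN
# interface; the chain name VPN_FWD and the log prefix are constructed here.
VPN_IF="tun2"
VPN_NET="10.1.1.0/24"
ALLOWED_NET="10.30.0.0/24"   # VLAN 5, the only network a VPN client may initiate to
WAN_IF="vlan2"               # assumption: WAN side of the router

# With DRY_RUN set, print each rule instead of applying it, so the resulting
# policy can be reviewed on a machine without iptables.
ipt() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

vpn_vlan_policy() {
    # A dedicated chain keeps the VPN policy separate from the rest of FORWARD.
    ipt -N VPN_FWD 2>/dev/null || true
    ipt -F VPN_FWD
    # Replies belonging to connections already accepted below.
    ipt -A VPN_FWD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The single destination network a tunnel client may open connections to.
    ipt -A VPN_FWD -s "$VPN_NET" -d "$ALLOWED_NET" -j ACCEPT
    # Everything else from the tunnel is logged (rate limited) and dropped; the
    # log prefix is the detection hook for a client probing another VLAN.
    ipt -A VPN_FWD -m limit --limit 5/min -j LOG --log-prefix "VPN-VLAN-DENY "
    ipt -A VPN_FWD -j DROP

    # Remove the blanket accept for the VPN subnet if it is present, then hook
    # the tunnel into VPN_FWD. Deleting before inserting keeps re-runs idempotent.
    ipt -D FORWARD -s "$VPN_NET" -j ACCEPT 2>/dev/null || true
    ipt -D FORWARD -o "$VPN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT 2>/dev/null || true
    ipt -I FORWARD 1 -o "$VPN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -D FORWARD -i "$VPN_IF" -j VPN_FWD 2>/dev/null || true
    ipt -I FORWARD 1 -i "$VPN_IF" -j VPN_FWD

    # Masquerade VPN clients only towards the WAN. Without "-o", LAN hosts see
    # every client as the router's own br0 address instead of its 10.1.1.x
    # address, so neither this policy's logs nor switch ACLs can tell clients apart.
    ipt -t nat -D POSTROUTING -s "$VPN_NET" -j MASQUERADE 2>/dev/null || true
    ipt -t nat -D POSTROUTING -s "$VPN_NET" -o "$WAN_IF" -j MASQUERADE 2>/dev/null || true
    ipt -t nat -A POSTROUTING -s "$VPN_NET" -o "$WAN_IF" -j MASQUERADE
}

# Usage: "sh vpn_vlan.sh preview" prints the rules; "sh vpn_vlan.sh apply" loads them.
case "${1:-}" in
    apply)   vpn_vlan_policy ;;
    preview) DRY_RUN=1; vpn_vlan_policy ;;
esac
```

Run it in preview mode first and read the generated rules; on DD-WRT the apply step belongs in the firewall script so it survives a reboot. Once the masquerade is limited to the WAN, the `who` output on a VLAN 5 host shows the client's 10.1.1.x address rather than 192.168.0.6, and the `VPN-VLAN-DENY` syslog lines show which client tried to reach a VLAN it is not allowed to.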
tkmds
DD-WRT User


Joined: 04 Sep 2011
Posts: 161
Location: SA

PostPosted: Sun Jan 05, 2020 7:53    Post subject:
Investigated a bit further. The VPN traffic isn't going through my tun2 interface. When the OpenVPN connection is established with my router it goes to vlan2@eth0 interface:

Code:
5: vlan2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1492 qdisc noqueue state UP qlen 1000
    link/ether 40:16:7e:a2:62:11 brd ff:ff:ff:ff:ff:ff
    inet 123.123.123.101/27 brd 123.123.123.102 scope global vlan2
       valid_lft forever preferred_lft forever


The connection is made with the VPN server running on port 11194 on the above interface.

Now, my laptop has a VPN connection and my IP is 10.1.1.2 . Somehow when I initiate an ssh connection to any host on VLAN 1, the login source IP comes out as 192.168.0.6 ( VLAN 1 ), which is my Asus router's IP. It doesn't come from 10.1.1.2, my VPN IP.

This is why the connection is allowed.

Code:
8: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 40:16:7e:a2:62:12 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.6/24 brd 192.168.0.255 scope global br0
       valid_lft forever preferred_lft forever


This appears to indicate that packets are moved between vlan2@eth0 and br0; however, tun2 (VPN interface) isn't at play. Hence why I can log in to hosts I should not be able to when on my VPN. However, I need to change that.

Why is traffic not going through tun2 in my setup?

Cheers,
TK

_________________
Cheers, TK
------------------------
tkmds
DD-WRT User


Joined: 04 Sep 2011
Posts: 161
Location: SA

PostPosted: Mon Jan 06, 2020 5:17    Post subject:
Figured this out. The solution was right in front of me.

All I had to do is to remove this line:

push "redirect-gateway def1"

or disable it via the GUI, and the CCD restriction worked like it was supposed to. The client could only access the defined VLAN, nothing more, which is exactly what I was looking for.

For restricting VLAN to VLAN access via Cisco gear, that I did with access-list definitions on my Cisco switches.

More on this is here: https://microdevsys.com/wp/cisco-ios-3750g-access-control-lists-deny-access-from-vlan-5-to-any-other-vlan/

Thx,

_________________
Cheers, TK
------------------------