Posted: Thu Aug 11, 2022 9:09 Post subject: OpenVPN Server allow client to reach only one bridge
Hi there,
since I update my build to a most recent, I reconfigured the OpnVPN server and I also create new certificates.
In my previous configuration, the VPN client are allowed to access only to bridge 1 (br1 - 192.168.10.0/24) that is my IoT network. My private network (br0 - 192.168.2.0/24) are isolated from VPN.
If I try to ping a PC on br0, the ping works.
I compare my previous OpenVPN configuration with the new one and the only difference is this "Additional configuration"
Code:
push "redirect-gateway def1"
but honestly I don't remember what is its pourpose.
How can I block the access from VPN client to br0?
Joined: 18 Mar 2014 Posts: 12889 Location: Netherlands
Posted: Thu Aug 11, 2022 12:05 Post subject:
Are you saying you added that manually to the Additional Config?
The first question is are you using your OpenVPN client (e.g. your phone) only to view your IoT subnet or are you also wanting to use it to surf the internet via your home?
Second question, is only routing from the first question enough or are you having OpenVPN clients you do not trust and want to actively block those untrusted OpenVPN clients from reaching parts of your home net, in that case you have to use firewall rules to block.
To give you a head start below a quote from the OpenVPN server setup guide about the "Push Client route" setting.
Push Client route Default Gateway
This will push "redirect-gateway def1" to all clients, meaning that all traffic from the clients is redirected to your Server.
Servers Subnet can be used if you only want to reach your home network and not direct other traffic via the Server, this will only push a route to the Servers subnet.
None will not push any route, you can manually push a route e.g. to another of your Servers subnet by adding in the Additional config: push "route <mysubnet/mynetmask> vpn_gateway" _________________ Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399 Install guide R7800/XR500:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614 Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
Last edited by egc on Thu Aug 11, 2022 14:23; edited 1 time in total
By default, the router does NOT block anything coming in from the OpenVPN server's network interface (tun2).
Code:
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * vlan2 0.0.0.0/0 10.0.0.0/8 state NEW
0 0 DROP all -- * vlan2 0.0.0.0/0 172.16.0.0/12 state NEW
0 0 DROP all -- * vlan2 0.0.0.0/0 192.168.0.0/16 state NEW
0 0 ACCEPT all -- vlan2 * 192.168.61.0/24 0.0.0.0/0 state NEW
0 0 ACCEPT all -- tun2 * 0.0.0.0/0 0.0.0.0/0
...
If you want/need such blocking/filtering, you'll need to add appropriate firewall rules.
Code:
# deny access to all but IoT network on br1 (192.168.2.0/24)
iptables -I FORWARD -i tun2 ! -d 192.168.2.0/24 -j REJECT
or
Code:
# deny access to all but IoT network on br1 (192.168.2.0/24)
iptables -I FORWARD -i tun2 ! -o br1 -j REJECT
Are you saying you added that manually to the Additional Config?
The first question is are you using your OpenVPN client (e.g. your phone) only to view your IoT subnet or are you also wanting to use it to surf the internet via your home?
Second question, is only routing from the first question enough or are you having OpenVPN clients you do not trust and want to actively block those untrusted OpenVPN clients from reaching parts of your home net, in that case you have to use firewall rules to block.
To give you a head start below a quote from the OpenVPN server setup guide about the "Push Client route" setting.
Push Client route Default Gateway
This will push "redirect-gateway def1" to all clients, meaning that all traffic from the clients is redirected to your Server.
Servers Subnet can be used if you only want to reach your home network and not direct other traffic via the Server, this will only push a route to the Servers subnet.
None will not push any route, you can manually push a route e.g. to another of your Servers subnet by adding in the Additional config: push "route <mysubnet/mynetmask> vpn_gateway"
Hi ecg,
thanks you for your detailed reply.
I use the OpenVPN client on my laptop and also on my Android phone.
I'm the only one person who use the VPN but from years I always use the separation.
And yes also my OpenVPN client use the VPN to surf in internet.
Currently I set "Push Client Route" to Seerver bacause I think to find a place where I can specify the subnet.
What is intended for Server?
I thin I should set it to "None" and add the routes maunally. Is this the best practice?
By default, the router does NOT block anything coming in from the OpenVPN server's network interface (tun2).
Code:
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * vlan2 0.0.0.0/0 10.0.0.0/8 state NEW
0 0 DROP all -- * vlan2 0.0.0.0/0 172.16.0.0/12 state NEW
0 0 DROP all -- * vlan2 0.0.0.0/0 192.168.0.0/16 state NEW
0 0 ACCEPT all -- vlan2 * 192.168.61.0/24 0.0.0.0/0 state NEW
0 0 ACCEPT all -- tun2 * 0.0.0.0/0 0.0.0.0/0
...
If you want/need such blocking/filtering, you'll need to add appropriate firewall rules.
Code:
# deny access to all but IoT network on br1 (192.168.2.0/24)
iptables -I FORWARD -i tun2 ! -d 192.168.2.0/24 -j REJECT
or
Code:
# deny access to all but IoT network on br1 (192.168.2.0/24)
iptables -I FORWARD -i tun2 ! -o br1 -j REJECT
Note, whether you use the redirect-gateway directive (either directly or implicitly via the GUI options as described by @egc), or do or don't push specific routes, that in and of itself does NOT prevent access. That simply determines what is made KNOWN to the client explicitly. Without firewall rules, a remote OpenVPN client could just assume they have access and make the attempt, and it would succeed.
Hi eibgrad,
good point!
To increase security a dfirewall rule must be addes.
In that case, I could use both "Push Client Route" (setting it to none and add manually the route) and firewall rule. Am I right?
Initially I use the ping to check if trough the VPN I can access the br0 (192.168.2.1) and the ping works.
But I noticed the in fact I cannot access the resource on the other brige, for example a NAS.
I made this other tests:
* Using only the additional commands push "route 192.168.10.0 255.255.255.0 vpn_gateway" with Push Client Route set to "Server Subnet", I can reach everythin on br0 (192.168.2.0/24).
* Using the firewall rule iptables -I FORWARD -i tun2 ! -o br0 -j REJECT, I can ping device on br0 but when I try to (for example) open the webpage of the NAS, it is rejected.
* I also noticed that if I use the push route ""route 192.168.10.0/24 255.255.255.0 vpn_gateway"" using the notation /24 and I set the firewall rule, I cannot reach the device on 192.168.10.0.
* I also can reach my NAS via explorer usign its address on 192.168.2.25.
Joined: 18 Mar 2014 Posts: 12889 Location: Netherlands
Posted: Fri Aug 12, 2022 10:20 Post subject:
I am a bit confused, I wanted to establish two things hence my two questions.
The first one is which routes are necessary, I asked if you wanted to use the VPN for internet access, you said yes in that case just push the default route, meaning all traffic will go over the VPN also internet traffic (and of course also traffic to 192.168.x.x)
So no need to push any other route
BTW the right way to push a route is:
push "route 192.168.10.0 255.255.255.0 vpn_gateway"
(the vpn_gateway is default and can be omitted)
Second do you need to shield the rest of your network, if it is only you using I would not bother, of course you can and then the rules of @eibgrad will shield the rest of your network (also your NAS probably as I would not assume you have your NAS on your untrusted ioT network)
I am a bit confused, I wanted to establish two things hence my two questions.
The first one is which routes are necessary, I asked if you wanted to use the VPN for internet access, you said yes in that case just push the default route, meaning all traffic will go over the VPN also internet traffic (and of course also traffic to 192.168.x.x)
So no need to push any other route
BTW the right way to push a route is:
push "route 192.168.10.0 255.255.255.0 vpn_gateway"
(the vpn_gateway is default and can be omitted)
Second do you need to shield the rest of your network, if it is only you using I would not bother, of course you can and then the rules of @eibgrad will shield the rest of your network (also your NAS probably as I would not assume you have your NAS on your untrusted ioT network)
As always testing has to be done from outside so with your phone on cellular
Hi ecg,
sorry I made a little confusion.
I always test the VPN using my laptop and the thetering from my phone (disabling the wifi becaus I saw that the phone remains connected to the Homw WiFi).
You are right about the fact that I want my VPN client to access internet from the WAN.
And also I want to give access to br1 (192.168.10.0/24) to my VPN client.
I fixex the Push route as you told me (push "route 192.168.10.0 255.255.255.0 vpn_gateway").
So to allow VPN client to reach internet from the WAN, Should I set "Push Client Route2 to "Default Gateway"?
Joined: 18 Mar 2014 Posts: 12889 Location: Netherlands
Posted: Sat Aug 13, 2022 10:01 Post subject:
The question is how do you want to reach the internet from your VPN client.
Do you want to reach the internet via your home so via the VPN then push default route.
Do you want to reach the internet via the WAN of your VPN client so not via the VPN to your home and only want to reach your br1 then choose in the GUI "None" and manually push the route by adding in the OpenVPN servers Additional config:
push "route 192.168.10.0 255.255.255.0 vpn_gateway" _________________ Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399 Install guide R7800/XR500:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614 Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
I made the other test (Push Default Route + Additional config) and unfortunately the VPN client cannot access to internet. I can reach the br1 network (br0 is blocked) but no internet for the client.
I also use a PiHole as DHCP for br0 and VPN Client using the command:
Code:
interface=tun2
in the Dnsmasq Infrastructure.
Is it possible that the firewall rule block internet access?
