[uvz123a]

DD-WRT v3.0-r52369 std (c) 2023 NewMedia-NET GmbH
Release: 04/20/23
Board: Linksys WRT3200ACM

I have two VPN subnets configured as server:
* first with internet access (Kill Switch=Disabled, Allow Clients WAN Access=Enabled)
* the second without internet (Kill Switch=Enabled, Allow Clients WAN Access=Disabled)

I have noticed that on oet2 with Kill Switch=Enabled also blocks WAN traffic on oet1 with Kill Switch=Disabled. If I want the internet access on oet1, than Kill Switch in oet2 must be Disabled.

Is this normal behavior?
I have read the manual but I couldn't figure out the difference between Kill Switch and Allow Clients WAN Access. Could somebody explain this to me?
Thanks.

[egc]

[Alozaros]

lol this thread feels like dejavoo, as i read it couple of hours ago...and rubbed my eye's and read it again and again it was different...anyway just to ask if the Wireguard and OpenVPN kill switches are made by the same guy...

if im not wrong eibgrad made one for the VPN back in the days...and i was just using a single line for quite long time instead (egc way) assumed br0 is your default bridge..

iptables -I FORWARD -i br0 -o $(get_wanface) -m state --state NEW -j REJECT --reject-with icmp-host-prohibited

could be tailored like that to be less specific..but..not ideal

iptables -I FORWARD -o $(get_wanface) -m state --state NEW -j REJECT --reject-with icmp-host-prohibited

and there ware lot of other examples..but when it went to PBR, than GUI killswitch was introduced..

but the old way was like that

WAN_IF="$(ip route | awk '/^default/{print $NF}')"
for i in br0 ath1.1 br1; do
iptables -I FORWARD -i $i -o $WAN_IF -j REJECT --reject-with icmp-host-prohibited
iptables -I FORWARD -i $i -p tcp -o $WAN_IF -j REJECT --reject-with tcp-reset
iptables -I FORWARD -i $i -p udp -o $WAN_IF -j REJECT
done

and you can adjust it towards your needs...

[uvz123a]

Thanks for reply.

I want to isolate VPN subnet form the rest of the network. Only VPN clients of that subnet can communicate to each other.

I have managed to write those commands:
iptables -I FORWARD -i oet2 -j DROP
iptables -I FORWARD -o oet2 -j DROP
iptables -I FORWARD -s $(nvram get oet2_ipaddrmask) -d $(nvram get oet2_ipaddrmask) -j ACCEPT

But I am not completely satisfied... gateways of other subnets are still reachable (eg. DDWRT GUI on 192.168.1.1).

How would you write the iptables commands for this problem?
What is the best practice to achieve that?

[uvz123a]

Anybody?

[egc]

Not sure what you want, you mention two VPN subnets, do you have two WireGuard tunnels or do you have two subnets on your routers which you want to route?

[uvz123a]

Thanks for reply that I wasn't clear enough. I will try to explain a bit more.

I have two Wireguard tunnels (of course on different subnets) and they are configured independently. First tunnel is not subject of this topic.

I am just asking for the second tunnel, how to achieve total isolation from the rest of the network. Like it is the switch (without WAN connection) in the locked room with some computers. Computers can communicate to each other, but can not communicate outside tunnel. Also other devices outside this tunnel/subnet can not reach devices/computers in that tunnel.

[egc]

The WireGuard tunnels indeed have different subnets otherwise it could not work.
I assume you have PBR running on both tunnels to differentiate which clients uses which tunnel.

It looks like you want to separate LAN clients from each other for this you have to research how to setup a Guest/IoT network on your router.
Lots of threads/wiki's available.