[Solved] Allow VPN client to reach only PC

Post new topic   Reply to topic    DD-WRT Forum Index -> Advanced Networking
Author Message
Fedex03
DD-WRT User


Joined: 18 Nov 2010
Posts: 89
Location: Italy

PostPosted: Sun Sep 10, 2023 17:31    Post subject: [Solved] Allow VPN client to reach only PC Reply with quote
Hi there,

I have an OpenVPN server with several clients.
Each client can reach every service on br1 (included ddwrt interface).

I assigned a static IP to one of these clients and I would like to grant access to only one PC on a specific port the RDP (remote desktops) port.

Can someone help me with the iptable rules?

Thank you in advance!


Last edited by Fedex03 on Fri Oct 06, 2023 6:20; edited 1 time in total
Sponsor
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12781
Location: Netherlands

PostPosted: Mon Sep 11, 2023 7:03    Post subject: Reply with quote
Disable "Bypass LAN Same-Origin Policy" your LAN clients should have their own firewall which can/should block access from all non local subnets e.g. it should block the OVPN servers subnet as that is not their own local subnet.
_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
Fedex03
DD-WRT User


Joined: 18 Nov 2010
Posts: 89
Location: Italy

PostPosted: Mon Sep 11, 2023 15:23    Post subject: Reply with quote
egc wrote:
Disable "Bypass LAN Same-Origin Policy" your LAN clients should have their own firewall which can/should block access from all non local subnets e.g. it should block the OVPN servers subnet as that is not their own local subnet.


In these case I should assign an IP to each client in order to make the firewall rules. Am I rigth?

Thank you
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12781
Location: Netherlands

PostPosted: Mon Sep 11, 2023 15:51    Post subject: Reply with quote
You can set access rules on the local lan clients either to allow just one client e.g.10.8.0.254/32 or allow the whole subnet 10.8.0.0/24.

Alternatively set MASQUERADING rules on the router per vpn client for a specific destination.
That is a kind of specific "Bypass LAN Same-Origin Policy"

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
Fedex03
DD-WRT User


Joined: 18 Nov 2010
Posts: 89
Location: Italy

PostPosted: Wed Sep 27, 2023 16:01    Post subject: Reply with quote
egc wrote:
You can set access rules on the local lan clients either to allow just one client e.g.10.8.0.254/32 or allow the whole subnet 10.8.0.0/24.

Alternatively set MASQUERADING rules on the router per vpn client for a specific destination.
That is a kind of specific "Bypass LAN Same-Origin Policy"


Hi ecg,

in my additional config of VPN Server, I added:

Code:
push "route 192.168.10.0 255.255.255.0 vpn_gateway"


to allow VPN Client to reach all br1 interface.

So if I would like to reach only one PC (on br1), I should:

1) remove the previous routing rule,
2) Disable Bypass LAN Same-Origin Policy
3) Add a rule for each VPN client.


So to allow only RDP client for a specific client, I can add this iptable to my Firewall settings:

Code:
iptables -I FORWARD -i 10.8.0.240 -o br1 -p tcp -d 192.168.10.10 --dport 3389 -j ACCEPT


Is this rule correct?

Thank you![/list][/code][/quote]
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12781
Location: Netherlands

PostPosted: Thu Sep 28, 2023 7:04    Post subject: Reply with quote
In the GUI if you have: "Push Client route" set to "Default Gateway" then there is no need to push additional routes.

To restrict access you can do one of two things:
1. Disable Bypass LAN Same-Origin Policy and then rely on the firewall of the LAN clients to stop traffic of the VPN, normally well setup LAN clients will only accept traffic from the local subnet and not from the VPN subnet

2. If you are not sure or want to make sure only VPN traffic is forwarded to only one lan client you have to use a firewall rule on the router.
Normally all traffic form the VPN is allowed to be forwarded so you first have to stop that and then allow only the one LAN client you want
Code:
iptables -I FORWARD -i tun2 -j REJECT
iptables -I FORWARD -i tun2 -p tcp -d 192.168.10.10 --dport 3389 -j ACCEPT


I have not tested it so there might be typos or it does not apply to your situation or exact wishes but I hope you get the idea Smile

Test from command line and if it works Administration > Commands and Save as Firewall

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
Fedex03
DD-WRT User


Joined: 18 Nov 2010
Posts: 89
Location: Italy

PostPosted: Tue Oct 03, 2023 15:30    Post subject: Reply with quote
egc wrote:
In the GUI if you have: "Push Client route" set to "Default Gateway" then there is no need to push additional routes.

To restrict access you can do one of two things:
1. Disable Bypass LAN Same-Origin Policy and then rely on the firewall of the LAN clients to stop traffic of the VPN, normally well setup LAN clients will only accept traffic from the local subnet and not from the VPN subnet

2. If you are not sure or want to make sure only VPN traffic is forwarded to only one lan client you have to use a firewall rule on the router.
Normally all traffic form the VPN is allowed to be forwarded so you first have to stop that and then allow only the one LAN client you want
Code:
iptables -I FORWARD -i tun2 -j REJECT
iptables -I FORWARD -i tun2 -p tcp -d 192.168.10.10 --dport 3389 -j ACCEPT


I have not tested it so there might be typos or it does not apply to your situation or exact wishes but I hope you get the idea Smile

Test from command line and if it works Administration > Commands and Save as Firewall


Hi ecg,

thank you for your help!

It works!
From VPN I can reach only my "bastion" PC.


This is what I did:
- I left "Push Client Route" to Server Subnet in order to push 192.168.10.x to the VPN.
This could be disable if I set up the forwarding rule?

- "Bypass LAN Same-Origin Policy" is Enable. I don't understant its meaning.

- I added the rules you told me.

Is there someting I should modify?

Thank you for your help! Very appreciated!
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12781
Location: Netherlands

PostPosted: Tue Oct 03, 2023 16:19    Post subject: Reply with quote
Fedex03 wrote:


Hi ecg,

thank you for your help!

It works!
From VPN I can reach only my "bastion" PC.


This is what I did:
- I left "Push Client Route" to Server Subnet in order to push 192.168.10.x to the VPN.
This could be disable if I set up the forwarding rule?

- "Bypass LAN Same-Origin Policy" is Enable. I don't understant its meaning.

- I added the rules you told me.

Is there someting I should modify?

Thank you for your help! Very appreciated!


You either push default default gateway, which means your client uses the VPN for all of its traffic or you push Servers Subnet meaning you only route VPN traffic when you want to connect to your server or NAS in your case and the VPN client uses the normal route for all other traffic.
The choice is yours.

Explanation is in the Server setup guide also about "Bypass LAN Same-Origin Policy"

If it works and you are satisfied you do not have to change anything.

Please mark the thread as Solved Smile

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
Fedex03
DD-WRT User


Joined: 18 Nov 2010
Posts: 89
Location: Italy

PostPosted: Fri Oct 06, 2023 6:23    Post subject: Reply with quote
Hi @ @ecg,

I read you guide again and now the "Bypass LAN Same-Origin Policy" is clear!

I think I keep it enabled and I use the firewall rule. I just wanto to avoid to deal with windows firewall rules (to accept connection from VPN).

Thank you for your help!
Display posts from previous:    Page 1 of 1
Post new topic   Reply to topic    DD-WRT Forum Index -> Advanced Networking All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum