Disable "Bypass LAN Same-Origin Policy"; your LAN clients should have their own firewall, which can/should block access from all non-local subnets, e.g. it should block the OVPN server's subnet as that is not their own local subnet.
In this case I should assign an IP to each client in order to make the firewall rules. Am I right?
You can set access rules on the local LAN clients either to allow just one client, e.g. 10.8.0.254/32, or to allow the whole subnet 10.8.0.0/24.
Alternatively, set MASQUERADING rules on the router per VPN client for a specific destination.
That is a kind of specific "Bypass LAN Same-Origin Policy".
Joined: 18 Mar 2014 Posts: 12507 Location: Netherlands
Posted: Thu Sep 28, 2023 7:04 Post subject:
In the GUI, if you have "Push Client route" set to "Default Gateway", then there is no need to push additional routes.
To restrict access you can do one of two things:
1. Disable Bypass LAN Same-Origin Policy and then rely on the firewall of the LAN clients to stop traffic from the VPN; normally, well set-up LAN clients will only accept traffic from the local subnet and not from the VPN subnet.
2. If you are not sure, or want to make sure that VPN traffic is forwarded to only one LAN client, you have to use a firewall rule on the router.
Normally all traffic from the VPN is allowed to be forwarded, so you first have to stop that and then allow only the one LAN client you want.
I have not tested it, so there might be typos or it might not apply to your situation or exact wishes, but I hope you get the idea.
Test from the command line and, if it works, go to Administration > Commands and Save as Firewall.
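The two-step rule set ecg describes (first stop all forwarding from the VPN, then allow only the one LAN client), as an added example that is not the rules from the original post. It assumes DD-WRT's OpenVPN server interface is tun2, uses the 10.8.0.0/24 VPN subnet from the thread, and uses a constructed bastion address 192.168.10.10; it also adds a check that the ACCEPT rule really sits above the DROP.

```shell
#!/bin/sh
# Added example, not the rules ecg posted. Assumptions (not in the thread):
# the DD-WRT OpenVPN server interface is tun2 and the bastion PC is
# 192.168.10.10 (constructed address). Override via the environment.
VPN_IF="${VPN_IF:-tun2}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"   # VPN subnet from the thread
BASTION="${BASTION:-192.168.10.10}"
IPT="${IPT:-iptables}"              # set IPT=echo for a dry run

# Rules in the order they are applied. Each is inserted at the top of
# FORWARD, so the last one printed ends up first in the chain:
#   1. drop everything arriving from the VPN subnet
#   2. allow the VPN subnet to reach the bastion only
#   3. allow replies to connections the LAN side started
vpn_forward_rules() {
    cat <<EOF
-I FORWARD -i $VPN_IF -s $VPN_NET -j DROP
-I FORWARD -i $VPN_IF -s $VPN_NET -d $BASTION -j ACCEPT
-I FORWARD -i $VPN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Apply the rules; stops at the first iptables error.
apply_vpn_forward_rules() {
    vpn_forward_rules | while read -r rule; do
        # shellcheck disable=SC2086  # word splitting is intended here
        $IPT $rule || exit 1
    done
}

# Check an `iptables -S FORWARD` listing (read from stdin): the bastion
# ACCEPT must come before the catch-all DROP, otherwise it never matches.
# Returns 0 when the order is right.
check_rule_order() {
    awk -v vif="$VPN_IF" -v bastion="$BASTION" '
        $0 ~ ("-i " vif) && $0 ~ ("-d " bastion) && / -j ACCEPT/ && !acc { acc = NR }
        $0 ~ ("-i " vif) && / -j DROP/ && !drp { drp = NR }
        END { exit !(acc && drp && acc < drp) }'
}

# Run as "sh thisscript.sh apply" on the router, then save it as Firewall.
case "${1:-}" in
    apply) apply_vpn_forward_rules && "$IPT" -S FORWARD | check_rule_order ;;
esac
```

Run it once with `IPT=echo` to see the exact iptables commands before applying them on the router.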
Hi ecg,
thank you for your help!
It works!
From VPN I can reach only my "bastion" PC.
This is what I did:
- I left "Push Client Route" at Server Subnet in order to push 192.168.10.x to the VPN.
Could this be disabled if I set up the forwarding rule?
- "Bypass LAN Same-Origin Policy" is Enabled. I don't understand its meaning.
Joined: 18 Mar 2014 Posts: 12507 Location: Netherlands
Posted: Tue Oct 03, 2023 16:19 Post subject:
Fedex03 wrote:
Hi ecg,
thank you for your help!
It works!
From VPN I can reach only my "bastion" PC.
This is what I did:
- I left "Push Client Route" at Server Subnet in order to push 192.168.10.x to the VPN.
Could this be disabled if I set up the forwarding rule?
- "Bypass LAN Same-Origin Policy" is Enabled. I don't understand its meaning.
- I added the rules you told me.
Is there something I should modify?
Thank you for your help! Very appreciated!
You either push Default Gateway, which means your client uses the VPN for all of its traffic, or you push Server Subnet, meaning you only route traffic over the VPN when you want to connect to your server (or NAS, in your case) and the VPN client uses the normal route for all other traffic.
The choice is yours.
The explanation, also about "Bypass LAN Same-Origin Policy", is in the Server setup guide.
If it works and you are satisfied you do not have to change anything.