Posted: Thu Aug 29, 2019 14:20 Post subject: Client connectivity 1 through VPN 1 not through vpn
Quick question regarding OpenVPN on DD-WRT. I recently set up a system in my house where I have one router connected to a modem, and the router is running DD-WRT with OpenVPN with only specific IPs going through the VPN. I have my NAS connected to a separate router (in access point mode) which has a static IP outside the IP range which is going through the VPN. In addition I have a computer which is connected to the VPN and has a static IP. All are under the same subnet.
My question is, as I can still see my NAS (not connected to the VPN) under my network tab in Windows from my computer (which is connected to the VPN), is my computer's traffic still protected? I thought that since one client has an IP which is going through the VPN and the other client is not going through the VPN, then they shouldn't be able to talk to each other, right? Or am I wrong since they are under the same subnet?
Joined: 18 Mar 2014 Posts: 12887 Location: Netherlands
Posted: Thu Aug 29, 2019 15:25 Post subject:
You are wrong
Traffic from your PC goes to the router and the router knows where the NAS is because it has a local route to its own subnet (and to the next hop)
(you must be using something else than the standard DD-WRT PBR, because the local routes are not present in the PBR routing table)
However if the VPN goes down you are no longer protected unless you implement a kill switch
You live and learn lol, right?
When you say that I must be using something else than the standard DD-WRT PBR because the local routes are not present in the PBR routing table, what do you mean by it? I was able to get the PBR going via the instructions found here https://www.jeremybarr.ca/blog/2015/07/30/using-vpn-ip-range-ddwrt.
I do have a VPN kill switch via this command:
iptables -I FORWARD -s 192.168.1.64/26 -o $(nvram get wan_iface) -m state --state NEW -j REJECT
But in the end, am I protected based on how I currently have my network setup?
Joined: 18 Mar 2014 Posts: 12887 Location: Netherlands
Posted: Sat Aug 31, 2019 15:47 Post subject:
llFawkes17ll wrote:
egc wrote:
You are wrong
Traffic from your PC goes to the router and the router knows where the NAS is because it has a local route to its own subnet (and to the next hop)
(you must be using something else than the standard DD-WRT PBR, because the local routes are not present in the PBR routing table)
However if the VPN goes down you are no longer protected unless you implement a kill switch
You live and learn lol, right?
When you say that I must be using something else than the standard DD-WRT PBR because the local routes are not present in the PBR routing table, what do you mean by it? I was able to get the PBR going via the instructions found here https://www.jeremybarr.ca/blog/2015/07/30/using-vpn-ip-range-ddwrt.
I do have a VPN kill switch via this command:
iptables -I FORWARD -s 192.168.1.64/26 -o $(nvram get wan_iface) -m state --state NEW -j REJECT
But in the end, am I protected based on how I currently have my network setup?
Kill switch is fine, blocking the following IP range: 64-127
You are using the standard PBR from DD-WRT (probably entered 192.168.1.64/26 in the PBR field).
The alternate routing table usually does not have local routes, so you might have trouble finding devices on the local network for clients in the PBR range.
For an explanation see my signature at the bottom of this post: "simple PBR script". There are two solutions; the easiest is to use the table-fix script from @eibgrad, see: https://pastebin.com/YwnHLqaa
Or use my script for PBR
Is my computer, which is in the PBR but still (somehow lol) has access to my NAS which is outside the PBR, protected when the VPN is on?
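Added example (not code from the thread or from DD-WRT): a small POSIX shell script that models the two points made above, so the behaviour can be reasoned about offline. It works out which LAN hosts the 192.168.1.64/26 kill-switch range covers, checks whether a given routing table carries a connected route for the LAN (the "local route" egc refers to, which the alternate PBR table normally lacks until a table-fix copies it in), and evaluates the FORWARD rule from the thread against a source address and egress interface. The routing-table dumps, the addresses 203.0.113.1 and 10.8.0.x, and the interface names eth0, tun1 and br0 are all constructed for the example; nothing here calls ip, iptables or nvram.

```shell
#!/bin/sh
# Added example, not from the thread. All table dumps below are constructed
# to look like "ip route show table <name>" output on a DD-WRT box.

# Main table: WAN default route plus the kernel's connected route for the LAN.
MAIN_TABLE='default via 203.0.113.1 dev eth0
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1
10.8.0.0/24 dev tun1 proto kernel scope link src 10.8.0.2'

# Alternate PBR table as the stock PBR leaves it: only a default via the tunnel,
# no connected route for 192.168.1.0/24.
PBR_TABLE='default via 10.8.0.1 dev tun1'

# Same table after a table-fix step copied the connected routes from main.
PBR_TABLE_FIXED='default via 10.8.0.1 dev tun1
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1'

# ip4_to_int DOTTED: dotted quad -> 32-bit integer
ip4_to_int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip4 INT: 32-bit integer -> dotted quad
int_to_ip4() {
  printf '%d.%d.%d.%d\n' $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) \
                          $(( ($1 >> 8) & 255 ))  $(( $1 & 255 ))
}

# in_cidr IP CIDR: succeed if IP lies inside CIDR
in_cidr() {
  ip=$(ip4_to_int "$1")
  net=$(ip4_to_int "${2%/*}")
  bits=${2#*/}
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# cidr_range CIDR: print "first-last" address of the block, e.g. .64 to .127
cidr_range() {
  net=$(ip4_to_int "${1%/*}")
  bits=${1#*/}
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  first=$(( net & mask ))
  last=$(( first | (~mask & 0xFFFFFFFF) ))
  printf '%s-%s\n' "$(int_to_ip4 "$first")" "$(int_to_ip4 "$last")"
}

# table_has_local_route TABLE_TEXT SUBNET: succeed if the table carries a
# connected ("scope link") route for SUBNET, which is what lets a client
# whose lookups hit that table find devices on its own LAN.
table_has_local_route() {
  printf '%s\n' "$1" | awk -v s="$2" '$1 == s && /scope link/ { found = 1 }
                                      END { exit !found }'
}

# lookup_for_client CLIENT_IP PBR_CIDR PBR_TABLE MAIN_TABLE LAN_SUBNET
# Prints which table answers for the client and whether the LAN is reachable
# through it: "main", "pbr" or "pbr-missing-local".
lookup_for_client() {
  client=$1 pbr_cidr=$2 pbr_table=$3 main_table=$4 lan=$5
  if in_cidr "$client" "$pbr_cidr"; then
    if table_has_local_route "$pbr_table" "$lan"; then echo pbr; else echo pbr-missing-local; fi
  else
    if table_has_local_route "$main_table" "$lan"; then echo main; else echo main-missing-local; fi
  fi
}

# kill_switch_verdict SRC_IP OUT_IFACE PBR_CIDR WAN_IFACE
# Models the thread's rule
#   iptables -I FORWARD -s <PBR_CIDR> -o <wan_iface> -m state --state NEW -j REJECT
# for a NEW forwarded connection: a PBR client whose packet would leave via the
# WAN interface (tunnel down, default route fell back to WAN) is rejected;
# traffic to the LAN leaves via br0, so the rule never touches it.
kill_switch_verdict() {
  if in_cidr "$1" "$3" && [ "$2" = "$4" ]; then echo REJECT; else echo ACCEPT; fi
}

# Walk-through for the thread's setup: PC in the PBR range, NAS outside it.
echo "kill switch covers: $(cidr_range 192.168.1.64/26)"
echo "PC via stock PBR table:  $(lookup_for_client 192.168.1.100 192.168.1.64/26 "$PBR_TABLE" "$MAIN_TABLE" 192.168.1.0/24)"
echo "PC via fixed PBR table:  $(lookup_for_client 192.168.1.100 192.168.1.64/26 "$PBR_TABLE_FIXED" "$MAIN_TABLE" 192.168.1.0/24)"
echo "PC -> NAS via br0, tunnel irrelevant: $(kill_switch_verdict 192.168.1.100 br0 192.168.1.64/26 eth0)"
echo "PC -> WAN with tunnel down:           $(kill_switch_verdict 192.168.1.100 eth0 192.168.1.64/26 eth0)"
```

The walk-through shows why the OP's observation and egc's answer agree: with the stock alternate table the PC's lookups for 192.168.1.0/24 fall through to the main table's connected route (or fail if the table is strictly isolated), the table-fix restores that route inside the PBR table, and in neither case does LAN traffic leave through the WAN interface, so the kill switch neither blocks it nor needs to.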