Posted: Sat May 08, 2021 20:33 Post subject: Block Guest Wifi access to certain static routes
Hey everyone, hope you're all doing OK.
So I have an R6400v2 on firmware DD-WRT v3.0-r44715.
It is set up to be an OpenVPN Client.
The question I have is not really anything to do with OpenVPN, I don't think, but rather firewall and routing.
At the moment, the setup is as follows:
Code:
Server-side
Router LAN: 10.1.11.1 /// 10.1.11.0/24
VPN Server Box: 10.1.11.222
VPN Server Instance Listening on: 10.19.97.1 /// 10.19.97.0/24
Client Side (My current router)
Router LAN: 10.3.11.1 /// 10.3.11.0/24 (Normal Wifi, Wired Devices use this DHCP Pool)
VPN Client IP: 10.19.97.2 (not static)
"1811 Guest" Network Subnet: 192.168.192.0/24
For value added, I have the following Additional Config for my DD-WRT OpenVPN Client
Code:
#Routes
# SERVER DOESNT NEED ROUTES BACK TO ITSELF
route 10.19.98.0 255.255.255.0
route 10.19.99.0 255.255.255.0
route 10.14.43.0 255.255.255.0
# Server-side LAN Route
route 10.1.11.0 255.255.255.0
#HK Routes
route 10.1.12.0 255.255.255.0
route 10.1.13.0 255.255.255.0
#UK Routes
route 10.2.11.0 255.255.255.0
route 10.2.12.0 255.255.255.0
#AU Routes
route 10.3.12.0 255.255.255.0
connect-retry 10 max
^^^^^^^ I have this stuff because my OpenVPN Server is not configured to redirect-gateway by default. And for some reason, unless the server pushes redirect-gateway by default, pushed routes and pushed DNS do not work for me. This is also a choice I made to dummy-proof the client config, because there is little chance I will be expanding the network anytime soon.
Having manually configured routes forces DD-WRT to automatically create static routes for me in the routing table. For some reason, pushed routes do not do this.
As you can imagine, everything is fine about the VPN setup. My computer (10.3.11.119) can ping server-side machines (10.1.11.56) and vice versa perfectly.
But I want to be able to stop my 1811 Guests Wifi network from accessing ALL VPN resources/routes (please see attached images for the routing table).
I'm not sure how to start approaching this. Any help would be greatly appreciated. Thank you <3
Joined: 18 Mar 2014 Posts: 12915 Location: Netherlands
Posted: Sun May 09, 2021 8:52 Post subject:
Any particular reason why you are stuck on 44715?
There have been security fixes to OpenVPN in the latest release, 46446.
What you can try is to simply block access to the VPN interface for all traffic coming from the guest interface e.g.:
Code:
iptables -I FORWARD -i wl0.1 -o tun1 -j REJECT
Assuming that wl0.1 is the interface of the guest wifi and tun1 is the interface of the OVPN client.
Test from the CLI and, if it works, add it under Administration/Commands and Save Firewall.
Not really, I just haven't had time to update yet. People are using the internet.
Quote:
iptables -I FORWARD -i wl0.1 -o tun1 -j REJECT
Thanks for this, I'll give it a go and report back later in the evening to let you know how it works. I think I understand what this is doing a little better now, though; sometimes you just need to ask a question and have a pro give you an example before you get it.
Quote:
Furthermore, your Gateway and Local DNS seem wrong; for normal gateway mode leave both at their default 0.0.0.0.
I think this was an old habit from when I was very young learning to set up my own network devices (my family doesn't know much about this stuff)
I remember back in the day with the old TP-Link or Linksys routers they would already input the router IP itself as DNS and gateway.
Also, if you do ipconfig in the Windows cmd prompt it says that too.
I understand now that those fields on DD-WRT are supposed to be for when you have a different dedicated device for DNS/gateway, but I guess I just never thought about it because... well... the internet still works. But thanks for pointing that out!
But... another quick question...
What does Masquerade/NAT actually do on my 1811 Guests Virtual AP? (See pic.)
Many guides say to enable this for internet access, but for some reason when I tried both Enable and Disable my internet still works. Now I know this isn't really important as long as it works, but I just want to know what it is doing behind the scenes, to learn more and try to understand more about networking.
I know Masquerade/NAT just means "one to many", as in you have multiple IPs behind a single device, but I don't understand what it is doing in the context of the Virtual AP and setting up a guest network... How would you explain it?
Posted: Sun May 09, 2021 10:15 Post subject:
Normal traffic is NATted out via the WAN interface.
Most firmwares just NAT all local traffic out via the WAN; DD-WRT, however, only NATs its own local subnet out.
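Putting the REJECT rule from the earlier reply together with the NAT point made here, as an added example that is not code from the thread or from DD-WRT: a Save Firewall script that (1) keeps the guest VAP out of the OpenVPN tunnel by matching on the outgoing interface, which covers every route the client installs, pushed or manual, and (2) masquerades the guest subnet out of the WAN, which is what the VAP's Masquerade/NAT toggle has to do given that DD-WRT only NATs its own LAN subnet. The interface names wl0.1 and tun1, the eth0 fallback, the `nvram get wan_ifname` lookup and the use of `iptables -C` are assumptions; confirm them on your router with ifconfig and `iptables -L -n -v` before saving.

```shell
#!/bin/sh
# Added example, not from the thread or from DD-WRT: guest-VAP rules for the
# Administration -> Commands -> Save Firewall script on a DD-WRT OpenVPN client.
# Interface names, the subnet and the iptables features used are assumptions.

GUEST_IF="${GUEST_IF:-wl0.1}"               # guest VAP (assumed; if wl0.1 sits in a bridge
                                            # such as br1, forwarded packets ingress on br1
                                            # and that is the name to use here)
VPN_IF="${VPN_IF:-tun1}"                    # OpenVPN client tunnel (assumed)
GUEST_NET="${GUEST_NET:-192.168.192.0/24}"  # "1811 Guest" subnet from the post
WAN_IF="${WAN_IF:-$(nvram get wan_ifname 2>/dev/null || echo eth0)}"  # assumed lookup, eth0 fallback
IPT="${IPT:-iptables}"                      # overridable so the script can be dry-run

# Insert a rule only if an identical one is not already present, so re-running the
# script (DD-WRT re-runs it on firewall restarts) does not stack duplicate rules.
# Assumes the router's iptables understands -C (1.4.11+); older builds must drop the check.
ipt_add() {
    table="$1"; chain="$2"; shift 2
    if ! "$IPT" -t "$table" -C "$chain" "$@" 2>/dev/null; then
        "$IPT" -t "$table" -I "$chain" "$@"
    fi
}

apply_guest_rules() {
    # 1. Guest -> tunnel. REJECT rather than DROP, so guest clients get an ICMP
    #    admin-prohibited answer and fail fast instead of hanging. Matching the
    #    outgoing interface catches every VPN route (pushed or manual) with one rule;
    #    per-destination rules would need one entry per "route" line and miss new ones.
    ipt_add filter FORWARD -i "$GUEST_IF" -o "$VPN_IF" -j REJECT

    # 2. Guest -> internet. DD-WRT only masquerades its own LAN subnet, so an
    #    unbridged VAP needs its own MASQUERADE rule (this is what the VAP's
    #    Masquerade/NAT toggle provides; redundant but harmless if it is enabled).
    ipt_add nat POSTROUTING -s "$GUEST_NET" -o "$WAN_IF" -j MASQUERADE
}

# Dry-run backend: print the insert commands instead of executing them, and
# answer every -C probe with "not present" so each insert is shown.
print_ipt() {
    case "$*" in
        *" -C "*) return 1 ;;
        *)        echo "iptables $*" ;;
    esac
}

# Show what --apply would run, without touching the firewall.
show_guest_rules() {
    IPT=print_ipt
    apply_guest_rules
}

case "${1:-}" in
    --apply)   apply_guest_rules ;;
    --dry-run) show_guest_rules ;;
esac
```

On the router, `sh guest_rules.sh --dry-run` prints the two iptables commands and `sh guest_rules.sh --apply` installs them; for Save Firewall, paste the script and end it with a bare `apply_guest_rules` line, since DD-WRT runs the saved script without arguments. Check the result with `iptables -L FORWARD -n -v` and `iptables -t nat -L POSTROUTING -n -v`: the REJECT line should sit at the top of FORWARD, and its packet counter should climb when a guest client tries to reach a 10.1.x.x address.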
Posted: Sun May 09, 2021 11:55 Post subject: ooooo
Thanks for explaining!
It looks like there are a fair bit of settings that just refuse to apply properly unless the router is rebooted.
I think two days ago when I first set up the VAP guest network it was enabled, and then the internet was working etc.
But then out of curiosity I decided to disable it because I wanted to see what it does, but I did not reboot. It made me think that maybe the option was broken, because it did nothing.
But I just tried it again with a reboot in between and, yup, my internet dies if it's disabled.
I didn't think it would matter for something so small, but oh well! The more you know.
Also,
Code:
iptables -I FORWARD -i wl0.1 -o tun1 -j REJECT
worked beautifully, thank you for that. Though I just quickly applied it while my GF was gaming and she yelled at me for breaking the wifi, lol.
I think I need a break from all this networking stuff! Took me almost 2 weeks to finally settle on a clean OpenVPN server setup on an Ubuntu box that does exactly what I need it to. It's a nice feeling knowing you did it all yourself, y'know? I love being able to ping any computer from anywhere; there's just so many uses for this site-to-site VPN stuff.