asus rt-ac56r openvpn server allow internet only


Bob Wu

Occasional Visitor
I'm new to networking and trying to set up an OpenVPN server which allows two VPN clients, one user to access both WAN and LAN, and the other WAN only. With Martin's help on the Asus wireless forum, I've figured out a solution to do this using static IP. My LAN subnet is 10.0.0.0/24 and VPN subnet is 10.8.0.0/24. Here is my solution so far,
1. Use the Merlin firmware web GUI to set up OpenVPN server 1 with "internet and local network" access, and add the following custom configuration,
Code:
script-security 2
--client-connect "/bin/sh /jffs/scripts/onconnect.sh"
--client-disconnect "/bin/sh /jffs/scripts/ondisconnect.sh"
--client-config-dir /jffs/scripts/ccd
2. In the /jffs/scripts/ccd directory, create user1 and user2 files to assign a specific IP to each user
Code:
cat user1
ifconfig-push 10.8.0.2 255.255.255.0

cat user2
ifconfig-push 10.8.0.252 255.255.255.0
3. When user2 connects, add a firewall rule in onconnect.sh to block LAN access
Code:
cat onconnect.sh
...
if [ "$common_name" = "user2" ]; then
    #WAN only clients, adding firewall rules to block LAN access
    iptables -D OVPN -i tun21 -s 10.8.0.252/30 -o br0 -j DROP
    iptables -I OVPN -i tun21 -s 10.8.0.252/30 -o br0 -j DROP
fi
...
After the change, firewall rules look like,
Code:
iptables -S | grep tun
-A OVPN -s 10.8.0.252/30 -i tun21 -o br0 -j DROP
-A OVPN -i tun21 -j ACCEPT
-A other2wan -i tun+ -j RETURN
4. No change to the routes, and it looks like
Code:
route
...
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.0        *               255.255.255.0   U     0      0        0 br0
10.8.0.0        *               255.255.255.0   U     0      0        0 tun21

I've tested and this solution works well. Hopefully someone here can help me to improve the solution,
a. How do I achieve my goal using different subnets, say 10.9.0.0/24, rather than specific IP 10.8.0.252 for user2? When I tried this with ccd/user2 file "ifconfig-push 10.9.0.2 255.255.255.0", I couldn't access LAN or WAN even before step 3.
b. on client side it still has the route "10.0.0.0/24 -> 10.8.0.1 dev tun0". How do I stop pushing it to client side w/o changing the other routes such as "default -> 10.8.0.1 dev tun0"?
c. Any other bugs/improvement you can think of in the solution above?

Thanks a lot!
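As an added example (not the original poster's script), here is one client-connect/client-disconnect handler that implements steps 1 to 3 above for any number of WAN-only users, removes the rule again on disconnect, and matches each client as a /32 so only that address is blocked. It assumes the tun21/br0/OVPN names from the post, that WAN-only common names are listed in WAN_ONLY, and that OpenVPN's exported `script_type`, `common_name` and `ifconfig_pool_remote_ip` variables are available, so the same file can be installed as both onconnect.sh and ondisconnect.sh.

```shell
#!/bin/sh
# Added example: per-client LAN block for the Merlin OpenVPN server (not from the post).
# OpenVPN exports script_type, common_name and ifconfig_pool_remote_ip to
# --client-connect / --client-disconnect scripts; the rest is assumed.
WAN_ONLY="user2 user3"      # constructed list of WAN-only common names
IPT="${IPT:-iptables}"      # set IPT=echo to print the rules instead of applying them

# Return 0 if the common name is in the WAN-only list
is_wan_only() {
  for n in $WAN_ONLY; do
    [ "$n" = "$1" ] && return 0
  done
  return 1
}

# Rule body for one client: /32 so exactly that client address is blocked
lan_block_rule() {
  echo "OVPN -i tun21 -s $1/32 -o br0 -j DROP"
}

# $1 = add|del, $2 = client tunnel IP. Delete first so repeated connects
# (reconnects, a client-connect script run twice) never stack duplicate rules.
apply_rule() {
  rule=$(lan_block_rule "$2")
  $IPT -D $rule 2>/dev/null || true
  if [ "$1" = add ]; then
    $IPT -I $rule
  fi
}

# $1 = connect|disconnect, $2 = common_name, $3 = client tunnel IP
handle_event() {
  is_wan_only "$2" || return 0     # LAN+WAN users need no rule
  case "$1" in
    connect)    apply_rule add "$3" ;;
    disconnect) apply_rule del "$3" ;;
  esac
}

# Dispatch on the hook OpenVPN is running us from
case "$script_type" in
  client-connect)    handle_event connect    "$common_name" "$ifconfig_pool_remote_ip" ;;
  client-disconnect) handle_event disconnect "$common_name" "$ifconfig_pool_remote_ip" ;;
esac
```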
a. How do I achieve my goal using different subnets, say 10.9.0.0/24, rather than specific IP 10.8.0.252 for user2? When I tried this with ccd/user2 file "ifconfig-push 10.9.0.2 255.255.255.0", I couldn't access LAN or WAN even before step 3.
/ccd/user2
Code:
ifconfig-push 10.9.0.2 255.255.255.0
push "route 10.9.0.2 255.255.255.0"
b. on client side it still has the route "10.0.0.0/24 -> 10.8.0.1 dev tun0". How do I stop pushing it to client side w/o changing the other routes such as "default -> 10.8.0.1 dev tun0"?
/ccd/user2
Code:
push-remove 'route 10.0.0.0'
NOTE: I believe the client side could still re-add the removed route anyway? o_O
c. Any other bugs/improvement you can think of in the solution above?
The CIDR notation 10.8.0.252/30 actually covers four IP addresses (.252, .253, .254 and .255). Did you mean a single IP? If so, then it should be 10.8.0.252/32
a. I did what you suggested but the VPN client still can't ping either LAN or WAN, even before step 3. I had to manually add the route "default -> 10.9.0.1" on the client side to make it work. How do I push this default gateway to the client side?
b. yes, that push-remove thing works! Client can definitely add it back, but not everyone knows it:)
c. that was intentional, as I plan to create 4 WAN only users.
d. I have the "Advertise DNS to clients" option enabled; however, when I do "nmcli device show tun0|grep DNS" on the VPN client, it returns nothing
e. I noticed that on the VPN client I have two default gateways,
Code:
default->10.8.0.1 metric=50 dev=tun0
default->client's own ISP metric=600 dev=wireless0
While this does allow all client internet traffic to go to the VPN server, what will happen if the metric for the client's own ISP gateway is somehow below 50?