I'm new to networking and trying to set up an OpenVPN server which allows two VPN clients, one user to access both WAN and LAN, and the other WAN only. With Martin's help on the Asus wireless forum, I've figured out a solution to do this using static IPs. My LAN subnet is 10.0.0.0/24 and the VPN subnet is 10.8.0.0/24. Here is my solution so far:
1. Use the Merlin firmware web GUI to set up OpenVPN server 1 with "internet and local network" access, and add the following custom configuration:
Code:
script-security 2
--client-connect "/bin/sh /jffs/scripts/onconnect.sh"
--client-disconnect "/bin/sh /jffs/scripts/ondisconnect.sh"
--client-config-dir /jffs/scripts/ccd

2. In the /jffs/scripts/ccd directory, create user1 and user2 files to assign a specific IP to each user:
Code:
cat user1
ifconfig-push 10.8.0.2 255.255.255.0
cat user2
ifconfig-push 10.8.0.252 255.255.255.0

3. When user2 connects, add a firewall rule in onconnect.sh to block LAN access:
Code:
cat onconnect.sh
...
if [ "$common_name" = "user2" ]; then
    # WAN-only client: delete any stale copy first, then insert the rule that blocks LAN access
    iptables -D OVPN -i tun21 -s 10.8.0.252/30 -o br0 -j DROP
    iptables -I OVPN -i tun21 -s 10.8.0.252/30 -o br0 -j DROP
fi
...

After the change, the firewall rules look like:
Code:
iptables -S | grep tun
-A OVPN -s 10.8.0.252/30 -i tun21 -o br0 -j DROP
-A OVPN -i tun21 -j ACCEPT
-A other2wan -i tun+ -j RETURN

4. No change to the routes, which look like:
Code:
route
...
Destination  Gateway  Genmask        Flags Metric Ref Use Iface
10.0.0.0     *        255.255.255.0  U     0      0   0   br0
10.8.0.0     *        255.255.255.0  U     0      0   0   tun21

I've tested this and the solution works well. Hopefully someone here can help me improve it:
a. How do I achieve my goal using a different subnet, say 10.9.0.0/24, rather than the specific IP 10.8.0.252 for user2? When I tried this with the ccd/user2 file "ifconfig-push 10.9.0.2 255.255.255.0", I couldn't access LAN or WAN even before step 3.
b. On the client side it still has the route "10.0.0.0/24 -> 10.8.0.1 dev tun0". How do I stop pushing it to the client side without changing the other routes such as "default -> 10.8.0.1 dev tun0"?
c. Any other bugs/improvements you can think of in the solution above?
Thanks a lot!
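To sanity-check the posted OVPN chain against both client addresses without touching the router, here is an added example (not from the post, the Merlin firmware or OpenVPN) that parses the `iptables -S` lines quoted above and walks them top-down the way the kernel does; the WAN interface name eth0 is an assumption, and the packets it evaluates are constructed.

```python
"""Offline walk of the OVPN forward chain from the post (added example)."""
import ipaddress
import shlex

# The two OVPN lines from the post's `iptables -S | grep tun` output (constructed fixture).
OVPN_RULES = """\
-A OVPN -s 10.8.0.252/30 -i tun21 -o br0 -j DROP
-A OVPN -i tun21 -j ACCEPT
"""


def parse_rule(line):
    """Turn one `iptables -S` line into its match criteria plus target.
    Only the matches present in the posted rules (-s, -i, -o) are understood."""
    toks = shlex.split(line)
    rule = {"chain": None, "src": None, "in": None, "out": None, "target": None}
    for flag, value in zip(toks[0::2], toks[1::2]):
        if flag == "-A":
            rule["chain"] = value
        elif flag == "-s":
            rule["src"] = ipaddress.ip_network(value, strict=False)
        elif flag == "-i":
            rule["in"] = value
        elif flag == "-o":
            rule["out"] = value
        elif flag == "-j":
            rule["target"] = value
    return rule


def iface_match(pattern, iface):
    """No pattern matches anything; a trailing '+' is the iptables wildcard (tun+ matches tun21)."""
    if pattern is None:
        return True
    if pattern.endswith("+"):
        return iface.startswith(pattern[:-1])
    return iface == pattern


def verdict(rules, src, in_if, out_if, default="RETURN"):
    """First matching rule decides; an unmatched packet falls off the end of the chain."""
    src = ipaddress.ip_address(src)
    for r in rules:
        if r["src"] is not None and src not in r["src"]:
            continue
        if iface_match(r["in"], in_if) and iface_match(r["out"], out_if):
            return r["target"]
    return default


RULES = [parse_rule(l) for l in OVPN_RULES.splitlines() if l.strip()]


def lan_allowed(client_ip):
    """Is a packet from this tunnel client forwarded into the LAN bridge br0?"""
    return verdict(RULES, client_ip, "tun21", "br0") == "ACCEPT"


def wan_allowed(client_ip, wan_if="eth0"):
    """Is a packet from this tunnel client forwarded toward the WAN interface (eth0 assumed)?"""
    return verdict(RULES, client_ip, "tun21", wan_if) == "ACCEPT"
```

Note that the /30 in the DROP rule covers 10.8.0.252 through 10.8.0.255, so the check also shows which neighbouring addresses the rule catches.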