
Restrict VPN traffic INTO my network to 1 IP on my LAN?


danbutter

New Around Here
I have searched and read a lot and it seems that most people want to selectively route outgoing traffic.
I would like to do the opposite.
Two things I am trying to accomplish:
I have the first VPN server running and I connect to it just fine from my cell phone to access my home network. Works great.
Can I start the second VPN server (both openvpn) and have it let another person connect, but route them to a single IP on my LAN?
My goal is to share snapshots of one of my cameras via Blue Iris without doing port forwarding.
I would like to restrict their access to this single IP and port if possible. If I could do a specific URL that would be even better!

Is this possible?
FYI I have an RT-AC68U on the 380.69 firmware.

Thanks,
Dan
 
Can I start the second VPN server (both openvpn) and have it let another person connect, but route them to a single IP on my LAN? My goal is to share snapshots of one of my cameras via Blue Iris without doing port forwarding.
I would like to restrict their access to this single IP and port if possible.

1. Define a unique OpenVPN Server client, i.e. a username and password for your friend, in the GUI, e.g. 'BlueIris/Guest123'

2. For OpenVPN Server 2 (listening on a different port than your OpenVPN Server 1 i.e. not 1194) set 'Username/Password Authentication=YES' in the GUI to enforce PW+Certificate authentication.

3. Assign a static IP (say 10.16.0.123) to client 'BlueIris' when it connects to your OpenVPN Server 2 using the GUI Custom Configuration 'client connect' script (see How to set a static IP to OpenVPN TUN clients)
i.e. Create client config file /jffs/configs/openvpn/ccd2/client_BlueIris
Code:
# Custom CCD directives for single common name 'client' user BlueIris
# Assign static I/P xxx.xxx.xxx.88 (Normally xxx.xxx.xxx=10.8.0 for VPN Server 1, and xxx.xxx.xxx=10.16.0 for VPN Server 2)
# NOTE: 'staticip' is NOT a valid OpenVPN directive, but it is an easy to remember pseudo command short-cut!
#       The client-connect script (VPNClientConnect.sh) rewrites it to a real 'ifconfig-push' line.
staticip 123

4. Install @john9527's openvpn-event template script /jffs/scripts/openvpn-event (see openvpn-event script template)

5. Create the firewall rule to only allow the static 'BlueIris' IP address access to the LAN resource server/port in script '/jffs/scripts/vpnserver2-up'
e.g. For OpenVPN Server 2 client IP address 10.16.0.123 restrict LAN access to ONLY Blue Iris Server TCP port 8081
Code:
#!/bin/sh

# Remove any copies left behind by a previous 'up' event so the rules do not
# stack up; on the first run these deletes simply (and harmlessly) fail.
iptables -D FORWARD -i tun22 -o br0 -s 10.16.0.123 -j DROP 2>/dev/null
iptables -D FORWARD -i tun22 -o br0 -s 10.16.0.123 -p tcp --dport 8081 -d 192.168.1.123 -j ACCEPT 2>/dev/null

logger -st "($(basename $0))" $$ "Restrict 10.16.0.123 inbound from Openvpn 2 to ONLY the Blue Iris Server (192.168.1.xxx) TCP port 8081"
# '-I' prepends to the chain, so insert the DROP first and the ACCEPT last:
# the ACCEPT then sits above the DROP and is evaluated first.
iptables -I FORWARD -i tun22 -o br0 -s 10.16.0.123 -j DROP
iptables -I FORWARD -i tun22 -o br0 -s 10.16.0.123 -p tcp --dport 8081 -d 192.168.1.123 -j ACCEPT

EDIT: Fixed typo in file name '/jffs/scripts/vpnserver2-up'
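As an added illustration of steps 3 and 5 together (this is an example written for this thread, not the poster's, @john9527's or Merlin's own scripts), the following single file implements both server-side pieces: a minimal OpenVPN 'client-connect' handler that rewrites the 'staticip N' pseudo directive into a real 'ifconfig-push' line, and the vpnserver2-up/-down firewall logic with the client IP, LAN host and port as parameters and an IPT=echo dry-run switch. The subnet 10.16.0.0/24 with 'topology subnet', the tun22 and br0 interface names, the CCD directory and the per-client values are assumptions carried over from the thread, not verified against any particular firmware.

```shell
#!/bin/sh
# Added example (not the forum poster's, @john9527's or Merlin's scripts):
#   ccd_client_connect - OpenVPN 'client-connect' handler: 'staticip N' -> 'ifconfig-push'
#   restrict_client    - vpnserver2-up/-down firewall logic, parameterised and idempotent
# Assumed values (not from the thread): VPN Server 2 is 10.16.0.0/24 on tun22 with
# 'topology subnet', the LAN is br0, CCD files live in /jffs/configs/openvpn/ccd2.
# Every value can be overridden from the environment.

CCD_DIR="${CCD_DIR:-/jffs/configs/openvpn/ccd2}"
VPN_SUBNET="${VPN_SUBNET:-10.16.0}"     # first three octets of the tun subnet
VPN_MASK="${VPN_MASK:-255.255.255.0}"
VPN_IF="${VPN_IF:-tun22}"
LAN_IF="${LAN_IF:-br0}"
IPT="${IPT:-iptables}"                  # set IPT=echo to print the rules instead of applying them

# Hypothetical per-client values for the Blue Iris guest (placeholders).
CLIENT_IP="${CLIENT_IP:-10.16.0.123}"
LAN_HOST="${LAN_HOST:-192.168.1.123}"
LAN_PORT="${LAN_PORT:-8081}"

# ccd_client_connect USERNAME OUTFILE
# OpenVPN invokes the client-connect handler with the temporary client-config
# file as its last argument and exports the authenticated user as $username
# ($common_name for certificate-only auth). Lines of CCD_DIR/client_<USERNAME>
# are copied through unchanged, except 'staticip N', which is rewritten to
# 'ifconfig-push VPN_SUBNET.N VPN_MASK'. Returns 1 if N is not a number.
ccd_client_connect() {
    user="$1"; out="$2"
    ccd="$CCD_DIR/client_$user"
    [ -f "$ccd" ] || return 0           # no per-user file: nothing to push
    : > "$out"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) ;;                 # skip blank lines and comments
            'staticip '*)
                host="${line#staticip }"; host="${host%% *}"
                case "$host" in
                    ''|*[!0-9]*) echo "bad staticip value '$host'" >&2; return 1 ;;
                esac
                printf 'ifconfig-push %s.%s %s\n' "$VPN_SUBNET" "$host" "$VPN_MASK" >> "$out" ;;
            *) printf '%s\n' "$line" >> "$out" ;;   # genuine OpenVPN directives pass through
        esac
    done < "$ccd"
}

# restrict_client add|del CLIENT_IP LAN_HOST PORT
# From the tun interface into the LAN, permit only TCP CLIENT_IP -> LAN_HOST:PORT
# and drop everything else sourced from CLIENT_IP. Both rules are deleted first
# so repeated 'up' events do not stack duplicates. Because 'iptables -I'
# prepends, the DROP is inserted first and the ACCEPT last, which leaves the
# ACCEPT above the DROP where it is evaluated first.
restrict_client() {
    action="$1"; cip="$2"; lhost="$3"; port="$4"
    drop="FORWARD -i $VPN_IF -o $LAN_IF -s $cip -j DROP"
    allow="FORWARD -i $VPN_IF -o $LAN_IF -s $cip -p tcp --dport $port -d $lhost -j ACCEPT"
    # word splitting of the rule strings below is intended
    $IPT -D $drop 2>/dev/null || true
    $IPT -D $allow 2>/dev/null || true
    if [ "$action" = add ]; then
        $IPT -I $drop
        $IPT -I $allow
    fi
}

# Dispatch on the name the file was invoked by: openvpn-event names its hooks
# after the event (vpnserver2-up / vpnserver2-down), and a client-connect
# handler receives the temp config path in $1. Copy or symlink this file under
# those names to use it for both purposes.
case "$(basename "$0")" in
    vpnserver2-up)    restrict_client add "$CLIENT_IP" "$LAN_HOST" "$LAN_PORT" ;;
    vpnserver2-down)  restrict_client del "$CLIENT_IP" "$LAN_HOST" "$LAN_PORT" ;;
    *client-connect*) ccd_client_connect "${username:-$common_name}" "$1" ;;
esac
```

To hook the client-connect half, the OpenVPN server needs 'script-security 2' and a 'client-connect /path/to/script' line in its config (the same kind of reference the grep for "^client" in the server2 config.ovpn shows for VPNClientConnect.sh); the firewall half is simply named vpnserver2-up and vpnserver2-down under /jffs/scripts so openvpn-event runs it. Running it with IPT=echo first is a cheap way to confirm the rule order before touching the live FORWARD chain.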
 
Well first off thanks!
I have gotten 1 and 2 done for sure.
When doing 3 I followed the link and made a VPNClientConnect.sh file and client_config file as you said above with staticip 123.
Thing is I'm not sure what the file need to be. Should this be a .sh file as well?
This is as far as I have gotten so far.

Thanks for the help!
 

Check and post the output...


You should have the following three script files
Code:
ls -lah /jffs/scripts/* | grep -iE "/openvpn|/vpnserver|clientconnect"

-rwxr-xr-x    1 admin    root       15.1K Dec 23 16:46 /jffs/scripts/VPNClientConnect.sh
-rwxr-xr-x    1 admin    root        2.9K Oct 17 08:33 /jffs/scripts/openvpn-event
-rwxr-xr-x    1 admin    root        2.1K Jun 26  2017 /jffs/scripts/vpnserver2-up

cat /jffs/scripts/vpnserver2-up
and client 'BlueIris' OpenVPN Server 2 CCD config file
Code:
ls -lah /jffs/configs/openvpn/ccd2

-rw-r--r--    1 admin    root         822 Dec 23 13:16 client_BlueIris

cat /jffs/configs/openvpn/ccd2/client_BlueIris
If you have followed the instructions and correctly added the following to the OpenVPN Server 2 Custom Configuration GUI...
[screenshot: OpenVPN Server 2 Custom Configuration GUI]

...when you restart OpenVPN Server 2 it will create its config file, and there should now be a reference to script 'VPNClientConnect.sh'
Code:
grep "^client" /etc/openvpn/server2/config.ovpn
You should now attempt to connect to OpenVPN Server 2 using your phone, but if you do not supply the correct Username/password (together with a valid certificate) or you omit supplying the Username/password, then you will not be able to connect.
Code:
RT-AC68U daemon.err ovpn-server2[2838]: xxx.xxx.xxx.xxx TLS Error: Auth Username/Password was not provided by peer
RT-AC68U daemon.err ovpn-server2[2838]: xxx.xxx.xxx.xxx TLS Error: TLS handshake failed

If the static IP OpenVPN configuration is correct, then you should now see something similar in Syslog
Code:
RT-AC68U daemon.notice ovpn-server2[11880]: OpenVPN 2.4.4 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jan 21 2018
RT-AC68U daemon.notice ovpn-server2[11880]: library versions: OpenSSL 1.0.2n  7 Dec 2017, LZO 2.08
RT-AC68U daemon.warn ovpn-server2[11881]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
RT-AC68U daemon.notice ovpn-server2[11881]: PLUGIN_INIT: POST /usr/lib/openvpn-plugin-auth-pam.so '[/usr/lib/openvpn-plugin-auth-pam.so] [openvpn]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
RT-AC68U daemon.notice ovpn-server2[11881]: Diffie-Hellman initialized with 2048 bit key
RT-AC68U daemon.notice ovpn-server2[11881]: TUN/TAP device tun22 opened
RT-AC68U daemon.notice ovpn-server2[11881]: TUN/TAP TX queue length set to 100

RT-AC68U kern.info kernel: ADDRCONF(NETDEV_CHANGE): tun22: link becomes ready

RT-AC68U user.warn updown.sh[11886]: User openvpn-event running
RT-AC68U user.warn updown.sh[11886]:      Script executing.. for event: vpnserver2-up
RT-AC68U user.warn (vpnserver2-up): 11917 OpenVPN event 'up' (tun22) via 10.16.0.1 args


RT-AC68U daemon.notice ovpn-server2[11881]: xxx.xxx.xxx.xxx PLUGIN_CALL: POST /usr/lib/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0

RT-AC68U daemon.notice ovpn-server2[11881]: xxx.xxx.xxx.xxx TLS: Username/Password authentication succeeded for username 'BlueIris'

RT-AC68U user.warn (VPNClientConnect.sh): 12605 v4.51 VPN Server 2 Client user 'BlueIris' CCD configuration starting.... [/tmp/openvpn_cc_4809b21e7d4d422c.tmp]
RT-AC68U user.warn (VPNClientConnect.sh): 12605 Processing Client_username file '/jffs/configs/openvpn/ccd2/client_BlueIris'
RT-AC68U user.warn (VPNClientConnect.sh): 12605 Psuedo command 'staticip' will assign I/P address 10.16.0.123 to Client user 'BlueIris'
RT-AC68U user.warn (VPNClientConnect.sh): 12605 VPN Server 2 Client user 'BlueIris' CCD config: ifconfig-push 10.16.0.123 255.255.255.0
RT-AC68U user.warn (VPNClientConnect.sh): 12605 VPN Server 2 Client CCD configuration ended.

RT-AC68U daemon.notice ovpn-server2[11881]: client/xxx.xxx.xxx.xxx OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_4809b21e7d4d422c.tmp
RT-AC68U daemon.notice ovpn-server2[11881]: client/xxx.xxx.xxx.xxx MULTI: Learn: 10.16.0.123 -> client/xxx.xxx.xxx.xxx
RT-AC68U daemon.notice ovpn-server2[11881]: client/xxx.xxx.xxx.xxx MULTI: primary virtual IP for client/xxx.xxx.xxx.xxx: 10.16.0.123
 
Ok again first off let me thank you for your help.
Now I haven't had time to mess with this for a couple months...life happened, death happened, more life and I'm sure you get the picture.

So I had some time today and I logged into the router and saw a new update available and applied that. Now running Merlin 384.4.
Don't know if there were any upgrades that would keep this from working or not, but thought I should mention it.

So I started from scratch today and did the whole thing over again. I formatted the JFFS via the radio button under administration and system tab.
I followed to the letter (or number) everything you posted.
In the end I got an error: Failed running command (--up/--down) and the OpenVPN server would not run.
Once I deleted the scripts from jffs/scripts and hit apply again it would run ok.

One thing I noticed is that the file size was very different for each of the scripts than what you have shown above. Where you had 15k I had 4k. You had 2.9k I had about 1k and where you had 2.1k I had like 450b. I just copied and pasted into notepad++ to save/make the files.

Any thoughts?
 
