
AC86U - VPN Server for Guest Network?


dwalls

TL;DR: Is it possible to set up a VPN server for a guest network specifically?

Longer version: I have a desktop machine provided by my employer that I want to isolate from the rest of my home network. It seems the easiest way to do that without having to purchase additional equipment is to create a guest network on the AC86U, specifically for this work machine, and then connect to that guest network via the wireless adaptor on the work machine. This is all fairly straightforward.

However, I also need remote access to that work machine via RDP. The easiest way to do that is to connect via VPN to the local network that the work machine is located on. I can create a VPN server on the AC86U just fine and connect to it, but that is for the LAN. Is there a way to configure the VPN server for access specifically to the guest network, or is this not possible?

I'm assuming VLANs would be the more appropriate solution to what I am trying to do (can a VPN server be set up for individual VLANs?), but there seems to be a lot more work involved on that front as, from my understanding, that functionality isn't natively supported by this router. I am willing to dive into that rabbit hole, if necessary, though.

Any insight here would be appreciated.
 
You would be better off to run a desktop remote control on the work client such as TeamViewer.
 
I don't use the OEM/stock firmware, but given much (if not all) of the guest network implementation is provided by ASUS, even when using Merlin, those guest clients should be available via the VPN server since isolation is only guaranteed between the guest and private network (e.g., 192.168.1.0/24). The OpenVPN server manages its own private network (e.g., 10.8.0.0/24) w/ no such restrictions.

Code:
admin@lab-merlin1:/tmp/home/root# ebtables -t broute -L
Bridge table: broute

Bridge chain: BROUTING, entries: 18, policy: ACCEPT
-p IPv4 -i wl0.2 --ip-dst 192.168.1.1 --ip-proto icmp -j ACCEPT 
-p IPv4 -i wl0.2 --ip-dst 192.168.1.0/24 --ip-proto icmp -j DROP 
-p IPv4 -i wl0.2 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP 
-p IPv4 -i wl0.3 --ip-dst 192.168.1.1 --ip-proto icmp -j ACCEPT 
-p IPv4 -i wl0.3 --ip-dst 192.168.1.0/24 --ip-proto icmp -j DROP 
-p IPv4 -i wl0.3 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP 
-p IPv4 -i wl1.2 --ip-dst 192.168.1.1 --ip-proto icmp -j ACCEPT 
-p IPv4 -i wl1.2 --ip-dst 192.168.1.0/24 --ip-proto icmp -j DROP 
-p IPv4 -i wl1.2 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP 
-p IPv4 -i wl1.3 --ip-dst 192.168.1.1 --ip-proto icmp -j ACCEPT 
-p IPv4 -i wl1.3 --ip-dst 192.168.1.0/24 --ip-proto icmp -j DROP 
-p IPv4 -i wl1.3 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP 
-p IPv4 -i wl0.1 --ip-dst 192.168.101.1 --ip-proto icmp -j ACCEPT 
-p IPv4 -i wl0.1 --ip-dst 192.168.101.0/24 --ip-proto icmp -j DROP 
-p IPv4 -i wl0.1 --ip-dst 192.168.101.0/24 --ip-proto tcp -j DROP 
-p IPv4 -i wl1.1 --ip-dst 192.168.102.1 --ip-proto icmp -j ACCEPT 
-p IPv4 -i wl1.1 --ip-dst 192.168.102.0/24 --ip-proto icmp -j DROP 
-p IPv4 -i wl1.1 --ip-dst 192.168.102.0/24 --ip-proto tcp -j DROP

IOW, the guest networks should be just as accessible as the private network from the perspective of the OpenVPN server and its clients.
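
To audit which flows a listing like the one above actually covers, here is an added example (not from the thread or from ASUS/Merlin) that parses the rule lines and reports the target for a given ingress interface, destination and protocol. The sample is a constructed subset of the posted rules, 10.8.0.2 is an assumed OpenVPN client address, and note that in the broute table a DROP target hands the frame to the routing layer instead of bridging it.

```python
import ipaddress
import re

# Constructed sample: a subset of the BROUTING rules from the listing above.
RULES = """\
-p IPv4 -i wl0.2 --ip-dst 192.168.1.1 --ip-proto icmp -j ACCEPT
-p IPv4 -i wl0.2 --ip-dst 192.168.1.0/24 --ip-proto icmp -j DROP
-p IPv4 -i wl0.2 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP
-p IPv4 -i wl0.1 --ip-dst 192.168.101.1 --ip-proto icmp -j ACCEPT
-p IPv4 -i wl0.1 --ip-dst 192.168.101.0/24 --ip-proto icmp -j DROP
-p IPv4 -i wl0.1 --ip-dst 192.168.101.0/24 --ip-proto tcp -j DROP
"""

RULE_RE = re.compile(
    r"-p IPv4 -i (?P<iface>\S+) --ip-dst (?P<dst>\S+) "
    r"--ip-proto (?P<proto>\S+) -j (?P<target>\S+)"
)

def parse_rules(text):
    """Parse `ebtables -L` rule lines into (iface, network, proto, target)."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.search(line)
        if m:
            # A bare address such as 192.168.1.1 becomes a /32 network.
            net = ipaddress.ip_network(m["dst"], strict=False)
            rules.append((m["iface"], net, m["proto"], m["target"]))
    return rules

def target_for(rules, iface, dst, proto, policy="ACCEPT"):
    """First matching rule wins; otherwise the chain policy applies."""
    addr = ipaddress.ip_address(dst)
    for r_iface, net, r_proto, target in rules:
        if r_iface == iface and r_proto == proto and addr in net:
            return target
    return policy

if __name__ == "__main__":
    rules = parse_rules(RULES)
    flows = [("wl0.2", "192.168.1.50", "tcp"),   # guest -> private LAN host
             ("wl0.2", "192.168.1.1", "icmp"),   # guest -> router address
             ("wl0.2", "10.8.0.2", "tcp")]       # guest -> assumed VPN client
    for flow in flows:
        print(flow, target_for(rules, *flow))
```

Only the private subnet appears as a destination in the wl0.2 rules, so the flow toward the VPN subnet falls through to the chain policy.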
 
