asus rt-ac56r openvpn server allow internet only

Bob Wu

Occasional Visitor
Hi, I recently bought an Asus RT-AC56R router for a home office and upgraded it to the latest Merlin firmware. The good thing is that the OpenVPN server was easy to set up, and the firmware (web interface) allows two options: 1. allow access to the LAN only; or 2. allow access to the LAN and redirect internet traffic. My situation is that we want to have two different VPN users: one can access the LAN and the internet through the VPN, but the other can only use the internet (no access to the LAN). The second user login can then be used in countries like China or Iran, hopefully to get around government censorship without any risk of exposing the internal network.

After some reading of the OpenVPN docs, I think the following might get us what we want:
1. set up the OpenVPN server on the Asus router and select the "allow access to LAN and internet" option
2. create two user accounts, say, user1 and user2
3. in the custom VPN config box, add the "client-connect /jffs/scripts/connect.sh" line, and in the connect.sh script somehow find out which user is connecting, then assign them different subnets
4. in the firewall rules, allow one VPN subnet to access the LAN, but disallow the other

Can someone here confirm whether this method would work? Also, what are the concrete commands I can use to achieve 3 and 4? I'm pretty new to networking, so please bear with my simple questions.

Thanks!
Bob
 
Can someone here confirm whether this method would work?

Should be possible.

I haven't reviewed my scripts to see what the two new GUI "allow access to LAN and internet" options do, but in previous firmwares, inbound connecting OpenVPN clients could be allowed to 'pass through' the router outbound via one of the OpenVPN clients using scripts, or be restricted to only selected LAN resources, etc.

What are the concrete commands I can use to achieve 3 and 4?

Rather than use subnets/VLANs, I used the 'client-connect' script to assign a static address (from the GUI-defined OpenVPN Server IP pool) to the inbound OpenVPN client, and this address is then used in the appropriate firewall rules.

You should be able to use my script as a template to see how it identifies the connecting user in order to then assign a static IP, in this post: Instructions for using custom configuration openvpn server, then simply add the additional code to meet your requirements.

e.g. I also posted further options in OpenVPN Server with LAN Only?, so you should be able to quickly rewrite LAN Only to WAN Only.

P.S. Perhaps you should move this thread to the Asuswrt-Merlin forum?
 
Thanks for the pointer, I've got step #3 figured out. Now my customized script can do different things for different VPN users. However, since I am not a network expert, how do I get step #4 done? What commands should I add to the custom config file passed to my script so that user1 can access both the LAN and the internet while user2 can only access the internet?

BTW, I thought this thread would be helpful for both Merlin and stock firmware users? If that isn't the case for OpenVPN, I'll be happy to move to another forum.
 
BTW, I thought this thread would be helpful for both Merlin and stock firmware users? If that isn't the case for OpenVPN, I'll be happy to move to another forum.

Whilst the OpenVPN scripting is indeed applicable to both the official Asus and @RMerlin's firmware, since you have flashed his firmware, the scripting may sometimes stray into more advanced territory that requires features unique to his release, and his forum is therefore the more appropriate one?

What commands should I add to the custom config file passed to my script, so that user2 gets only the internet?

As per the 'lanonly' snippet I posted, invert blocking WAN access to blocking the LAN,
i.e. something like this maybe.....
Code:
# Was the 'wanonly' directive found?
if [ "$WANONLY" = "1" ]; then
      logger -st "($(basename "$0"))" $$ "Pseudo command 'wanonly' will be applied to I/P $IP_ADDR"
      # Delete any existing copy of the rule first (reconnects must not stack duplicates),
      # then insert it at the top of FORWARD so new connections from this client's
      # VPN address towards the LAN bridge (br0) are dropped.
      iptables -D FORWARD -i "tun2${VPN_SERVER_ID}" -s "$IP_ADDR" -o br0 -m state --state NEW -j DROP 2>/dev/null
      iptables -I FORWARD -i "tun2${VPN_SERVER_ID}" -s "$IP_ADDR" -o br0 -m state --state NEW -j DROP
fi
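The snippet above applies the rule inside a larger script that is only linked, not shown. The following is an added example, not code from the thread or from the Asuswrt-Merlin project, that carries the same per-address DROP idea through as a complete client-connect/client-disconnect script. It also answers the later question about surviving a reboot: because the rule is created on every client-connect event and removed on client-disconnect, nothing needs to be persisted. Assumptions: the path /jffs/scripts/vpnpolicy.sh is hypothetical; tun21 and br0 are the interface names used in this thread; the user list is constructed; and the server runs with username-as-common-name, so that OpenVPN's $common_name environment variable holds the login name.

```sh
#!/bin/sh
# Per-user LAN policy for an OpenVPN server on Asuswrt (added example, not from the thread).
# Install as /jffs/scripts/vpnpolicy.sh (hypothetical path) and add to the server's
# custom config (script-security 2 is needed if the generated config lacks it):
#   script-security 2
#   client-connect /jffs/scripts/vpnpolicy.sh
#   client-disconnect /jffs/scripts/vpnpolicy.sh
# OpenVPN exports script_type, common_name and ifconfig_pool_remote_ip to both hooks.
# Assumption: username-as-common-name is in effect, so $common_name is the login name.

IPT="${IPTABLES:-iptables}"   # overridable (e.g. IPT=echo) for a dry run of the logic
LAN_IF=br0                    # LAN bridge on Asuswrt
TUN_IF=tun21                  # OpenVPN server 1 (server 2 would be tun22)

# Constructed allow-list: logins that may reach the LAN, one per line.
# Anyone not listed is treated as internet-only.
LAN_USERS="userAll
admin"

# policy_for_user NAME -> prints "lan" if NAME is allow-listed, otherwise "wanonly"
policy_for_user() {
    for u in $LAN_USERS; do
        [ "$u" = "$1" ] && { echo lan; return 0; }
    done
    echo wanonly
}

# block_rule IP -> prints the rule body (without -I/-D) that stops IP reaching the LAN.
# The match is on the client's own /32, so other connected clients are unaffected.
block_rule() {
    echo "FORWARD -i $TUN_IF -s $1/32 -o $LAN_IF -j DROP"
}

# apply_policy NAME IP ACTION   (ACTION is connect or disconnect)
# Installs or removes the DROP rule for internet-only users; prints what it did.
apply_policy() {
    name="$1"; ip="$2"; action="$3"
    pol="$(policy_for_user "$name")"
    if [ "$pol" != "wanonly" ]; then
        echo "allow $name $ip lan"
        return 0
    fi
    # Delete first so a client that reconnected without a clean disconnect
    # does not leave duplicate rules behind; failure to delete is expected.
    # shellcheck disable=SC2046
    $IPT -D $(block_rule "$ip") >/dev/null 2>&1 || true
    if [ "$action" = "connect" ]; then
        # shellcheck disable=SC2046
        $IPT -I $(block_rule "$ip") || return 1
        echo "drop $name $ip lan"
    else
        echo "cleared $name $ip"
    fi
}

# Entry point when invoked by OpenVPN; does nothing when sourced or run by hand.
case "$script_type" in
    client-connect)    apply_policy "$common_name" "$ifconfig_pool_remote_ip" connect ;;
    client-disconnect) apply_policy "$common_name" "$ifconfig_pool_remote_ip" disconnect ;;
esac
```

Two caveats a practitioner would check. First, FORWARD only governs traffic the router relays; the router's own services on its LAN address (web admin, SSH, DNS) are reached through the INPUT chain, so an internet-only user also needs an INPUT rule that permits DNS from its address and drops the rest. Second, the rule is keyed to the address OpenVPN hands out for this session, so it does not depend on a fixed pool position; a dry run with IPT=echo shows the exact iptables invocation without touching the firewall.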
 
Thanks for the additional tips. Will the "stopping br0" approach cause a problem if both users are connected to the VPN at the same time (would the WAN-only user drop LAN access for the other)? Because of this concern I'm trying the multiple-subnet method but got stuck. Can you help identify the problem?

1. On the Asus VPN server advanced settings page I use the default 10.8.0.0/24 for my VPN clients, and I set up two VPN users, userAll and userWanOnly
2. Use the Asus custom configuration window to specify client-config-dir /jffs/scripts/ccd, and under ccd I have a userWanOnly file which looks like the following,
Code:
ifconfig-push 10.8.1.1 10.8.1.2
userAll doesn't need a file here as it will simply get the default options
3. Add the 10.8.1.0 route alongside the existing 10.8.0.0 one
Code:
10.8.0.0        *               255.255.255.0   U     0      0        0 tun21
10.8.1.0        *               255.255.255.0   U     0      0        0 tun21
4. Disable br0 for the 10.8.1.0 subnet; now I have the following firewall rules associated with tun21
Code:
-A OVPN -i tun21 -j ACCEPT
-A other2wan -i tun+ -j RETURN
-A OVPN -i tun21 -s 10.8.1.0/24 -o br0  -j DROP
The first two rules were already there and I just added the last one

Now, the problem is that the userWanOnly VPN client can't access anything on the LAN or WAN, even before step 4. It can't ping the 10.0.0.1 gateway. I've verified that the client-side route is correct.

Any thoughts on this? Maybe I need to reboot the router after step 3?
 
Also, it seems that after a router reboot my changes to the route and iptables are gone. How do I make them sticky? A cron @reboot job?
 
Also, it seems that after a router reboot my changes to the route and iptables are gone. How do I make them sticky? A cron @reboot job?

Use/create one of RMerlin's firmware user scripts, but ideally you should try to ensure that the required route/iptables rules are applied dynamically based on OpenVPN events.
 
Thank you so much for the help so far! I've figured out a solution based on static IPs. I still can't get it to work using subnets, but I'm moving this conversation to the Merlin forum as you suggested.
 