Can we make VPN listen on LAN only, not WAN and isolate users on multiple routers from each other?

Doverton

Occasional Visitor
Hi,

I have two routers linked via ethernet to get good signal around the house. I want to isolate a few devices from the rest of the house LAN as they typically have badly behaving users (teenagers who load god knows what onto their devices). These users can connect to either of the routers, which are all running the latest Merlin builds (thank-you). I've tried to stop them loading the nasty items on, but the latest trick is simply to move to SSL VPNs. I don't have the capability to ensure they do not load bad actor software, so I'm looking for a solution. If this was my work, employment policy would work, but teenagers are a different kettle of fish!

I believe the only way to achieve this is using the following setup:
1) Primary router with internet connection
- OpenVPN server connecting to the internet with isolation enabled
- OpenVPN client connecting to the OpenVPN server above
- policy based routing (eg x3m)
2) Second router, connected via ethernet cable to Primary router:
- OpenVPN client connecting to the server on the Primary router
- Policy based routing (eg x3m)

However, I do not want the OpenVPN server exposed to the internet otherwise it becomes an attack surface, so how can I block this from listening on the WAN?

Also, if there is an easier or better way to do this, please do let me know.

P.S. If anyone knows how to stop SSL VPNs from LAN clients, that would be awesome too

Thanks

David
 
Have a look here at YazFi.
 
Thanks Elorimer,

I have looked at YazFi and it inspired me, however it has several restrictions. It requires me to set up a separate wifi for these users. I'm trying to avoid that. Also, from the 2nd router, how do I keep the traffic in isolation if there is no tunnel? If I need to create a tunnel using a VPN to the 1st router, again, how do I stop the VPN listening on the WAN side?

Thanks
 
You can try inserting in the custom config box
Code:
local xxx.xxx.xxx.xxx
with that being the ip of your router. Usually people are trying to do the opposite.

I don't really understand what you are trying to do. You have a physical cable from router 1 to router 2, and then you are going to connect them with a tunnel, so that someone else connected to router 1 can't see the traffic from router 2?
 
I am not worried about all users on the routers, just 2 teenagers who have added SSL VPN software to their devices. One solution would be to add guest wireless on both routers, but the users could simply switch wifi SSID. I've experienced users putting rogue devices onto networks in my working environments and since these users are now obscuring all their traffic, I don't feel comfortable that the "be good and don't install software from unknown sources" mentoring is going to stick if some future malware has something shiny attached to it. For that reason I would rather selectively route certain users down some form of isolated path where they can't do damage to the network or other devices and doesn't rely on forcing them into Guest wifi. If I was to use the Guest Wifi, how is traffic on the 2nd router secured as it goes over ethernet to Router 1 to ensure malware can't try to break out?

As I know the IP addresses of their devices, policy based routing is possible, however I can't figure out how to do it. Both YazFi and x3m seem to work on the option of an OpenVPN client to route traffic down, but I don't have a server to connect to. So, what I want is a way to host the OpenVPN on router1 and have it just route the traffic to the internet without it being something someone on the internet can try to log in via.

Does this picture help? I'm trying to make it so that the untrusted users can use all the same infrastructure, but can't access anything else, no matter which router they connect to. If connecting to a guest network would work, remember that Router 2 does not have an internet connection - all comms go over the LAN connections.
[attached image: upload_2020-4-19_14-43-37.png]

As I said, I think x3m can do this for me if I create a VPN Server on Router 1, but I would then like to ensure that the Server is only available on the LAN, not the WAN.

Thanks
 
The best thing is to block their IPs to SSL VPN servers. Use nslookup to see what IP is in use.
 
If these teenagers are smart enough and properly motivated, nothing will stop them. They may change the VPN servers they use and use VPN to port 443, which should not be filtered. I think the OP needs to learn how to implement the Great Firewall of China methods, which definitely requires implementation of DPI :)
 
That is my problem. They are using one of the VPN firewalls that uses SSL VPN, i.e. port 443 and the web site SNI is a lie, so for example, the SNI says teams.microsoft.com, but that is not the real destination. This is why I want to secure them inside a tunnel. The kids are clever enough to search "how to access web sites blocked by my school wifi", but not clever enough to recognise phishing and malware. And the IP address list runs into hundreds of IP addresses and changes daily.

So, restricting these guys is my best bet rather than trying to stop them using their tools.
 