Firewall Rules - Block all connections except VPN

I am currently using an ASUS router (RT-AC68U with Merlin firmware - 386.4). I want to connect a single client to an OpenVPN server with no traffic other than the VPN allowed. I don't want to use the OpenVPN client in the router as speeds are low when using the VPN, so I'm looking to use an OpenVPN application on the client to connect to the server. I want to make sure that only the VPN traffic is allowed from the client.

How do I do that? Should I create a firewall rule that blocks all traffic from the client and another one with higher priority that allows connection to the VPN server's IP address? If that is the case, how do I create firewall rules in the router's web interface?

If I need to use iptables to create firewall rules, can someone help me with that or give me some links to a beginner's guide?
 
Just use the PC client to connect and by default everything from the PC is tunneled.

If you want speed though use wireguard as it will get you closer to the actual speed you're paying for.
 
Is there any way to ensure that everything is tunneled using the router? Having that separation from the client will give me additional peace of mind.

Speed is fine when using OpenVPN on the client, but it doesn't hurt to use WireGuard.
 
Many if not most VPN applications that run on a PC have a kill switch setting so if the tunnel goes down your connection to the WWW is blocked.
 
Yes, but I would like to have an additional layer of security/protection.
What exactly are you talking about here?

Either you're fully encrypted in a tunnel or you're not. There's no in between.

There are some stupid providers, though, that leak DNS / WebRTC info.

 
As I understand it, the OP wants the client to host the OpenVPN client for performance reasons, but somehow have the *router* ensure the client is actually using its OpenVPN client.

The only thing I can suggest is perhaps determining what are the valid OpenVPN servers available from the OpenVPN provider, then limiting the client to those specific servers, and perhaps based on UDP vs. TCP as well. IOW, the reverse to what you more typically see, where the router would block access to a VPN on the same basis.

Code:
# Insert the catch-all first. Because -I inserts at the top of the chain, each
# ACCEPT added afterwards lands above it, so the chain ends up reading
# ACCEPT, ACCEPT, ACCEPT, REJECT. 192.168.1.100 is the client; the 177/188/199
# addresses stand in for the provider's real OpenVPN server IPs.
iptables -I FORWARD -i br0 -s 192.168.1.100 -j REJECT
iptables -I FORWARD -i br0 -s 192.168.1.100 -d 177.177.177.177 -j ACCEPT
iptables -I FORWARD -i br0 -s 192.168.1.100 -d 188.188.188.188 -j ACCEPT
iptables -I FORWARD -i br0 -s 192.168.1.100 -d 199.199.199.199 -j ACCEPT

Or if you wanted to be even more specific ...

Code:
# Same insertion order as above, but the ACCEPTs now match only UDP to the
# OpenVPN port. The catch-all REJECT must NOT carry "-p udp": with it, only UDP
# would be refused and TCP or ICMP from the client would slip past the block.
iptables -I FORWARD -i br0 -s 192.168.1.100 -j REJECT
iptables -I FORWARD -p udp -i br0 -s 192.168.1.100 -d 177.177.177.177 --dport 1194 -j ACCEPT
iptables -I FORWARD -p udp -i br0 -s 192.168.1.100 -d 188.188.188.188 --dport 1194 -j ACCEPT
iptables -I FORWARD -p udp -i br0 -s 192.168.1.100 -d 199.199.199.199 --dport 1194 -j ACCEPT

These would need to be added using a firewall-start script.

P.S. Sorry, I had originally written those rules incorrectly. I just modified them.
 
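The rules above need a home on the router. The script below is an added example of a complete firewall-start script for Asuswrt-Merlin; it is not code from the thread or from the Merlin project. It assumes the thread's placeholders (client 192.168.1.100, bridge br0, the three 177/188/199 server addresses, OpenVPN over UDP/1194), that the script is installed as /jffs/scripts/firewall-start with JFFS custom scripts enabled, and that Merlin passes the WAN interface name as the script's first argument. It goes one step beyond the thread's rules: DNS the client sends to the router itself arrives on the INPUT chain, not FORWARD, so the FORWARD rules never see it and dnsmasq would resolve it upstream in the clear; the script refuses that too.

```shell
#!/bin/sh
# Added example: a firewall-start script that enforces "VPN servers only" for one
# LAN client on Asuswrt-Merlin. Not code from the thread; assumptions are marked.
# Install as /jffs/scripts/firewall-start (chmod +x) with "Enable JFFS custom
# scripts and configs" set to Yes under Administration > System. Merlin calls it
# on every firewall restart with the WAN interface name as $1.

CLIENT="192.168.1.100"                                          # client to confine (from the thread)
LAN_IF="br0"                                                    # LAN bridge on the RT-AC68U
VPN_PORT="1194"                                                 # assumed: provider uses OpenVPN on UDP/1194
VPN_SERVERS="177.177.177.177 188.188.188.188 199.199.199.199"   # placeholders from the thread
IPT="${IPT:-iptables}"

# Print one "<chain> <rule spec>" per line in the order the rules must be
# inserted. Every rule is inserted at the top of its chain, so the catch-all
# REJECT goes first and the ACCEPTs added afterwards end up above it.
vpn_only_rules() {
    # Catch-all, deliberately without "-p udp": it must cover TCP, ICMP, etc.
    echo "FORWARD -i $LAN_IF -s $CLIENT -j REJECT"
    # Beyond the thread's rules: DNS aimed at the router hits INPUT, not FORWARD,
    # and dnsmasq would forward it upstream unencrypted. Refuse it, so the only
    # resolver the client can reach is the one inside the tunnel.
    echo "INPUT -i $LAN_IF -s $CLIENT -p udp --dport 53 -j REJECT"
    echo "INPUT -i $LAN_IF -s $CLIENT -p tcp --dport 53 -j REJECT"
    # Allow-list: only the provider's OpenVPN endpoints on the expected port.
    for srv in $VPN_SERVERS; do
        echo "FORWARD -i $LAN_IF -s $CLIENT -d $srv -p udp --dport $VPN_PORT -j ACCEPT"
    done
}

# Apply the rules. "-C" checks whether the identical rule already exists, so
# repeated firewall restarts do not stack duplicate copies of each rule.
apply_rules() {
    vpn_only_rules | while read -r chain spec; do
        # $spec is intentionally unquoted so it splits into iptables arguments.
        "$IPT" -C "$chain" $spec 2>/dev/null || "$IPT" -I "$chain" $spec
    done
}

# Run by Merlin (WAN interface in $1) on a box with iptables: apply the rules.
# Run by hand without arguments: only print them for inspection.
if [ $# -ge 1 ] && command -v "$IPT" >/dev/null 2>&1; then
    apply_rules
else
    vpn_only_rules
fi
```

Two caveats when using this. Because DNS to the router is refused, the client's OpenVPN profile must name the server by IP (`remote 177.177.177.177 1194`) rather than by hostname, or the tunnel can never come up; drop the two INPUT lines if you would rather keep the router as resolver and accept that leak. These are IPv4 rules only: if IPv6 is enabled on the router, either disable it for this client or add the equivalent ip6tables rules, otherwise anything with an IPv6 route walks straight past the block. Check the result with `iptables -L FORWARD -n --line-numbers` (the three ACCEPTs should sit above the REJECT) and by attempting a plain HTTP request from the client with the VPN disconnected.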
Another option is a separate dedicated device for the VPN, such as a GL.iNet Mango travel router. They fit in a shirt pocket, run a GL.iNet custom version of OpenWrt and handle VPN duty like a champ among many other things. It has long been my belief that running a VPN ON the device you are trying to protect is less than ideal. The PC knows where it is and what real network it is on, so it could be compromised. Boot the PC behind a stand-alone VPN device and even if the PC is compromised, it reveals nothing. Overkill? Probably, but why not? It's only money and more cool gadgets.
 