Forbid OpenVPN access from Guest WiFi


netcatz

New Around Here
Hi folks.

I'm running RT-AC68U with Merlin 380.70. I also have an OpenVPN client pushing several networks I need for work. The problem is, anyone within Guest WiFi can also access them too. OpenVPN is NOT my default gateway, so it's just a couple of networks.

I've tried to block guest with something like this

Code:
iptables -I INPUT -i wl0.1 -d 192.168.0.0/16 -j DROP
iptables -I FORWARD -i wl0.1 -d 192.168.0.0/16 -j DROP

But it doesn't seem to work. Can you suggest how to implement that? I don't want to create black/white lists for my/guest hardware, just block anyone on the guest WiFi from accessing tun11 or something like that.
 

How many guests? How secure? Easiest way would be to statically assign IPs and only set up routes for the hosts you want using the VPN.
 
Well, it's in a small office (~10 people). I don't want to constantly monitor new devices of my colleagues and add them on the fly, who brought his new iPad or her HP notebook etc.
Just a simple rule - if they know the password for the main WiFi they are ok. If they know only Guest WiFi pass - no access to VPN for them. I wonder why it's not in the core actually.
 
So, if you know the exact networks you wish to block you may do it as follows

firewall-start script:
Code:
#!/bin/sh
# Runs from /jffs/scripts/firewall-start on every firewall restart.
# wl0_vifs / wl1_vifs list the guest (virtual) interfaces of each radio.
for iface in $(nvram get wl0_vifs) $(nvram get wl1_vifs)
do
  # The three RFC1918 ranges; narrow this to the exact networks the VPN
  # pushes if you know them.
  for net in 192.168.0.0/16 10.0.0.0/8 172.16.0.0/12
  do
    # Insert the rule only if an identical one is not already listed,
    # so re-running the script does not stack duplicate rules.
    if ! ebtables -t broute -L | grep -q "p IPv4 -i $iface --ip-dst $net -j DROP"; then
      ebtables -t broute -I BROUTING -p IPv4 -i $iface --ip-dst $net -j DROP
    fi
  done
done

Unfortunately the physdev module of iptables is not included in the kernel for some reason (it breaks IPTV or something like that).
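Two points are worth spelling out about the approach above. The original iptables rules never matched because the guest VIFs are ports of the br0 bridge: by the time IP-layer netfilter sees a frame, its input interface is br0, and matching the underlying bridge port needs the physdev match that the reply says is missing. ebtables sidesteps this because the broute table runs before bridging; in that table `-j DROP` does not discard the frame but hands it to the IP stack with wl0.1 still as its input device, so the router's IP forwarding rules, not the bridge, decide its fate. The script below is an added example, not the thread's code: it builds the same BROUTING rules but takes the destination list from the routes the OpenVPN client actually installed on tun11 instead of all three RFC1918 ranges, and compares against the current listing so it can be re-run from firewall-start without stacking duplicates. The `ip route show dev tun11` and `ebtables -t broute -L` output formats and the nvram variable names are assumptions about an Asuswrt-Merlin router; the sample data in the block is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread.  Builds idempotent ebtables
# BROUTING rules that divert IPv4 frames from guest Wi-Fi bridge ports to the
# networks the OpenVPN client routes over tun11 (the interface named in the
# thread) instead of blanket RFC1918 ranges.  Guest interface names and the
# output formats of `ip route show dev tun11` / `ebtables -t broute -L` are
# assumptions about an Asuswrt-Merlin router.

# Read `ip route show dev tun11` output on stdin, print one destination
# prefix per line.  A bare "default" line is skipped on purpose: if the VPN
# were the default gateway, guests would need a different treatment.
vpn_networks() {
  awk '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ { print $1 }'
}

# Arguments: space-separated guest interfaces, newline- or space-separated
# networks.  Reads the current `ebtables -t broute -L` listing on stdin and
# prints an insert command only for rules that are not already present.
missing_rules() {
  ifaces=$1
  nets=$2
  existing=$(cat)
  for iface in $ifaces; do
    for net in $nets; do
      rule="-p IPv4 -i $iface --ip-dst $net -j DROP"
      # -F: match the rule text literally (dots and slashes are not regex)
      if ! printf '%s\n' "$existing" | grep -qF -- "$rule"; then
        echo "ebtables -t broute -I BROUTING $rule"
      fi
    done
  done
}

# Live driver for /jffs/scripts/firewall-start (not run by the demo below).
apply_guest_vpn_block() {
  ifaces="$(nvram get wl0_vifs) $(nvram get wl1_vifs)"
  nets=$(ip route show dev tun11 | vpn_networks)
  ebtables -t broute -L | missing_rules "$ifaces" "$nets" | sh
}

# Constructed sample data standing in for the two commands above.
SAMPLE_ROUTES='10.8.0.0/24 proto kernel scope link src 10.8.0.5
10.20.0.0/16 via 10.8.0.1
172.30.1.0/24 via 10.8.0.1'

SAMPLE_LISTING='Bridge table: broute

Bridge chain: BROUTING, entries: 1, policy: ACCEPT
-p IPv4 -i wl0.1 --ip-dst 10.8.0.0/24 -j DROP'

# Dry run: prints the commands that would be executed, one per line.
demo() {
  nets=$(printf '%s\n' "$SAMPLE_ROUTES" | vpn_networks)
  printf '%s\n' "$SAMPLE_LISTING" | missing_rules "wl0.1 wl1.1" "$nets"
}

demo
```

Running the file as-is prints the five commands the constructed sample still needs (the wl0.1 / 10.8.0.0/24 rule is already listed and is skipped). From firewall-start, call `apply_guest_vpn_block` instead; afterwards `ebtables -t broute -L` should show exactly one rule per guest interface and VPN network, which is the quick check that the rules took effect.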