Guest Network Can Use OpenVPN Client

[Mike S]

I have an Asuswrt-Merlin router running Version 384.14.2. I have an OpenVPN client configured connected to another remote Asus router.

When I connect to the guest wifi network on my local router, I can access the internet, but, as expected, I can not access any devices connected to the main LAN network. However, a guest can access network devices connected to the remote router via the OpenVPN tunnel that is configured on the local router.

Am I doing something wrong or is this a bug? The logical intent of a guest wifi connection is that only the internet should be accessible. How can I prevent the guest from having access to my VPN tunnel?

 

[L&LD]

The VPN tunnel is on the internet.

 

[Mike S]

The VPN tunnel is on the internet.

I'm not sure of what you mean by that. The logical intent of a Guest Network is to provide a connection to the internet for the guest, but to isolate the guest from accessing anything else on your network.

When I setup a VPN connection from my local router to my office location, I certainly don't want a guest to get access to my office LAN thru the VPN tunnel.

How do I setup a guest network, and restrict the guest from using any of my VPN tunnels?

 

[L&LD]

Specify which client can use the VPN, excluding all others.

 

[Mike S]

Specify which client can use the VPN, excluding all others.

On my local router, all computers connected to the LAN ports and the regular WiFi SSIDs have full access to other devices connected to the LAN (including WiFi), the internet, via the WAN interface, and to the OpenVPN tunnel that I have configured to my office router.

A computer connected to the guest WiFi SSID on my local router has access to the internet via the WAN port, but does NOT have access to other devices connected to the LAN ports, or the regular WiFi SSIDs.

My expectation is the guest WiFi devices would also NOT have access to my office network via the OpenVPN tunnel. However, this is not the case. Guests are able to freely use the VPN tunnel to my office router to access all devices located on my office LAN.

This is TOTALLY unexpected and should be classified as a serious bug in the Asuswrt-Merlin firmware. Guests should only have access to the internet, and should NOT be able to access any other networks via VPN tunnels.

 

[L&LD]

What router do you actually have?

I suspect your configurations or your assumptions are incorrect.

You may want to provide a more detailed view of your set up.

 

[Mike S]

What router do you actually have?

I suspect your configurations or your assumptions are incorrect.

You may want to provide a more detailed view of your set up.

I have an RT-AC68U running Asuswrt-Merlin ver 384.14.2.

This problem is really simple to replicate:

1. Configure a local Asus Router with both regular and Guest SSIDs.

2. Create an OpenVPN client connection to a remote Asus Router. Make sure that the two routers are configured with different LAN subnet addresses, so you don't have any conflicts.

3. While connected to the local router with a laptop, ping the remote router, other devices on the local LAN, and sites on the internet. All the pings work.

4. Connect your laptop to the local router's guest WiFi SSID. Try the same pings as in step 3. Pinging the internet works. Pinging other devices on the local LAN does NOT work (which is correct). Pinging the remote router works (this is THE problem).

 

[L&LD]

The remote router is on the internet, as mentioned before.

You need to specify which devices get access to the OpenVPN tunnel if you want to limit its access. Or specifically, deny any you don't want to have access through the VPN.

 

[Mike S]

The remote router is on the internet, as mentioned before.

You need to specify which devices get access to the OpenVPN tunnel if you want to limit its access. Or specifically, deny any you don't want to have access through the VPN.

Please just answer the question. The remote router's LAN is NOT accessible from the internet, except thru the OpenVPN tunnel from my local router.

Semantics aside, how do I set up the local router so that users connected thru the guest WiFi SSID do NOT have access to OpenVPN tunnels?

If that is not possible, how do I submit a bug report so this can get fixed in a future version of the firmware?

 

[Martineau]

2. Create an OpenVPN client connection to a remote Asus Router. Make sure that the two routers are configured with different LAN subnet addresses, so you don't have any conflicts.

What Selective Routing rules have you defined/enforced for the VPN Client?

echo -e "\n\t"RPDB Rules;ip rule;echo;for I in 1 2 3 4 5;do [ -n "$(nvram get vpn_client${I}_addr)" ] && echo -e "\t"Client ovpnc$I port $(nvram get vpn_client${I}_port) $(nvram get vpn_client${I}_proto) || echo -e "\t"Client ovpnc${I} NOT configured;ip route show table 11$I |  grep -E "^0\.|^128.|^default|^prohibit|tun1";done;echo -e "\n\t"Table main;ip route show table 254 | grep -E "^0\.|^128.|^default"""

 

[Mike S]

What Selective Routing rules have you defined/enforced for the VPN Client?

echo -e "\n\t"RPDB Rules;ip rule;echo;for I in 1 2 3 4 5;do [ -n "$(nvram get vpn_client${I}_addr)" ] && echo -e "\t"Client ovpnc$I port $(nvram get vpn_client${I}_port) $(nvram get vpn_client${I}_proto) || echo -e "\t"Client ovpnc${I} NOT configured;ip route show table 11$I |  grep -E "^0\.|^128.|^default|^prohibit|tun1";done;echo -e "\n\t"Table main;ip route show table 254 | grep -E "^0\.|^128.|^default"""

I'm just a basic user trying to set this up with the GUI. I haven't setup any selective routing rules for the OpenVPN client. I don't know how you would even do that. If the WiFi Guest SSIDs used a different DHCP address pool than the regular SSIDs, you could use that to setup special routing policies in the OpenVPN client, but that won't work because all the WiFi connections use a single DHCP address pool.

This looks to me like a simple bug. The whole purpose for Guest WiFi access is to limit the Guest to the WAN internet port only, and to prohibit the guest from accessing anything else in your personal network. Stopping your guests from using your VPN tunnels should be the default configuration.

 

[Martineau]

I'm just a basic user trying to set this up with the GUI. I haven't setup any selective routing rules for the OpenVPN client. I don't know how you would even do that. If the WiFi Guest SSIDs used a different DHCP address pool than the regular SSIDs, you could use that to setup special routing policies in the OpenVPN client, but that won't work because all the WiFi connections use a single DHCP address pool.

This looks to me like a simple bug. The whole purpose for Guest WiFi access is to limit the Guest to the WAN internet port only, and to prohibit the guest from accessing anything else in your personal network. Stopping your guests from using your VPN tunnels should be the default configuration.

Can you copy'n'paste the command and post the results.

 

[L&LD]

How would guests know to ping to your target VPN servers? They won't unless you tell them.

A VPN is not part of the LAN, it is part of the internet. Look into YazFi to further lock down your guest clients (you can put them on a different subnet).

https://www.snbforums.com/threads/y...-merlin-guest-wifi-inc-ssid-vpn-client.45924/

How it is working now is how it is supposed to work. Your assumptions need to be modified.

 

[Mike S]

How would guests know to ping to your target VPN servers? They won't unless you tell them.

A VPN is not part of the LAN, it is part of the internet. Look into YazFi to further lock down your guest clients (you can put them on a different subnet).


https://www.snbforums.com/threads/y...-merlin-guest-wifi-inc-ssid-vpn-client.45924/

How it is working now is how it is supposed to work. Your assumptions need to be modified.

My assumptions are what most non-technical users would have. Whether or not a VPN is part of the LAN or Internet may be an interesting question for an IT professional, but for us simple folks, it's more basic than that. We want to have guest access to our networks, so our guest can get access to the internet. NOTHING else.

Our guest may not be smart enough to sniff out our VPN servers and our office networks, but if they have an infected laptop, the malware is certainly smart enough to find holes in the network and do a LOT of damage.

 

[L&LD]

@Mike S, I am not disagreeing with you. But you need to decide if you will take the steps necessary to have your network do as you want, or, you should disable the VPN connection when Guest clients are connected.

Like I have suggested many times, your assumptions are not correct with reality. You will need to align yourself as you see fit.

Most non-technical users would not be using a VPN connection in the first place.

These rules are not arbitrary. It is the basis of how the entire system works.

 

[dathbe]

Specify which client can use the VPN, excluding all others.

How exactly would one go about doing this? Is this on the VPN client side (I see no options in the Asus GUI for configuring something like this) or on the VPN server side (since the Asus router is the client, I'm not sure what blocking other clients would do)? I take your point about the VPN being "on the internet" -- and there are plenty of VPN use cases where you WOULD want your guest wifi to access the VPN, but when it's connected to remote LAN resources it's not desirable, so I'd like a bit more information on how I would lock it down so my guests can't access my remote LAN resources. Thanks!

P.S. I'm on stock Asus firmware with an RT-AX88u primary router as the VPN client.

 

[dathbe]

To (sort of) answer my own question, it appears that the newer versions of Asus software change the VPN client to something called "VPN Fusion", which does give you the ability to assign only certain devices to a VPN connection.