How can I restrict LAN access on my router's OpenVPN server? (RT-AC87U)

Discussion in 'ASUS Wireless' started by ziggyball, Apr 20, 2019.

  1. ziggyball

    ziggyball New Around Here

    Joined:
    Apr 20, 2019
    Messages:
    6
    Hi,

    I have set up the built-in OpenVPN server, and using the "OpenVPN Connect" app I can access the internet and my LAN.

    My question is how do I restrict access to my LAN from the VPN connection?
    I have tried toggling the 'Push LAN to clients' option, in advanced settings, but this doesn't seem to make any difference.

    Any help with this would be much appreciated.

    I am using the standard firmware in RT-AC87U router. I am not great with networking so apologies if the answer is obvious.

    Thanks.
     
  2. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    8,260
    Location:
    UK
    :confused: The whole point of a VPN server is to allow access to the LAN. If you don't want to do that don't use the VPN. :confused:
     
  3. ziggyball

    ziggyball New Around Here

    Joined:
    Apr 20, 2019
    Messages:
    6
    It's to access the UK internet (for iPlayer etc) when out of the country :)
     
  4. A.D.

    A.D. Regular Contributor

    Joined:
    Feb 15, 2016
    Messages:
    82
    You would have to specify what restriction you want to be applied. Time? Event? Certain LAN clients?

    Also, I assume you mean you want to restrict access to the VPN from your LAN, rather than the other way round?
     
  5. ziggyball

    ziggyball New Around Here

    Joined:
    Apr 20, 2019
    Messages:
    6
    I would assume the simplest thing would be just to restrict all VPN clients to only be able to access the internet through the router and not access any of my LAN clients, all of the time.

    My use case is that I want the VPN clients to be able to access my UK internet when out of the country. And I don't want any of the VPN clients to be able to access my LAN.
     
  6. A.D.

    A.D. Regular Contributor

    Joined:
    Feb 15, 2016
    Messages:
    82
    How do you identify the VPN clients? Is that a changing set of LAN clients, e.g. everyone who is currently connected? Or is it a fixed certain set of devices? Are they always connecting to a certain WLAN SSID? Or something else?
     
  7. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    8,260
    Location:
    UK
    No, it's the other way around.
    As he stated in his reply to you, these are not LAN clients.
     
  8. ziggyball

    ziggyball New Around Here

    Joined:
    Apr 20, 2019
    Messages:
    6
    I am using the built-in OpenVPN server and it looks like it gives them 10.8.0.x IP addresses rather than my standard 192.168.0.x IP addresses. So that could be a way of distinguishing?
     
  9. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    8,260
    Location:
    UK
    Maybe. What are you trying to prevent access to? Windows Firewall, for example, will block access from most devices unless they are on the same subnet (which would not be the case with a VPN client). RDP being the notable exception.
     
  10. ziggyball

    ziggyball New Around Here

    Joined:
    Apr 20, 2019
    Messages:
    6
    I am looking at blocking access to everything on the LAN. So I suppose it would be that anything in the VPN's 10.8.0.x IP address space can access everything (internet etc) except 192.168.0.x
     
  11. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    8,260
    Location:
    UK
    I can't think of a way of doing it through the GUI (but that doesn't mean there isn't one).

    If you are running Merlin's firmware instead of stock then you could do it with a user script.
     
  12. Martineau

    Martineau Part of the Furniture

    Joined:
    Jul 8, 2012
    Messages:
    2,163
    Location:
    UK
    The @RMerlin firmware has the GUI option:

    [Attached screenshot: upload_2019-4-21_19-19-3.png]

    which applies to any OpenVPN client (default 10.8.0.x/10.16.0.x) that connects to your OpenVPN server, but if you need greater control, you will need to assign static IP addresses to the clients, and use the openvpn-event script(s)
     
    HuskyHerder likes this.
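
The policy worked out in posts 10 to 12 (VPN clients in 10.8.0.x may reach the internet but nothing in 192.168.0.x) can be written as a single firewall rule run from a user script. This is an added example, not code from any poster or from the firmware; the subnets follow the ranges quoted in the thread, and the function names and the `DRY_RUN` switch are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Subnets follow the ranges quoted in the
# posts; function names and the DRY_RUN switch are hypothetical.
VPN_NET="${VPN_NET:-10.8.0.0/24}"      # OpenVPN server's client pool
LAN_NET="${LAN_NET:-192.168.0.0/24}"   # home LAN
DRY_RUN="${DRY_RUN:-1}"                # 1 = only print the command

# Accept only a.b.c.d/len with octets <= 255 and len 0-32, so that a typo
# never reaches iptables as a malformed or overly broad match.
valid_cidr() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' || return 1
    addr=${1%/*}
    old_ifs=$IFS; IFS=.
    for octet in $addr; do
        [ "$octet" -le 255 ] || { IFS=$old_ifs; return 1; }
    done
    IFS=$old_ifs
}

# Build the rule: drop packets routed from the VPN pool to the LAN.
# Traffic from VPN clients to any other destination (the internet) does not match.
block_rule_spec() {
    valid_cidr "$1" && valid_cidr "$2" || return 1
    echo "FORWARD -s $1 -d $2 -j DROP"
}

# Insert the rule at the top of FORWARD, once. FORWARD covers hosts behind the
# router; packets addressed to the router itself traverse INPUT instead.
apply_block() {
    spec=$(block_rule_spec "$1" "$2") || { echo "invalid subnet" >&2; return 1; }
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables -I $spec"
        return 0
    fi
    # -C tests whether the rule already exists, so reruns do not stack duplicates.
    # $spec is left unquoted on purpose: it must split into separate arguments.
    iptables -C $spec 2>/dev/null || iptables -I $spec
}

apply_block "$VPN_NET" "$LAN_NET"
```

With `DRY_RUN=1` the script only prints the command; set `DRY_RUN=0` on the router to apply it.
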
  13. ziggyball

    ziggyball New Around Here

    Joined:
    Apr 20, 2019
    Messages:
    6
    Thanks Martineau - I'll look at this custom(?) firmware