How do I configure my OpenVPN server on my Asus router to allow specific use by different clients


kwood30

New Around Here
I have set up an OpenVPN server on my Asus RT-AX82U router (Firmware version 3.0.0.4.386_45375) and it has automatically generated a Client.ovpn file. But how do I now alter this file to allow certain access to my network? I have a couple of servers, which also contain web services, and some clients I only want to have access to the one server with the web services. And other clients complete access to the whole network. I have tried and searched for hours, but I cannot seem to find a way (that I understand). Any help and advice would be greatly appreciated.
 

RMerlin

Asuswrt-Merlin dev
You can't. The VPN creates a tunnel between the remote end, and your network, beyond that it has no control over who can access what within that network.

In essence, treat a VPN as a way to simulate having that remote client directly plugged into an Ethernet port within your network.
 

kwood30

New Around Here
Is there no way of configuring the VPN or client file to only access the one server, using the server IP address?
 

L&LD

Part of the Furniture
You can only do that by having the Server run the OpenVPN server and not your router.
 

eibgrad

Very Senior Member
I don't know if this is what you're looking for, but if you configure the OpenVPN server to assign specific IPs on the tunnel to specific OpenVPN clients, you could then uniquely identify those clients and create firewall rules that limit access to specific target resources.

For example, if the OpenVPN server is using 10.8.0.0/24, and a client has been assigned 10.8.0.2, and the remote network is 192.168.1.0/24, and that client should only have access to 192.168.1.100 …

Code:
iptables -I FORWARD -s 10.8.0.2 ! -d 192.168.1.100 -j REJECT

Assigning specific IPs on the tunnel requires using a CCD (client-config-dir) directive that points to a folder containing files named after the common-name of the cert used by the given client. Within those files you would specify the ifconfig-push directive to assign the preferred IP. But that assumes every client is being assigned its own unique certs and keys, which isn't the case by default. Alternatively, you can require usernames/passwords (which most people do anyway) and use the username-as-common-name directive, which tells the OpenVPN server to use the username instead to distinguish clients.

P.S. I just realized you're using OEM/stock firmware, which will probably make the above impossible to implement, particularly the firewall rules. But at least with the right router and firmware (e.g., Merlin), it is possible.
 
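The two halves of eibgrad's approach (pin a client to a fixed tunnel IP with a CCD file, then restrict that IP in the FORWARD chain), as an added example that is not part of any post in this thread. It is a small POSIX sh script that prints the OpenVPN CCD entry and the iptables commands instead of applying them, so the rules can be reviewed before being piped to sh on the router. It assumes the server runs with "topology subnet" on a /24 tunnel (so ifconfig-push takes an IP and a netmask), that the CCD directory path is whatever you configured (the directory name below is a placeholder), and it generalizes the single `! -d` rule from the post to a list of allowed hosts: one ACCEPT per allowed destination followed by a catch-all REJECT for that client.

```shell
#!/bin/sh
# Added example, not from the thread. Generates (does not apply) the per-client
# OpenVPN CCD entry and the iptables FORWARD rules that confine a VPN client.
# Assumption: server uses "topology subnet" with a /24 tunnel, so ifconfig-push
# takes "<ip> <netmask>". With the older "topology net30" the second field would
# be the peer address instead.
TUN_MASK="255.255.255.0"

# ccd_entry <tunnel-ip>
# Prints the ifconfig-push line that pins a client to a fixed tunnel address.
ccd_entry() {
    printf 'ifconfig-push %s %s\n' "$1" "$TUN_MASK"
}

# write_ccd <ccd-dir> <common-name> <tunnel-ip>
# Writes the CCD file. The file name must equal the client's certificate CN, or
# the username when the server has "username-as-common-name" set.
write_ccd() {
    mkdir -p "$1"
    ccd_entry "$3" > "$1/$2"
}

# restrict_client <tunnel-ip> <allowed-host>...
# Prints iptables commands that allow the client to reach only the listed hosts.
# Because -I inserts at the top of the chain, the REJECT is emitted first and the
# ACCEPTs after it, so once applied the chain reads: ACCEPT ..., REJECT.
# Reply traffic (LAN host -> client) is unaffected: the REJECT matches only
# packets whose source is the client's tunnel IP.
restrict_client() {
    client="$1"
    shift
    printf 'iptables -I FORWARD -s %s -j REJECT\n' "$client"
    for host in "$@"; do
        printf 'iptables -I FORWARD -s %s -d %s -j ACCEPT\n' "$client" "$host"
    done
}

# Usage with constructed values (run only when executed directly, not when sourced):
if [ "${0##*/}" = "vpn-restrict.sh" ]; then
    # /jffs/ccd is a placeholder for whatever client-config-dir points at.
    write_ccd /jffs/ccd webonly-client 10.8.0.2
    restrict_client 10.8.0.2 192.168.1.100
    # A full-access client gets a fixed IP but no FORWARD rules at all.
    write_ccd /jffs/ccd admin-client 10.8.0.3
fi
```

Clients that should see the whole LAN simply get no `restrict_client` rules; the point of pinning their IP anyway is that a rule set written for one client can never silently apply to another after a reconnect. To apply, run the script as `vpn-restrict.sh | sh` on firmware that exposes iptables; on stock Asus firmware, as eibgrad notes, the firewall half is the part you are unlikely to be able to do.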
