OpenVPN - Access to LAN Only


voyto

Occasional Visitor
Hi All :)

At work we're using a BT BusinessHub as our main router. Previously we used an AC86U, but now that we have BT's 4G Assure failover, which is essential for our SIP phones, we've had to revert back.

Our LAN address is 192.168.48.0

I currently have the AC86U sitting on its own network of 192.168.49.0 as a VPN Server & Guest Access WiFi AP. All works great, other than when I try to restrict VPN clients to use the VPN for LAN access only. Before 4G Assure, the AC86U was also the main router and just toggling the "Client will use VPN to access" to LAN only did the trick. This toggle now doesn't work as it's on its own network, so it has to be set to "Both" to allow clients to access the 48.0 LAN.

Does anyone know how I can get around this issue server side? I wondered if there was a custom configuration I could input?

Attached are screenshots of our current config.

Many thanks!
 

Can you clarify what you mean by "restrict VPN clients to use the VPN for LAN access only". What I think you mean is that you want to restrict VPN clients to both LANs (192.168.48.0 and 192.168.49.0). In other words you want to block internet access.

Presumably any WiFi guests would also have this problem? Have you tested this?
 
The 49.0 network has nothing on it; I just had to put the Asus router on another network for it to work correctly (DHCP issues when it was on the same network).

Not tried with WiFi guests, as they're all isolated anyway using that feature in Merlin's firmware under Guest WiFi.
 
Can you clarify the points I made in my previous post as there are ambiguities in what you're saying. What exactly is the purpose of the guest WiFi?
 
Customers visiting our office (not so much at the moment) or staff for their personal use (no need to access our internal network with these devices)
 
OK. So all clients (VPN, WiFi and Ethernet) connected to the AC86U should have internet access only.

EDIT: I don't see the point of restricting VPN clients to "internet only". Surely a remote VPN user just wouldn't connect to the VPN server at all?

It's worth pointing out that as far as the AC86U is concerned "the LAN" or "the intranet" is the 192.168.49.0 network only. Everything else upstream, including the 192.168.48.0 network, is "the internet" from its perspective. It's important to realise that because your "guest" WiFi network is not isolated from the 192.168.48.0 network, only the 192.168.49.0 network.

Try using the Network Services Filter on the AC86U to block all access to the 192.168.48.0 network. I don't know whether that will work. It depends on which router functions have priority over others. Create a test scenario with your current setup to verify you do have access, then after your changes perform the test again to see if it's now blocked.

I don't know anything about the BT BusinessHub but maybe that has some function that can be used instead.
 
I think I'm perhaps doing a poor job of explaining our scenario.

The Asus Router is now just a glorified VPN Server, plugged into our 48.0 network, but configured on its own 49.0 network. I only did this as I couldn't get it to work when it sat on the same network - my assumption was that because the BTBH was the DHCP server, it was struggling to give an address with DHCP off on the Asus. My solution was to put it on its own 49.0 network and enable the DHCP server. For the most part, this has worked perfectly.

Because the Merlin/Asus firmware has the Guest WiFi option, with advanced features for speed limiting, I've also used it to perform this task too.

If I connect wired to the Asus router I can access the 48.0 network fine. My device gets a 49.0 address from the Asus DHCP server.

The only adjustment I'm looking to make is to stop the VPN users having their normal internet traffic routed through the VPN. The only traffic I want to go over their VPN is that intended for the 48.0 (and 49.0 if it's easier) network. Maybe it can be done more easily client side?
 
This is just a guess because I can't test this...

I think you need to set "Client will use VPN to access" to "LAN only".

Then in the Custom configuration put:
Code:
push "route 192.168.48.0 255.255.255.0"
There might also be other changes to the routing or firewall but I can't guess what they are. Maybe another forum member can help with that.
 
Didn't work unfortunately. Still only able to ping the interface of the VPN router. Unable to ping anything on the 48.0 network.
 
Three separate issues here.

First, I assume you have some forwarding in place so VPN clients can connect through the BT Business Hub to reach the Asus on whatever .48.xx address you've given it.

Second, you don't have any devices you want the VPN clients to reach on the .49.xx net, so it doesn't matter if you have the server set to internet only or both. But you don't want LAN only. Internet only or both will push a default gateway of your 49.1 address for the Asus router. If a client asks to reach a .48.x address, the request will go to the 10.8.0.x address of the VPN Server, to the 49.1 address of the Asus router; it will forward that request up a level to its .48.x address and that network, and it will go to the right address.

Third, wireless clients on the Guest network won't have any access to the .49.xx network (nothing there anyway), but they should have full access to the .48.xx network, because as Colin said, that is the internet as far as the Asus router is concerned. This I think is your original question, and I don't know how you might give the Server clients full access to the .48 network and the Guest WiFi clients no access. Perhaps this is a thing YazFi could do.
 
Internet only or both will push a default gateway of your 49.1 address for the Asus router.
I believe this is what he doesn't want to happen (leaving "LAN only" as the only option). He wants split tunnelling on the client side. i.e. The client can access the 2 LANs through the VPN connection whilst still being able to access the internet via its normal WAN connection.
The only adjustment I'm looking to make is to stop the VPN users having their normal internet traffic routed through the VPN. The only traffic I want to go over their VPN is that intended for the 48.0 (and 49.0 if it's easier) network.

Maybe my assumption is wrong.
 
@ColinTaylor was on the right track. You need to push the other network (192.168.48.x). But you also need to make an exception in the firewall to allow access to that network over the WAN. Normally the WAN is blocked when LAN only is specified, so you need to explicitly allow it for clients of the VPN.

Code:
iptables -I FORWARD -i tun21 -d 192.168.48.0/24 -j ACCEPT
 
I see your point now. So I wonder if it would work to specify both, but then disregard the change in the default gateway on the client side with
Code:
pull-filter ignore redirect-gateway
Would that handle the firewall issue?
 
Entirely apart from this, has the OP tried putting the BT Hub in a bridge mode? Would the 4G assure still do its thing, but all of the other issues go away?
 
Thank you for the help! Adding this to the configuration gives the following error....

OpenVPN server daemon failed to start.
Please check your device environment or contents on the Advanced Setting page.

System Log Output...

Nov 5 13:15:52 rc_service: httpds 814:notify_rc restart_chpass;restart_vpnserver1
Nov 5 13:15:52 kernel: device tun21 entered promiscuous mode
Nov 5 13:15:52 ovpn-server1[25379]: Options error: Unrecognized option or missing or extra parameter(s) in config.ovpn:27: iptables (2.4.7)
Nov 5 13:15:52 ovpn-server1[25379]: Use --help for more information.
Nov 5 13:15:52 init: VPN_LOG_ERROR: 1392: Starting VPN instance failed...
 
Entirely apart from this, has the OP tried putting the BT Hub in a bridge mode? Would the 4G assure still do its thing, but all of the other issues go away?

This isn't possible unfortunately. It was the first thing I wanted to do when told I'd have to revert back to the BT kit.

Am I maybe over-complicating things by having this on a separate network? Should it be possible to have it sit on the same network while not handling DHCP itself?
 
Thank you for the help! Adding this to the configuration gives the following error....
That's because you've put it into the Custom configuration which is the wrong place. It is a system command that needs to be put into a user script, probably firewall-start.
 
iptables must be executed from a script, not defined as a parameter in the OpenVPN Server Custom Configuration GUI.

Firmwares newer than v384.xx use a dedicated OpenVPN iptables chain, OVPN.

e.g. OpenVPN Server 1 (tun21) with 'Client will use VPN to access' = LAN only, and OpenVPN Server 2 (tun22) with 'Client will use VPN to access' = Both.

Use the following command to display the current OpenVPN firewall rules:

Code:
iptables --line -t filter -nvL OVPN

Chain OVPN (2 references)
num   pkts bytes target     prot opt in     out     source               destination       
1        0     0 ACCEPT     all  --  tun22  *       0.0.0.0/0            0.0.0.0/0         
2        0     0 ACCEPT     all  --  tun21  *       0.0.0.0/0            192.168.1.0/24
To ensure that your downstream subnet is added automatically when the OpenVPN server initialises, you could create/modify scripts '/jffs/scripts/openvpn-event' (see template) and '/jffs/scripts/vpnserver1-route-up' to modify the OVPN chain

e.g.
Code:
#!/bin/sh
# Access down-stream subnet(s) attached to LAN (br0)
# $dev (e.g. tun21) is exported by OpenVPN when it runs the route-up script
# Delete first so a server restart does not stack duplicate rules, then insert
iptables -D OVPN -d 192.168.48.0/24 -i $dev -j ACCEPT
iptables -I OVPN -d 192.168.48.0/24 -i $dev -j ACCEPT
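The thread identifies two separate pieces that a "LAN only" server on a separate subnet needs: the push "route ..." line for the Custom configuration (Colin's suggestion) and the ACCEPT rule on the OVPN chain (the route-up script above). The script below is an added example, not code from any participant or from Asuswrt-Merlin, that derives both from a single subnet list so they cannot drift apart. It assumes the firmware's OVPN chain exists (384.x, as stated above), that OpenVPN exports $dev (e.g. tun21) when it runs the route-up script, and that ALLOWED_SUBNETS, prefix_to_mask, render_push_routes, render_rules and the --show-push switch are this example's own names; the subnet list is constructed from the thread's 48.0 and 49.0 networks.

```shell
#!/bin/sh
# Added example (not from the thread's participants or from Asuswrt-Merlin):
# a /jffs/scripts/vpnserver1-route-up helper that derives, from one subnet list,
#   1. the push "route ..." lines to paste into the server's Custom configuration
#   2. the ACCEPT rules on the firmware's OVPN chain for a "LAN only" server
# Assumptions: the OVPN chain exists (384.x), OpenVPN exports $dev (e.g. tun21)
# when it runs route-up scripts, and ALLOWED_SUBNETS is constructed for this example.

# Upstream networks VPN clients may reach even though the server is set to "LAN only".
ALLOWED_SUBNETS="192.168.48.0/24 192.168.49.0/24"

# Validate a dotted-quad CIDR so a typo never turns into an overly broad ACCEPT rule.
valid_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' || return 1
    for octet in $(printf '%s\n' "${1%/*}" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Convert a prefix length (0-32) to the dotted netmask OpenVPN's "route" option expects.
prefix_to_mask() {
    bits=$1 mask="" i=0
    while [ "$i" -lt 4 ]; do
        if [ "$bits" -ge 8 ]; then
            octet=255; bits=$((bits - 8))
        else
            octet=$(( (255 << (8 - bits)) & 255 )); bits=0
        fi
        mask="$mask${mask:+.}$octet"
        i=$((i + 1))
    done
    printf '%s\n' "$mask"
}

# Emit the push "route ..." lines for the OpenVPN Server Custom configuration box.
render_push_routes() {
    for net in "$@"; do
        valid_cidr "$net" || continue
        printf 'push "route %s %s"\n' "${net%/*}" "$(prefix_to_mask "${net#*/}")"
    done
}

# Emit the iptables commands for one tunnel device, one per line, without running them.
# Deleting before inserting (as in the post above) keeps re-runs from stacking duplicates.
render_rules() {
    tun="$1"; shift
    for net in "$@"; do
        if valid_cidr "$net"; then
            printf 'iptables -D OVPN -i %s -d %s -j ACCEPT 2>/dev/null\n' "$tun" "$net"
            printf 'iptables -I OVPN -i %s -d %s -j ACCEPT\n' "$tun" "$net"
        else
            printf 'skipping invalid subnet: %s\n' "$net" >&2
        fi
    done
}

# Execute the rendered rules; only meaningful on the router itself.
apply_rules() {
    render_rules "$@" | while IFS= read -r cmd; do
        eval "$cmd"
    done
}

# When OpenVPN invokes this file as the route-up script, $dev is already set.
# Run it by hand with --show-push to print the lines for the GUI instead.
case "${1:-}" in
    --show-push) render_push_routes $ALLOWED_SUBNETS ;;
    *) if [ -n "${dev:-}" ] && [ "${0##*/}" = "vpnserver1-route-up" ]; then
           apply_rules "$dev" $ALLOWED_SUBNETS
       fi ;;
esac
```

Save it as /jffs/scripts/vpnserver1-route-up and make it executable; `sh /jffs/scripts/vpnserver1-route-up --show-push` prints the push lines to paste into the Custom configuration, and after a server restart `iptables --line -t filter -nvL OVPN` (as shown in the post above) should list one ACCEPT per subnet for the tunnel device. Keeping the list to explicitly validated /24s means a mistyped entry is skipped rather than becoming a 0.0.0.0/0 exception that would silently turn "LAN only" back into "Both".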
 
Really appreciate the time you're giving to help me with this. Here's my results from this....

2 files created in /jffs/scripts, both with the code you gave.
Code:
admin@RT-AC86U:/jffs/scripts# ls
openvpn-event        vpnserver1-route-up

iptables output

Code:
ASUSWRT-Merlin RT-AC86U 384.12-0 Fri Jun 21 21:25:52 UTC 2019
admin@RT-AC86U:/tmp/home/root# iptables --line -t filter -nvL OVPN
Chain OVPN (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  tun21  *       0.0.0.0/0            192.168.48.0/24
2        0     0 ACCEPT     all  --  tun21  *       0.0.0.0/0            0.0.0.0/0

OpenVPN starts successfully - VPN user still unable to ping anything on the 48.x network.

Apologies in advance if I'm being one of those people that make you want to bang your head against the wall!
 
