OpenVPN - disable Push LAN to Clients, but route to one IP isn't working

604ww

New Around Here
Hello everyone.

I'm setting up OpenVPN for the first time on my RT-AC67U (I believe it's a repackaged AC68U) using the stock firmware. By default, all works well: the client can connect and I can ping all the devices on the network from the client computer.

But that's the issue. I only want the client to access 1 IP on the network, and be blocked off from the rest.

I've disabled "Push LAN to clients", which cut off access to the LAN network, which is good. But how do I enable a route so that the VPN client can access the specific LAN IP, and only that IP?

I tried creating a route under LAN--> Route

Network/Host IP: 10.8.0.0 (VPN IP network given to the client)
Netmask: 255.255.255.0
Gateway: used the dropdown to the device I want the vpn client to have access to
Metric: <not sure what to put here>
Interface: LAN

Despite having this and Push LAN to clients disabled, I can't ping the LAN IP I want.

Does anyone know what I'm missing? Or do I need to upgrade the firmware to Merlin before I can do this? I've seen some screenshots of routes for the VPN tunnel, but I don't seem to have that in the stock firmware.

Thanks in advance!
 
This is NOT a routing issue. It's a firewall issue. I'm not sure how much capability you have to manipulate the firewall using the OEM/stock firmware, but if you do, you would need to add a firewall rule that limits access to the one LAN IP, while still pushing the LAN (as a route) to the OpenVPN clients.

Code:
# "! -d" negates the destination match: anything from the VPN subnet that is
# NOT headed to 192.168.1.100 is rejected. -I puts the rule at the head of FORWARD.
iptables -I FORWARD -s 10.8.0.0/24 ! -d 192.168.1.100 -j REJECT

IOW, for any OpenVPN client on the 10.8.0.0/24 network, the only accessible device is 192.168.1.100. Of course, this eliminates internet access as well (not sure if that is or isn't an issue).
 
Hi Eibgrad

Thanks for the reply.

Hm, that might not work then, I guess. The purpose of setting up this VPN is to be able to remote in and access the web GUI of the device via IP, but only this device, and restrict access to the rest of the network. But the remote device would still require internet access.
 
If you still want internet access, just change the firewall rules slightly.

Code:
# Run in this order. -I inserts at the head of the chain, so the ACCEPT for
# 192.168.1.100 (inserted second) ends up ABOVE the REJECT for the rest of the LAN.
# Traffic to anything outside 192.168.1.0/24 (the internet) matches neither rule.
iptables -I FORWARD -s 10.8.0.0/24 -d 192.168.1.0/24 -j REJECT
iptables -I FORWARD -s 10.8.0.0/24 -d 192.168.1.100 -j ACCEPT
 
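The two replies above hinge on first-match evaluation and on `-I` inserting at the head of the chain, so the order in which the two lines are typed decides whether the allowed host is reachable. The following is an added example, not code from the thread or from the Asus firmware: a small Python model of the FORWARD chain that supports only what the posted rules use (`-s`/`-d` with optional `!` negation, `-I` versus `-A`, first match wins) and runs constructed sample flows from a VPN client (addresses 10.8.0.6, 192.168.1.50 and 1.1.1.1 are assumptions) through both rule sets, plus the second set entered in the wrong order. A verdict of PASS means no inserted rule matched and the firmware's own rules further down the chain decide, which for LAN-to-WAN forwarding is normally ACCEPT.

```python
"""Toy model of iptables FORWARD-chain evaluation (added example, not from the
original thread). Models only: -s/-d matches with optional '!' negation,
-I (insert at head) vs -A (append), and first-match verdicts. Real iptables
also has connection state, interfaces and other chains; none is modelled."""
import ipaddress

PASS = "PASS"  # no inserted rule matched; the router's existing rules decide


class Chain:
    def __init__(self):
        # each rule: (src_net, src_negated, dst_net, dst_negated, target)
        self.rules = []

    @staticmethod
    def _parse(tokens):
        src = dst = target = None
        src_neg = dst_neg = neg = False
        i = 0
        while i < len(tokens):
            t = tokens[i]
            if t == "!":                      # negates the next -s or -d
                neg = True
            elif t in ("-s", "-d"):
                net = ipaddress.ip_network(tokens[i + 1], strict=False)  # host -> /32
                if t == "-s":
                    src, src_neg = net, neg
                else:
                    dst, dst_neg = net, neg
                neg = False
                i += 1
            elif t == "-j":
                target = tokens[i + 1]
                i += 1
            else:
                raise ValueError("unsupported token %r" % t)
            i += 1
        return (src, src_neg, dst, dst_neg, target)

    def run(self, cmdline):
        """Apply one 'iptables -I FORWARD ...' or 'iptables -A FORWARD ...' line."""
        tokens = cmdline.split()
        if tokens[0] != "iptables" or tokens[2] != "FORWARD":
            raise ValueError("only FORWARD-chain commands are modelled")
        rule = self._parse(tokens[3:])
        if tokens[1] == "-I":
            self.rules.insert(0, rule)  # -I with no position puts the rule at the head
        elif tokens[1] == "-A":
            self.rules.append(rule)
        else:
            raise ValueError("only -I and -A are modelled")

    def verdict(self, src_ip, dst_ip):
        s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        for src, src_neg, dst, dst_neg, target in self.rules:
            # a match fails when membership equals the negation flag
            if src is not None and (s in src) == src_neg:
                continue
            if dst is not None and (d in dst) == dst_neg:
                continue
            return target  # first matching rule decides
        return PASS


# Constructed sample flows from one OpenVPN client (assumed addresses).
PACKETS = {
    "allowed host":   ("10.8.0.6", "192.168.1.100"),
    "other LAN host": ("10.8.0.6", "192.168.1.50"),
    "internet":       ("10.8.0.6", "1.1.1.1"),
}

FIRST_REPLY = ["iptables -I FORWARD -s 10.8.0.0/24 ! -d 192.168.1.100 -j REJECT"]
SECOND_REPLY = [
    "iptables -I FORWARD -s 10.8.0.0/24 -d 192.168.1.0/24 -j REJECT",
    "iptables -I FORWARD -s 10.8.0.0/24 -d 192.168.1.100 -j ACCEPT",
]
SECOND_REPLY_SWAPPED = list(reversed(SECOND_REPLY))  # the typing-order mistake


def evaluate(cmdlines):
    """Load the commands in the given order and return {flow: verdict}."""
    chain = Chain()
    for line in cmdlines:
        chain.run(line)
    return {name: chain.verdict(s, d) for name, (s, d) in PACKETS.items()}


if __name__ == "__main__":
    for label, cmds in (("first reply", FIRST_REPLY),
                        ("second reply", SECOND_REPLY),
                        ("second reply, lines swapped", SECOND_REPLY_SWAPPED)):
        print(label, evaluate(cmds))
```

The swapped case is the one to watch for on a real router: entering the ACCEPT line first and the REJECT line second leaves the REJECT at the head of the chain, and 192.168.1.100 becomes unreachable along with the rest of the LAN. Two further caveats the model does not cover: rules added from a shell this way do not survive a reboot unless the firmware has a mechanism to re-apply them, and FORWARD rules say nothing about traffic addressed to the router itself (its web GUI or SSH on the LAN address), which is governed by the INPUT chain.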
got it, will give it a shot.

Thanks!
 

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top