OPENVPN SERVER-LAN ONLY OPTION- WORKING AS INTENDED

joe scian

Very Senior Member
Hi Merlin

Might have found an issue using LAN ONLY option in openvpn server. When I select this option - not only can I access LAN but I also have access to Internet from a remote location. Can this be reproduced your end too? BTW using Unbound as a recursive resolver but choice of DNS shouldn't matter.
 
Hi Merlin

Might have found an issue using LAN ONLY option in openvpn server. When I select this option - not only can I access LAN but I also have access to Internet from a remote location. Can this be reproduced your end too? BTW using Unbound as a recursive resolver but choice of DNS shouldn't matter.
Are you sure the access to the internet is through the router? The LAN option only pushes the route to the LAN but does not change the default gateway, so if you go to a site that isn't on the LAN it will go outside the tunnel.
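The routing behaviour described in the reply above (the LAN option pushes only the LAN prefix, so the client's own default gateway keeps serving everything else) can be checked from the client's routing table. This is an added example, not code from the thread or the firmware; the two `ip route` tables are constructed, and the interface and address names (tun0, wlan0, 10.8.0.0/24, 192.168.1.0/24) are assumptions.

```shell
#!/bin/sh
# Added example: classify a client's routing table as split-tunnel (only the
# pushed LAN route goes through the tunnel) or full-tunnel (default captured).

# Constructed "ip route" output after connecting with "LAN only":
# only 192.168.1.0/24 is sent via the tunnel, the default route is untouched.
SPLIT_TABLE='default via 192.168.50.1 dev wlan0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 via 10.8.0.1 dev tun0
192.168.50.0/24 dev wlan0 proto kernel scope link src 192.168.50.20'

# Constructed table after connecting with "Both": redirect-gateway def1 adds
# 0.0.0.0/1 and 128.0.0.0/1, which beat the /0 default by longest-prefix match.
FULL_TABLE='default via 192.168.50.1 dev wlan0
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 via 10.8.0.1 dev tun0
192.168.50.0/24 dev wlan0 proto kernel scope link src 192.168.50.20'

# tunnel_mode TABLE TUN_IF -> prints "full", "split" or "none"
tunnel_mode() {
    table="$1"; tun="$2"
    # full tunnel: a plain default route on the tunnel interface ...
    if printf '%s\n' "$table" | grep -q "^default .* dev $tun"; then
        echo full; return 0
    fi
    # ... or both def1 halves on it (grep -c exits 1 on zero matches)
    halves=$(printf '%s\n' "$table" \
        | grep -Ec "^(0\.0\.0\.0|128\.0\.0\.0)/1 .* dev $tun" || true)
    if [ "$halves" -eq 2 ]; then
        echo full; return 0
    fi
    # split tunnel: at least one more-specific prefix is routed via the tunnel
    # (the tunnel's own link route has no "via" and does not count)
    if printf '%s\n' "$table" | grep -v '^default' | grep -q " via .* dev $tun"; then
        echo split; return 0
    fi
    echo none
}

tunnel_mode "$SPLIT_TABLE" tun0   # split
tunnel_mode "$FULL_TABLE" tun0    # full
```

Run it against the real output of `ip route` on the client (`tunnel_mode "$(ip route)" tun0`) to confirm which mode a given server profile actually produced.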
 
To add to elorimer’s suggestion, what do you get when you go to whatsmyip.org? Your home router’s public IP address, or that of the network your client device is on?
 
To add to elorimer’s suggestion, what do you get when you go to whatsmyip.org? Your home router’s public IP address, or that of the network your client device is on?

That is indeed interesting - I get the public IP address of the network my client device is on. Therefore this is the default gateway and hence I get internet access. So therefore, is this operation behaving as designed? I thought that LAN ONLY when connected to an OPENVPN Server means that I should only be able to connect to LAN resources on my home network and NOT have access to Internet - in other words the Internet on Home network would effectively be firewalled and ALL data is via VPN tunnel. Similar to the way Internet Only works, i.e. Internet available via tunnel but Home LAN effectively firewalled.
 
That is indeed interesting - I get the public IP address of the network my client device is on. Therefore this is the default gateway and hence I get internet access. So therefore, is this operation behaving as designed?
Yes. It's sometimes called "split tunnelling".
I thought that LAN ONLY when connected to an OPENVPN Server means that I should only be able to connect to LAN resources on my home network and NOT have access to Internet
No. The option is called "Client will use VPN to access...". That doesn't necessarily mean that non-VPN connections are restricted.
 
Yes. It's sometimes called "split tunnelling".
No. The option is called "Client will use VPN to access...". That doesn't necessarily mean that non-VPN connections are restricted.

So I assume if one wished to restrict Internet connection when LAN ONLY is chosen you would need to invoke a firewall rule using iptables.
 
So I assume if one wished to restrict Internet connection when LAN ONLY is chosen you would need to invoke a firewall rule using iptables.
I think you would still need to choose "Both" (Internet and local network) so that the server tells the client to change its routing so everything is going to the VPN server. You would then need to change the firewall rules on the server side to block access to the internet for the client. You might be able to block it by creative use of the server's "Custom Configuration" options instead.

Alternatively, have a look at the VPN client configuration. There might be some option that disables split tunnelling.

Given that the client device in normal operation has access to the internet why would you want to block it only when the VPN is active?
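The server-side approach described in the reply above (select "Both" so the client routes everything into the tunnel, then block the client's internet traffic with firewall rules on the router) could look like this. It is an added example, not code from the thread or from the firmware; the interface name tun21, the LAN subnet 192.168.1.0/24, the client pool 10.8.0.0/24 and the script path are assumptions, and the rules are only emitted by default so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example: keep "Both" (redirect-gateway) clients on the home LAN but off
# the internet, via a FORWARD chain on the OpenVPN server (router) side.
# Assumed: tun21 = OpenVPN server interface, 192.168.1.0/24 = home LAN,
# 10.8.0.0/24 = VPN client pool. On Asuswrt-Merlin, invoke it as
#   sh /jffs/scripts/vpn-lan-only.sh apply
# from /jffs/scripts/firewall-start so it is re-applied on every firewall reload.

VPN_IF="${VPN_IF:-tun21}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"
CHAIN="VPN_LAN_ONLY"

# Print the rules instead of running them so they can be reviewed (and tested)
# without root. RETURN hands LAN and client-to-client traffic back to FORWARD,
# where the firmware's own rules already allow it; everything else is logged
# (rate-limited) and dropped. DNS queries sent to the router itself go through
# INPUT, not FORWARD, so name resolution keeps working; only the forwarded
# connections to the resolved internet addresses are dropped.
build_rules() {
    cat <<EOF
iptables -N $CHAIN 2>/dev/null
iptables -F $CHAIN
iptables -A $CHAIN -d $LAN_NET -j RETURN
iptables -A $CHAIN -d $VPN_NET -j RETURN
iptables -A $CHAIN -m limit --limit 6/min -j LOG --log-prefix "$CHAIN drop: "
iptables -A $CHAIN -j DROP
iptables -D FORWARD -i $VPN_IF -j $CHAIN 2>/dev/null
iptables -I FORWARD 1 -i $VPN_IF -j $CHAIN
EOF
}

# Apply the rule set; idempotent because the jump is deleted before re-insert.
apply_rules() {
    if [ "$(id -u)" -ne 0 ] || ! command -v iptables >/dev/null 2>&1; then
        echo "apply_rules: needs root and iptables" >&2
        return 1
    fi
    build_rules | sh
}

case "${1:-print}" in
    apply) apply_rules ;;   # from firewall-start
    *)     build_rules ;;   # default: show the rules for review
esac
```

Blocked attempts show up in the router's syslog with the `VPN_LAN_ONLY drop:` prefix, which is a quick way to confirm the rule is doing its job for a connected client.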
 
I fully understand split tunnelling now as used in Merlin firmware. Thank you for the education. Much appreciated.
 
Given that the client device in normal operation has access to the internet why would you want to block it only when the VPN is active?
I suppose if the client was another router, and you wanted computers on its LAN to have access to devices on the server LAN, but not the internet. Not particularly likely.
 
I suppose if the client was another router, and you wanted computers on its LAN to have access to devices on the server LAN, but not the internet. Not particularly likely.
There are indeed times when you'd want to block the client from having any internet access. For example (as you said) connecting two offices with a LAN to LAN, or a "locked down" work laptop for teleworking. But these are very specific scenarios, and in such cases when the client wasn't connected to the VPN the internet access would be blocked on the client's side. That's not the case here: the client has full access to the internet when the VPN is turned off, so it seems rather pointless trying to block it via the VPN server.
 