OpenVPN Server set to LAN only allows browsing

Weblee2407

Regular Contributor
My OpenVPN servers on two different GT-AX6000s are both allowing internet access when configured for LAN only. Toggled the values back and forth but no change. These VPNs are for my admin access only, and in the past if I forgot and tried to google something it would be clear: no internet access. Is that setting/value saved in a file or an nvram value? This happens on both iPhone and Windows laptop. I guess my first step is to restore 1 rev using backupmon. Is anyone seeing the same behaviour?
 
Check who's your ISP when connected to the VPN server. I remember in "LAN only" my phone was getting Internet from the mobile operator while having access to the remote LAN at the same time. Perhaps what you see is exactly the expected behavior. I don't remember what the router was running, Asuswrt or Asuswrt-Merlin.

 
"LAN only" doesn't mean your client can't access the internet. It means that it accesses the internet via its normal route rather than through the VPN connection.
 
Use tracert or tracepath to see where your internet traffic goes.
 
(Screenshot: 1708453313181.png)


This title and the 3 choices (along with how it worked before) imply LAN only means no getting out the local gateway to the internet.
The 1st scratched-out line is the address of MY router and not the router I am VPN'ed into. So it's still going out my gateway and not through the tunnel. I have a different issue here from what I thought. Why isn't all traffic going through the tunnel?
 

Attachment: OVPNInternetOnlyNotWorking.PNG
This title and the 3 choices (along with how it worked before) imply LAN only means no getting out the local gateway to the internet.
It doesn't read that way to me and it's never worked like that in the past in my experience. If your experience was different then it was a bug that's since been corrected.

I have a different issue here from what I thought. Why isn't all traffic going through the tunnel?
If you want all traffic from the client going through the tunnel you need to set the server option to "Both". Bear in mind that if you're using VPN Director on the client side that will take precedence.
 
I want only my administrative access to the web interface of the router on the other side. I do not want to pass traffic THRU the other side using the destination router's gateway. Furthermore, I also can't see how a bug got fixed. I do see an OpenVPN article that mentions this iptables command.

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

Maybe something in Skynet changed?


I'm going to have to undo and redo a lot to see what happened here. This may be OpenVPN's default action, but I can tell you it was not as far as Merlin as I have had it configured.

To clarify: I want all traffic to go over the VPN, and if the receiving router is set to LAN only I want attempts to get to the web to fail.
 
This may be OpenVPN's default action, but I can tell you it was not as far as Merlin as I have had it configured.

It was a bug then. This is not the expected behavior.
 
LAN only: the server pushes a route to the server's LAN to the client, so the client can reach devices on the LAN.
Internet only: the server pushes a new default gateway to the client, so internet traffic goes through the VPN and out the server's default gateway. With no route, the client can't reach devices on the LAN.
Both: does, um, both.

With LAN only, OpenVPN doesn't change the default gateway when a connection is made. The client accesses the internet through its own default gateway, resulting in split-tunneling. It has always been like this; the memory of man runneth not to the contrary.

I suppose if you only want to reach the server's GUI, you could edit the client configuration to insert a pull-filter ignore instruction to ignore the route.
 
Yeah, I found an OpenVPN support article that confirms what you describe. So what is the command: pull-filter ignore?
 
So what is the command: pull-filter ignore?
--pull-filter accept|ignore|reject text
Filter options received from the server if the option starts with text. Runs on client. The action flag accept allows the option, ignore removes it and reject flags an error and triggers a SIGUSR1 restart. The filters may be specified multiple times, and each filter is applied in the order it is specified. The filtering of each option stops as soon as a match is found. Unmatched options are accepted by default. Prefix comparison is used to match text against the received option so that
--pull-filter ignore "route"
would remove all pushed options starting with route which would include, for example, route-gateway. Enclose text in quotes to embed spaces.
--pull-filter accept "route 192.168.1."
--pull-filter ignore "route "

would remove all routes that do not start with 192.168.1.

This option may be used only on clients. Note that reject may result in a repeated cycle of failure and reconnect, unless multiple remotes are specified and connection to the next remote succeeds. To silently ignore an option pushed by the server, use ignore.
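As an added illustration of the prefix-matching rules quoted above (my own example, not code from the thread or from OpenVPN itself; the pushed options and the client-config lines are constructed samples), a small model of how a client decides, per pushed option, whether to accept, ignore or reject it:

```python
# Added example, not code from the thread or from OpenVPN: models the client's
# --pull-filter logic. Prefix match, filters applied in order, first match wins,
# unmatched options accepted. Pushed options below are constructed samples.
import shlex
from typing import List, Tuple

# Constructed sample of what a "LAN only" server might push to a client.
PUSHED_OPTIONS = [
    "route 192.168.1.0 255.255.255.0",   # route to the server's LAN
    "route 10.0.0.0 255.0.0.0",          # a second, wider route
    "route-gateway 10.8.0.1",
    "dhcp-option DNS 192.168.1.1",
    "ping 10",
]

class PullRejected(Exception):
    """Raised when a filter with action 'reject' matches (OpenVPN would restart)."""

def parse_pull_filter(line: str) -> Tuple[str, str]:
    """Parse a client-config line such as:  pull-filter ignore "route "  ."""
    parts = shlex.split(line)  # shlex keeps the spaces inside quoted text
    if len(parts) != 3 or parts[0] != "pull-filter":
        raise ValueError(f"not a pull-filter line: {line!r}")
    action, text = parts[1], parts[2]
    if action not in ("accept", "ignore", "reject"):
        raise ValueError(f"bad action: {action!r}")
    return action, text

def apply_pull_filters(pushed: List[str], filters: List[Tuple[str, str]]) -> List[str]:
    """Return the pushed options the client keeps after filtering."""
    kept = []
    for opt in pushed:
        action = "accept"  # unmatched options are accepted by default
        for filt_action, text in filters:  # applied in the order specified
            if opt.startswith(text):       # prefix comparison
                action = filt_action
                break                      # filtering stops at the first match
        if action == "reject":
            raise PullRejected(opt)
        if action == "accept":
            kept.append(opt)
    return kept

def filter_from_config(pushed: List[str], config_lines: List[str]) -> List[str]:
    """Apply the pull-filter lines of a client config to the pushed options."""
    return apply_pull_filters(pushed, [parse_pull_filter(l) for l in config_lines])

if __name__ == "__main__":
    cfg = ['pull-filter accept "route 192.168.1."', 'pull-filter ignore "route "']
    print(filter_from_config(PUSHED_OPTIONS, cfg))
```

Note that `ignore "route "` (with the trailing space) leaves `route-gateway` untouched, whereas `ignore "route"` would drop it too, which is exactly the difference the man page text describes.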
 
Man, it bothers me I will never know how I got those connections to work with everything going out the tunnel and living on a cul-de-sac on the remote side. A dead-ending tracert had been part of my verification.
 
Man, it bothers me I will never know how I got those connections to work with everything going out the tunnel and living on a cul-de-sac on the remote side. A dead-ending tracert had been part of my verification.
Perhaps you used a command similar to the one in post #7, except using -j REJECT instead of -j MASQUERADE. This is assuming the other parameters are correct for your setup. Or maybe there's a similar function in Skynet, I wouldn't know as I don't use that.

EDIT: You'd also have to use -I instead of -A.
 
If the LAN/Internet/Both option is changed, does the config file have to be exported again, or can this setting be changed arbitrarily and the client connection will honor it?
 
