What's new

OpenVPN Server set to LAN only allows browsing

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Weblee2407

Regular Contributor
My OpenVPN servers on two different GTAX6000 are both allowing internet access when configured for LAN only. Toggled the values back and forth but no change. These VPNs are for my admin access only and in the past if I forgot and tried to google something it would be clear-no internet access. Is that setting/value saved in a file or nvram value? This happens on both iPhone and windows laptop. I guess my first step is to restore 1 rev using backupmon. Is anyone seeing the same behaviour??
 
Check who's your ISP when connected to the VPN server. I remember in "LAN only" my phone was getting Internet from the mobile operator while having access to the remote LAN at the same time. Perhaps what you see is exactly the expected behavior. I don't remember what the router was running, Asuswrt or Asuswrt-Merlin.

 
"LAN only" doesn't mean your client can't access the internet. It means that it accesses the internet via it's normal route rather than through the VPN connection.
 
Use tracert or tracepath to see where your internet traffic goes.
 
1708453313181.png


this title and the 3 choices (along with how it worked before) imply LAN only means no getting out the local gateway to the internet
1st scratched line is the address of MY router and not the router I am VPN'ed into. So its still going out my gate and not thru the tunnel. I have a different issue here from what I thought. Why isn't all traffic going thru the tunnel?
 

Attachments

  • OVPNInternetOnlyNotWorking.PNG
    OVPNInternetOnlyNotWorking.PNG
    219.8 KB · Views: 16
this title and the 3 choices (along with how it worked before) imply LAN only means no getting out the local gateway to the internet
It doesn't read that way to me and it's never worked like that in the past in my experience. If your experience was different then it was a bug that's since been corrected.

I have a different issue here from what I thought. Why isn't all traffic going thru the tunnel?
If you want all traffic from the client going through the tunnel you need to set the server option to "Both". Bear in mind that if you're using VPN Director on the client side that will take precedence.
 
I want only my administrative access to the web interface of the router on the other side. I do not want to pass traffic THRU the other side using the destination routers gate. Furthermore, I also can't see how a bug got fixed. I do see an OpenVPN article that mentions this IPTables command.

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

Maybe something in Skynet changed?


I'm going to have to undo and redo a lot to see what happened here. This may be OpenVPN's default action, but I can tell you it was not as far as Merlin as I have had it configured.

to clarify - I want all traffic to go over the vpn and if the receiving router is set to LAN only I want attempts to get to the web to fail
 
LAN only: the server pushes a route to the server's LAN to the client, so the client can reach devices on the LAN.
Internet only: the server pushes a new default gateway to the client, so internet traffic goes through the VPN and out the server's default gateway. With no route, the client can't reach devices on the LAN.
Both: does, um, both.

With LAN only, openvpn doesn't change the default gateway when a connection is made. The client accesses the internet through its own default gateway, resulting in split-tunneling. It has always been like this, the memory of man runneth not to the contrary.

I suppose if you only want to reach the server's GUI, you could edit the client configuration to insert a pull-filter ignore instruction to ignore the route.
 
Last edited:
yeah I found an OpenVPN support article that confirms what you describe . So what is the command: pull filter ignore?
 
So what is the command: pull filter ignore?
--pull-filter accept|ignore|reject text
Filter options received from the server if the option starts with text. Runs on client. The action flag accept allows the option, ignore removes it and reject flags an error and triggers a SIGUSR1 restart. The filters may be specified multiple times, and each filter is applied in the order it is specified. The filtering of each option stops as soon as a match is found. Unmatched options are accepted by default.Prefix comparison is used to match text against the received option so that
--pull-filter ignore "route"
would remove all pushed options starting with route which would include, for example, route-gateway. Enclose text in quotes to embed spaces.
--pull-filter accept "route 192.168.1."
--pull-filter ignore "route "

would remove all routes that do not start with 192.168.1.

This option may be used only on clients. Note that reject may result in a repeated cycle of failure and reconnect, unless multiple remotes are specified and connection to the next remote succeeds. To silently ignore an option pushed by the server, use ignore.
 
Man it bothers me I will never know how I got those connections to work with everything going out the tunnel and living on a cul de sac on the remote side. A deadending tracert had been part of my verification.
 
Man it bothers me I will never know how I got those connections to work with everything going out the tunnel and living on a cul de sac on the remote side. A deadending tracert had been part of my verification.
Perhaps you used a command similar to the one in post #7, except using -j REJECT instead of -j MASQUERADE. This is assuming the other parameters are correct for your setup. Or maybe there's a similar function in Skynet, I wouldn't know as I don't use that.

EDIT: You'd also have to use -I instead of -A.
 
Last edited:
If the LAN/Internet/Both option is changed, does the config file have to be exported again, or can this setting be changed arbitrarily and the client connection will honor it?
 

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top