What's new
By:

Site-to-site OVPN - block specific IP range on server side from reaching client side?

M

maxbraketorque

Very Senior Member
I have been using firewall-start to block a specific IP range on the server side of my site-to-site OVPN connections from reaching the client side. Is there a way to implement this directly in OVPN, either on the server side or client side configurations?
 
Can you post your current firewall-start rules so we can fully understand what you're asking for?
 
ColinTaylor said:
Can you post your current firewall-start rules so we can fully understand what you're asking for?
Click to expand...

This relates to the question I asked a few days about about using firewall-start on stock firmware. Asusmerlin no longer supports the AC68U, but Asus keeps cranking up updated stock firmwares for the AC68U. The only feature that I really use for Asusmerlin on my AC68U is firewall-start to block a specific range of IP addresses on the OVPN server side from reaching the client side. The firewall-start rule on the server side is:

iptables -I FORWARD -s 192.168.37.128/26 -d 192.168.38.0/24 -j DROP

37 is the server side (the AC68U), and 38 is the client side (another Asus router at a remote location). Can I accomplish the same thing using an OVPN configuration command?
 
Hmm, tricky with stock firmware.

I assume you've disable NAT on the VPN link? What does the routing table look like on the server side (System Log - Routing Table)?
 
Before we continue with trying to configure OVPN to accomplish this, can I accomplish the same thing by using firewall-start IP tables on the client side which is a GT-AX6000 running Asusmerlin?
 
maxbraketorque said:
Before we continue with trying to configure OVPN to accomplish this, can I accomplish the same thing by using firewall-start IP tables on the client side which is a GT-AX6000 running Asusmerlin?
Click to expand...
That's why I asked you about your NAT setup (I'm not familiar with Asus LAN to LAN configurations). If connections are being masqueraded behind the VPN server address the client won't know how to differentiate the incoming connections.

To be clear, you're wanting to block connections initiated from the server side, not connections initiated from the client side?
 
I tried unsuccessfully to post the Routing Table from the server side. I'll try again.

I can and do routinely interact with devices across the VPN connection by using their local IP address.

My primary desire is to prevent devices in a specific IP range on the server side from participating in any interaction with all devices on the client side. For Asusmerlin on the server side (AC68U), I use:

iptables -I FORWARD -s 192.168.37.128/26 -d 192.168.38.0/24 -j DROP

Can I use this same command on the client side (GT-AX6000)? Or maybe this:

iptables -I INPUT -s 192.168.37.128/26 -j DROP ??
 
You must log in or register to reply here.

Similar threads

I
Challenge with tunneling internet for WG site to site from the server side
Replies
8
Views
1K
ivannn
I
Chuckles67
OVPN Server TCP connection established from same IP address
Replies
1
Views
491
ColinTaylor
C
E
Accessing remote lan over site to site from a Openvpn client
Replies
4
Views
1K
elorimer
E
R
Site-to-Site wireguard VPN Server side cannot access to devices in client side
Replies
3
Views
1K
Jeffrey Young
J
M
OVPN HMAC authentication switching from SHA1 to SHA256
Replies
9
Views
2K
maxbraketorque
M
Similar threads
Thread starter Title Forum Replies Date
M All of a sudden some sites and some images on that site does not load images. Frontier Fiber with Merlin latest firmware AC-68U Asuswrt-Merlin 5
T Merlin firmware gui demo site? Asuswrt-Merlin 4
E Accessing remote lan over site to site from a Openvpn client Asuswrt-Merlin 4
B Please Help - OpenVPN Site-to-Site and Remote Access Setup – One Client, Two Servers (Asus RT-AC68U, Merlin 386.14_2) Asuswrt-Merlin 0
I Challenge with tunneling internet for WG site to site from the server side Asuswrt-Merlin 8
octopus Remove items in ovpn file Asuswrt-Merlin 8
B RT-BE86U OpenVPN - cannot download ovpn file Asuswrt-Merlin 1
P ExpressVPN - Construct .ovpn config file for Dedicated IP Address Asuswrt-Merlin 13
Zakalwe Disallow OVPN clients on asuswrt-merlin from accessing ANY LAN devices, but allow WAN? Asuswrt-Merlin 3
Chuckles67 OVPN Server TCP connection established from same IP address Asuswrt-Merlin 1

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 1,849 (members: 7, guests: 1,842)
Back
Top