Site to Site VPN - how to restrict access for specific devices?

[Yiannis]

I have setup a site to site VPN network between two homes using this guide . All work fine until I realised that my Apple TV becomes the homekit hub on the remote home and vice versa. I would like to restrict specific IP addresses from using the VPN either on the server side or on the client side.

How could I do that ?

 

[L&LD]

What router do you have? What firmware? What is your network(s) topologies?

 

[Yiannis]

Many thanks for your response.
I have two homes and in each home I have installed an Asus RT-AC68U running latest stable firmware of RMerlin (384.19). In each Asus router the WAN side is connected to an ADSL modem and the router does the PPPoE connection to get access to the Internet. The LAN subnets are different in each home.

Location A: 192.168.177.0/24 (Router: 192.168.177.1 configured as VPN client)
Location B: 192.168.179.0/24 (Router: 192.168.179.1 configured as VPN server)

At some point I needed to be able to connect from one network to another. After a lot of searching, I found this guide and by following it I was able to setup site to site VPN. The setup works nicely, meaning every device on Location A is reachable in Location B and vice versa.

Now, after further using the above setup I have some side effects. It turns out, If I allow Apple TV devices to be able to use the VPN, they mess up with my homekit setup on the other location and I am looking for a way to somehow restrict specific devices/Lan IPs from using the VPN interface.

Many Thanks

 

[eibgrad]

Since this is a site-to-site setup, the Apple TV would only use the VPN if the destination IP it's interested in exists across the VPN. So to the extent this is a problem for you, is this a problem for the router, or (as it seems to me) the fact the Apple TV is attempting to access a device that's NOT on its own network? And if it's the latter, why would that be the case? Normally streaming devices are confined to their own local network. How does the sudden presence of the VPN change anything wrt how the Apple TV is functioning? That's the part I don't understand.

I just have a feeling there's more to this configuration then what's been revealed so far.

 

[Yiannis]

I 'll try to explain to the best of my powers what's wrong. This is a very strange situation. The site to site vpn works as expected. No complaints there. I just need to fine tune it due to my special circumstances.

If you are not familiar with Apple's ecosystem in regards to smart home, Apple TV can work as a homekit hub. That means, it speaks with compatible smart devices in local network, passes the status of these devices to my rest iOS devices and controls these smart devices when my iOS device is not present in LAN.

Homekit hubs may be either in primary or stand by mode. Someone may have multiple Apple TVs, Homepods, iPads at home. All of these can operate as hubs for the smart home, but only one can be the active and the rest will be on stand by mode.

Returning back to my case, it looks my Apple TV of Location-A has found through the site-to-site VPN that another homekit hub exists in Location-B. In that respect, both Apple TVs are now set us as hubs for both Smart Homes.

This situation leads to all kind of problems. For example, Apple TV physically located in Location-A went into standby status and the Apple TV of Location-B took over as a primary hub for Location-A. If both hubs where under the same WAN, I think there shouldn't be any issues, but they are not and when that switch happens, I cannot control my devices.

I can avoid all this, if I could simply restrict some IPs from exchanging packets with the VPNs...

Sorry for my long message.

 

[eibgrad]

Thanks for the explanation. Like many others, I have no clue about Apple-specific behaviors involving their products, so I can only speak about networking broadly.

Normally, within a given ethernet segment, devices find each other using a variety of network discovery broadcast protocols (e.g., SSDP, Bonjour). But such broadcasts do NOT normally cross ethernet boundaries. And when using OpenVPN in a routed (tun) (vs. bridged (tap)) configuration (which I assume is the case here), broadcasts will NOT cross over the VPN.

So I still don't understand how one side of the VPN could be affecting the other side of the VPN, at least if we assume such communication is based on network discovery protocols. But if there's some *other* form of communications happening at the *routing/IP* level, that might explain it. And given it's Apple, I suppose anything is possible. But it's hard to give good advice when we can't even explain how this communication is taking place.

 

[Yiannis]

When I took the vpn connection off and restarted everything, everything went back to normal. I don't want to go into detail on why/how apple TV acts like that, because as mentioned before, everything is possible with Apple.

From my perspective, the most common solution to the above issue would be to block specific IPs (the ones assigned to Apple TV devices) from accessing the VPN interface. I believe it's possible, but I don't know how to do it.

 

[eibgrad]

Well I suppose you can always just add firewalls rules limiting access by specific devices.

On the client …

iptables -I FORWARD -s 192.168.177.100 -d 192.168.179.200 -j REJECT

One the server …

iptables -I FORWARD -s 192.168.179.110 -d 192.168.177.210 -j REJECT

 

[Yiannis]

@eibgrad many thanks! The command works as expected!

I created a script and scheduled it to run at every reboot.

 

[eibgrad]

@eibgrad many thanks! The command works as expected!

I created a script and scheduled it to run at every reboot.

Good to hear. Thanks for getting back. Always nice to know if things worked out.