OpenVPN Server with LAN Only?

chazstick

New Around Here
Hi all,

I've been trying to figure this out but getting nowhere. Is there any way to make the OpenVPN server give LAN-only access to clients (in this case an Android phone)? I.e. no internet access, just access to locally connected devices/servers. Is this possible at all?
 
Yes, indeed. You must have inadvertently selected, in the Advanced Settings for the server, Direct clients to redirect internet traffic. So, select No for that setting and hit the Apply button.

From https://www.snbforums.com/threads/h...with-asus-routers-380-67-updated-08-07.33638/

"Direct clients to redirect internet traffic: If this feature is enabled all traffic will go via the router and depending on your bandwidth speeds it can be very slow on the clients receiving end.

Ideally the majority of users should keep the Redirect Internet Traffic option disabled. It means the remote client will still use his own WAN access for all Internet traffic, and only use the VPN tunnel when trying to access a resource in the home LAN network. This is what VPNs were originally designed to do."

PS. Welcome to the forum.
 
Thanks Martinr for your response! However that's not quite what I'm looking for as this option still allows internet access on the clients. What I want is to disallow internet connection for all clients. Only allowing LAN access with all internet access blocked completely.
 
Correct me if I'm still being dim: what you want is that when the remote clients are connected to your OpenVPN server, those remote clients must not be able to connect to the Internet by any means, neither through the VPN nor through the remote network they are on.

Is that right?
 
Yes that is correct. They should only be able to access LAN devices. Is this possible?

 
At first I thought it wouldn't be possible, but then I had an idea: suppose you DID set to Yes the setting Direct clients to redirect Internet traffic, thereby forcing all your clients' Internet traffic to come through to your router (when they are connected to the VPN server), but then suppose you had a firewall rule to drop any outgoing, Internet-bound traffic from your VPN subnet 10.0.8.0/24 (or whatever it is).

Would that work? If so, you'll need someone of the likes of Colin Taylor to tell you the firewall-start rule you'd need.
 
Yes something like this might work? How would I do that exactly? Who is Colin Taylor?

 
Colin's a regular, Part-of-the-Furniture contributor who's very knowledgeable on firewall rules. That said, there are many other similarly clever contributors. So just hang on and I'm sure you'll get more input.
 
On a PC, it's simple enough to leave out the gateway IP address when doing a manual IP assignment. This in essence blocks any traffic to/from the internet. Since the OpenVPN server is acting as a pseudo DHCP server, I believe there's a way of passing a gateway assignment of say 0.0.0.0 or some other non-existent gateway IP. This isn't the most robust solution but may work if possible to implement.

Another less elegant band-aid is to set "Respond to DNS" to no. This works so long as the VPN client does not override DNS settings and point to something else (8.8.8.8).

How advanced are the VPN client users? Would they be able to figure out the above workaround?
 
Thanks gpz1100, this sounds possible... maybe. I've set "Respond to DNS" to no on the server. Now my clients are getting their own internet access (not through the VPN) and are still able to access the LAN. So I just need to stop them from getting their own internet access. The client I'm using is Android and the "OpenVPN for Android" app, where I've imported the OpenVPN conf file that was exported from the router. I can add options to the client config file. What can I add to override the DNS settings to point to something invalid?
 
Hi @martinr I've just stumbled across this thread. Sorry I didn't see it earlier but you didn't tag my name (@ColinTaylor) so I didn't notice it. Alas I think you give me too much credit. Also, I tend to leave OpenVPN questions to people like yourself because it's not something I use myself.

So in the spirit of not letting a complete lack of knowledge stop me... Rather than manually create iptables rules, could you use the Firewall > Network Services Filter options to block outgoing traffic from the VPN clients? 10.8.0.0/24? I have no idea whether that would work.
 
Hi Colin! This also sounds feasible! I've just inspected the network services filter and it says this:

"For example, if you do not want the device to use the Internet service, key in 80 in the destination port. The traffic that uses port 80 will be blocked."

To add a rule I have the options:

Source IP Port Range Destination IP Port Range Protocol

I guess the next question is how can I predict what the source IP will be? It will be different each time, right? Sometimes it'll be 10.8.0.2, sometimes it'll be 10.8.0.8. Isn't that correct?
 
You could try something out if you like.
I can not promise that it will work, but it should work basically.

If you just use an invalid DNS or no DNS at all then they can never access the internet, except if they use an IP address to access the website.

So you can do it 2 ways:
one way is to not provide a DNS, so use 0.0.0.0 as DNS (or any other invalid IP like 0.0.0.1),
or you can set up a DNS server, and use that local IP (like 192.168.1.150) so you can resolve local domain names.

And if you configure the DNS server right, it will never be able to resolve other domain names.
This also means that it will not resolve any names for Samba sharing (because there is no way to set an IP address to a name xD),
so they can only access everything if they know the IP address, if that is not a problem (not sure about netstat or bios name resolving if they need a DNS).

Greets From PowerChaos
 
Using the firewall to block ports is not a good idea,
mainly because the VPN connection uses only 1 port and routes all traffic over that single port.

So unless you use another PC as VPN server, this setting will not work (meaning that all traffic goes over 1 port, so a second server can be blocked from the internet, as that server will use normal ports when the client connects to it over a single port).

here is some more info
openvpn said:
OpenVPN uses client-server connection to provide secure communication between the client and the internet. The server side is directly connected to the internet and client connects with the server and ultimately connects with the internet indirectly. On the internet, the client is shown as the server itself and it uses the physical location and other attributes of server that means the identity of client is perfectly hidden.

And here is some explanation of how to set up OpenVPN (lots of info, but mainly for Linux):
https://openvpn.net/index.php/open-source/documentation/howto.html

Greets from PowerChaos
 
Thanks all for the great advice!

I think I managed to find my solution. On the server side I set "Direct Clients to Redirect Internet" to "NO". And then on the client side, with OpenVPN for Android you can choose to override the DNS, and so I just set that to 192.0.0.0 (something non-existent). So that killed the internet while still allowing me access to my servers running on the LAN. Hopefully this solution holds!
 
Hi @chazstick I'm glad you got it working. :)

I guess next question is how can i predict what the source IP will be? it will be different each time right? Sometimes it'll be 10.8.0.2 somtimes it'll be 10.8.0.8. Isn't that correct?
Well you could just specify the rule 7 times ;). But there is an easier way to specify the entire 10.8.0.x network, you would enter "10.8.0.0/24". Unfortunately this won't help you. I've just checked how the firewall rules are built and the VPN traffic is always accepted and therefore the network services filter is never applied to it. It would be possible to manually insert the firewall rules in the correct position but it's a lot of messing about if you have already found another solution. :cool:


using the firewall to block ports is not a good idea
mainly because the vpn connection use only 1 port and route all traffic over that single port
@PowerChaos I'm afraid you're misunderstanding the situation. It is only the LAN to LAN traffic that is encapsulated and sent through the tunnel, which uses a single port. Traffic exiting the tunnel that is destined for the internet will be forwarded by the router like any other traffic. (Although see my comment above about the network services filter).
 
I guess next question is how can i predict what the source IP will be? it will be different each time right? Sometimes it'll be 10.8.0.2 somtimes it'll be 10.8.0.8. Isn't that correct?

NOTE: You can force an OpenVPN client e.g. Android phone to have a static 10.8.0.0/10.16.0.0 (if using the router defaults) or other custom subnet I/P address, then push the non-existent DNS per user/device etc. or create '-t filter FORWARD -m state --state NEW -j DROP' and/or '-t nat PREROUTING -p udp --dport 53 -j DNAT --to $FORCED_DNS' rules?

https://www.snbforums.com/threads/how-to-set-a-static-ip-to-openvpn-tun-clients.37983/#post-315146
 
@ColinTaylor. Hi Colin, I'm ashamed to admit it but I've got no idea how to insert those tags (are they Twitter tags or snbforum alert tags?), So I've cut and pasted the relevant part from your post with fingers crossed.

Just out of interest, if the OP had, for example, forced his remote clients' Internet traffic to route back through his OpenVPN server and then attempted to kill that traffic with a firewall rule, would it be a FORWARD rule or an OUTPUT rule?

e.g. would something like this work?

iptables -I OUTPUT -s 10.16.0.0/24 -o eth0 -j DROP


Edit: I see the tag worked, but I'm sure there's a far simpler way to do it! And, Colin, if you'd seen my question yesterday on OpenVPN, you wouldn't be leaving OpenVPN topics to me!)
 
Hi @martinr Yeah it took me a while until I twigged how the tagging worked; you just have to type an @ symbol followed by the exact name. You don't even need to type the entire name usually because as soon as you type something like "@Coli" a popup menu will appear with all the users' names that match, and you just click on one. :)

Regarding the iptables rule, my guess is that it would be in the FORWARD chain. That would be the case for "normal" LAN traffic but I'm not sure whether traffic from the tun interface would be classified in the same way.

Here is a NSF generated rule:

-A FORWARD -s 10.8.0.0/24 -i br0 -o eth0 -p tcp -j DROP

but unfortunately tun21 is not part of br0 so that won't match AND it is preceded by this rule:

-A FORWARD -i tun21 -j ACCEPT

So I think your rule is correct if you use FORWARD because it will insert it at the front of the chain.
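
The rule-ordering point made in the last few posts (the firmware's `-A FORWARD -i tun21 -j ACCEPT` sits ahead of the Network Services Filter rule, so a DROP for the VPN subnet only takes effect if it is inserted at the front of the chain) can be checked without touching a router. The following is an added example written for this page; it is not code from the thread, from Asuswrt, or from OpenVPN. It is a small first-match simulator of the FORWARD chain that parses the two rules quoted above, adds a candidate DROP rule either with `-A` or with `-I`, and reports the verdict for a VPN client packet bound for the Internet and one bound for the LAN. The interface names (tun21 for the OpenVPN server, br0 for the LAN bridge, eth0 for the WAN) and the 10.8.0.0/24 tunnel subnet are the ones used in the thread; the candidate rule `-I FORWARD -i tun21 -o eth0 -j DROP`, the packets, and the assumed DROP policy are constructions for this example, and a router with a differently named WAN interface would need the `-o` match changed.

```python
"""Added example, not code from the SNBForums thread or the Asuswrt firmware.
First-match simulator for the iptables FORWARD chain: checks whether a rule
meant to drop Internet-bound traffic from OpenVPN clients is reached, given
the rules the router already generates (both quoted in the thread). tun21,
br0, eth0 and 10.8.0.0/24 come from the thread; packets are constructed."""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    in_if: str          # interface the packet arrived on
    out_if: str         # interface chosen by the routing decision
    src: str            # source IPv4 address
    proto: str = "tcp"


@dataclass
class Rule:
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    src: Optional[ipaddress.IPv4Network] = None
    proto: Optional[str] = None
    target: str = "ACCEPT"

    def matches(self, pkt: Packet) -> bool:
        """All given matches must hold (iptables ANDs its match options)."""
        return ((self.in_if is None or pkt.in_if == self.in_if)
                and (self.out_if is None or pkt.out_if == self.out_if)
                and (self.src is None or ipaddress.ip_address(pkt.src) in self.src)
                and (self.proto is None or pkt.proto == self.proto))


def parse_rule(line: str) -> Tuple[str, Rule]:
    """Parse an iptables-save style FORWARD line such as
    '-A FORWARD -i tun21 -j ACCEPT' into (operation, Rule).
    Only the match options that appear in the thread are supported."""
    toks = shlex.split(line)
    op, chain = toks[0], toks[1]
    if op not in ("-A", "-I") or chain != "FORWARD":
        raise ValueError(f"unsupported rule: {line}")
    rule = Rule()
    setters = {"-i": "in_if", "-o": "out_if", "-p": "proto", "-j": "target"}
    for flag, val in zip(toks[2::2], toks[3::2]):
        if flag == "-s":
            rule.src = ipaddress.ip_network(val)
        elif flag in setters:
            setattr(rule, setters[flag], val)
        else:
            raise ValueError(f"unsupported option: {flag}")
    return op, rule


def build_chain(lines: List[str]) -> List[Rule]:
    """-A appends; -I without a position inserts at the head, so the rule
    inserted last is evaluated first, exactly as iptables does it."""
    chain: List[Rule] = []
    for line in lines:
        op, rule = parse_rule(line)
        if op == "-A":
            chain.append(rule)
        else:
            chain.insert(0, rule)
    return chain


def verdict(chain: List[Rule], pkt: Packet, policy: str = "DROP") -> str:
    """First matching rule's target wins; otherwise the chain policy (assumed DROP)."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


# The two rules quoted in the thread: the firmware's blanket ACCEPT for the
# tunnel interface, then the rule the Network Services Filter generates.
ROUTER_RULES = [
    "-A FORWARD -i tun21 -j ACCEPT",
    "-A FORWARD -s 10.8.0.0/24 -i br0 -o eth0 -p tcp -j DROP",
]
# Candidate firewall-start rule (assumed form, not from the thread): drop
# anything forwarded from the tunnel towards the WAN; forwarding to br0 (LAN)
# is untouched, which is the "LAN only" behaviour the OP asked for.
BLOCK_VPN_TO_WAN = "FORWARD -i tun21 -o eth0 -j DROP"

# Constructed packets from a VPN client at 10.8.0.2.
TO_INTERNET = Packet(in_if="tun21", out_if="eth0", src="10.8.0.2")
TO_LAN = Packet(in_if="tun21", out_if="br0", src="10.8.0.2")


def evaluate(extra: List[str]) -> Tuple[str, str]:
    """Verdicts for (Internet-bound, LAN-bound) packets with extra rules applied."""
    chain = build_chain(ROUTER_RULES + extra)
    return verdict(chain, TO_INTERNET), verdict(chain, TO_LAN)


def nsf_only() -> Tuple[str, str]:
    """NSF rule alone: tun21 is not br0, and the ACCEPT comes first anyway."""
    return evaluate([])


def block_appended() -> Tuple[str, str]:
    """DROP rule added with -A sits behind the ACCEPT and is never reached."""
    return evaluate(["-A " + BLOCK_VPN_TO_WAN])


def block_inserted() -> Tuple[str, str]:
    """DROP rule added with -I: Internet is blocked, LAN stays reachable."""
    return evaluate(["-I " + BLOCK_VPN_TO_WAN])


if __name__ == "__main__":
    print("NSF only:", nsf_only(), " -A:", block_appended(), " -I:", block_inserted())
```

Running it prints `('ACCEPT', 'ACCEPT')` for the NSF rule alone and for the appended DROP, and `('DROP', 'ACCEPT')` once the DROP is inserted at the head, which is exactly why an `-I FORWARD` in firewall-start works where the Network Services Filter entry does not. The simulator only models the handful of match options that occur in the thread; on the router itself, `iptables -S FORWARD` shows the live chain in the same save-style syntax, so the real ordering can be compared against this model after the script runs.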
 
