VPN should be accepted as a LAN device within the LAN?

Pila

Regular Contributor
Asus RT-AC56U, fw380.57

I have devices I want to be completely cut off from ever going out to the WAN (Internet) on their own. They are normally accessible from within my LAN. I locked them out using Network Map -> Clients -> [select a client] -> Block Internet Access or using the same feature on the Asus Router Android App.

When connected through the OpenVPN, I cannot receive any data from such LAN devices until I unlock their WAN access, giving them full outgoing access to the WAN (which I do not want them to have!).

Should my OpenVPN connection not be treated by my router the same as LAN and not as an Internet connection?

1. Is this behaviour by design or a mistake?
2. If this is intended, how can I modify it to work as described?
 
OpenVPN is a separate interface (tun11) from WAN (eth0).

If you use policy-based routing, see what happens if you set a rule for that client forcing it through the WAN.
 
My System Log -> Routing Table says:

IPv4 Routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.0.1 * 255.255.255.255 UH 0 0 0 WAN
10.8.0.0 * 255.255.255.0 U 0 0 0 tun21
192.168.1.0 * 255.255.255.0 U 0 0 0 LAN
192.168.0.0 * 255.255.255.0 U 0 0 0 WAN
default 192.168.0.1 0.0.0.0 UG 0 0 0 WAN

Modem is 192.168.0.1. VPN is tun21. Network is 192.168.1.x. Does this first line have something to do with it?

I will try some experimenting per your suggestion, as my Asus now seems stable.
 
That page doesn't show the whole RPDB entries. You need to use iproute2 over SSH to check the content of RPDB, which is used for client routing.
 
Hmm, no iproute2 in my Asus. Need to investigate.

Best I can do for now, is:

/root# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.0.1 * 255.255.255.255 UH 0 0 0 eth0
10.8.0.0 * 255.255.255.0 U 0 0 0 tun21
192.168.1.0 * 255.255.255.0 U 0 0 0 br0
192.168.0.0 * 255.255.255.0 U 0 0 0 eth0
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
default e.home 0.0.0.0 UG 0 0 0 eth0

almost the same as GUI said.

btw. RMerlin - brilliant job on this fw for Asus, many thanks :)
 
iproute2 is a package. It contains various tools that replace the old netconf tools (ifconfig/route/etc...).

Code:
ip route show

Will show you the main table. The same tool is used to show the content of the additional tables created by the OpenVPN client's policy rules. For client 1:

Code:
ip route show table ovpnc1

For the whole list:

Code:
ip route show table all
 
last command produced:

Code:
/root# ip route show table all
192.168.0.1 dev eth0  scope link
10.8.0.0/24 dev tun21  proto kernel  scope link  src 10.8.0.1
192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.1
192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.100
127.0.0.0/8 dev lo  scope link
default via 192.168.0.1 dev eth0
local 192.168.1.1 dev br0  table local  proto kernel  scope host  src 192.168.1.1
broadcast 192.168.0.255 dev eth0  table local  proto kernel  scope link  src 192.168.0.100
broadcast 127.255.255.255 dev lo  table local  proto kernel  scope link  src 127.0.0.1
broadcast 192.168.1.0 dev br0  table local  proto kernel  scope link  src 192.168.1.1
local 10.8.0.1 dev tun21  table local  proto kernel  scope host  src 10.8.0.1
broadcast 10.8.0.0 dev tun21  table local  proto kernel  scope link  src 10.8.0.1
broadcast 192.168.0.0 dev eth0  table local  proto kernel  scope link  src 192.168.0.100
broadcast 192.168.1.255 dev br0  table local  proto kernel  scope link  src 192.168.1.1
broadcast 10.8.0.255 dev tun21  table local  proto kernel  scope link  src 10.8.0.1
local 192.168.0.100 dev eth0  table local  proto kernel  scope host  src 192.168.0.100
broadcast 127.0.0.0 dev lo  table local  proto kernel  scope link  src 127.0.0.1
local 127.0.0.1 dev lo  table local  proto kernel  scope host  src 127.0.0.1
local 127.0.0.0/8 dev lo  table local  proto kernel  scope host  src 127.0.0.1
unreachable default dev lo  table 0  proto kernel  metric -1  error -101 hoplimit 255
unreachable default dev lo  table 0  proto kernel  metric -1  error -101 hoplimit 255
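Those `table ...` suffixes are how the per-client policy tables mentioned earlier (`ovpnc1` and so on) would show up in `ip route show table all`. As an added example, not code from the thread or the firmware, this parses a constructed subset of the output above and lists the tables present; on this output only `main`, `local` and `0` appear, so no client policy table exists.

```python
# Added example (not from the thread or the firmware): parse `ip route show table all`
# output so the tables present, and any ovpnc* policy tables, can be listed.
from typing import Dict, List

ROUTE_TYPES = {"unicast", "local", "broadcast", "unreachable", "prohibit", "blackhole", "throw"}

# Constructed sample: a subset of the output posted above, covering each table seen there.
SAMPLE_OUTPUT = """\
192.168.0.1 dev eth0  scope link
10.8.0.0/24 dev tun21  proto kernel  scope link  src 10.8.0.1
192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.1
default via 192.168.0.1 dev eth0
local 192.168.1.1 dev br0  table local  proto kernel  scope host  src 192.168.1.1
broadcast 10.8.0.255 dev tun21  table local  proto kernel  scope link  src 10.8.0.1
unreachable default dev lo  table 0  proto kernel  metric -1  error -101 hoplimit 255
"""


def parse_ip_route(text: str) -> List[Dict[str, str]]:
    """One dict per line with type, dst, dev, via and table.
    The table defaults to 'main', which `ip route show table all` leaves unlabelled."""
    routes = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        entry = {"type": "unicast", "table": "main", "dev": "", "via": ""}
        if tokens[0] in ROUTE_TYPES:          # optional route type prefix (local, unreachable, ...)
            entry["type"] = tokens.pop(0)
        entry["dst"] = tokens.pop(0)
        # The rest is key/value pairs (dev X, via X, table X, src X, ...) or bare flags.
        for key, value in zip(tokens, tokens[1:]):
            if key in ("dev", "via", "table"):
                entry[key] = value
        routes.append(entry)
    return routes


def tables_present(routes: List[Dict[str, str]]) -> List[str]:
    return sorted({r["table"] for r in routes})


def policy_tables(routes: List[Dict[str, str]]) -> List[str]:
    """Tables named ovpnc1, ovpnc2, ... that policy-routed OpenVPN clients would create."""
    return sorted(t for t in tables_present(routes) if t.startswith("ovpnc"))
```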
 
You don't have any OpenVPN client connected, just a server.
 
OpenVPN client connected:

Code:
/tmp/home/root# ip route show table all
192.168.0.1 dev eth0  scope link
10.8.0.0/24 dev tun21  proto kernel  scope link  src 10.8.0.1
192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.1
192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.100
127.0.0.0/8 dev lo  scope link
default via 192.168.0.1 dev eth0
local 192.168.1.1 dev br0  table local  proto kernel  scope host  src 192.168.1.1
broadcast 192.168.0.255 dev eth0  table local  proto kernel  scope link  src 192.168.0.100
broadcast 127.255.255.255 dev lo  table local  proto kernel  scope link  src 127.0.0.1
broadcast 192.168.1.0 dev br0  table local  proto kernel  scope link  src 192.168.1.1
local 10.8.0.1 dev tun21  table local  proto kernel  scope host  src 10.8.0.1
broadcast 10.8.0.0 dev tun21  table local  proto kernel  scope link  src 10.8.0.1
broadcast 192.168.0.0 dev eth0  table local  proto kernel  scope link  src 192.168.0.100
broadcast 192.168.1.255 dev br0  table local  proto kernel  scope link  src 192.168.1.1
broadcast 10.8.0.255 dev tun21  table local  proto kernel  scope link  src 10.8.0.1
local 192.168.0.100 dev eth0  table local  proto kernel  scope host  src 192.168.0.100
broadcast 127.0.0.0 dev lo  table local  proto kernel  scope link  src 127.0.0.1
local 127.0.0.1 dev lo  table local  proto kernel  scope host  src 127.0.0.1
local 127.0.0.0/8 dev lo  table local  proto kernel  scope host  src 127.0.0.1
unreachable default dev lo  table 0  proto kernel  metric -1  error -101 hoplimit 255
unreachable default dev lo  table 0  proto kernel  metric -1  error -101 hoplimit 255
 
I think you still might not have anything connected. It should help to print the output of 'ip rule'. What is your "Redirect Internet traffic" setting for that client? If you set it to 'Policy Rules' you should be able to set "Block routed clients if tunnel goes down" so that these do not go via the WAN if the VPN is down.
 
I need a bit of time to chew on your comment, not really my field :)

Possibly that is what is wrong here?

But: I did connect remotely and capture the info for my previous post from my computer, remotely over the OpenVPN connection to my router.

If it helps: to test, I used everything default, including the .ovpn generated by the router itself. No personal certs and keys were used here.

Hmm. I am behind a double NAT. So, I had to enter my ddns address manually into my ovpn.
 
"Redirect Internet traffic" setting for that client? If you set it to 'Policy Rules' you should be able to set "Block routed clients if tunnel goes down" so that these do not go via the WAN if the VPN is down.

I do not think this is related. I have no problem entering my LAN from the VPN, unless I want to connect to a LAN device which is prohibited from initiating outgoing WAN connections on its own. The VPN should poke through the firewall and be inside my LAN.

I just want my OpenVPN to behave as LAN when watched from LAN. So I can forbid outgoing WAN for e.g. my LAN Raspberry used for TV, but still be able to connect to it and view and change programmed TV recordings.

Possibly the clearest example: I want my NAS to be able to initiate outgoing connections to the WAN only for NTP. For no other reason should my NAS be able to get out to the WAN. But, if I connect remotely via VPN to my router (LAN), I want to be able to get to my files on the NAS.
<snip>

I want my NAS to be able to initiate outgoing connections to the WAN only for NTP. For no other reason should my NAS be able to get out to the WAN. But, if I connect remotely via VPN to my router (LAN), I want to be able to get to my files on the NAS.

Try these two rules to only allow outbound NTP from the NAS IP xxx.xxx.xxx.xxx
Code:
# -I inserts at the top of FORWARD, so the second rule ends up above the first:
# NTP (UDP 123) is accepted before the general DROP. Neither rule matches traffic
# leaving via tun21, so VPN clients still reach the NAS.
iptables -I FORWARD -i br0 -s xxx.xxx.xxx.xxx -o `nvram get wan0_ifname` -j DROP
iptables -I FORWARD -s xxx.xxx.xxx.xxx -o `nvram get wan0_ifname` -p udp --dport 123 -j ACCEPT

P.S. If you have the firewall enabled on the NAS you may have to add the VPN tun21 server subnet (10.8.0.0/24) inbound to the NAS firewall rules.
 
Try these two rules to only allow outbound NTP from the NAS I/P ...

Yes, thanks, these work perfectly. But I must also find out how my NAS solves DDNS updating for my double NAT, as I must allow for that action too. That makes some HTTP request.
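To see exactly which NAS flows the two FORWARD rules above accept, drop, or leave to the firmware's own rules (VPN client access via tun21 untouched, the DDNS HTTP update dropped, and why the order of the two `-I` commands matters), here is an added model of that chain. It is example code, not the firmware's; the NAS address 192.168.1.50 and the interface names are assumptions standing in for the post's placeholders.

```python
# Added example: a small model of the two `iptables -I FORWARD` rules from the post.
# Not the firmware's code; NAS_IP and the interface names are assumptions.
from dataclasses import dataclass
from typing import List, Optional

NAS_IP = "192.168.1.50"   # assumed NAS address standing in for xxx.xxx.xxx.xxx
WAN_IF = "eth0"           # what `nvram get wan0_ifname` expands to on this router per the thread

@dataclass(frozen=True)
class Packet:
    src: str
    in_if: str
    out_if: str
    proto: str
    dport: Optional[int] = None

@dataclass(frozen=True)
class Rule:
    target: str
    in_if: Optional[str] = None
    src: Optional[str] = None
    out_if: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        # Every match option that is set must agree with the packet; unset ones match anything.
        checks = ((self.in_if, p.in_if), (self.src, p.src), (self.out_if, p.out_if),
                  (self.proto, p.proto), (self.dport, p.dport))
        return all(want is None or want == have for want, have in checks)

NTP_ACCEPT = Rule("ACCEPT", src=NAS_IP, out_if=WAN_IF, proto="udp", dport=123)
WAN_DROP = Rule("DROP", in_if="br0", src=NAS_IP, out_if=WAN_IF)

def build_forward_chain(commands: List[Rule]) -> List[Rule]:
    # `iptables -I` puts each rule at the top, so the last command typed is evaluated first.
    chain: List[Rule] = []
    for rule in commands:
        chain.insert(0, rule)
    return chain

def forward_verdict(p: Packet, chain: List[Rule]) -> str:
    # First matching rule wins. "CONTINUE" means neither added rule matched and the packet
    # falls through to the firmware's own FORWARD rules (this is how LAN <-> tun21 stays open).
    for rule in chain:
        if rule.matches(p):
            return rule.target
    return "CONTINUE"
```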
 