
I seem to be having the opposite problem of most people who set up OpenVPN: I can't seem to limit VPN clients to just the VPN subnet. Instead, once a client establishes a connection, they're able to access any IP address on my OpenVPN server's LAN, regardless of subnet.

I do not want this behavior.

SERVER

I'm using a Linksys WRT54GL router running Build 54 of TomatoUSB (NoUSB VPN edition). I configured OpenVPN via the 'VPN Tunneling' option in the Tomato GUI; here's a dump of the config.ovpn that is used when the service is started:

daemon
server 10.8.0.0 255.255.255.0
proto udp
port 1194
dev tun22
comp-lzo adaptive
keepalive 15 60
verb 3
push "dhcp-option DNS 192.168.1.1"
push "redirect-gateway def1"
ca ca.crt
dh dh.pem
cert server.crt
key server.key
status-version 2
status status

CLIENT

I'm testing with OpenVPN 2.1.4 on a laptop running Windows 7 Home Premium 64-bit. Once the client has connected, I use whatsmyip.org to verify that I am masquerading as the server's IP address when browsing. Everything works as it should. The client configuration looks like this:

client
dev tun
proto udp
resolv-retry infinite
verb 3
nobind
comp-lzo
persist-key
persist-tun
remote REDACTED
ca ca.crt
cert client.crt
key client.key
redirect-gateway

THE PROBLEM

As a client, I can ping 10.8.0.1 successfully but I can also ping any address in the 192.168.1.0 subnet. I don't want my VPN clients to have this capability; I'd rather the connection were just a tunnel and for clients to be contained within the 10.8.0.0 subnet.

Under the Advanced tab of the 'VPN Tunneling' page, I have made sure that 'Push LAN to clients' is NOT checked. The server config does not include the push "route 192.168.1.0 255.255.255.0" line that normally pushes the LAN to clients. And yet, as a VPN client, I can ping and access any IP address in the server's LAN.

I am certain I am doing something wrong, but I need some guidance in troubleshooting this problem.

Ben D.

1 Answer


Well, it sounds like your router is still acting to route between the various networks it knows about. Have you checked the routing tables on the device?

Another option is to try to configure the firewall on the device to block traffic from the VPN network from traveling to other networks.

So those are my two suggestions: check the routing table on the Linksys, and consider modifying the firewall rules. Tomato uses iptables, so that should certainly be possible.

Phil Hollenback
Thanks for the advice, Phil. I solved my problem by studying `iptables -nvL` when VPN Tunneling->Basic->Firewall was set to 'Automatic'. I then set Firewall to 'Custom' and recreated the automatic rules within the Admin->Scripts->Firewall tab. To block LAN for VPN clients, I then added `iptables -I FORWARD -i br0 -o tun22 -j DROP;` and to block VPN client access to my gateway I added `iptables -I INPUT -i tun22 -d 192.168.1.1 -j DROP;`. – Ben D. Mar 24 '11 at 13:29
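The firewall-rule approach from the answer, written out as an added example script for Tomato's Admin->Scripts->Firewall box (it is not from the question, the answer or the Tomato project). It assumes Tomato's automatic VPN rules (tun22 accepted in INPUT and FORWARD, NAT to the WAN) stay in place, drops traffic between the tunnel and the LAN bridge in both directions, and closes the router itself to tun22 except for DNS, since the server pushes 192.168.1.1 as the clients' resolver, and ping to the tunnel address; the interface and address names are assumptions taken from the question's configs.

```shell
#!/bin/sh
# Confine OpenVPN clients to the tunnel: they keep internet access through
# the router (Tomato's automatic VPN rules and NAT are left as they are) and
# DNS on the router, but cannot reach the LAN or other router services.
# The names below are assumptions matching the question; override via env.
VPN_IF="${VPN_IF:-tun22}"              # "dev tun22" in the server config
LAN_IF="${LAN_IF:-br0}"                # Tomato's LAN bridge
ROUTER_IP="${ROUTER_IP:-192.168.1.1}"  # pushed to clients as their DNS server
VPN_GW="${VPN_GW:-10.8.0.1}"           # server end of the tunnel
IPT="${IPT:-iptables}"                 # set IPT=echo to print instead of apply

# Emit the rules, one per line, in application order. Every rule is inserted
# at position 1, so the LAST line printed is matched FIRST: the broad DROPs
# are listed before the narrow ACCEPT exceptions on purpose.
vpn_isolation_rules() {
  cat <<EOF
-I FORWARD 1 -i $VPN_IF -o $LAN_IF -j DROP
-I FORWARD 1 -i $LAN_IF -o $VPN_IF -j DROP
-I INPUT 1 -i $VPN_IF -j DROP
-I INPUT 1 -i $VPN_IF -d $VPN_GW -p icmp --icmp-type echo-request -j ACCEPT
-I INPUT 1 -i $VPN_IF -d $ROUTER_IP -p udp --dport 53 -j ACCEPT
-I INPUT 1 -i $VPN_IF -d $ROUTER_IP -p tcp --dport 53 -j ACCEPT
-I INPUT 1 -i $VPN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Apply (or, with IPT=echo, print) every rule; stop at the first failure.
apply_vpn_isolation() {
  vpn_isolation_rules | while IFS= read -r rule; do
    # word-splitting of $rule into iptables arguments is intended
    $IPT $rule || exit 1   # leaves the pipeline subshell with status 1
  done
}

# Self-check helper: how many of the generated rules are DROPs.
count_drop_rules() {
  vpn_isolation_rules | grep -c -- '-j DROP'
}

case "${1:-}" in
  apply)   apply_vpn_isolation ;;
  dry-run) IPT=echo apply_vpn_isolation ;;
esac
```

Run it as `sh isolate-vpn.sh dry-run` first to see the exact iptables commands; inside the Tomato firewall script box, which passes no arguments, call `apply_vpn_isolation` at the end instead of relying on the `case`.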