Hi, I have installed OpenVPN on my server machine alongside Pi-hole. Everything works great but I wanted to block access to the router's settings through this VPN. When I access 192.168.1.1 through the VPN, I am presented with the web interface asking me for the password.
I want this web page not to show, as if it was blocked. Nonetheless, I would like to see this behavior with only some VPN users.
I have read about using a proxy but I don't know how to start or what it would be doing exactly.
Thank you.
You've given us very little detail on your configuration. You can block access using iptables
iptables -I FORWARD -i tun+ -d 192.168.1.1 -j REJECT
I don't exactly know what you mean with the details of my configuration, so I'll try to add more information.
My home server is connected to my home's router, so I have mainly set up the VPN for users other than me. Nevertheless, I also may need access to the VPN some time to change some configuration in the router's settings. Although I have an option to remotely access the router's configuration, I don't like that option because that means that anyone can access the router's config website. I think it might be more secure to access that website only through the VPN, whose users I know. As an additional security measure, I prefer them not to have access to 192.168.1.1, but rather only a couple of users (my pc and mobile).
iptables -I FORWARD -i tun0 -d 192.168.1.1 -j REJECT
blocks access to the router's settings for all users. How do I filter two users to accept the request in the FORWARD section? Can it be done with the MAC address?
I hope I have explained myself a bit more and thanks.
Last edited by Bubbasm (2020-07-11 19:18:17)
Trying to understand better how iptables work, I now have a doubt. If I REJECT the packets in the OUTPUT for the destination 192.168.1.1, why am I able to still access the internet? I am thinking this because any petition from my pc must go first to the router, whose local ip is 192.168.1.1, which then requests my ISP to do whatever is asked.
I am probably missing something here.
If I understand correctly there are at least the following systems:
router
server
laptop
mobile
other
Are all systems connected to the router through a single switch or are there other switches?
The vpn server is the Arch server and vpn clients are all other devices on the network apart from the router?
Indeed. The VPN server is the Arch server, which is connected to my home's router. The mobile, pc and any other users are not generally connected to the same home's network. Just at the moment I have physical access to the router but in a few months I won't have physical access because I'll be living in another place. This is why for any testing of the VPN I disconnect from the same network, and I connect to my mobile data, simulating as if I was behind any other regular network.
I do have a network switch but it is an unmanaged switch, so it merely adds more ethernet ports. Anyways, the server is directly connected to one of the router's ethernet ports.
Last edited by Bubbasm (2020-07-11 21:04:16)
Internet (laptop,mobile,other) --> router --> server
The router port forwards the VPN connection to the arch server?
The IP addresses assigned to laptop and mobile can be fixed and different from the other devices?
Edit:
If this is the configuration the only MAC addresses the server would see would be its own and the routers.
Last edited by loqs (2020-07-11 21:14:02)
Yes, the router port forwards the VPN to the arch server.
The public IP addresses of both devices cannot be fixed. Many times I'll connect through different networks to the VPN.
No I mean the openvpn server assigns laptop say 192.168.10.2 and mobile 192.168.10.3 and everything else gets 192.168.10.10-200
So you could filter based on those IP addresses.
How do I apply those exceptions for the static IPs?
Do I first insert two rules to accept both IPs and then append another rule to deny everything? I think I read that the order matters, and I don't know what action I should perform first.
Thanks.
Just in case someone else wanted to do the same as I, I am going to write what I did.
First of all, I must mention that my VPN has the interface tun0. Yours could have eth0 or other if you set it that way.
In order to manage the traffic and reject all the packets with destination 192.168.1.1 (or any IP your router's setting web page has) you should add a rule that rejects all traffic going to 192.168.1.1.
This can be simply done by:
iptables -A FORWARD -i tun0 -d 192.168.1.1 -j REJECT
Be sure that there is no other rule before the one we just added with the in-interface tun0 that accepts everything, because only the first rule that can be applied applies. No other ones.
It should be noticed that I have appended it (-A flag) instead of inserting it, because I am going to insert before this the rules to accept everything from certain IPs.
iptables -I FORWARD -s 10.8.0.5 -i tun0 -j ACCEPT
In this example, the static IP of the device that can access the router is 10.8.0.5.
Once this is done, iptables can be saved so changes remain after reboot
iptables-save -f /etc/iptables/iptables.rules
Only thing left to do is set the static IP 10.8.0.5 to your device. For that, edit the server.conf file, which should be located at /etc/openvpn/server/. There should be a line stating "client-config-dir /etc/openvpn/server/ccd" or "client-config-dir /etc/openvpn/ccd". You can edit this path as you'd like, but I am supposing that the path is /etc/openvpn/server/ccd. Go to that path and create a file named as the client's name, which, if unchanged, will be the same name as the client's .key and .crt (or the .ovpn). Inside this file simply write:
ifconfig-push 10.8.0.5 255.255.255.0
Last edited by Bubbasm (2020-07-13 13:23:32)
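The rule order and the per-client address pin from the post above, as an added example that is not part of the thread. It assumes the interface tun0, the router at 192.168.1.1 and the client addresses 10.8.0.5 and 10.8.0.6 (constructed values); it runs in dry-run mode by default, printing the iptables commands instead of executing them, so it needs no root to try out.

```shell
#!/bin/sh
# Added example, not from the thread. Builds the FORWARD rules the way the
# post describes: the catch-all REJECT for the router is appended (-A) and the
# per-client ACCEPTs are inserted (-I) at the top, so the ACCEPTs are evaluated
# first. iptables stops at the first matching rule, so this order is what
# makes the exceptions work.
VPN_IF=tun0            # assumption: OpenVPN interface name
ROUTER_IP=192.168.1.1  # assumption: router's web interface address
DRY_RUN=1              # 1 = print commands, 0 = execute them (needs root)

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# router_rules ALLOWED_IP...  emits/applies the rules for the given clients.
# The ACCEPT is narrowed with -d to the router only; the thread's version
# omits -d and therefore accepts all forwarded traffic from that client.
router_rules() {
    run iptables -A FORWARD -i "$VPN_IF" -d "$ROUTER_IP" -j REJECT
    for ip in "$@"; do
        run iptables -I FORWARD -s "$ip" -i "$VPN_IF" -d "$ROUTER_IP" -j ACCEPT
    done
}

# ccd_write CCD_DIR CLIENT_NAME VPN_IP  pins the client's VPN address via
# client-config-dir so the ACCEPT rule keeps matching after reconnects.
# CLIENT_NAME must match the common name of the client's certificate.
ccd_write() {
    mkdir -p "$1"
    printf 'ifconfig-push %s 255.255.255.0\n' "$3" > "$1/$2"
}

# Dry-run usage: shows the commands in the order they would be issued.
router_rules 10.8.0.5 10.8.0.6
ccd_write "$(mktemp -d)" laptop 10.8.0.5
```

With DRY_RUN=0 the same functions apply the rules; afterwards iptables-save -f /etc/iptables/iptables.rules, as in the post, keeps them across reboots.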
Ooops, did not read completely.
But if you want to block access from the internet to router settings, why not just turn off <<Remote management>> option in router?
Last edited by Chuck Arch Linux (2020-07-14 17:18:30)
But if you want to block access from the internet to router settings, why not just turn off <<Remote management>> option in router?
That's not what OP is trying to do.