
#1 2020-07-10 20:04:39

Bubbasm
Member
Registered: 2020-07-10
Posts: 7

Block router access through VPN.

Hi, I have installed OpenVPN on my server machine alongside pihole. Everything works great but I wanted to block access to the router's settings through this VPN. When I access 192.168.1.1 through the VPN, I am presented with the web interface asking me for the password.
I want this web page not to show, as if it was blocked. Nonetheless, I would like to see this behavior with only some VPN users.
I have read about using a proxy but I don't know how to start or what it would be doing exactly.
Thank you.


#2 2020-07-11 06:37:27

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,217

Re: Block router access through VPN.

You've given us very little detail on your configuration. You can block access using iptables:

iptables -I FORWARD -i tun+ -d 192.168.1.1 -j REJECT


#3 2020-07-11 19:17:21

Bubbasm
Member
Registered: 2020-07-10
Posts: 7

Re: Block router access through VPN.

I don't exactly know what you mean with the details of my configuration, so I'll try to add more information.
My home server is connected to my home's router, so I have mainly set up the VPN for users other than me. Nevertheless, I also may need access to the VPN some time to change some configuration in the router's settings. Although I have an option to remotely access the router's configuration, I don't like that option because that means that anyone can access the router's config website. I think it might be more secure to access that website only through the VPN, whose users I know. As an additional security measure, I prefer them not to have access to 192.168.1.1, but rather only a couple of users (my pc and mobile).

iptables -I FORWARD -i tun0 -d 192.168.1.1 -j REJECT

blocks access to the router's settings for all users. How do I filter two users to accept the request in the FORWARD section? Can it be done with the MAC address?
I hope I have explained myself a bit more and thanks.

Last edited by Bubbasm (2020-07-11 19:18:17)


#4 2020-07-11 19:39:01

Bubbasm
Member
Registered: 2020-07-10
Posts: 7

Re: Block router access through VPN.

Trying to understand better how iptables works, I now have a doubt. If I REJECT the packets in the OUTPUT chain for the destination 192.168.1.1, why am I still able to access the internet? I am thinking this because any request from my pc must go first to the router, whose local ip is 192.168.1.1, which then requests my ISP to do whatever is asked.
I am probably missing something here.


#5 2020-07-11 20:35:08

loqs
Member
Registered: 2014-03-06
Posts: 17,196

Re: Block router access through VPN.

If I understand correctly there are at least the following systems:

  • router
  • server
  • laptop
  • mobile
  • other

Are all systems connected to the router through a single switch or are there other switches?
The vpn server is the Arch server and vpn clients are all other devices on the network apart from the router?


#6 2020-07-11 21:03:35

Bubbasm
Member
Registered: 2020-07-10
Posts: 7

Re: Block router access through VPN.

Indeed. The VPN server is the Arch server, which is connected to my home's router. The mobile, pc and any other users are not generally connected to the same home's network. Just at the moment I have physical access to the router but in a few months I won't have physical access because I'll be living in another place. This is why for any testing of the VPN I disconnect from the same network, and I connect to my mobile data, simulating as if I was behind any other regular network.
I do have a network switch but it is an unmanaged switch, so it merely adds more ethernet ports. Anyways, the server is directly connected to one of the router's ethernet ports.

Last edited by Bubbasm (2020-07-11 21:04:16)


#7 2020-07-11 21:09:06

loqs
Member
Registered: 2014-03-06
Posts: 17,196

Re: Block router access through VPN.

Internet (laptop,mobile,other) --> router --> server

The router port forwards the VPN connection to the arch server?
The IP addresses assigned to laptop and mobile can be fixed and different from the other devices?
Edit:
If this is the configuration, the only MAC addresses the server would see would be its own and the router's.

Last edited by loqs (2020-07-11 21:14:02)


#8 2020-07-11 21:16:50

Bubbasm
Member
Registered: 2020-07-10
Posts: 7

Re: Block router access through VPN.

Yes, the router port forwards the VPN to the arch server.
The public IP addresses of both devices cannot be fixed. Many times I'll connect through different networks to the VPN.


#9 2020-07-11 21:31:09

loqs
Member
Registered: 2014-03-06
Posts: 17,196

Re: Block router access through VPN.

No, I mean the openvpn server assigns laptop say 192.168.10.2 and mobile 192.168.10.3 and everything else gets 192.168.10.10-200.
So you could filter based on those IP addresses.


#10 2020-07-11 22:51:11

Bubbasm
Member
Registered: 2020-07-10
Posts: 7

Re: Block router access through VPN.

How do I apply those exceptions for the static IPs?
Do I first insert two rules to accept both IPs and then append another rule to deny everything? I think I read that the order matters, and I don't know what action I should perform first.
Thanks.


#11 2020-07-13 13:22:19

Bubbasm
Member
Registered: 2020-07-10
Posts: 7

Re: Block router access through VPN.

Just in case someone else wanted to do the same as I, I am going to write what I did.
First of all, I must mention that my VPN has the interface tun0. Yours could have eth0 or other if you set it that way.
In order to manage the traffic and reject all the packets with destination 192.168.1.1 (or whatever IP your router's settings web page has), you should add a rule that rejects all traffic going to 192.168.1.1.
This can be simply done by:

iptables -A FORWARD -i tun0 -d 192.168.1.1 -j REJECT

Be sure that there is no other rule before the one we just added with the in-interface tun0 that accepts everything, because only the first rule that can be applied applies. No other ones.
It should be noted that I have appended it (-A flag) instead of inserting it, because I am going to insert before this the rules to accept everything from certain IPs.

iptables -I FORWARD -s 10.8.0.5 -i tun0 -j ACCEPT

In this example, the static IP of the device that can access the router is 10.8.0.5.
Once this is done, iptables can be saved so changes remain after reboot:

iptables-save -f /etc/iptables/iptables.rules

Only thing left to do is set the static IP 10.8.0.5 to your device. For that, edit the server.conf file, which should be located at /etc/openvpn/server/. There should be a line stating "client-config-dir /etc/openvpn/server/ccd" or "client-config-dir /etc/openvpn/ccd". You can edit this path as you'd like, but I am supposing that the path is /etc/openvpn/server/ccd. Go to that path and create a file named as the client's name, which, if unchanged, will be the same name as the client's .key and .crt (or the .ovpn). Inside this file simply write:

ifconfig-push 10.8.0.5 255.255.255.0

Last edited by Bubbasm (2020-07-13 13:23:32)

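The posts above (#2, #4, #9 to #11) all hinge on one property of iptables: a chain is walked top to bottom and the first matching rule decides, so `-I` (insert at position 1) versus `-A` (append) changes the outcome. The following small model of that evaluation is an added example, not code from the thread or from iptables; it reproduces the thread's FORWARD rules so the ordering and the "why does internet traffic still flow" question from #4 can be checked without root. All addresses and interface names are constructed sample values, and only the matchers the thread uses (-i, -s, -d on single hosts, ACCEPT/REJECT) are modelled.

```python
"""Model of iptables first-match evaluation for the FORWARD chain.

Constructed example: it mimics -i / -s / -d matching and -I vs -A ordering
so the rules from the thread can be reasoned about without a real kernel.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    in_iface: str   # interface the packet arrived on (-i)
    src: str        # source IPv4 address (-s)
    dst: str        # destination IPv4 address (-d)


@dataclass(frozen=True)
class Rule:
    target: str                      # ACCEPT or REJECT
    in_iface: Optional[str] = None   # -i; a trailing "+" is a wildcard, e.g. "tun+"
    src: Optional[str] = None        # -s, single host
    dst: Optional[str] = None        # -d, single host

    def matches(self, pkt: Packet) -> bool:
        if self.in_iface is not None:
            if self.in_iface.endswith("+"):
                if not pkt.in_iface.startswith(self.in_iface[:-1]):
                    return False
            elif pkt.in_iface != self.in_iface:
                return False
        if self.src is not None and pkt.src != self.src:
            return False
        if self.dst is not None and pkt.dst != self.dst:
            return False
        return True


@dataclass
class Chain:
    policy: str = "ACCEPT"                       # chain policy, used when nothing matches
    rules: List[Rule] = field(default_factory=list)

    def append(self, rule: Rule) -> None:        # iptables -A: goes to the end
        self.rules.append(rule)

    def insert(self, rule: Rule) -> None:        # iptables -I: goes to position 1
        self.rules.insert(0, rule)

    def verdict(self, pkt: Packet) -> str:
        # First matching rule wins; later rules are never consulted.
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy


ROUTER = "192.168.1.1"          # router web UI, as in the thread
ALLOWED = ("10.8.0.5",)         # VPN client(s) pinned via ifconfig-push (constructed)


def build_forward_chain() -> Chain:
    """Rules from post #11 in the order they were issued."""
    chain = Chain(policy="ACCEPT")
    # iptables -A FORWARD -i tun0 -d 192.168.1.1 -j REJECT
    chain.append(Rule("REJECT", in_iface="tun0", dst=ROUTER))
    # iptables -I FORWARD -s 10.8.0.5 -i tun0 -j ACCEPT   (lands above the REJECT)
    for ip in ALLOWED:
        chain.insert(Rule("ACCEPT", in_iface="tun0", src=ip))
    return chain


def build_shadowed_chain() -> Chain:
    """Same rules but ACCEPT appended after REJECT: the exception never fires."""
    chain = Chain(policy="ACCEPT")
    chain.append(Rule("REJECT", in_iface="tun0", dst=ROUTER))
    for ip in ALLOWED:
        chain.append(Rule("ACCEPT", in_iface="tun0", src=ip))
    return chain


if __name__ == "__main__":
    good, bad = build_forward_chain(), build_shadowed_chain()
    for pkt in (Packet("tun0", "10.8.0.5", ROUTER),
                Packet("tun0", "10.8.0.20", ROUTER),
                Packet("tun0", "10.8.0.20", "203.0.113.10")):
        print(pkt, "correct order:", good.verdict(pkt), "| shadowed:", bad.verdict(pkt))
```

Running the script shows the allowed client reaching 192.168.1.1, any other tun0 client being rejected, and a packet to an internet host (203.0.113.10, a documentation address) passing through both chains: its destination is the remote host, not 192.168.1.1, so the `-d 192.168.1.1` match never fires even though the router is the next hop. That is the answer to the question in post #4. The shadowed variant shows why post #11 appends the REJECT and inserts the ACCEPTs rather than the other way round.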

#12 2020-07-14 17:15:04

Chuck Arch Linux
Member
Registered: 2011-06-23
Posts: 81

Re: Block router access through VPN.

Ooops, did not read completely.

But if you want to block access from the internet to router settings, why not just turn off <<Remote management>> option in router?

Last edited by Chuck Arch Linux (2020-07-14 17:18:30)


#13 2020-07-15 02:36:54

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,217

Re: Block router access through VPN.

Chuck Arch Linux wrote:

But if you want to block access from the internet to router settings, why not just turn off <<Remote management>> option in router?

That's not what OP is trying to do.

