I set up Proxmox on my home server to virtualize my OpenWrt installation and some Linux clients.
One of those Linux clients will act as a download-vm, which should only be allowed to...
- access the NAS in my LAN, hosted on the OpenWrt vm ==> WORKING
- get internet access via OpenVPN, running on the OpenWrt vm
- block WAN access ==> WORKING
3. To block WAN access I created the following rules:

```
config rule
	option name 'Block-Download-VM-WAN'
	list proto 'all'
	option src 'lan'
	list src_mac 'XX:XX:XX:XX:XX:XX'
	option dest 'wan'
	option target 'REJECT'

config rule
	option name 'Block-Download-VM-WAN'
	list proto 'all'
	option src 'wan'
	option dest 'lan'
	list dest_mac 'XX:XX:XX:XX:XX:XX'
	option target 'REJECT'
```

These are working perfectly fine!
Is there anything else I could do to make sure the download-vm is unable to ever access the WAN interface?
2. Route the client via the VPN

The OpenVPN instance has `option route_nopull '1'` in its config, because I only want specific clients to use the VPN.
To route the download-vm through the VPN I use @stangri's vpn-pbr package:

```
config policy
	option name 'download-vm'
	option src_addr 'ho.me.ip.client'
	option proto 'all'
	option interface 'vpn'
```
The package works very well!
But... for safety reasons, and to minimize errors, I would like to achieve this without the vpn-pbr package.
How can I do this?
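Added example, not the poster's configuration and not code from the vpn-pbr package: one way to do the policy routing by hand on OpenWrt, using OpenVPN's own route-up / route-pre-down hooks so that the ip rules and the routing table follow the tunnel's lifecycle. It also speaks to the earlier question about making sure the VM can never reach the WAN: the client's routing table gets a permanent "unreachable" default behind the tunnel route, so when the tunnel drops, the client's traffic is refused inside its own table and never falls back to the main table (the existing REJECT firewall rules then remain a second, independent line of defence). Everything here that is not in the post is an assumption: the script path /etc/openvpn/download-vm-pbr.sh, table number 100, rule priority 1000, the optional LAN_NET variable for the LAN subnet, and the placeholder ho.me.ip.client, carried over from the post as the client address to fill in. It assumes the tun device already sits in a firewall zone with masquerading and lan-to-that-zone forwarding (vpn-pbr needed the same), and that iproute2 (ip-full) is installed so that "unreachable" routes are accepted.

```shell
#!/bin/sh
# Added example (not from the original post and not from vpn-pbr):
# policy-based routing of one LAN client through an OpenVPN tunnel
# without the vpn-pbr package.
#
# Intended use on OpenWrt (paths and numbers below are assumptions):
# save as /etc/openvpn/download-vm-pbr.sh, chmod +x, then in
# /etc/config/openvpn add to the client instance:
#   option route_up        '/etc/openvpn/download-vm-pbr.sh'
#   option route_pre_down  '/etc/openvpn/download-vm-pbr.sh'
#   option script_security '2'
# OpenVPN exports $dev (the tun device) and $script_type ("route-up" or
# "route-pre-down") to the script; route_nopull does not affect this.

CLIENT_IP="${CLIENT_IP:-ho.me.ip.client}"  # the download-vm; placeholder as in the post
LAN_NET="${LAN_NET:-}"                     # e.g. 192.168.1.0/24; empty = no LAN bypass rule
TABLE="${TABLE:-100}"                      # dedicated routing table for the client (assumed)
PRIO="${PRIO:-1000}"                       # rule priority, must be lower than main (32766)

# run: execute the command, or with DRY_RUN=1 only print it (used for testing).
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# pbr_up DEV CLIENT TABLE PRIO [LAN_NET]
# 1. permanent "unreachable" default in TABLE: if the tun route vanishes,
#    the client gets ICMP unreachable instead of falling through to the
#    main table and the WAN (fail closed, independent of the firewall).
# 2. the real default via the tun device, preferred by its lower metric.
# 3. optional: keep the client's LAN-to-LAN traffic in the main table,
#    otherwise it would be pushed into the tunnel as well.
# 4. the policy rule: everything from CLIENT is looked up in TABLE.
pbr_up() {
    dev=$1; client=$2; table=$3; prio=$4; lan=$5
    run ip route replace unreachable default metric 1000 table "$table"
    run ip route replace default dev "$dev" metric 0 table "$table"
    if [ -n "$lan" ]; then
        run ip rule del from "$client" to "$lan" lookup main priority $((prio - 1)) 2>/dev/null
        run ip rule add from "$client" to "$lan" lookup main priority $((prio - 1))
    fi
    # delete-then-add keeps the rule set idempotent across reconnects
    run ip rule del from "$client" lookup "$table" priority "$prio" 2>/dev/null
    run ip rule add from "$client" lookup "$table" priority "$prio"
    run ip route flush cache
}

# pbr_down DEV TABLE: drop only the tun route. The rule and the unreachable
# default stay, so the client is cut off, not leaked to the WAN, while the
# VPN is down; the next route-up restores the tunnel route.
pbr_down() {
    dev=$1; table=$2
    run ip route del default dev "$dev" table "$table" 2>/dev/null
    run ip route flush cache
}

# Dispatch on the hook OpenVPN is calling us from; does nothing when run by hand.
case "$script_type" in
    route-up)       pbr_up "$dev" "$CLIENT_IP" "$TABLE" "$PRIO" "$LAN_NET" ;;
    route-pre-down) pbr_down "$dev" "$TABLE" ;;
esac
```

Two caveats a practitioner would check: the rules above are IPv4 only, so if the VM gets a global IPv6 address from the LAN, repeat the same rule and routes with `ip -6` or filter IPv6 at the firewall; and `ip rule show` / `ip route show table 100` after a reconnect should show exactly one rule for the client and two defaults (the tun route and the unreachable fallback), which is the quick way to confirm the script ran from the hooks rather than only once.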