Firewall: deny all connections outside of VPN tunnel

I want to create firewall rule(s) for my router to not send or recieve anything (incoming or outgoing) from outside the VPN server.

I need a rule for the WAN zone. Is there any example of what I can use?

On another note, I have 3 interfaces: LAN, WAN and VPN (interface/zone). I don't know if it's enough to configure the WAN zone in firewall. Should I also configure the VPN zone?

I think you need to rephrase that. If you have a VPN server, then you need somehow to accept the incoming connections from the internet to the server, otherwise it won't work.
The default OpenWrt firewall configuration is secure enough and doesn't allow anything unsolicited from the wan zone. If you setup a vpn server, then you'll need to explicitly allow the incoming packets to the vpn server port.

Are you looking for a VPN "kill switch" -- one that would ensure that traffic can only egress from your LAN via a VPN tunnel (such as a to commercial VPN provider)?

If my description above is correct, you need to do the following:

  • Associate your VPN interface with a new firewall zone.
    -- This zone will usually be configured just like the wan zone (input = drop or reject, output = accept, forward = drop or reject), masquerading enabled.
  • Allow forwarding from the lan zone to the vpn zone (do not allow forwarding from vpn to lan).
  • Finally disable forwarding from lan to wan.

This will prevent any LAN traffic from existing via the WAN. The only way the LAN traffic can be routed will be through the VPN. If the VPN is down for any reason, there will be no internet connectivity for your LAN. The router itself will be able to use the WAN to establish the VPN connection.


And how would I restrict the router to only establish the VPN connection and reject anything else both incoming or outgoing?

You want to restrict the router itself? I wouldn't recommend this because it will probably cause other issues, but you can change the firewall zone output rule to drop, then add accept rules for the specific VPN connections. You'll probably also need to open the firewall to allow NTP (if time isn't sync'd, many VPNs fail to function), DHCP (if your connection relies on it) and DNS.

Is the VPN connection being established from the router to another location, or is it inbound (i.e. an external host connecting back to this router)?

Also worth asking -- why? What are you trying to achieve by blocking everything but the VPN? OpenWrt, by itself, doesn't accept any unsolicited traffic and doesn't phone home or do anything else other than basic required services (i.e. NTP and DNS are almost always required).

1 Like

VPN is established from my router to another location.
My router uses PPOE to get its IP from the ISP(Not sure how it works).
Clients on the LAN uses DHCP to get their internal IP.
I can make an allow rule for NTP:
I think DNS must work inside the VPN tunnel
But if that's outside of the tunnel, I can create another allow rule for DNS:

I want to do this just to be on the safer side. How can I configure it?

I've never used PPPoE and I don't know exactly what needs to be open for this to work, but someone else can probably provide more insight.

Unless you have hard-coded, never changing IP addresses (numeric) for the VPN tunnel AND the time server, you must have DNS available outside the tunnel to get started. otherwise, the router will not be able to resolve the time server and VPN address. After the tunnel is established, if the VPN is configured appropriately, the DNS will go through the tunnel.

I think you're worrying too much about the router. Provided you're running a current version of OpenWrt (21.02.1), the router itself is quite safe and secure. I'm not going to claim that it is up to enterprise standards for big tech, but it is more than adequate for home use, and is often much more secure than the stock firmware from many of the typical vendors.

IMO, there is no additional hardening necessary for your router, but feel free to do whatever makes you most comfortable. I described how to do it in principle already. You should be able to search these forums and the OpenWrt site/wiki to find examples and tutorials for how to actually make the appropriate rules.

1 Like

As a sidenote ntp works on port 123.
pppoe itself will not be filtered by iptables rules, but the payload will be, therefore you need to allow the necessary protocols for the smooth operation of the router, such as ntp, dns, and the vpn.
I would suggest to leave all that aside and follow the steps mentioned earlier.

1 Like

(post deleted by mistake)

Create a firewall rule to allow from device to wan on port 51820 udp and on wan zone change output to reject.

Would that also reject ICMP (pings) to & from the router - except to & from the VPN server?

I think there is a rule to allow ping from wan zone to the router. You'd need to adjust that to your needs. And you'll need another rule for pings initiated from the router.

By turning "Forward" to reject on LAN->VPNZone like this;

Will it make all ICMP requests rejected?
Would I still need these 2 rules then?

This is not related.
I am referring to the rule:

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

Which allows ping from the internet to the router wan interface.
The 2 rules you have there are not useful. The incoming cannot work, because you have only one public IP. The outgoing works anyway since you have the lan->wgzone forwarding enabled.
What you need is to use the device as source or destination and the wan zone as destination or source respectively, along with the vpn server IP.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.