Firewall rule help/allow specific port from LAN to Guestzone

I have a LAN zone and Guest zone. I run openvpn in the guest zone which I use to connect when outside the house (public wifi networks). Because some users forget to stop using openvpn client on their phones, I need a firewall rule to allow any guest in the LAN to connect to the openvpn server in the guestzone. Circular and dumb I know, needed due to laziness.

I am running openvpn on port 80. I tried this rule but it does not allow traffic as I expect.

IPv4-tcp
From any host in lan
To IP 172.17.1.250, port 80 in guestzone

What am I doing wrong?

Does your OpenVPN server use a hostname, or IP address?

Do you use openvpn tcp or udp in your server.conf?

IPv4-tcp

Does your OpenVPN server use a hostname, or IP address?

@lleachii - It's using an FQDN so technically, the traffic would originate from the WAN, yes? I also tried "From any host in WAN" to Any port 80 in LAN but that doesn't work either.

@eliasmagnus -
It's set up for tcp.

...
port 80
proto tcp
...

Off hand, you've got a request destined for the IP on the WAN interface coming in the LAN interface, which isn't the best setup (and blocked by many firewalls, though I don't know if OpenWrt does it that way).

Also, if your OpenVPN server isn't listening on that interface, then you're asking for "hairpin NAT" (in, sharply bending through NAT, then back out the same interface) which can get equally wonky, especially if the server is on the same subnet as the clients (packets go back directly, rather than back through the NAT).

One thing to consider would be "overriding" the public DNS with a link-local address (or at least locally routable) for clients on your LAN. With that, there wouldn't be any major NAT/firewall complexity involved.


While @jeff offered a [very good] solution...(I would have suggested a firewall redirect to LAN to reroute with the IP)...

The issue is...your OpenVPN is likely set up for the FQDN presenting an A and/or AAAA of the WAN address. Hence, they won't connect internally (as noted in the above post). Unless you specify a local hostname for the local IP (or, as I noted, make a redirect).

@lleachii - OK... I think I got it. Is this what you are suggesting?

  1. The top one, "openvpn" allows port 80 from anywhere to hit my openvpn server.
  2. The bottom one, "internal openvpn redirect" is my interpretation of your suggestion.

Yes...but I think the SRC zone should be WAN (and hence, MACs might not work) and the forward to should be to LAN (not guestzone), so that normal routing occurs (you must permit forwarding from LAN to GUESTZONE or permit the IPs).

Here is a rule I have:

IPv4-tcp
From IP range 192.168.1.0/24 in wan
Via any router IP at port 80
IP 192.168.256.253, port 80 in lan

EDIT: I have a filter on WAN that prevents bogons, so adding a rule for 192.168.0.1/24 is safe on my WAN.

Don't understand your setup at all!
How is your "way of trust"? I guess you trust the lan zone but don't trust the guest nor the wan zone.
It would be nice to understand your topology like this: the openvpn server is at which ip-address, etc.

        Lan                -->         Guest            --->             OpenVPN       -->              Wan
XXX.XXX.XXX.XXX/24          XXX.XXX.XXX.XXX/24           XXX.XXX.XXX.XXX             8.8.8.8

or

     --> Guest                -->            OpenVPN       -->              Wan
    XXX.XXX.XXX.XXX/24           XXX.XXX.XXX.XXX             8.8.8.8

or


     Guest   -->                         Lan                -->               OpenVPN       -->              Wan
XXX.XXX.XXX.XXX/24           XXX.XXX.XXX.XXX/24          XXX.XXX.XXX.XXX/24            8.8.8.8

or or or

@eliasmagnus - Yes, exactly.

I have two zones: LAN and Guestzone. I do not trust Guestzone. It is not allowed to access LAN which I do trust. I have a box running OpenVPN in the guestzone. It is WAN facing via a forwarded port to allow access. The problem is when someone comes home and connects to the LAN zone and leaves their OpenVPN client active. No internet traffic is allowed. If I add that "port forward" I show in the screenshot, one can be connected to the LAN and also use OpenVPN (although doing this is circular and superfluous).

Did I answer your question?

Ok, for my understanding I need some more information, because I think you mix up words somehow, or I do.

Someone (you or someone from your home) is somewhere outside in the wilderness and uses the openvpn server in your guestzone (something like a DMZ) to secure his internet connection in wifi hotspot environments. When he/she comes home the openvpn client is still running, so the internet connection is kept tunneled via openvpn. The client can't connect to the internet because the openvpn client has a routing issue: your wan ip is equal to the destination ip of the openvpn server; first your router wants to route lan to guestzone, but it's not allowed. You need to allow lan to guestzone routing. Just clone the firewall settings from lan to wan. Enable mss-clamping and forwarding! From lan to guestzone.

Or much more overhead:

Then through wan you get a tcp loop, which is messy. --> You need to disallow the connection between your lan and your wan ip and give your openvpn client a second ip of the server, which is the guestzone ip of your openvpn server, 172.17.1.249. Then the openvpn client tries to connect to the server via the wan port, but it is blocked from lan, so it tries the second ip and it works. It only works if you allow connection and forwarding between lan and guestzone like lan to wan. So none of your guests can connect to lan, but from lan it's possible to reach the guestzone vpn-server.

This setup is kinda weird, and I believe you are not using a proxy for your openvpn-hotspot, hence you are running it on port 80. Did you test your openvpn setup with https?
Do you use a dyndns service, or do you have a static wan ip?

lleachii is right! But you should first simply use the firewall zone settings and not mess with the iptables.
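The three suggestions in this thread (jeff's local DNS override, the narrow lan-to-guestzone accept rule the opening post was after, and lleachii's redirect for clients that still target the WAN address) written out as OpenWrt UCI fragments. This is an added example, not config posted in the thread or shipped by OpenWrt. It assumes the firewall zones are named lan, guestzone and wan, uses vpn.example.net as a placeholder for the server's public name and <WAN-IP> as a placeholder for the router's public address; the server address 172.17.1.250 and tcp/80 are taken from the thread.

```uci
# Added example, not from the thread. Assumptions: zones 'lan', 'guestzone'
# and 'wan'; vpn.example.net is a placeholder FQDN; <WAN-IP> is a placeholder
# for the router's public address. 172.17.1.250 and tcp/80 come from the thread.

# --- /etc/config/dhcp --------------------------------------------------
# jeff's approach: answer the public name with the guestzone address for every
# client that resolves through the router, so LAN clients connect to the
# server directly instead of going out to the WAN address and back in.
config dnsmasq
	list address '/vpn.example.net/172.17.1.250'

# --- /etc/config/firewall ----------------------------------------------
# The narrow forwarding rule from the opening post: only tcp/80 to the OpenVPN
# box is opened from lan into guestzone. Nothing else in guestzone becomes
# reachable, and guestzone -> lan stays blocked as before.
config rule
	option name 'Allow-LAN-to-OpenVPN'
	option src 'lan'
	option dest 'guestzone'
	option dest_ip '172.17.1.250'
	option dest_port '80'
	option proto 'tcp'
	option family 'ipv4'
	option target 'ACCEPT'

# The existing port forward from the Internet that the thread describes.
config redirect
	option name 'OpenVPN-from-WAN'
	option src 'wan'
	option src_dport '80'
	option dest 'guestzone'
	option dest_ip '172.17.1.250'
	option dest_port '80'
	option proto 'tcp'
	option target 'DNAT'

# lleachii's redirect: a LAN client that still carries the WAN address (for
# example from a cached DNS answer) has lan -> <WAN-IP>:80 rewritten to the
# server before routing. Because client and server sit in different subnets,
# replies return through the router and conntrack reverses the NAT, so no
# extra SNAT is needed here. Replace <WAN-IP> with the real public address.
config redirect
	option name 'OpenVPN-hairpin-from-LAN'
	option src 'lan'
	option src_dip '<WAN-IP>'
	option src_dport '80'
	option dest 'guestzone'
	option dest_ip '172.17.1.250'
	option dest_port '80'
	option proto 'tcp'
	option target 'DNAT'
```

Apply with `/etc/init.d/dnsmasq restart` and `/etc/init.d/firewall restart`, then check from a LAN client that `nslookup vpn.example.net` against the router returns 172.17.1.250; if it does, the redirect is only a fallback and the accept rule is what carries the traffic. With a dynamic WAN address the redirect's `src_dip` goes stale, which is why the DNS override is the more robust of the two. fw3 can also generate the hairpin rules itself by adding `list reflection_zone 'lan'` to the WAN port forward (its reflection defaults to the destination zone, here guestzone, so lan has to be named explicitly).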