Firewall: how restrict forwarding rule, only from LAN and OpenVPN?
I have domoticz running on host behind openWRT.
Now I have a port forward rule to allow forward "FROM any host, in any zone to domoticz-host, domoticz-portnumber in lan'.
This enables me to access domoticz in my lan and when I am connected via openVPN.
I configured openVPN as follows:
persist-key
persist-tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
compress lzo
dev tun0
#listen to this interface only; not all interfaces; otherwise it interferes with Luci which listens to 192.168.1.1
local 192.168.2.253
dh /etc/openvpn/dh2048.pem
ifconfig-pool-persist /tmp/ipp.txt
keepalive 10 120
key /etc/openvpn/server.key
port 443
proto tcp
server 10.8.0.0 255.255.255.0
#push setting to client; to route all traffic through VPN tunnel
push "redirect-gateway def1"
#
#
#Enable packet forwarding on vpn host
#By default in most distributions the packet forwarding is disabled, hence packets from the tunnel interface never make it to the public interface.
#You must enable forwarding with:
# sysctl net.ipv4.ip_forward=1
#
status /tmp/openvpn-status.log
user nobody
verb 3
I can access domoticz when I am connected from public internet via OpenVPN, only when the above mentioned firewall forward rule accepts input from ANY ZONE, but that is probably to wide.
How can I only allow access to my domoticz from LAN or when I am connected via OpenVPN without accepting input from ANY ZONE?