Firewall: how to restrict a forwarding rule to only LAN and OpenVPN?
I have Domoticz running on a host behind OpenWrt.
Now I have a port forward rule that allows forwarding "FROM any host, in any zone, to domoticz-host, domoticz-portnumber in lan".
This enables me to access Domoticz from my LAN and when I am connected via OpenVPN.
I configured OpenVPN as follows:
    persist-key
    persist-tun
    ca /etc/openvpn/ca.crt
    cert /etc/openvpn/server.crt
    compress lzo
    dev tun0
    # listen on this interface only, not all interfaces; otherwise it interferes with LuCI, which listens on 192.168.1.1
    local 192.168.2.253
    dh /etc/openvpn/dh2048.pem
    ifconfig-pool-persist /tmp/ipp.txt
    keepalive 10 120
    key /etc/openvpn/server.key
    port 443
    proto tcp
    server 10.8.0.0 255.255.255.0
    # push setting to client: route all traffic through the VPN tunnel
    push "redirect-gateway def1"
    #
    #
    # Enable packet forwarding on the VPN host.
    # By default in most distributions packet forwarding is disabled, hence packets from the tunnel interface never make it to the public interface.
    # You must enable forwarding with:
    #   sysctl net.ipv4.ip_forward=1
    #
    status /tmp/openvpn-status.log
    user nobody
    verb 3
I can access Domoticz when I am connected from the public internet via OpenVPN only when the above-mentioned firewall forward rule accepts input from ANY ZONE, but that is probably too wide.
How can I allow access to my Domoticz only from the LAN or when I am connected via OpenVPN, without accepting input from ANY ZONE?
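One way to get the effect the question asks for, as an added example rather than the asker's own configuration: put the tunnel interface into its own firewall zone and allow traffic from that zone into lan, so the "from any zone" redirect is no longer needed at all. Hosts on the LAN reach Domoticz directly on the same subnet without passing through the router's forward chain, and VPN clients arrive on tun0, which is now the `vpn` zone. The Domoticz address 192.168.1.50 and port 8080 below are assumed placeholders for the host and port mentioned in the question.

```uci
# /etc/config/firewall (excerpt, added example)

# Zone for the OpenVPN tunnel. fw3 accepts a raw device name here, so no
# extra entry in /etc/config/network is required for tun0.
config zone
    option name 'vpn'
    list device 'tun0'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '0'

# Variant A: let VPN clients reach everything in lan (simplest).
config forwarding
    option src 'vpn'
    option dest 'lan'

# Variant B (instead of the forwarding above): allow only the Domoticz
# host and port from the VPN. Use one variant or the other, not both.
config rule
    option name 'vpn-to-domoticz'
    option src 'vpn'
    option dest 'lan'
    option dest_ip '192.168.1.50'   # assumed Domoticz host
    option dest_port '8080'         # assumed Domoticz port
    option proto 'tcp'
    option target 'ACCEPT'

# Only needed because the server pushes "redirect-gateway def1": client
# internet traffic also arrives on tun0 and must be allowed out to wan.
config forwarding
    option src 'vpn'
    option dest 'wan'
```

After adding this, delete the existing port forward with source zone "any" and run `/etc/init.d/firewall restart`. The wan input rule that lets OpenVPN itself be reached on TCP 443 is unaffected and stays as it is. On older releases that do not accept `list device` in a zone, the equivalent is an unmanaged interface (`config interface 'vpn'` with `option ifname 'tun0'` and `option proto 'none'` in /etc/config/network) referenced from the zone with `list network 'vpn'`. To confirm the narrowing worked, connect through the VPN and check `iptables -t nat -L -n` shows no DNAT for the Domoticz port any more, while a client on wan can no longer reach it directly.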