I would like to have a VPN server in my environment. My plan is this:
Put the host in its own VLAN (vlan_vpn --> 10.10.50.0/28)
The host will forward IPv4 from clients and will serve as NAT for all WAN traffic (it will not NAT local traffic). The host will create a private network (10.10.10.0/26)
Firewall zone rule: allow wan traffic in the vlan_vpn zone (for internet access).
Example of a new firewall traffic rule (for one workstation):
Name: AllowToVlan10
Protocol: Any
Source zone: Any zone (forward) <-- is this OK?
Source address: 10.10.10.10 <-- this is a PRIVATE IP (not on any interface)
Destination: vlan10
Action: accept
Example of a new firewall rule for another client that needs access to one of the other VLANs:
Name: AllowXYZ
Protocol: Any
Source zone: Any zone (forward) <-- is this OK?
Source address: 10.10.10.yy <-- this is a PRIVATE IP (not on any interface)
Destination: vlan11
Action: accept
Will this work? Is this the right plan to implement a VPN (based on my requirements: I want to control access from the private network to different VLANs and/or servers in a VLAN)? I am not sure what "Any zone (forward)" means and whether it is correct to choose this.
Do I understand you correctly that the VPN server is on your LAN and not on your router?
So you port forward the VPN traffic from your router to your VPN server on your LAN?
Yes, the VPN host is in a separate VLAN. The host is forwarding traffic (NAT for WAN client traffic). I have a port forward to this host (to make the VPN connection from the internet). I am unsure how to manage access for VPN clients (from the private network to different VLANs).
I saw you have already set a static route on the router to reach your VPN subnet.
But to set access restrictions for your VPN, it is best to do that on your VPN server, because if VPN traffic enters the LAN with a destination on your LAN, the traffic will not go via your router, so your whole LAN is exposed.
(Of course, individual LAN clients can have their own firewall and can block non-local traffic; traffic from the VPN server is non-local unless you are NATting traffic coming out of the VPN server.)
You can set traffic rules on the router to block access to the router itself for the VPN subnet (or for clients of the VPN subnet), or block WAN access.
I think this can be done with traffic rules, e.g. traffic coming in on br-lan with a source address of the VPN etc.; you get the meaning, I hope.
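As an added example (not from anyone in this thread), this is what the rules from the first post and the router-side restriction suggested in the reply above look like in OpenWrt's /etc/config/firewall, which is the file behind the LuCI forms the thread is talking about. It assumes the router runs OpenWrt, that /etc/config/network already defines interfaces named vlan_vpn, vlan10 and vlan11 (assumed names), and that the static route for 10.10.10.0/26 via the VPN host mentioned in the reply is in place. The second client's address (10.10.10.20) and the vlan11 server address (10.10.11.5) are placeholders chosen for the example. The LuCI "Any zone" choice is the UCI wildcard `option src '*'`; the example pins the source zone to vlan_vpn instead, because that is the only interface on which the router should ever see a packet from 10.10.10.0/26, so a packet with a forged 10.10.10.x source arriving on another VLAN does not match the accept rule.

```uci
# Added example, not the thread author's configuration.
# Assumed interface names: vlan_vpn, vlan10, vlan11 (defined in /etc/config/network).

# Zone for the VLAN the VPN host lives in (10.10.50.0/28).
# forward=REJECT: nothing leaves this zone for another zone unless a
# 'forwarding' section or a traffic rule below explicitly allows it.
config zone
	option name 'vlan_vpn'
	list network 'vlan_vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Internet access for the VPN host and, through its NAT, the VPN clients.
config forwarding
	option src 'vlan_vpn'
	option dest 'wan'

# The LAN-side zones referenced below (assumed to already exist; shown for completeness).
config zone
	option name 'vlan10'
	list network 'vlan10'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'vlan11'
	list network 'vlan11'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Rule 1 from the first post: one VPN client may reach anything in vlan10.
# src+dest set => forward chain. Traffic rules are evaluated before the
# zone's forward=REJECT default, so this is the only vlan_vpn->vlan10 path.
config rule
	option name 'AllowToVlan10'
	option family 'ipv4'
	option proto 'all'
	option src 'vlan_vpn'
	option src_ip '10.10.10.10'
	option dest 'vlan10'
	option target 'ACCEPT'

# Rule 2 from the first post, narrowed to a single server and port
# (10.10.10.20, 10.10.11.5 and port 443 are assumed example values).
config rule
	option name 'AllowXYZ'
	option family 'ipv4'
	option proto 'tcp'
	option src 'vlan_vpn'
	option src_ip '10.10.10.20'
	option dest 'vlan11'
	option dest_ip '10.10.11.5'
	option dest_port '443'
	option target 'ACCEPT'

# Reply's suggestion: VPN clients may not talk to the router itself.
# No 'dest' => input chain. The VPN host (10.10.50.x) is unaffected and can
# still use the router for DNS/NTP; only the client range is rejected.
config rule
	option name 'DenyVpnClientsToRouter'
	option family 'ipv4'
	option proto 'all'
	option src 'vlan_vpn'
	option src_ip '10.10.10.0/26'
	option target 'REJECT'
```

After editing the file, apply it with `/etc/init.d/firewall restart` and inspect what was generated with `fw4 print` (`fw3 print` on releases before 22.03). The rules only mean anything if VPN-client traffic actually transits the router: with the VPN host on its own VLAN as described in the thread, every packet from 10.10.10.0/26 towards vlan10 or vlan11 has to be routed by the router, which is what makes the router-side rules enforceable; if the VPN host also had an interface directly in vlan10, the router would never see that traffic and only a firewall on the VPN host could restrict it.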
I added a picture in the first post. Hope it helps. I just want to use firewall rules to control access from the private network to different VLANs (and/or servers in a VLAN). I don't know how. Is this configuration OK? Also, I am not sure what "Any zone (forward)" means and whether it is correct to choose this.