How to protect my network from a PPTP tunnel

Thanks to vgaetera I have a tunnel with no encryption...
I have 2 routers, one has a static IP and has a PPTP server on it, and the other is a client.


In order to protect my network from the dirty PPTP tunnel (no encryption), which is not secure at all,
I am gonna put the PPP tunnel in a special zone so no one from the tunnel can access my LAN.
But if someone breaks into my tunnel they can get access to the web interface and SSH (of course I can use passwords) and maybe something else like some system thingy, idk. How to isolate the tunnel from everything on my router?
(At the same time I need NTP port 123 access to the Internet from the tunnel (DMZ LAN) and port 8080 from the Internet to 192.168.100.0, but I guess I can just use the firewall in the LuCI interface.)


You can attach the VPN interface to a separate firewall zone with restrictive policies:
https://openwrt.org/docs/guide-user/services/vpn/pptp/extras#kill_switch

And create a traffic rule to allow forwarding filtered by IP:

```sh
# Recreate the rule from scratch so re-running the script does not duplicate it
uci -q delete firewall.vpn_fwd
uci set firewall.vpn_fwd="rule"
uci set firewall.vpn_fwd.name="Allow-VPN-Forward"
# Only traffic arriving from the VPN zone and from these source subnets matches
uci set firewall.vpn_fwd.src="vpn"
uci add_list firewall.vpn_fwd.src_ip="192.168.22.0/24"
uci add_list firewall.vpn_fwd.src_ip="192.168.44.0/24"
uci add_list firewall.vpn_fwd.src_ip="192.168.100.0/24"
uci add_list firewall.vpn_fwd.src_ip="192.168.200.0/24"
# ...and only when it is going to the LAN zone and to these destination subnets
uci set firewall.vpn_fwd.dest="lan"
uci add_list firewall.vpn_fwd.dest_ip="192.168.22.0/24"
uci add_list firewall.vpn_fwd.dest_ip="192.168.44.0/24"
uci add_list firewall.vpn_fwd.dest_ip="192.168.100.0/24"
uci add_list firewall.vpn_fwd.dest_ip="192.168.200.0/24"
uci set firewall.vpn_fwd.proto="all"
uci set firewall.vpn_fwd.target="ACCEPT"
uci commit firewall
/etc/init.d/firewall restart
```

Customize the IP ranges depending on the client/server role.


So can everything be solved by the firewall, including all the services on my router like SSH, web, etc.?


Yes, you can keep the LAN-to-VPN forwarding, but make sure to remove the VPN-to-LAN forwarding.
Replace it with traffic rules limiting the rule scope to specific IP ranges.
Further hardening requires limiting the rule scope to specific ports and protocols.

This is necessary to prevent unauthorized access to the LAN hosts and their services.
Protecting traffic passing through the tunnel is another problem.
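As an added example (not from the thread or from the OpenWrt docs linked above), this is what the restrictive zone plus the two rules from the original question look like in /etc/config/firewall on the server-side router. It assumes the PPTP interface is named vpn, the client LAN behind the tunnel is 192.168.100.0/24, and the 8080 service is TCP.

```uci
# /etc/config/firewall (fragment, added example)

config zone
	option name 'vpn'
	list network 'vpn'         # PPTP interface name (assumption)
	option input 'REJECT'      # tunnel peers cannot reach router services (SSH, LuCI, ...)
	option output 'ACCEPT'     # router may still send replies into the tunnel
	option forward 'REJECT'    # nothing is forwarded between tunnel networks by default

# LAN may initiate connections into the tunnel; there is deliberately
# no matching 'vpn' -> 'lan' forwarding section
config forwarding
	option src 'lan'
	option dest 'vpn'

# NTP only: UDP/123 from the client LAN, through the tunnel, out to the Internet
config rule
	option name 'Allow-VPN-NTP'
	option src 'vpn'
	option src_ip '192.168.100.0/24'
	option dest 'wan'
	option proto 'udp'
	option dest_port '123'
	option target 'ACCEPT'

# TCP/8080 from the Internet to the client LAN via the tunnel, nothing else
config rule
	option name 'Allow-WAN-8080-to-VPN'
	option src 'wan'
	option dest 'vpn'
	option dest_ip '192.168.100.0/24'
	option proto 'tcp'
	option dest_port '8080'
	option target 'ACCEPT'
```

The router must also have a route for 192.168.100.0/24 pointing into the tunnel, and these rules restrict only what the tunnel can reach on the LAN and router; the unencrypted traffic inside the tunnel itself is still readable on the path, as the reply above notes.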


Thanks a lot :slightly_smiling_face: again


Turns out I need my LAN to go to the Internet through WAN, but when the VPN is up the default gateway is the VPN's gateway and I don't understand how to change it for the LAN and how to make the DMZ go through the VPN's gateway. I definitely need to learn how routing works, how hotplug routing works, etc. What can I read, or maybe some examples of how to make routing the way I need?

Use PBR to route a specific network to the VPN:
https://openwrt.org/docs/guide-user/network/ip_rules#examples

Or disable gateway redirection to access only the remote subnet:
https://openwrt.org/docs/guide-user/services/vpn/pptp/extras#disable_gateway_redirection

