In order to protect my network from the dirty PPTP tunnel (no encryption), which is not secure at all,
I am going to put the PPP tunnel in a special zone so no one from the tunnel can access my LAN.
But if someone breaks into my tunnels they can get access to the web interface and SSH (of course I can use passwords) and maybe something else like some system thingy, idk. How do I isolate the tunnel from everything on my router?
(At the same time I need NTP port 123 access to the Internet from the tunnel (DMZ LAN) and port 8080 from the Internet to 192.168.100.0, but I guess I can just use the Firewall in the LuCI interface.)
Yes, you can keep the LAN-to-VPN forwarding, but make sure to remove the VPN-to-LAN.
Replace it with traffic rules limiting the rule scope to specific IP ranges.
Further hardening requires limiting the rule scope to specific ports and protocols.
This is necessary to prevent unauthorized access to the LAN hosts and their services.
Protecting traffic passing through the tunnel is another problem.
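The zone layout the answer above describes, written out as an OpenWrt /etc/config/firewall fragment. This is an added example, not configuration from the thread; the network name 'pptp', the zone name 'vpn', the tunnel client range 10.0.0.0/24 and the host 192.168.100.X are assumptions or placeholders.

```uci
# Added example, not from the thread. Assumed: tunnel network 'pptp', zone
# 'vpn', client range 10.0.0.0/24; 192.168.100.X is a placeholder host.

# Isolated zone: tunnel traffic may neither reach the router itself (input)
# nor be forwarded anywhere (forward) unless a rule below allows it, so
# LuCI and SSH on the router are not reachable from tunnel peers.
config zone
	option name 'vpn'
	list network 'pptp'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# LAN -> VPN forwarding stays; there is deliberately no vpn -> lan entry.
config forwarding
	option src 'lan'
	option dest 'vpn'

# No blanket vpn -> wan forwarding either: only NTP (UDP/123) may leave.
config rule
	option name 'vpn-ntp-out'
	option src 'vpn'
	option dest 'wan'
	option proto 'udp'
	option dest_port '123'
	option target 'ACCEPT'

# If some tunnel peers really need one LAN service, allow exactly that:
# source range, destination host, protocol and port all pinned.
config rule
	option name 'vpn-to-lan-single-service'
	option src 'vpn'
	option src_ip '10.0.0.0/24'
	option dest 'lan'
	option dest_ip '192.168.100.X'
	option proto 'tcp'
	option dest_port '8080'
	option target 'ACCEPT'

# TCP/8080 from the Internet to one LAN host (DNAT); replace X with the host.
config redirect
	option name 'wan-8080-to-lan'
	option src 'wan'
	option src_dport '8080'
	option dest 'lan'
	option dest_ip '192.168.100.X'
	option dest_port '8080'
	option proto 'tcp'
	option target 'DNAT'
```

Apply with `/etc/init.d/firewall reload` and inspect the generated ruleset with `fw4 print` (firewall4) or `fw3 print` (firewall3) to confirm that no vpn -> lan forwarding chain remains.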
Turns out I need my LAN to go to the Internet through WAN, but when the VPN is up the default gateway is the VPN's gateway, and I don't understand how to change it for LAN and how to make the DMZ go through the VPN's gateway. I definitely need to learn how routing works, how hotplug routing works, etc. What can I read, or maybe some examples of how to make routing the way I need?