Hey guys, I'm trying to figure out how to make my VPN connection following this tutorial isolated from the rest of my network (lan and guest) and go directly to go my IOT zone so it can only see the devices connected to my IOT wifi connection. My router is a Archer A7 v5 running Openwrt 19.07.6 Here's my config
Firewall Traffic Rule
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone 'lan'
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
config zone 'wan'
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6'
config forwarding
option src 'lan'
option dest 'wan'
config zone
option input 'ACCEPT'
option forward 'REJECT'
option name 'iot'
option output 'ACCEPT'
list device 'tun0'
option network 'iot'
config forwarding
option dest 'iot'
option src 'lan'
config forwarding
option dest 'wan'
option src 'iot'
config zone
option forward 'REJECT'
option name 'guest'
option output 'ACCEPT'
option input 'REJECT'
option network 'guest'
list device 'tun0'
config forwarding
option dest 'wan'
option src 'guest'
config rule
option src 'guest'
option name 'Guest DHCP and DNS'
option target 'ACCEPT'
option dest_port '53 67-68'
config rule
option src 'iot'
option name 'IOT DHCP and DNS'
option dest_port '53 67-68'
option target 'ACCEPT'
config rule 'ovpn'
option name 'Allow-OpenVPN'
option dest_port '1194'
option proto 'udp'
option target 'ACCEPT'
option src 'wan'
Network
config interface 'guest'
option type 'bridge'
option proto 'static'
option netmask '255.255.255.0'
option ipaddr '10.23.36.0'
config interface 'iot'
option type 'bridge'
option proto 'static'
option netmask '255.255.255.0'
option ipaddr '192.168.4.1'
config interface 'tun0'
option proto 'none'
option ifname 'tun0'
option auto '0'
Ah ok, I created another zone so I didn't have to make iot forward chain accept (I don't want IOT being able to access the other zones). Is it necessary to have the forward chain set to accept?
Ah ok. So, if I made the vpn zone forward to only the iot zone with the forward chain enabled, but leave the iot zone the same as it is now, would that work?
both interfaces in the same zone -> accept forward of zone
one interface per zone -> enable forwarding between zones
If iot and vpn only need access to wan, then you can do it with the first way. If you need more refined traffic separation go for the second.
But I don't want to enable intrazone communication with iot, I strictly want iot to remain in it's own zone and merely have access to the internet for software updates, and I want to direct the VPN connection (the tun0 interface) which comes from outside the network (wan) to the iot zone, and not allow it to interact with any of the other zones
I need a OpenVPN server, Im basically making a server that allows my computers whenever they are outside the network to connect to my VPN and access my Plex server, which I already have setup. I want to isolate the VPN connection from accessing any other the firewall zones except the one I specifically want, which is the iot firewall (where my plex instance resides in)
Unless I'm missing something obvious (it's possible; I've had only one coffee so far today), it sounds like you want this:
All devices in the IoT zone may communicate outbound only with the Internet; the IoT zone may not communicate to any other destination zones except the Internet
All incoming VPN connections may communicate only with the IoT zone; incoming VPN connections may not communicate with any other destination zones except IoT.
If that's the case, why not just add the VPN interface directly to the IoT zone, instead of trying to maintain a separate VPN zone?
Yeah, that's exactly what I want! And I did originally try to add the VPN interface to the IOT zone, but for some reason it won't let the VPN connection access anything on the IOT zone (but lets me see the gui for Openwrt, which is something I don't particularly want). It seems to work better if I have it in a separate zone
I forgot to mention - the OpenVPN server will probably attempt to claim the lowest address in the subnet for its own address; apologies for the omission.
In the case of a /24 subnet, that's the .1 address. If you've got both OpenVPN and "iot" trying to claim 192.168.4.1 for themselves, it'll likely cause problems.
Assuming that what I'm contemplating will work, it might require reconfiguring the "iot" interface to have a different address than it currently has.
The above ideas regarding mixing OpenVPN with an existing subnet are speculation - I don't have an active OpenVPN setup I can test these ideas on right now.
It might help to keep in mind the key difference between routing and firewalling, when trying to identify why the traffic isn't flowing where you want it to flow:
routing = where do I send this packet?
firewalling = is this packet permitted?
If the route is correct but the firewall denies the traffic, it won't flow. If the firewall permits the traffic but the route is incorrect, it won't flow.
Why do I need to make the iot interface have a different address.. wouldn't it be easier to make the vpn use a different address instead? I don't have anything setup for the firewall other than allowing traffic connect to the VPN, and I can't seem to make the traffic route to the iot exclusively. it just allows the vpn to route to all of the interfaces
As long as the subnet interface and the OpenVPN server interface don't conflict, it doesn't really matter which one changes.
In my head, I had the idea (which might be wrong) that having an OpenVPN entry point into the same subnet as your existing IoT devices might be a) possible, and b) easier than trying to solve combined routing/firewall issues between subnets. Keep in mind that what I'm imagining might be feasible... or it might not be.
If my fever dream idea of OpenVPN on the same subnet isn't possible, then with your original configuration (VPN = 192.168.8.0/24, IoT = 192.168.4.0/24) it ought to be possible to achieve what you want by configuring:
OpenVPN listens on your WAN address (i.e. 1194/udp and/or 443/tcp open to the world)
OpenVPN server's internal address (192.168.8.1) is in the VPN zone
