I've set up OpenVPN following this guide and this guide, and everything works — in fact it works too well. Currently every VPN client can reach anything on the LAN and route traffic out through the WAN. What I want is a default-deny policy from the VPN to the LAN, with only specific forwardings/rules explicitly allowed.
The closest issue I've found is this topic. Going by that, I don't understand why clients can reach the LAN at all: I have nothing explicitly set up to allow traffic from the VPN zone to the LAN zone. I've tried setting every policy in the firewall's VPN zone to reject, but that made no difference — it is as if the VPN clients were being placed in the LAN zone.
Here are my configs:
/etc/config/network
# Loopback interface (standard OpenWrt entry).
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
# IPv6 ULA prefix; the lan interface below takes a /60 out of it (ip6assign).
config globals 'globals'
option ula_prefix 'fd0a:ddf6:76b1::/48'
# lan: a bridge (br-lan) over switch VLAN 1 (eth0.1); the wireless radios
# presumably join the bridge via /etc/config/wireless, which is not shown.
# 192.168.2.1/24 is the router's LAN address and is also the DNS server that
# /etc/config/openvpn pushes to VPN clients. The _orig_* options look like
# LuCI bookkeeping left over from an earlier edit and do not affect behaviour.
config interface 'lan'
option force_link '1'
option type 'bridge'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.2.1'
option _orig_ifname 'wlan0 wlan1'
option _orig_bridge 'true'
option ifname 'eth0.1'
# wan / wan6: switch VLAN 2 (eth0.2), addressed by DHCP and DHCPv6.
config interface 'wan'
option ifname 'eth0.2'
option proto 'dhcp'
config interface 'wan6'
option ifname 'eth0.2'
option proto 'dhcpv6'
# Switch layout: VLAN 1 = ports 2-5 plus CPU port 0 (tagged);
# VLAN 2 = port 1 plus CPU port 0 (tagged).
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0t 2 3 4 5'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '0t 1'
# vpn0: the OpenVPN tun0 device. proto 'none' because OpenVPN addresses the
# interface itself; the entry exists so that /etc/config/firewall can place
# tun0 in its own 'vpn' zone (option network 'vpn0') instead of treating it
# as an unknown interface.
config interface 'vpn0'
option ifname 'tun0'
option proto 'none'
option auto '1'
/etc/config/firewall
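# fw3 firewall. Defaults: the router itself accepts and emits freely; traffic
# between zones is REJECTed unless a `config forwarding` or `config rule`
# below allows it. NOTE(review): the iptables-save output on this page shows
# `-i tun+ -j ACCEPT` / `-o tun+ -j ACCEPT` rules inserted ahead of the fw3
# delegate_* chains; they do not come from this file and short-circuit the
# vpn zone entirely until they are removed and the firewall is restarted.
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option drop_invalid '1'
# lan zone: br-lan; trusted towards the router, forwarded only to wan (below).
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option network 'lan'
option forward 'REJECT'
# wan zone: eth0.2; outbound NAT + MSS clamping, unsolicited inbound dropped.
config zone
option name 'wan'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6'
option input 'DROP'
option forward 'DROP'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
# Optional hand-written rules; the file is absent on this system.
config include
option path '/etc/firewall.user'
# lan -> wan is the only inter-zone forwarding the LAN gets.
config forwarding
option dest 'wan'
option src 'lan'
# Expose the OpenVPN listener (tcp/443, see /etc/config/openvpn) to the WAN.
config rule
option target 'ACCEPT'
option name 'OpenVPN'
option src 'wan'
option proto 'tcp'
option dest_port '443'
# vpn zone: tun0 (interface vpn0). Nothing is allowed in, out or across by
# default; clients get exactly what the forwarding and rules that follow grant.
config zone
option name 'vpn'
option forward 'REJECT'
option network 'vpn0'
option input 'REJECT'
option output 'REJECT'
# vpn -> wan (masqueraded by the wan zone) so the pushed redirect-gateway works.
config forwarding
option src 'vpn'
option dest 'wan'
# Added: /etc/config/openvpn pushes DNS 192.168.2.1, i.e. the router itself,
# but the vpn zone's input policy is REJECT, so client name resolution fails
# as soon as the zone is actually enforced. Admit only DNS to the router.
config rule
option name 'Allow-VPN-DNS'
option src 'vpn'
option proto 'tcp udp'
option dest_port '53'
option target 'ACCEPT'
# Grant vpn -> lan per service with further `config rule` sections here
# (option src 'vpn', option dest 'lan', plus dest_ip / dest_port / proto as
# needed, option target 'ACCEPT'). Do NOT add `config forwarding` from vpn to
# lan: that would reopen the whole LAN and defeat the default deny.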
(/etc/firewall.user doesn't exist)
/etc/config/openvpn
# OpenVPN server instance 'myvpn' (the openvpn init script starts every
# enabled section).
config openvpn 'myvpn'
option enabled '1'
option verb '3'
# Listens on tcp/443; the matching firewall entry is the 'OpenVPN' rule
# (src wan, tcp/443) in /etc/config/firewall.
option port '443'
option proto 'tcp'
# 'tun' => the device is tun0, which /etc/config/network names vpn0 and the
# firewall places in the 'vpn' zone. Clients are addressed from 192.168.4.0/24.
option dev 'tun'
option server '192.168.4.0 255.255.255.0'
option ca '/etc/easy-rsa/keys/ca.crt'
option cert '/etc/easy-rsa/keys/server.crt'
option key '/etc/easy-rsa/keys/server.key'
# NOTE(review): 1024-bit DH parameters are below current recommendations.
# Regenerate 2048-bit (or larger) parameters with easy-rsa and point this
# option at the new file.
option dh '/etc/easy-rsa/keys/dh1024.pem'
option status '/var/log/openvpn-status.log'
# NOTE(review): no tls-auth/tls-crypt, cipher or auth option is set here, so
# the daemon's defaults apply on a port that is exposed to the WAN. Consider
# adding a tls-auth key (unauthenticated packets are dropped before the TLS
# handshake) and pinning cipher/auth explicitly.
# Pushed options: all client traffic goes through the tunnel, so the explicit
# route for 192.168.2.0/24 is redundant once redirect-gateway is in effect.
# DNS is the router itself (192.168.2.1); the vpn zone must therefore accept
# udp/tcp 53 from clients, or resolution fails once the zone's input REJECT
# is actually enforced.
list push 'redirect-gateway def1'
list push 'route 192.168.2.0 255.255.255.0'
list push 'dhcp-option DNS 192.168.2.1'
list push 'dhcp-option DOMAIN lan'
iptables-save
# Generated by iptables-save v1.4.21 on Sun Jul 17 07:06:47 2016
*nat
:PREROUTING ACCEPT [465:77685]
:INPUT ACCEPT [176:13294]
:OUTPUT ACCEPT [141:12217]
:POSTROUTING ACCEPT [10:1238]
:delegate_postrouting - [0:0]
:delegate_prerouting - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_vpn_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_vpn_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_vpn_postrouting - [0:0]
:zone_vpn_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
# Standard fw3 layout: everything is dispatched into per-zone chains by
# interface (br-lan = lan, eth0.2 = wan, tun0 = vpn). Note that tun0 is
# correctly recognised as the vpn zone here, so the zone/interface binding
# in /etc/config/firewall is fine.
-A PREROUTING -j delegate_prerouting
-A POSTROUTING -j delegate_postrouting
-A delegate_postrouting -m comment --comment "user chain for postrouting" -j postrouting_rule
-A delegate_postrouting -o br-lan -j zone_lan_postrouting
-A delegate_postrouting -o eth0.2 -j zone_wan_postrouting
-A delegate_postrouting -o tun0 -j zone_vpn_postrouting
-A delegate_prerouting -m comment --comment "user chain for prerouting" -j prerouting_rule
-A delegate_prerouting -i br-lan -j zone_lan_prerouting
-A delegate_prerouting -i eth0.2 -j zone_wan_prerouting
-A delegate_prerouting -i tun0 -j zone_vpn_prerouting
-A zone_lan_postrouting -m comment --comment "user chain for postrouting" -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "user chain for prerouting" -j prerouting_lan_rule
-A zone_vpn_postrouting -m comment --comment "user chain for postrouting" -j postrouting_vpn_rule
-A zone_vpn_prerouting -m comment --comment "user chain for prerouting" -j prerouting_vpn_rule
-A zone_wan_postrouting -m comment --comment "user chain for postrouting" -j postrouting_wan_rule
# From `option masq '1'` on the wan zone: everything leaving eth0.2 is
# masqueraded, which also covers VPN-client traffic (192.168.4.0/24) once it
# is forwarded vpn -> wan.
-A zone_wan_postrouting -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "user chain for prerouting" -j prerouting_wan_rule
COMMIT
# Completed on Sun Jul 17 07:06:47 2016
# Generated by iptables-save v1.4.21 on Sun Jul 17 07:06:47 2016
*raw
:PREROUTING ACCEPT [20320:4113870]
:OUTPUT ACCEPT [9566:2078327]
:delegate_notrack - [0:0]
# fw3's notrack hook; no zone sets `option conntrack '0'`, so the chain is empty.
-A PREROUTING -j delegate_notrack
COMMIT
# Completed on Sun Jul 17 07:06:47 2016
# Generated by iptables-save v1.4.21 on Sun Jul 17 07:06:47 2016
*mangle
:PREROUTING ACCEPT [20320:4113870]
:INPUT ACCEPT [11021:1628020]
:FORWARD ACCEPT [9200:2461063]
:OUTPUT ACCEPT [9566:2078327]
:POSTROUTING ACCEPT [18766:4539390]
:fwmark - [0:0]
:mssfix - [0:0]
-A PREROUTING -j fwmark
-A FORWARD -j mssfix
# From `option mtu_fix '1'` on the wan zone: clamp TCP MSS on SYNs leaving eth0.2.
-A mssfix -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "wan (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Sun Jul 17 07:06:47 2016
# Generated by iptables-save v1.4.21 on Sun Jul 17 07:06:47 2016
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:delegate_forward - [0:0]
:delegate_input - [0:0]
:delegate_output - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_vpn_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_vpn_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_vpn_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_dest_REJECT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_vpn_dest_REJECT - [0:0]
:zone_vpn_forward - [0:0]
:zone_vpn_input - [0:0]
:zone_vpn_output - [0:0]
:zone_vpn_src_REJECT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_DROP - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_DROP - [0:0]
# NOTE(review): the eight tun+ rules below are the answer to the question.
# They are not part of the fw3 zone layout (everything fw3 generates lives in
# the delegate_*/zone_* chains) and they sit ahead of the -j delegate_* jumps,
# so any packet entering or leaving tun0 is ACCEPTed before the vpn zone's
# REJECT policies are ever reached. That is why VPN clients reach the LAN and
# the router regardless of /etc/config/firewall. Each rule is present twice,
# which is what an `iptables -I ... tun+ -j ACCEPT` script run twice would
# leave behind; /etc/firewall.user is absent, so look for an OpenVPN up
# script, /etc/rc.local or a hotplug script. Remove those inserts and
# restart the firewall; the zone chains further down then take over.
-A INPUT -i tun+ -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A INPUT -j delegate_input
# The -o tun+ variants additionally let lan -> VPN-client traffic through,
# which no zone or forwarding in the configuration permits either.
-A FORWARD -o tun+ -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -o tun+ -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -j delegate_forward
-A OUTPUT -o tun+ -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
-A OUTPUT -j delegate_output
-A delegate_forward -m comment --comment "user chain for forwarding" -j forwarding_rule
# Replies to allowed flows are accepted here, so the vpn zone's output REJECT
# does not break connections the clients themselves initiate.
-A delegate_forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A delegate_forward -m conntrack --ctstate INVALID -j DROP
-A delegate_forward -i br-lan -j zone_lan_forward
-A delegate_forward -i eth0.2 -j zone_wan_forward
# Once the bypass rules above are gone, this is where tun0 traffic is classified.
-A delegate_forward -i tun0 -j zone_vpn_forward
-A delegate_forward -j reject
-A delegate_input -i lo -j ACCEPT
-A delegate_input -m comment --comment "user chain for input" -j input_rule
-A delegate_input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A delegate_input -m conntrack --ctstate INVALID -j DROP
-A delegate_input -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn_flood
-A delegate_input -i br-lan -j zone_lan_input
-A delegate_input -i eth0.2 -j zone_wan_input
-A delegate_input -i tun0 -j zone_vpn_input
-A delegate_output -o lo -j ACCEPT
-A delegate_output -m comment --comment "user chain for output" -j output_rule
-A delegate_output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A delegate_output -m conntrack --ctstate INVALID -j DROP
-A delegate_output -o br-lan -j zone_lan_output
-A delegate_output -o eth0.2 -j zone_wan_output
-A delegate_output -o tun0 -j zone_vpn_output
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -j RETURN
-A syn_flood -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -j ACCEPT
-A zone_lan_dest_REJECT -o br-lan -j reject
-A zone_lan_forward -m comment --comment "user chain for forwarding" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "forwarding lan -> wan" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
-A zone_lan_forward -j zone_lan_dest_REJECT
-A zone_lan_input -m comment --comment "user chain for input" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
-A zone_lan_input -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "user chain for output" -j output_lan_rule
-A zone_lan_output -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -j ACCEPT
-A zone_vpn_dest_REJECT -o tun0 -j reject
# vpn zone as configured: vpn -> wan is accepted, everything else (including
# vpn -> lan) falls through to zone_vpn_dest_REJECT, i.e. default deny. This
# is the behaviour the configuration already expresses; it is only masked by
# the tun+ rules at the top of the table.
-A zone_vpn_forward -m comment --comment "user chain for forwarding" -j forwarding_vpn_rule
-A zone_vpn_forward -m comment --comment "forwarding vpn -> wan" -j zone_wan_dest_ACCEPT
-A zone_vpn_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
-A zone_vpn_forward -j zone_vpn_dest_REJECT
# vpn -> router: only DNAT'd traffic is accepted, everything else is rejected.
# That includes the DNS server the OpenVPN config pushes (192.168.2.1:53), so
# a rule admitting udp/tcp 53 from the vpn zone is needed once the bypass
# rules are removed.
-A zone_vpn_input -m comment --comment "user chain for input" -j input_vpn_rule
-A zone_vpn_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
-A zone_vpn_input -j zone_vpn_src_REJECT
-A zone_vpn_output -m comment --comment "user chain for output" -j output_vpn_rule
-A zone_vpn_output -j zone_vpn_dest_REJECT
-A zone_vpn_src_REJECT -i tun0 -j reject
-A zone_wan_dest_ACCEPT -o eth0.2 -j ACCEPT
-A zone_wan_dest_DROP -o eth0.2 -j DROP
-A zone_wan_forward -m comment --comment "user chain for forwarding" -j forwarding_wan_rule
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
-A zone_wan_forward -j zone_wan_dest_DROP
-A zone_wan_input -m comment --comment "user chain for input" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment Allow-DHCP-Renew -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment Allow-Ping -j ACCEPT
# The only WAN-facing service: the OpenVPN listener on tcp/443.
-A zone_wan_input -p tcp -m tcp --dport 443 -m comment --comment OpenVPN -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
-A zone_wan_input -j zone_wan_src_DROP
-A zone_wan_output -m comment --comment "user chain for output" -j output_wan_rule
-A zone_wan_output -j zone_wan_dest_ACCEPT
-A zone_wan_src_DROP -i eth0.2 -j DROP
COMMIT
# Completed on Sun Jul 17 07:06:47 2016
I understand I could add iptables rules to explicitly reject traffic from the VPN to the LAN, but I'd prefer deny to be the default (as the zone configuration seems to say it should be) and I don't understand why it isn't. I'm running Chaos Calmer (15.05, r46767). Thanks in advance!
(Last edited by lucaspiller on 18 Jul 2016, 11:32)