ACLs to block OpenVPN client connections to specific VLAN

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2024-02-09 22:41:41 - last edited 2024-02-18 01:56:19
Model: ER706W  
Hardware Version: V1
Firmware Version: 1.0.3 Build 20240106 Rel.81532(4555)

Hi guys,

I don't have any more ideas about what I'm doing incorrectly or what could be done differently, so I would like to ask you for some help.

I have 3 VLANs on my ER706W router (IoT, Work, Home). This router is also hosting an OpenVPN server for software clients (Windows, Android).

I would like to block access from OpenVPN clients to the Home VLAN. Also, I'm using OC200.

I'm setting it up in the Gateway ACL section.

I've tried to do it with deny WAN IN as well as LAN to LAN, using IP Groups, a VLAN created for SoftVPN, and not including the Home network configuration in the VPN Policy's Local Networks.

Nothing really works for me, I can still access the Home VLAN from the VPN client.

The only time it worked for me was when I was using the ER706W in Standalone Mode and I was able to set the rule: Block Access to Home from !Home.

But with OC200 I don't see an option to use ! in the ACL configuration :(

How should it be configured properly? What am I missing?

Best Regards :)

#1
Re:ACLs to block OpenVPN client connections to specific VLAN
2024-02-09 23:03:19

OK, I have found out that "not including Home network configuration in VPN Policy's Local Networks" works when the configuration of the OpenVPN server is set to Split Tunneling.

Is there a possibility to achieve the same (lack of access to one VLAN from a Software VPN client) while using Full Tunneling?

#2
Re:ACLs to block OpenVPN client connections to specific VLAN
2024-02-10 04:14:29

Hi @RaRu

RaRu wrote

OK, I have found out that "not including Home network configuration in VPN Policy's Local Networks" works when the configuration of the OpenVPN server is set to Split Tunneling.

Is there a possibility to achieve the same (lack of access to one VLAN from a Software VPN client) while using Full Tunneling?

This is correct.

About the possibility in full tunneling, you might create a VLAN interface to match the OVPN pool IP, set up the ACL, and give it a try? I remember some time in the past I did something like this.

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
#3
Re:ACLs to block OpenVPN client connections to specific VLAN
2024-02-10 07:38:10

@Clive_A

Thanks for the reply.

Ye, ye. I found that post of yours and tried that as well, but without luck. That's why I got confused and made this post :)

#4
Re:ACLs to block OpenVPN client connections to specific VLAN
2024-02-10 12:12:18

@RaRu

You can choose which VLAN to have here.

#5
Re:ACLs to block OpenVPN client connections to specific VLAN
2024-02-10 12:13:36

@RaRu

You can also use SSL VPN, then you have even more choice and control.

#6
Re:ACLs to block OpenVPN client connections to specific VLAN
2024-02-10 12:32:00

@MR.S

Hi,

I have used that option in VPN settings, but with full tunneling it doesn't really work.

In full tunneling I have access to all VLANs, no matter what I set there (manually by IP/mask or network interface).

It does work properly when I switch to Split mode. Then this setting takes effect and blocks VLAN access properly.

I was thinking about SSL VPN but unfortunately I don't have the possibility to issue a certificate. Without a valid cert, end-users receive a warning message about the lack of a cert for this connection, which I would like to avoid (questions from end-users / owner of the solution).

#7
Re:ACLs to block OpenVPN client connections to specific VLAN-Solution
2024-02-14 08:55:02 - last edited 2024-02-18 01:56:05

@RaRu

RaRu wrote

@MR.S

Hi,

I have used that option in VPN settings, but with full tunneling it doesn't really work.

In full tunneling I have access to all VLANs, no matter what I set there (manually by IP/mask or network interface).

It does work properly when I switch to Split mode. Then this setting takes effect and blocks VLAN access properly.

I was thinking about SSL VPN but unfortunately I don't have the possibility to issue a certificate. Without a valid cert, end-users receive a warning message about the lack of a cert for this connection, which I would like to avoid (questions from end-users / owner of the solution).

There is a clear difference between split and full tunnel. You should get a clear idea of the difference between them.

I think what you have written so far shows that your use case is different from what the router is meant for. You want to set up the proxy, but the proxy means everything is forwarded through the VPN tunnel, which means you can access everything on the server end and use its gateway for Internet access. That's what full tunnel means.

If you have tried that, that would simply explain that the ACL is not effective on the VPN tunnel and routing.

#8
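The thread turns on two separate gates between an OpenVPN client and the Home VLAN: whether the client's routing table sends Home traffic into the tunnel at all (split vs. full tunnel, RaRu's finding in #2 and #7) and whether a gateway ACL keyed on the VPN pool subnet then drops it (Clive_A's suggestion in #3). The model below is an added illustration written for this page; it is not TP-Link, Omada or OpenVPN code. The VLAN subnets, the 10.8.0.0/24 client pool, the sample host addresses, the `(action, src_net, dst_net)` rule shape and the implicit-permit default are all constructed assumptions, and the model assumes the ACL is evaluated on decapsulated tunnel traffic, which is exactly what the accepted answer in #8 reports is not happening for full tunneling on this firmware.

```python
# Added illustration for this thread; not TP-Link/Omada/OpenVPN code.
# All subnets, VLAN names, host addresses and the ACL rule shape below
# are constructed assumptions chosen to mirror the thread's setup.
from ipaddress import ip_address, ip_network

# Assumed addressing plan: the thread's three VLANs plus the OpenVPN pool.
VLANS = {
    "Home": ip_network("192.168.10.0/24"),
    "Work": ip_network("192.168.20.0/24"),
    "IoT": ip_network("192.168.30.0/24"),
}
VPN_POOL = ip_network("10.8.0.0/24")
DEFAULT_ROUTE = ip_network("0.0.0.0/0")


def pushed_routes(mode, local_networks):
    """Routes the server pushes to a client.

    Split tunnel: only the configured Local Networks are routed into the
    tunnel. Full tunnel: a default route sends everything into it.
    """
    if mode == "full":
        return [DEFAULT_ROUTE]
    if mode == "split":
        return [VLANS[name] for name in local_networks]
    raise ValueError(f"unknown tunnel mode: {mode}")


def enters_tunnel(dst, routes):
    """True if the client's routing table sends dst into the VPN tunnel."""
    return any(ip_address(dst) in net for net in routes)


def acl_permits(rules, src, dst):
    """First-match ACL over (action, src_net, dst_net) tuples.

    Assumption: traffic matching no rule is permitted, the usual default
    for a deny-style gateway ACL.
    """
    s, d = ip_address(src), ip_address(dst)
    for action, src_net, dst_net in rules:
        if s in src_net and d in dst_net:
            return action == "permit"
    return True


def reachable_over_vpn(mode, local_networks, rules, client_ip, dst):
    """Can a VPN client at client_ip reach dst through the tunnel?

    Gate 1: the client must route dst into the tunnel at all.
    Gate 2: the gateway ACL (assumed here to see tunnel traffic) must permit it.
    """
    if not enters_tunnel(dst, pushed_routes(mode, local_networks)):
        return False
    return acl_permits(rules, client_ip, dst)


# One deny rule keyed on the pool subnet as source, Home VLAN as destination.
DENY_POOL_TO_HOME = [("deny", VPN_POOL, VLANS["Home"])]


def scenarios():
    """The situations raised in the thread, as {label: reachable}."""
    client, home_host, work_host = "10.8.0.6", "192.168.10.20", "192.168.20.20"
    return {
        # Split tunnel with Home left out of Local Networks: no route, so
        # Home traffic never enters the tunnel (RaRu's observation).
        "split_no_home_route": reachable_over_vpn(
            "split", ["Work", "IoT"], [], client, home_host),
        # Full tunnel, no ACL: the default route carries Home traffic in
        # and nothing stops it.
        "full_no_acl": reachable_over_vpn(
            "full", [], [], client, home_host),
        # Full tunnel with the pool-to-Home deny rule: only Home is cut off.
        "full_acl_home": reachable_over_vpn(
            "full", [], DENY_POOL_TO_HOME, client, home_host),
        "full_acl_work": reachable_over_vpn(
            "full", [], DENY_POOL_TO_HOME, client, work_host),
    }


if __name__ == "__main__":
    for label, ok in scenarios().items():
        print(f"{label}: {'reachable' if ok else 'blocked'}")
```

The `split_no_home_route` case is why dropping Home from Local Networks works in split mode: the block comes from the client's routing table, not from any ACL. In full-tunnel mode the default route removes that gate, so the only remaining control is a rule that matches the pool subnet as source, as in `full_acl_home`; if the gateway does not evaluate its ACL on tunnel traffic, that case behaves like `full_no_acl` in practice, which is the gap the thread describes. Whatever the configuration, the check that matters is the one RaRu ran: connect a client in the intended mode and confirm a Home host is unreachable while a Work host still is.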