Home

Forums

Stories

Knowledge Base

Business Community > Gateways > ACLs to block OpenVPN client connections to specific VLAN

< Gateways

ACLs to block OpenVPN client connections to specific VLAN

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

ACLs to block OpenVPN client connections to specific VLAN

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

RaRu

2024-02-09 22:41:41 - last edited 2024-02-18 01:56:19

Posts: 264

Helpful: 79

Solutions: 39

Stories: 0

Registered: 2024-01-28

ACLs to block OpenVPN client connections to specific VLAN

2024-02-09 22:41:41 - last edited 2024-02-18 01:56:19

Tags: #ACL #OpenVPN

Model: ER706W

Hardware Version: V1

Firmware Version: 1.0.3 Build 20240106 Rel.81532(4555)

Hi guys,

I don't have any more ideas what I'm doing incorrectly or what could be done differently so I would like to ask you for some help.

I have 3 VLANs on my ER70W router (IoT, Work, Home). This router is also hosting OpenVPN server for software clients (Windows, Android).

I would like to block access from OpenVPN clients to Home vlan. ALso I'm using OC200.

I'm setting it up in Gateway ACL section.

I've tried to do it with deny WAN IN as well as LAN to LAN . Using IP Groups, VLAN created for SoftVPN, not including Home network configuration in VPN Policy's Local Networks.

Nothing really works for me, I still can access Home VLAN from VPN client.

The only moment it worked for me, was when I was using ER706W in Standalone Mode and I was able to set rule: Block Access to Home from !Home.

But with OC200 I don't see an option to user ! in ALC configuration :(

How It should be configured properly? What I'm missing?

Best Regards :)

1 Accepted Solution

Clive_A

2024-02-14 08:55:02 - last edited 2024-02-18 01:56:05

Posts: 8362

Helpful: 4289

Solutions: 2178

Stories: 0

Registered: 2023-06-09

Re:ACLs to block OpenVPN client connections to specific VLAN-Solution

2024-02-14 08:55:02 - last edited 2024-02-18 01:56:05

@RaRu

RaRu wrote

@MR.S

Hi,

I have used that option in VPN settings, but with full tunneling it doesn't really work.

In full tunneling I have access to all VLANs, no matter what I set there (manually by IP/mask or network interface).

It does work properly when I switch to Split mode. Then this setting takes effect and block VLANs access properly.

I was thinking about SSL VPN but unfortunately I don't have a possibility to issue a certificate. Without valid cert, end-user receive a Warning Message about lack of cert for this connection, which I would like to avoid (questions from end-users / owner of the solution).

There is a clear difference in split and full tunnel. You should get a clear idea between them.

I think what you have written so far shows that your use case is different from what's meant to be for the router. You want to set up the proxy but the proxy means everything is forwarding through the VPN tunnel and which means you can access everything on the server end. And using its gateway for Internet access. That's what full tunnel means.

If you have tried that, that would simply explains the ACL is not effective to the VPN tunnel and routing.

Recommended Solution

7 Reply

RaRu

LV3

2024-02-09 23:03:19

Posts: 264

Helpful: 79

Solutions: 39

Stories: 0

Registered: 2024-01-28

Re:ACLs to block OpenVPN client connections to specific VLAN

2024-02-09 23:03:19

OK, I have found out, that "not including Home network configuration in VPN Policy's Local Networks" works when the configuration of OpenVPN server is set to Split Tunneling.

Is there a possibility to achieve the same (lack of access to one VLAN from Software VPN client) while using Full Tunneling?

Clive_A

2024-02-10 04:14:29

Posts: 8362

Helpful: 4289

Solutions: 2178

Stories: 0

Registered: 2023-06-09

Re:ACLs to block OpenVPN client connections to specific VLAN

2024-02-10 04:14:29

Hi @RaRu

RaRu wrote

OK, I have found out, that "not including Home network configuration in VPN Policy's Local Networks" works when the configuration of OpenVPN server is set to Split Tunneling.

Is there a possibility to achieve the same (lack of access to one VLAN from Software VPN client) while using Full Tunneling?

This is correct.

About the possibility in full tunneling, you might create a VLAN interface to match the OVPN pool IP, and set up the ACL and give it a try? I remember some time in the past I did something like this.

RaRu

LV3

2024-02-10 07:38:10

Posts: 264

Helpful: 79

Solutions: 39

Stories: 0

Registered: 2024-01-28

Re:ACLs to block OpenVPN client connections to specific VLAN

2024-02-10 07:38:10

@Clive_A

Thanks for reply.

Ye, ye. I found that post of yours and tried that as well but without luck. That's why I got confused and made this post :)

MR.S

LV5

2024-02-10 12:12:18

Posts: 2833

Helpful: 1012

Solutions: 398

Stories: 0

Registered: 2018-08-17

Re:ACLs to block OpenVPN client connections to specific VLAN

2024-02-10 12:12:18

@RaRu

you can choose which vlan to have here

MR.S

LV5

2024-02-10 12:13:36

Posts: 2833

Helpful: 1012

Solutions: 398

Stories: 0

Registered: 2018-08-17

Re:ACLs to block OpenVPN client connections to specific VLAN

2024-02-10 12:13:36

@RaRu

you can also use ssl vpn, then you have even more choice and control

RaRu

LV3

2024-02-10 12:32:00

Posts: 264

Helpful: 79

Solutions: 39

Stories: 0

Registered: 2024-01-28

Re:ACLs to block OpenVPN client connections to specific VLAN

2024-02-10 12:32:00

@MR.S

Hi,

I have used that option in VPN settings, but with full tunneling it doesn't really work.

In full tunneling I have access to all VLANs, no matter what I set there (manually by IP/mask or network interface).

It does work properly when I switch to Split mode. Then this setting takes effect and block VLANs access properly.

I was thinking about SSL VPN but unfortunately I don't have a possibility to issue a certificate. Without valid cert, end-user receive a Warning Message about lack of cert for this connection, which I would like to avoid (questions from end-users / owner of the solution).

Clive_A

2024-02-14 08:55:02 - last edited 2024-02-18 01:56:05

Posts: 8362

Helpful: 4289

Solutions: 2178

Stories: 0

Registered: 2023-06-09

Re:ACLs to block OpenVPN client connections to specific VLAN-Solution

2024-02-14 08:55:02 - last edited 2024-02-18 01:56:05

@RaRu

RaRu wrote

@MR.S

Hi,

I have used that option in VPN settings, but with full tunneling it doesn't really work.

In full tunneling I have access to all VLANs, no matter what I set there (manually by IP/mask or network interface).

It does work properly when I switch to Split mode. Then this setting takes effect and block VLANs access properly.

I was thinking about SSL VPN but unfortunately I don't have a possibility to issue a certificate. Without valid cert, end-user receive a Warning Message about lack of cert for this connection, which I would like to avoid (questions from end-users / owner of the solution).

There is a clear difference in split and full tunnel. You should get a clear idea between them.

If you have tried that, that would simply explains the ACL is not effective to the VPN tunnel and routing.

ACLs to block OpenVPN client connections to specific VLAN

ACLs to block OpenVPN client connections to specific VLAN

Information

Voters 0

Tags