Hi,

I did set up an OpenVPN server on my router. /etc/config/network contains the 
interface definition:

config interface 'vpn'
        option proto 'none'
        option ifname 'tun1'

In /etc/config/firewall, I have the following definitions related to vpn, lan and 
wan:

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan_6'
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'DROP'
        option masq '1'
        option mtu_fix '1'
        option conntrack '1'

config zone
        option name 'vpn'
        option network 'vpn'
        option input 'ACCEPT'
        option forward 'REJECT'
        option output 'ACCEPT'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow OpenVPN Inbound on wan'
        option src 'wan'
        option proto 'tcpudp'
        option dest_port '1194'
        option extra '-m conntrack --ctstate NEW'
        option target 'ACCEPT'

config forwarding
        option src 'vpn'
        option dest 'wan'

config rule
        option name 'Block NetBios from vpn to wan'
        option src 'vpn'
        option dest 'wan'
        list dest_port '135'
        list dest_port '137-139'
        list dest_port '445'
        list dest_port '3389'
        option proto 'tcpudp'
        option target 'DROP'

These are not the complete firewall definitions, but there is no other rule 
with the zone or network vpn.

I did not define any forwarding rule between vpn and lan. The lan IP range is 
192.168.x.x, and a client which is connected to the OpenVPN server gets an IP 
address from the range 10.8.y.y. From an OpenVPN client, I can access the web 
interface of the router via 192.168.x.1. Why is this possible?

Regards,
Hartmut
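
Added illustration (not from the post and not OpenWrt's firewall3 code): a small Python model of how the posted zone policies decide a packet's fate, showing that traffic from tun1 to one of the router's own addresses takes the INPUT path, where only the vpn zone's `input` policy counts, while the missing vpn->lan forwarding only affects the FORWARD path. The interface names, the 192.168.1.0/24 and 10.8.0.0/24 prefixes, the router addresses and the HARDENED variant are assumptions.

```python
import ipaddress

# Zone table constructed from the posted firewall config (relevant fields only).
# Interface names and concrete prefixes are assumptions: the post only says
# 192.168.x.x for lan and 10.8.y.y for the OpenVPN clients.
ZONES = {
    "lan": {"ifaces": {"br-lan"}, "net": ipaddress.ip_network("192.168.1.0/24"),
            "input": "ACCEPT", "forward": "ACCEPT"},
    "wan": {"ifaces": {"eth0"}, "net": ipaddress.ip_network("0.0.0.0/0"),
            "input": "DROP", "forward": "DROP"},
    "vpn": {"ifaces": {"tun1"}, "net": ipaddress.ip_network("10.8.0.0/24"),
            "input": "ACCEPT", "forward": "REJECT"},
}
# The two 'config forwarding' stanzas in the post: lan->wan and vpn->wan.
FORWARDINGS = {("lan", "wan"), ("vpn", "wan")}
# Addresses owned by the router itself (assumed): the lan gateway and the tun1 end.
ROUTER_ADDRS = {ipaddress.ip_address("192.168.1.1"), ipaddress.ip_address("10.8.0.1")}
# Same zones, but with the vpn zone's input policy tightened to REJECT (assumed variant).
HARDENED = {**ZONES, "vpn": {**ZONES["vpn"], "input": "REJECT"}}

def zone_of_iface(iface, zones):
    """Name of the zone whose interface list contains iface."""
    return next(name for name, z in zones.items() if iface in z["ifaces"])

def zone_of_dest(dst, zones):
    """Zone whose network contains dst; the most specific prefix wins (wan is 0/0)."""
    matches = [(z["net"].prefixlen, name) for name, z in zones.items() if dst in z["net"]]
    return max(matches)[1]

def verdict(in_iface, dst_ip, zones=ZONES, forwardings=FORWARDINGS):
    """Return (chain, verdict) for a packet arriving on in_iface for dst_ip.
    'config rule' entries (the OpenVPN-inbound and NetBIOS rules) are not
    modelled; only zone policies and forwardings are."""
    src_zone = zone_of_iface(in_iface, zones)
    dst = ipaddress.ip_address(dst_ip)
    if dst in ROUTER_ADDRS:
        # Destination is the router itself, so the packet takes the INPUT path:
        # only the source zone's 'input' policy applies; forwardings are irrelevant.
        return ("INPUT", zones[src_zone]["input"])
    dst_zone = zone_of_dest(dst, zones)
    if (src_zone, dst_zone) in forwardings:
        return ("FORWARD", "ACCEPT")
    # No explicit forwarding: fall back to the source zone's 'forward' policy.
    return ("FORWARD", zones[src_zone]["forward"])

if __name__ == "__main__":
    for dst in ("192.168.1.1", "192.168.1.10", "203.0.113.9"):
        print("tun1 ->", dst, verdict("tun1", dst), "hardened:", verdict("tun1", dst, HARDENED))
```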


_______________________________________________
Lede-dev mailing list
Lede-dev@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/lede-dev
