I'm basically trying to create a subnet for my wlan that can access the internet and nothing else, however vpn clients can access the lan via a bridged openvpn interface. Is this possible? I tried searching the forums but came up with nothing. Thanks for the anticipated help.
Date: 13 Feb 2011 21:44
I mean to do this on the same router, not use 2 different routers.
I'm not going to say it is impossible, but it does sound tricky. Generally VPN is used to connect two private networks, not to restrict access within the same network. Chances are the default vpn rules are configured to expect that, so you are probably going to have to figure out enough to do the scripting by hand…
You can definitely have two subnets. I have several subnets. I have one on 192.168.255.255 and one on 172.31.255.255. I use the two different subnets so I can allow internet connections on one and NFS connections on the other. The fact that one has no routing rules adds a small amount of security. However, I don't really have a way to prevent someone from configuring either address on the network. Which sounds like what you want.
The default rules for VPN are going to expect one end to be a WAN, which is why I say you'll probably have to manually configure it. To prevent the subnets from being able to talk to each other directly, you'll have to isolate each connection to your router so they cannot directly talk to each other. Again this should be possible with firewalls and multiple subnets. Just sounds like a royal pain in the neck; anyone with physical access will be able to bypass it simply by plugging in a switch. I've seen this type of thing done in corporations where they want to allow visitors to access the internet but not the intranet without VPN, but generally they use separate routers and switches so there is no possibility of direct communication without physical access to a locked room.
To get started try first setting up the separate subnets for each port:
Since each port is on its own subnet, they can only talk to each other if the wiring is physically modified to have a switch other than the router ports, or a routing rule is added to the router.
I would create one subnet with no ports associated with it. That would be the subnet you would want served by the VPN server. Since there are no ports, the only way to get into it is a VPN login. Presumably, since any client can log in to that subnet, they can then talk to each other on that subnet.
If need be you could modify this approach and have some ports on your "VPN" subnet. That would give you the ability to physically plug something into that subnet without a VPN login.