How to enable OpenVPN access to ONLY the internal LAN

Question

I'm trying to setup an OpenVPN connection to a company server so that anyone working from home or is out of the office can access our internal resources.

I have the VPN setup correctly, using a guide on Digital Ocean's blog (written for 16.04).

I can connect from an outside line, ping the internal servers and devices and access their resources. This works great.

However, we want to limit the connection to only internal resources. We don't want to pass through an internet connection via the OpenVPN, which isn't the typical use for a VPN (masking connection, by-passing Geoblocking or just encrypting your connection).

Is this possible? I know obviously the VPN connection needs to be able to talk to the client, but outside this I want to block all connections to the web otherwise.

The server in question is also a VM running on another machine.

Once you connect to the target machine, you have all its capabilities. You'd have to keep it from accessing the internet. — Organic Marble, May 23 '16 at 12:59
But then how do I do that without blocking OpenVPN from polling on port 1194 for a connection which comes via the internet? — MattBoothDev, May 25 '16 at 16:10
So basically it's not possible to have a VPN that is accessible remotely, but cannot connect to the internet itself? — MattBoothDev, May 25 '16 at 16:12
I am no expert, but if you use a VPN to connect to a machine that can access the internet, you can access the internet. — Organic Marble, May 25 '16 at 16:18
I use VPNs daily to access private networks... When the VPN is created you get a new interface (vpnX). Connection to the VPN also changes the routing tables so that addresses corresponding to systems in the network connected to by VPN are routed through that interface. The rest is routed normally, so the VPN client machine can access both the Internet and the private network. But the VPN setup can define a more global routing so that all traffic is routed to the VPN, thus preventing the use of Internet. — xenoid, Jun 05 '16 at 01:13

Taavi · Accepted Answer · 2016-06-04T22:37:27.180

It is possible to just access the internal resources without internet connection, i think this is actually the usual scenario for using OpenVPN. So if you followed some guide to setup OpenVPN server, there were also some steps that allowed forwarding clients traffic to the internet, you'll need to undo those steps. I think you should start with commenting this line in server.conf

push "redirect-gateway def1 bypass-dhcp"

Then pushing a DNS server for clients should be disabled by commenting out lines that look like

    push "dhcp-option DNS xxx.xxx.xxx.xxx

Ofcourse you'll need to reload OpenVpn conf after making the changes.

    sudo service openvpn reload

And then disabling packet forwarding out to the internet

    echo 0 > /proc/sys/net/ipv4/ip_forward

And to make disabling forwarding permanent you'll also have to edit

    /etc/sysctl.conf

commenting line

    net.ipv4.ip_forward=1

By now i think clients shouldn't anymore be able to access the internet through VPN.

I also needed to remove the line push "block-outside-dns" – carl verbiest Apr 24 '19 at 05:34 — carl verbiest, Apr 24 '19 at 05:34
work great for me, Windows 10 (client), Ubuntun VM (server) – Chau Giang Mar 18 '20 at 17:32 — Chau Giang, Mar 18 '20 at 17:32

score 1 · Answer 2 · answered May 14 '18 at 15:39

1

I've solved it different way on client side

Windows: You have to open VPN connection settings Then Networking > TCP/IPv4 > Properties > Advanced - Disable "Use default gateway for remote networks" option

answered May 14 '18 at 15:39

Sergey Flakon

11

I actually used this solution on a totally different scenario as well, though prior to reading this! – MattBoothDev May 14 '18 at 16:02
1

I will leave the other answer as accepted because it's quite in depth but this is valid as well. – MattBoothDev May 14 '18 at 16:03

How to enable OpenVPN access to ONLY the internal LAN

2 Answers2

Linked