Isolate OpenVPN from physical ethernet ports


I’m using an AR300M with OpenVPN to connect to a remote network. The wireless access point is of course secured, so only those with the WPA2 password can access it, and hence the VPN connection. However, I’m not always physically present with the router, meaning that if someone physically plugged into the ethernet port on the device they could access the remote network via the VPN without any authentication at all.

Is it possible to isolate the ethernet ports on the router so that (1) I can still access the set-up UI for the router if necessary but (2) it’s not possible to access the VPN by directly plugging in?



Yes, that is possible. But you have to separate the wireless and LAN into two networks.

You need to ssh to the router and edit the configuration files directly.

In /etc/config/network, add a lan1 network for wifi

config interface lan1
    option proto dhcp


In /etc/config/wireless, change network for wifi to lan1

config wifi-iface
    option network 'lan1'

In /etc/config/dhcp, enable dhcp for lan1

In /etc/config/firewall, create a new zone for lan1, and enable data forwarding from lan1 to WAN.

Sorry, there are some configurations and I cannot give you exact details before I try.


To isolate the ethernet ports on the router and still keep access to the set-up UI, you need to modify the routing table.

And the AR300M-lite only has a port used for WAN; maybe it’s more suitable for you.

Many thanks for your help.

Can I check which lan the OpenVPN network is bound to?

If I want to keep the wifi able to access OpenVPN, does that interface need to stay assigned to the existing lan network?

Then I would create a second lan (called say lan2), and assign the physical ethernet port to that and make any changes to the routing table to allow lan2 to access the UI? If I’ve understood correctly, you’re saying that lan2 would not be able to access the OpenVPN network.
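
An added example, not part of the original posts and not GL.iNet's own code: after splitting wifi and ethernet into separate firewall zones as described in the answer above, this lists the zone-to-zone forwardings in an OpenWrt-style firewall config and tests whether a given zone has an explicit forwarding to another. The sample config is constructed, and the zone name 'vpn' and device 'tun0' are hypothetical; read the real names from the router's own /etc/config/firewall.

```shell
# Constructed sample in UCI syntax; zone 'vpn' and device 'tun0' are hypothetical.
sample_firewall() {
cat <<'EOF'
config zone
    option name 'lan'
    option network 'lan'

config zone
    option name 'lan1'
    option network 'lan1'

config zone
    option name 'wan'
    option network 'wan'

config zone
    option name 'vpn'
    option device 'tun0'

config forwarding
    option src 'lan1'
    option dest 'wan'

config forwarding
    option src 'lan1'
    option dest 'vpn'
EOF
}

# Read a firewall config on stdin; print one "src dest" pair per forwarding section.
list_forwardings() {
    awk '
        function emit() { if (fwd && src != "" && dest != "") print src, dest }
        { gsub(/["\047]/, "") }                 # drop single and double quotes
        $1 == "config" { emit(); fwd = ($2 == "forwarding"); src = dest = "" }
        fwd && $1 == "option" && $2 == "src"  { src = $3 }
        fwd && $1 == "option" && $2 == "dest" { dest = $3 }
        END { emit() }
    '
}

# Succeed only if an explicit forwarding from zone $1 to zone $2 exists (config on stdin).
can_forward() {
    list_forwardings | grep -qxF "$1 $2"
}

sample_firewall | list_forwardings
```

On the router the same check reads the live file, for example `can_forward lan vpn < /etc/config/firewall`. It only covers explicit forwarding sections, so a tunnel device placed in the wan zone or a zone with a permissive forward policy has to be checked separately.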