Hi
I’m using an AR300M with OpenVPN to connect to a remote network. The wireless access point is of course secured, so only those with the WPA2 password can access it, and hence the VPN connection. However, I’m not always physically present with the router, meaning that if someone physically plugged into the ethernet port on the device they could access the remote network via the VPN without any authentication at all.
Is it possible to isolate the ethernet ports on the router so that (1) I can still access the set-up UI for the router if necessary but (2) it’s not possible to access the VPN by directly plugging in?
Thanks
Andrew
alzhao
Yes that is possible. But you have to separate the wireless and LAN into two networks.
You need to ssh to the router and edit the configuration files directly.
In /etc/config/network, add a lan1 network for wifi
config interface lan1
	option proto dhcp
In /etc/config/wireless, change network for wifi to lan1
config wifi-iface
	option network 'lan1'
In /etc/config/dhcp, enable dhcp for lan1
In /etc/config/firewall, create a new zone for lan1, and enable data forwarding from lan1 to WAN.
Sorry, there are some configurations involved and I cannot give you exact details before I try.
To isolate the ethernet ports on the router while still being able to access the set-up UI, you need to modify the routing table.
Also, the AR300M-lite only has a port used for WAN; maybe it’s more suitable for you.
Many thanks for your help.
Can I check which lan the OpenVPN network is bound to?
If I want to keep the wifi able to access OpenVPN, does that interface need to stay assigned to the existing lan network?
Then I would create a second lan (called say lan2), and assign the physical ethernet port to that and make any changes to the routing table to allow lan2 to access the UI? If I’ve understood correctly, you’re saying that lan2 would not be able to access the OpenVPN network.
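One way to check the result discussed in this thread, as an added example that is not from any of the posters or from the router's firmware: the script parses firewall config text and reports, per network, whether the router itself (and so the set-up UI) accepts its traffic and whether its zone has a forwarding to the VPN zone. The zone names (wifi, wired, vpn), the lan2 network and the tun0 device are assumptions, and the sample config is constructed.

```python
import shlex

# Constructed /etc/config/firewall sample; every zone and network name is an assumption.
SAMPLE = """
config zone
    option name 'wifi'
    option network 'lan'
    option input 'ACCEPT'
config zone
    option name 'wired'
    option network 'lan2'
    option input 'ACCEPT'
config zone
    option name 'vpn'
    option device 'tun0'
config zone
    option name 'wan'
    option network 'wan'
    option input 'REJECT'
config forwarding
    option src 'wifi'
    option dest 'vpn'
config forwarding
    option src 'wired'
    option dest 'wan'
"""

def parse_uci(text):
    """Parse UCI text into a list of (section_type, {option: [values]})."""
    sections = []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)
        if tok and tok[0] == "config":
            sections.append((tok[1], {}))
        elif len(tok) == 3 and tok[0] in ("option", "list") and sections:
            sections[-1][1].setdefault(tok[1], []).append(tok[2])
    return sections

def audit(text, vpn_zone):
    """Map each network to (router input accepted, forwarding to vpn_zone exists)."""
    sections = parse_uci(text)
    to_vpn = {o["src"][0] for k, o in sections
              if k == "forwarding" and o.get("dest") == [vpn_zone]}
    report = {}
    for o in (o for k, o in sections if k == "zone"):
        flags = (o.get("input") == ["ACCEPT"], o["name"][0] in to_vpn)
        for net in " ".join(o.get("network", [])).split():
            report[net] = flags
    return report
```

The layout asked about corresponds to the wired network reporting `(True, False)`. The check only covers firewall zones and forwardings, so routing-table changes still need to be verified separately on the device.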