peacey / split-vpn

A split tunnel VPN script for Unifi OS routers (UDM, UXG, UDR) with policy-based routing.
GNU General Public License v3.0

Firewall LAN rule into "VPN"-Network #167

Open n3roGit opened 1 year ago

n3roGit commented 1 year ago

Hi, I have a question about your super script.

I was able to get it to run without any problems. I have built a separate network on the UDM with its own VLAN ID. I set this in the config with FORCED_SOURCE_IPV4="192.168.66.0/24" as the source for my VPN. This works perfectly so far.

But now I would like to access the IPs in the network 192.168.66.0/24 with a rule from my primary network. Unfortunately this does not work as soon as the VPN is up. Do you have a tip, what I have to do here?

peacey commented 1 year ago

Hi @n3roGit,

You need to add the local subnets you want to be able to access to EXEMPT_DESTINATIONS_IPV4, or else by default everything goes out the VPN including local traffic.

Please try that and see how it goes.

Thanks!

n3roGit commented 1 year ago

@peacey Perfect, this works so far. So that I understand it correctly: the firewall rules of the UDM no longer have any function when I use your script? After the adjustment, I can now access the new VPN network. However, this now goes in both directions. I want to separate this network completely. Nothing should be able to go out, only the access to the VPN.

peacey commented 1 year ago

The UDM explicitly forwards only its interfaces to the GUI ruleset. Any additional interfaces you add in command line won't automatically use those Unifi rules. You have two options: you can either add your own custom iptables rules in command line, or you can add the VPN interface to use the Unifi rules so the GUI rules apply to the VPN too.

If you want to make the VPN use the Unifi rules, you can add this snippet to the bottom of your vpn.conf:

hooks_up() {
    # Send traffic entering, leaving, or addressed to the router via the VPN
    # interface ($DEV, set by split-vpn) through the Unifi GUI rule chains.
    iptables -A FORWARD -i $DEV -j UBIOS_LAN_IN_USER
    iptables -A FORWARD -o $DEV -j UBIOS_LAN_OUT_USER
    iptables -A INPUT -i $DEV -j UBIOS_LAN_LOCAL_USER
    ip6tables -A FORWARD -i $DEV -j UBIOS_LAN_IN_USER
    ip6tables -A FORWARD -o $DEV -j UBIOS_LAN_OUT_USER
    ip6tables -A INPUT -i $DEV -j UBIOS_LAN_LOCAL_USER
}

hooks_down() {
    # Remove the same jumps; "|| true" keeps the hook from failing if a rule is already gone.
    iptables -D FORWARD -i $DEV -j UBIOS_LAN_IN_USER || true
    iptables -D FORWARD -o $DEV -j UBIOS_LAN_OUT_USER || true
    iptables -D INPUT -i $DEV -j UBIOS_LAN_LOCAL_USER || true
    ip6tables -D FORWARD -i $DEV -j UBIOS_LAN_IN_USER || true
    ip6tables -D FORWARD -o $DEV -j UBIOS_LAN_OUT_USER || true
    ip6tables -D INPUT -i $DEV -j UBIOS_LAN_LOCAL_USER || true
}

Then you will be able to use the Unifi GUI to define rules for this VPN network. But note that the rules are only about blocking/allowing traffic. They do not define what gets forwarded or exempted from the VPN, which you need to use FORCED_* and EXEMPT_* variables for in vpn.conf.
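As an added example (not split-vpn's own code and not posted by anyone in this thread), here is the first option peacey mentions, custom iptables rules in vpn.conf hooks, written to do what n3roGit asked for: hosts on the VPN VLAN can only send new connections out through the tunnel, while the primary LAN can still reach them. It assumes the VPN VLAN is bridge br66 (192.168.66.0/24), the primary LAN is br0, and that split-vpn exports the tunnel interface as $DEV before calling hooks_up/hooks_down, as the snippet above relies on. The interface names and the chain name SPLITVPN_ISOLATE are assumptions for illustration. This replaces the hooks_up/hooks_down pair above rather than being added alongside it.

```sh
#!/bin/sh
# Added example, not part of split-vpn. Paste into vpn.conf below the FORCED_*/EXEMPT_* settings.
# Assumed interface names: br66 = VPN VLAN bridge, br0 = primary LAN bridge.

VPN_LAN_IF="br66"
CHAIN="SPLITVPN_ISOLATE"   # hypothetical chain name, chosen here for illustration

# Emit the iptables argument lists (one per line) for bringing the isolation up or
# tearing it down. Kept as a pure function so the rule set can be reviewed or tested
# without touching the live firewall.
isolation_rules() {
    action="$1"   # up | down
    dev="$2"      # tunnel interface, e.g. tun0 (split-vpn passes it as $DEV)
    case "$action" in
        up)
            echo "-N $CHAIN"
            # Replies to connections the primary LAN (or the tunnel peer) opened into the VPN VLAN
            echo "-A $CHAIN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
            # New connections from the VPN VLAN may only leave through the tunnel
            echo "-A $CHAIN -o $dev -j ACCEPT"
            # Anything else leaving the VPN VLAN (other VLANs, the WAN) is dropped
            echo "-A $CHAIN -j DROP"
            # Insert the jump at the top of FORWARD so it runs before the Unifi chains
            echo "-I FORWARD -i $VPN_LAN_IF -j $CHAIN"
            ;;
        down)
            echo "-D FORWARD -i $VPN_LAN_IF -j $CHAIN"
            echo "-F $CHAIN"
            echo "-X $CHAIN"
            ;;
        *)
            return 1
            ;;
    esac
}

# Apply each emitted line as an iptables call. "|| true" keeps a hook from aborting
# if the chain already exists (up) or was already removed (down).
apply_rules() {
    isolation_rules "$1" "$2" | while IFS= read -r args; do
        # shellcheck disable=SC2086  # word splitting of $args is intended here
        iptables $args || true
    done
}

hooks_up()   { apply_rules up   "$DEV"; }
hooks_down() { apply_rules down "$DEV"; }
```

Two things to keep in mind with this approach. The chain only exists while the tunnel is up, because hooks_down removes it; if the VPN VLAN must never reach the WAN even when the tunnel is down, keep the DROP rules in place permanently (for example in a boot script) and only toggle the `-o $dev ACCEPT` line from the hooks. And these rules cover FORWARD only, so access from the VPN VLAN to the router itself (DHCP, DNS, the GUI) is still governed by the INPUT chain and the Unifi rules; mirror the same lines with ip6tables if the VLAN carries IPv6.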