Multiple OpenVPN Connections to different VLANs possible?


I’m looking for a new router and I’m very impressed by the Turris Omnia - so I’m going to buy one :slight_smile:. There is only one thing I would ask the community:
I saw that using Foris you can easily activate an OpenVPN server, which is great. Is there (maybe by using LuCI) also the possibility to configure the router so that one OpenVPN connection routes to VLAN1 and another OpenVPN connection gets routed to VLAN2, so that I could give some people access to a part of my network and have my own access to the whole rest of my network?



In principle, it is possible to set up an Omnia like you describe. BUT this configuration is not covered by Foris nor by LuCI. I’d call this an advanced network setup, which you’d need to set up manually. Turris OS is based on OpenWRT, so information you find on the internet covering a setup like you describe should also cover Turris Omnia (though there may still be some incompatibilities).

I’d also like to add that it is possible to give static IPs to OpenVPN clients (not covered by Foris or LuCI), so you could omit splitting up your network into VLANs while still defining access to your local network for specific devices by using simple firewall rules.

Hi and thank you for your reply!

Oh, you’re right, so maybe I have an error in my concept: my idea is to give some external persons access to one network device in my network; they should not have access to the whole network. As a second “problem”, I can’t say with 100% certainty that this device is safe from an IT security point of view (like other IoT devices are). Therefore that device should not be accessible from the net (as in a normal DMZ, hence my idea with OpenVPN), nor should it be able to access the devices in my network.
That said, I would also like to access my whole network by using a second OpenVPN connection.

So maybe the VLAN idea isn’t ideal and I should just block access from that device (connected to one LAN port) to the others, and give one OpenVPN connection access to exactly that device’s IP?

Do you think something like that is a better concept for this problem?


I was trying to figure out basically the same thing and I came up with a solution, which I’ve summarized into a guide.

Although I’m no expert in this and it was more trial and error, it seems to be working all right so far. Happy to hear some feedback.

The VLAN idea is completely fine for what you want to do.

You need five firewall zones: WAN, LAN, DMZ, VPN1 (access to the single device), VPN2 (access to the whole LAN).

Allow connections from LAN to WAN, LAN to DMZ (if needed), and optionally LAN to VPN2. Allow access from VPN1 to DMZ.
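The zone layout described in the post above, written out as OpenWrt UCI fragments for `/etc/config/firewall` and `/etc/config/openvpn`. This is an added example, not the poster's guide and not configuration that Turris OS or Foris generates; the `dmz` interface name, the `tun1`/`tun2` device names, the subnets and the port numbers are assumptions. The key points are that each OpenVPN instance is pinned to its own tun device so the firewall can put it in its own zone, that the DMZ zone has no forwarding to LAN (and none to WAN unless you add it), and that each VPN only pushes a route to the subnet it is allowed to reach.

```uci
# /etc/config/openvpn (fragment) - two separate server instances.
# Fixed dev names are required so the firewall zones below can match them.
config openvpn 'vpn1'
    option enabled '1'
    option dev 'tun1'                  # assumed device name
    option port '1194'
    option proto 'udp'
    option server '10.8.1.0 255.255.255.0'   # assumed VPN1 client subnet
    list push 'route 192.168.20.0 255.255.255.0'   # only the DMZ VLAN (assumed subnet)
    # ca/cert/key/dh options as generated for your setup go here

config openvpn 'vpn2'
    option enabled '1'
    option dev 'tun2'                  # assumed device name
    option port '1195'
    option proto 'udp'
    option server '10.8.2.0 255.255.255.0'   # assumed VPN2 client subnet
    list push 'route 192.168.1.0 255.255.255.0'    # whole LAN (assumed subnet)
    list push 'route 192.168.20.0 255.255.255.0'   # and the DMZ
    # ca/cert/key/dh options as generated for your setup go here

# /etc/config/firewall (fragment) - five zones, default deny between them.
config defaults
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'wan'
    list network 'wan'
    list network 'wan6'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'

config zone
    option name 'dmz'
    list network 'dmz'                 # assumed VLAN interface holding the untrusted device
    option input 'REJECT'              # device may not talk to the router except as allowed below
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'vpn1'
    list device 'tun1'                 # restricted VPN: single device only
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'vpn2'
    list device 'tun2'                 # full-access VPN
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

# Forwardings from the post: LAN -> WAN, LAN -> DMZ, VPN1 -> DMZ, VPN2 -> LAN (+DMZ).
# Deliberately absent: anything from dmz, so the device reaches neither LAN nor WAN.
config forwarding
    option src 'lan'
    option dest 'wan'

config forwarding
    option src 'lan'
    option dest 'dmz'

config forwarding
    option src 'vpn1'
    option dest 'dmz'

config forwarding
    option src 'vpn2'
    option dest 'lan'

config forwarding
    option src 'vpn2'
    option dest 'dmz'

# The DMZ device still needs DHCP and DNS from the router (UDP only here).
config rule
    option name 'Allow-DMZ-DHCP-DNS'
    option src 'dmz'
    option dest_port '53 67'
    option proto 'udp'
    option target 'ACCEPT'

# Open the two OpenVPN listeners on WAN; nothing else is reachable from outside.
config rule
    option name 'Allow-OpenVPN-1'
    option src 'wan'
    option dest_port '1194'
    option proto 'udp'
    option target 'ACCEPT'

config rule
    option name 'Allow-OpenVPN-2'
    option src 'wan'
    option dest_port '1195'
    option proto 'udp'
    option target 'ACCEPT'
```

After `/etc/init.d/firewall restart` and `/etc/init.d/openvpn restart`, check the result from a VPN1 client: it should reach the DMZ device but get no route to the LAN subnet at all, and from the DMZ device itself neither the LAN nor the internet should be reachable. If the device does need internet access, add a single `forwarding` from `dmz` to `wan`; that is the only change, and the DMZ still cannot reach the LAN. The optional LAN -> VPN2 forwarding from the post is omitted here; add it if machines on the LAN need to initiate connections to VPN2 clients.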

I am doing a similar setup but in reverse - the router is the VPN client, connecting to multiple servers, with different VLANs on different VPNs.