Maybe you want to access your home LAN while out, but you don't want your kid's phone to access your LAN. If he loses that phone and it isn't passworded, someone could (theoretically) find the phone, pull the certificate off, access your VPN, and then access files on your home LAN.
In this case, you'd like most users' traffic to be permitted to travel through the router on its way to the internet, but not to travel to your LAN; you want the same for traffic from your laptop, but you also want that traffic to be able to reach your LAN devices. Maybe your kid needs to work on his homework on his PC when you're at Grandma's, and you want to remote control his PC from your laptop using VNC.
I'm going to describe how to do this on an ASUS router running OpenVPN with 'Merlin' firmware. Merlin has some special capabilities which make this easier. Doing this on a Pi is similar, but some of the interfaces will have different names.
Let's begin by blocking access to your LAN for all VPN users. Executing this command on your server will block access to the LAN:
iptables --insert FORWARD --in-interface tun21 --out-interface br0 -s 10.0.0.0/8 -d 192.168.0.0/16 -j DROP
To make this permanent, add the iptables command to a file on the router named /jffs/scripts/firewall-start.
When you ran build-key, you ran a command line like:
The name you supplied becomes the X509 Common Name (CN) in your key. In this case, the common name will be "user-key03". Conveniently, when you look in ~/Packages/easy-rsa/keys_xxxxx, you'll see a file with a name like 'user-key-3.crt'. The file name of your certificate (less the ".crt") matches the CN inside the file.
On the router:
mkdir /jffs/configs/openvpn/ccd1/ mkdir /jffs/configs/openvpn/ccd2/
Create a file on the router in the ccd1 directory named "user-key-3" (or whatever Dad's CN is). In this file put something like:
ifconfig-push 10.8.0.50 255.255.255.0
That will assign Dad's laptop the IP address 10.8.0.50. When a client connects, OpenVPN matches the common name against files in the per-client config directory. If it finds a match, it loads that file as an extension of the OpenVPN file for the current client. Our command pushes the IP address to the client.
Now edit /jffs/scripts/firewall-start and make it look like this: iptables --insert FORWARD --in-interface tun21 --out-interface br0 -s 10.0.0.0/8 -d 192.168.0.0/16 -j DROP iptables --insert FORWARD --in-interface tun21 --out-interface br0 -s 10.8.0.50 -d 192.168.0.0/16 -j ACCEPT
(You need the lines in that sequence because each one adds a rule to the top of the file, and you need your ACCEPT to override your DROP.)
At this point, you should restart your router and confirm that these rules are in place via: "iptables -L FORWARD -v". Then test it with Dad's certificate and with someone else's certificate.
You really ought to ensure that no one else can get Dad's address. To do that, the end you need to accomplish is:
I can think of one way to accomplish this:
It looks like you can assign static IP with an 'ifconfig-pool-persist' option, instead of per-client config (if the only per-client config you're doing is to set static IP). However, I've read of people having trouble getting it to work and, as I read things, the server can update this file, which would be a bad idea for your VPN security if it surprises you with an update.