Restrict VPN clients on Lan

Discussion in 'Tomato Firmware' started by oneglory, Sep 25, 2018.

  1. oneglory

    oneglory New Member Member


    I have a workstation at home that I use for work related activities. When I'm at home I just use RDP and it's great, but when I'm at work or anywhere else I'm forced to use Teamviewer which, because I need to transfer files a lot, isn't ideal. Recently, my co-workers on my team need access to this workstation as well. I have a R7000 with Advanced Tomato and a VPN setup and it's working fine for myself however, I don't want the VPN client's roaming around the rest of my LAN inhibited.

    Is there a way to restrict the VPN clients on TUN to a single destination IP (workstation)? I can't find anything that's like what I need here or else where on the internet, I'm an IPtables amateur.

    Any help would be appreciated!
  2. Sean B.

    Sean B. Network Guru Member

    Assign the VPN to a different subnet than your home LAN ( IE: home LAN = , VPN = ). Then add two iptables rules, one allowing access to the single workstation and another denying access to everything else in Administration->Scripts firewall tab in the GUI. For example, if the workstation IP is

    iptables -t filter -I FORWARD 1 -s -d -j ACCEPT
    iptables -t filter -I FORWARD 2 -s -d -j DROP
    Keep in mind, you still need to secure the workstation. As in configure user permissions and access appropriately, otherwise your coworkers could simply use the workstation itself to access other clients on your LAN, as there would be no way to tell who's controlling that workstation from a network standpoint.
  3. rs232

    rs232 Network Guru Member

    I assume you're talking about OpenVPN. If so specify your LAN IPs as source/destination into the Routing Policy tab.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice