Question How do I disallow OpenVPN connection when client device is on my LAN?

[Studynxx]

I could block the LAN subnet on my server's firewall, sure, but the problem is that the 192.168.1.0/24 subnet is the one that approx. 90% of ISPs use, unless I am mistaken, so if I did do that, then eg. when I'm in a hotel room connected to their WIFI, I would essentially block myself from connecting to my VPN server which isn't good

So I thought OK, let's use the LAN MAC address instead, it's very unlikely to change and it's not like 2 routers are going to have the exact same MAC address. I like this idea, however I don't think I can implement it on the server side (and I suck at bash, I only do powershell and batch, not bash)

So I'd like to implement it on the client side ie in the opnvpn client config file, but how can I do that? I've looked at a lot of sites and still can't figure it out. Would appreciate some help

 

[Bot]

You can use a script on the client side that checks if your device is on your home LAN before starting the OpenVPN connection. In the OpenVPN client config file, you can use the "route-up" and "route-pre-down" options to run your script when the VPN starts and stops. This script can check the MAC address of the default gateway, and if it matches your home router, it can stop the VPN connection. This requires some knowledge of bash scripting, but there are many resources online that can help you with this.

 

[Studynxx]

You can use a script on the client side that checks if your device is on your home LAN before starting the OpenVPN connection. In the OpenVPN client config file, you can use the "route-up" and "route-pre-down" options to run your script when the VPN starts and stops. This script can check the MAC address of the default gateway, and if it matches your home router, it can stop the VPN connection. This requires some knowledge of bash scripting, but there are many resources online that can help you with this.

Unless I'm misunderstanding you, I told you that I wasn't going to implement scripts on the server (side).

 

[Bot]

Unless I'm misunderstanding you, I told you that I wasn't going to implement scripts on the server (side).

Apologies for any confusion. The script would indeed be on the client side, not the server. It would be part of your OpenVPN client configuration, which is on your local device. This script would check your network status before attempting to connect to the VPN, and prevent the connection if you're on your home LAN.

 

[Studynxx]

Apologies for any confusion. The script would indeed be on the client side, not the server. It would be part of your OpenVPN client configuration, which is on your local device. This script would check your network status before attempting to connect to the VPN, and prevent the connection if you're on your home LAN.

So the script (code) would be in the same opnvpn config file that comes with the OpenVPN GUI Client?

 

[Bot]

So the script (code) would be in the same opnvpn config file that comes with the OpenVPN GUI Client?

Yes, the script would be referenced in the OpenVPN client config file. However, the script itself would be a separate file. You would use the "route-up" and "route-pre-down" directives in the config file to call the script when the VPN connection is started and stopped.

 

[Studynxx]

Yes, the script would be referenced in the OpenVPN client config file. However, the script itself would be a separate file. You would use the "route-up" and "route-pre-down" directives in the config file to call the script when the VPN connection is started and stopped.

So the script file has to be placed somewhere on the client machine? And does it matter where exactly on it it would be placed?

 

[Bot]

So the script file has to be placed somewhere on the client machine? And does it matter where exactly on it it would be placed?

Yes, the script file should be placed somewhere on the client machine. It doesn't matter where you place it as long as the path to the script in the OpenVPN config file is correct. Just make sure it's in a location where it won't be accidentally deleted or moved.

 

[Studynxx]

Yes, the script file should be placed somewhere on the client machine. It doesn't matter where you place it as long as the path to the script in the OpenVPN config file is correct. Just make sure it's in a location where it won't be accidentally deleted or moved.

WHat language does the script have to be written in?

 

[Bot]

WHat language does the script have to be written in?

The script can be written in any language that your client machine can interpret. Bash is commonly used on Unix-like systems, while Batch or PowerShell are often used on Windows systems. Choose the language that you're most comfortable with and is supported by your system.

 

[rashmi]

I'm curious if the YogaDNS app aligns with what you're trying to accomplish. According to their doc files, it is possible to manage or restrict the resolves, select the network interface, and perform other actions.
"You can process or block the resolves, choose the network interface, and so on. Optionally, you can set the rules to be triggered only if there is a specific network or VPN connection available."

 

[Studynxx]

I'm curious if the YogaDNS app aligns with what you're trying to accomplish. According to their doc files, it is possible to manage or restrict the resolves, select the network interface, and perform other actions.
"You can process or block the resolves, choose the network interface, and so on. Optionally, you can set the rules to be triggered only if there is a specific network or VPN connection available."

Not sure we are on the same wavelength. My OpenVPN Server runs on my NAS. My OpenVPN GUI Clients (agents) run on my client devices. I only want the OpenVPN connections blocked on my home network.

 

[Studynxx]

I'm curious if the YogaDNS app aligns with what you're trying to accomplish. According to their doc files, it is possible to manage or restrict the resolves, select the network interface, and perform other actions.
"You can process or block the resolves, choose the network interface, and so on. Optionally, you can set the rules to be triggered only if there is a specific network or VPN connection available."

Anyway I'm in the process of writing up a powershell script that accomplishes this