@Aadrem said in 🔒 OpenVPN: Allow Internet via WAN IP but Block LAN Access (Hybrid Split/Full Tunnel):
push "route 0.0.0.0 128.0.0.0";
push "route 128.0.0.0 128.0.0.0";
This is the same as checking "redirect gateway".
This setup behaves like a split tunnel, so the client continues using its local internet connection.
No, it adds routes to the client for the whole IPv4 range. This is not split tunneling.
The client will only be able to access devices within its local subnet, but any other traffic will be routed over the VPN, and this is what you need in fact.
I already have other VPNs configured as full tunnel, so I cannot apply restrictive firewall rules globally, as that might affect those existing VPNs.
You can restrict the rule for pass traffic to WAN / block local subnets to the clients source IP.
You can also assign an interface to the respective OpenVPN server. Then you get a firewall rule tab, where you can add rules for this instance only.
If you only want to allow internet access, it's good advice to create an alias which includes all private network ranges like this:
[screenshot of the alias]
Then you can use it as destination in firewall rules, either in a pass rule with "invert match" checked to restrict the rule to non-private networks only, or in a block rule followed by an allow-any rule.
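As an added illustration of the two rule layouts described in this reply (example code, not something posted in the thread): a small Python model of pfSense-style first-match rule evaluation against a private-networks alias, plus a check that the two pushed /1 routes together cover all of IPv4. The tunnel network 10.8.0.0/24 and the RFC 1918 contents of the alias are assumptions.

```python
import ipaddress

# Assumed alias contents: the RFC 1918 ranges (the real alias may hold more).
PRIVATE_NETWORKS = [ipaddress.ip_network(n)
                    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# The two routes pushed by the quoted server directives.
PUSHED_ROUTES = [ipaddress.ip_network("0.0.0.0/1"), ipaddress.ip_network("128.0.0.0/1")]

# Assumed OpenVPN tunnel network the clients get addresses from.
CLIENTS = ipaddress.ip_network("10.8.0.0/24")


def routes_cover_all_ipv4(routes):
    """True when the routes merge into 0.0.0.0/0, i.e. the same as redirect-gateway."""
    merged = list(ipaddress.collapse_addresses(routes))
    return merged == [ipaddress.ip_network("0.0.0.0/0")]


def in_alias(addr, alias):
    return any(addr in net for net in alias)


def evaluate(rules, src, dst):
    """First-match evaluation; a rule is (action, src_net, dst_alias or None, invert_dst).
    No match falls through to the default deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_alias, invert in rules:
        if src not in src_net:
            continue
        dst_hit = True if dst_alias is None else in_alias(dst, dst_alias)
        if invert:
            dst_hit = not dst_hit
        if dst_hit:
            return action
    return "block"


# Variant 1: a single pass rule with the alias as destination and "invert match" checked.
RULES_INVERT = [("pass", CLIENTS, PRIVATE_NETWORKS, True)]

# Variant 2: block rule to the alias, followed by an allow-any rule.
RULES_BLOCK_THEN_ALLOW = [("block", CLIENTS, PRIVATE_NETWORKS, False),
                          ("pass", CLIENTS, None, False)]

if __name__ == "__main__":
    print("routes equal redirect-gateway:", routes_cover_all_ipv4(PUSHED_ROUTES))
    for rules in (RULES_INVERT, RULES_BLOCK_THEN_ALLOW):
        print(evaluate(rules, "10.8.0.2", "8.8.8.8"), evaluate(rules, "10.8.0.2", "192.168.1.10"))
```

Both variants pass a client's traffic to public addresses and block it to anything inside the alias, so pick whichever reads better in the interface rule tab.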