How to block mobile openvpn connection when already connected to local network

M0L50N · Sep 7, 2021, 9:09 PM

Hi,

I need to know if there's a way to avoid a user to connect to mobile openvpn client when his laptop is already connected to our LAN in the office? That cause me some double entries in my DNS server and other network problem.

Thanks for any suggestions!

JKnott · Sep 7, 2021, 9:23 PM

@m0l50n

Perhaps you could create a rule that blocks OpenVPN from connecting from the local LAN.

M0L50N · Sep 8, 2021, 8:46 PM

@jknott :) simple like that. I dont know why I didn't think about that! I was searching an option in openVPN!! :)

Thanks!

akuma1x · Sep 8, 2021, 8:46 PM

@m0l50n said in How to block mobile openvpn connection when already connected to local network:

@jknott :) simple like that. I dont know why I didn't think about that! I was searching an option in openVPN!! :)

Thanks!

So, did it work? I would like to setup something similar to what you're trying to do. I've got mobile (laptop) users that do the same thing, while in the office on the trusted wireless LAN network... :(

JKnott · Sep 8, 2021, 9:24 PM

@akuma1x

Does it connect automagically? In both Linux and Windows, I have to manually enable the VPN. Regardless, it should be easy enough for you to try.

akuma1x · Sep 9, 2021, 3:42 PM

@jknott No, not automatically. The laptop machines have an OpenVPN program that launches at startup, the user has to manually click the "connect" button. From being out of the office for a year, some of them are still thinking that they have to click the button, even while they are physically sitting at their desk in the office.

Rico · Sep 9, 2021, 4:26 PM

I feel you, IT support would be so nice without the Users...doing weird things all day long you could never think about. ;-)
A firewall rule to block traffic hitting your OpenVPN server from the LAN interface works just fine here.

-Rico

JKnott · Sep 9, 2021, 6:04 PM

@akuma1x

At work, a couple of years ago, I came across something similar. For some reason, several people thought they had to connect to the guest WiFi, instead of the regular WiFi and then VPN in. This was before the pandemic though.

M0L50N · Sep 10, 2021, 5:01 PM

Effectively, in It support we always have to use imagination for different solution for the dumbest users! :)

I've didn't implement and test the solution, but I'm sur it will works!!!

Thanks all and have a good day!