this post was submitted on 22 Oct 2024
2 points (66.7% liked)
networking
2824 readers
2 users here now
Community for discussing enterprise networks and the ensuing chaos that comes after inheriting or building one.
founded 1 year ago
At the very least you will need to allow it to route VPN traffic on that port, otherwise your VPN connection won't work and/or won't be re-established.
I want it to drop all connections if it is not on the vpn.
It can never be on the VPN if the outer, encrypted VPN packets are not allowed on the connection. I mention it because it is one of the more complex bits to handle about your requirement, depending on if you always connect to the same IP via VPN or need to connect to a dynamic peer, possibly one you need to look up via DNS first.
The router will need to look up the IP address of the vpn server using DNS. None of the other clients on the LAN should be doing that. Point is I only want the other client devices to have access to the outside world if the VPN is connected. If it is somehow disconnected, I don’t want those other LAN client devices to access the internet.
Ah, so you don't care about software running locally on the router being able to access things without the VPN but do care if routed traffic does? You might also want to consider if the router offers services like a caching DNS server, an HTTP or SOCKS proxy, ... that might look like local traffic to the network layer because a local process initiates connections at the instruction of some other system.
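One way to express the requirement discussed in this thread (LAN clients may only leave through the tunnel, while the router itself is allowed the outer VPN packets and a pinned DNS lookup of the VPN server) is an nftables "kill switch" ruleset. The script below is an added example written for this comment, not code from any poster or from a specific router firmware; the interface names (br-lan, eth0, wg0), the VPN server and resolver addresses (constructed TEST-NET placeholders), and the protocol/port are assumptions set as overridable environment variables.

```shell
#!/bin/sh
# Added example, not from the thread: generate and (optionally) apply an
# nftables kill switch so LAN clients can only reach the internet via the VPN.
# All names and addresses below are assumptions; override them via environment.
LAN_IF="${LAN_IF:-br-lan}"                  # assumed LAN bridge interface
WAN_IF="${WAN_IF:-eth0}"                    # assumed upstream interface
VPN_IF="${VPN_IF:-wg0}"                     # assumed tunnel interface
VPN_SERVER="${VPN_SERVER:-203.0.113.10}"    # constructed placeholder (TEST-NET-3), IPv4
VPN_PROTO="${VPN_PROTO:-udp}"               # outer tunnel transport
VPN_PORT="${VPN_PORT:-51820}"               # outer tunnel port
RESOLVER="${RESOLVER:-198.51.100.53}"       # constructed placeholder resolver (TEST-NET-2)

# Emit the ruleset. Forwarded traffic (LAN clients) is dropped unless it leaves
# via the tunnel; router-originated traffic is dropped unless it is the tunnel
# itself, the DNS lookup needed to find the tunnel peer, or the WAN DHCP lease.
gen_killswitch_rules() {
  cat <<EOF
table inet vpn_killswitch {
  chain forward {
    type filter hook forward priority 0; policy drop;
    # LAN clients may never reach the WAN interface directly, tunnel up or down.
    # This sits before the conntrack accept so a re-routed flow cannot slip out.
    iifname "$LAN_IF" oifname "$WAN_IF" drop
    ct state established,related accept
    # the only way out for LAN clients is the tunnel interface
    iifname "$LAN_IF" oifname "$VPN_IF" accept
  }
  chain output {
    type filter hook output priority 0; policy drop;
    oifname "lo" accept
    ct state established,related accept
    # anything the router sends into the tunnel is fine
    oifname "$VPN_IF" accept
    # the outer, encrypted tunnel packets to the VPN peer
    oifname "$WAN_IF" ip daddr $VPN_SERVER $VPN_PROTO dport $VPN_PORT accept
    # the router's own lookup of the VPN server name, pinned to one resolver
    oifname "$WAN_IF" ip daddr $RESOLVER udp dport 53 accept
    # keep the WAN DHCP lease renewable
    oifname "$WAN_IF" udp sport 68 udp dport 67 accept
  }
}
EOF
}

# Audit helper: how many rules let the router itself send to the WAN interface.
# Each one is a potential bypass of the tunnel, so the list should stay short.
count_wan_accepts() {
  gen_killswitch_rules | grep -c "oifname \"$WAN_IF\".* accept"
}

# Load the ruleset atomically (requires root and nftables on the router).
apply_killswitch_rules() {
  gen_killswitch_rules | nft -f -
}

if [ "${1:-}" = "apply" ]; then
  apply_killswitch_rules
fi
```

Run `sh killswitch.sh` to print the ruleset for review, or `sh killswitch.sh apply` on the router to load it. The output chain is what addresses the point about local services: a caching DNS server or proxy running on the router originates its own packets, and with `policy drop` those can only leave through the tunnel interface or via the two explicitly pinned exceptions. The resolver exception is itself a narrow channel out of the tunnel, so it is limited to one address and UDP/53; if the VPN peer is a fixed IP rather than a name, that rule can be deleted.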