lambrusco

ANSWERED Leak prevention in a dual router setup


I'm new to AirVPN and have been setting up a dual router configuration with a recently-acquired TomatoUSB router. Here's what I've done so far:

 

I have an old Netgear router that interfaces to my ISP over ADSL2. This gives me my "open" subnet (192.168.0.xxx) where my non-sensitive traffic originates. Let's call this router 1.

I have just installed a new Linksys router with TomatoUSB (v1.28) which is going to run my OpenVPN client. Let's call this router 2.

The WAN port of router 2 connects to a LAN port of router 1 and is allocated a static IP address on this subnet (say 192.168.0.2).

The LAN ports of router 2 of course give me my "closed" subnet (192.168.1.xxx) where my sensitive traffic originates.

Without the OpenVPN client running on router 2, any computer on the closed subnet has full access to the Internet via router 1 and my public IP address on this subnet is the one provided to me by my ISP.

I have configured the OpenVPN client on router 2 as per the instructions given on the Enter page of this site.

The VPN starts up fine, my connection shows up on the AirVPN Client pages and my public IP address on the closed subnet is the one mapped to me by AirVPN.

All good so far ... but this is where it starts to get interesting.

 

I want to lock down my closed subnet so that there is no leakage if (or rather when) the VPN disconnects (which it seems to do quite often).

I have therefore configured two outgoing firewall rules in router 1: the first *allows* UDP connections on port 443 from router 2 (192.168.0.2) to the AirVPN server of my choice (as defined in the OpenVPN configuration); and the second *blocks* all other outgoing traffic from router 2.

These rules are designed to allow the tunnel to pass through router 1 but deny all other traffic from router 2.

With these firewall rules in place, the VPN tunnel appears to carry on working without any problem.

However, if the VPN disconnects, it will not restart.

The only way that I can get the VPN to restart is to disable the above blocking rule.

Once I do that, the VPN restarts immediately and becomes operational.

Once it is operational, I can re-enable the blocking rule and the VPN carries on regardless.

 

It therefore appears to me that establishing the VPN requires the OpenVPN client to make a connection other than the tunnel connection defined in the OpenVPN configuration and it is this connection that my rule is blocking and hence preventing the VPN from starting.

 

Can anyone tell me:

1. Is my analysis of the situation correct? And if so,

2. What are the details of this other connection so that I may add another *allow* rule to my firewall to let this connection proceed?

 

Any help would be much appreciated.

 

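The post puts the lock-down rules on router 1, which the poster cannot script. The same policy can be expressed on router 2 itself, where TomatoUSB runs iptables and accepts a firewall script. The block below is an added example and is not code from the thread or from AirVPN; it assumes Tomato's usual interface names (LAN bridge br0, WAN interface vlan2, first OpenVPN client on tun11), a UDP tunnel on port 443 as in the post, and a VPN server given as an IP address (203.0.113.10 is a constructed placeholder). It emits the rules as text so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Leak prevention for the "closed" subnet behind router 2 (TomatoUSB).
# Assumed names: LAN bridge br0, WAN vlan2, OpenVPN client on tun11.
LAN_IF="br0"
WAN_IF="vlan2"
TUN_IF="tun11"
VPN_PORT="443"      # UDP port of the tunnel, as in the post

# Print the rule set for a given server IP (one iptables command per line).
# RETURN (not ACCEPT) hands matching packets back to Tomato's own chains,
# so its existing NAT and accept rules still apply; only the leak is DROPped.
build_rules() {
    server_ip="$1"
    cat <<EOF
iptables -N VPNLEAK
iptables -I FORWARD -i ${LAN_IF} -j VPNLEAK
iptables -A VPNLEAK -o ${TUN_IF} -j RETURN
iptables -A VPNLEAK -o ${WAN_IF} -j DROP
iptables -N VPNOUT
iptables -I OUTPUT -o ${WAN_IF} -j VPNOUT
iptables -A VPNOUT -p udp -d ${server_ip} --dport ${VPN_PORT} -j RETURN
iptables -A VPNOUT -m state --state ESTABLISHED,RELATED -j RETURN
iptables -A VPNOUT -j DROP
EOF
}

# Count how many DROP rules the policy contains (useful as a self-check).
count_drops() {
    build_rules "$1" | grep -c -- '-j DROP'
}

# Apply the rules on the router (run from Tomato's firewall script).
apply_rules() {
    build_rules "$1" | sh
}

# Stand-alone usage: print the rules for the server IP given as $1.
if [ -n "$1" ]; then
    build_rules "$1"
fi
```

The first chain (VPNLEAK) stops closed-subnet hosts from being forwarded straight out of the WAN when tun11 is down, which is the leak the post is worried about. The second chain (VPNOUT) restricts the router's own traffic to the tunnel packets, mirroring the two rules the poster configured on router 1. One caveat a reviewer would raise: if the OpenVPN configuration names the server by hostname rather than IP, the router must be able to resolve it before the tunnel exists, so a UDP/TCP 53 allow to the chosen resolver would need to be added ahead of the final DROP in VPNOUT; that is an assumption about this setup, not something the thread confirms.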

Well, since I wrote this note, my VPN has disconnected and reconnected several times without issues, and that's with the blocking rule in place.

So I don't know what the problem was, but I don't seem to have it anymore, so I'm happy.

 

Av3ngeme, I'm fairly new to this, but I'm learning fast, so if you think I may be able to help you out, PM me.

My biggest drama and subsequent success was forwarding a port through the VPN.

The story of that is told in this thread: https://airvpn.org/topic/14134-port-forwarding-through-vpn-on-router/

 

Regards to you all.
