Separate Firewall zones for multiple OpenVPN client connections in RutOS

I have a new RUTX50 (firmware RUTX_R_00.07.07.3) with multiple OpenVPN connections as client (tun interfaces). How can I separate these to create different Firewall rules for each? I have created separate LAN interfaces for each. For example:
A - [vpn2home] gets IP 172.22.0.6 - full tunnel, LAN interface [lan2home]. I would like to route all traffic for users through this VPN to the remote server network.
B - [vpn2work] gets IP 172.22.0.101 - split tunnel, LAN interface [lan2work]. I would like to route only remote server network traffic through the VPN tunnel, AND allow remote users to access the RUTX admin console and SSH.
C - [vpn2fam] gets IP 172.21.0.3 - split tunnel, LAN interface [lan2fam]. I would like to route only remote server network traffic through the VPN tunnel and BLOCK remote user access to RUTX admin console and SSH.

I see tun_c_vpn2home, tun_c_vpn2work, and tun_c_vpn2fam are created when the connections are established, but when specifying a Firewall Zone only [openvpn] is available as a zone, and it aggregates all the tun interfaces. How can I separate these? Create a bridge for each? Define as a device in /etc/config/network?

I am using client-config-dir files on the remote servers, and have the ability to change settings on all openvpn client and server devices.

Thank you in advance.

I forgot to mention, I’m setting the following VLANs for each respective LAN:
A - [vpn2home] 10.10.10.0/24
B - [vpn2work] 10.10.20.0/24
C - [vpn2fam] 10.10.30.0/24

I realize this is a complex configuration, and I am still growing my familiarity with Linux networking. Based on this howto page it appears one of the following options should work:

  1. Bridge configuration: use one bridge [openvpn] for interface, then use ccd-based ifconfig-push and push route settings for each openvpn client network (A, B, C), plus firewall rules on the openvpn server allowing/blocking access based on the source LAN IP subnet. Firewall traffic rules on the RUTX should also be set to block communication between LANs A, B, and C, and to allow/block access to the RUTX management site & SSH.
  2. Manually create interfaces [ifVpn2home, ifVpn2work, ifVpn2fam] in /etc/config/network using the below structure, then define Firewall zones using those interfaces.
config interface 'ifLan5'
        option area_type 'lan'
        option proto 'none'
        option device '[tun_c_vpn2home|tun_c_vpn2work|tun_c_vpn2fam]'
        option name '[ifVpn2home|ifVpn2work|ifVpn2fam]'
        option force_link '1'

Anyone have suggestions?
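The following is an added worked example of option 2, not configuration from the original post or from Teltonika: one netifd interface per OpenVPN client device, one firewall zone per interface, and per-zone rules that implement the A/B/C policy described above. It assumes the tun device names RutOS creates (tun_c_vpn2home, tun_c_vpn2work, tun_c_vpn2fam, as given in the post), that the three LAN interfaces are named lan2home, lan2work and lan2fam, and that the interface and zone names below (ifvpn2home, vpn2home, and so on) are free to choose; `option area_type 'lan'` is carried over from the poster's draft as a RutOS-specific option.

```uci
# /etc/config/network  (added example; interface names are assumptions)
# One 'proto none' interface per OpenVPN client device, so each tun device
# can be placed in its own firewall zone instead of the shared [openvpn] zone.
config interface 'ifvpn2home'
        option proto 'none'
        option device 'tun_c_vpn2home'   # device name RutOS creates for client vpn2home
        option area_type 'lan'           # RutOS-specific, taken from the poster's draft
        option force_link '1'

config interface 'ifvpn2work'
        option proto 'none'
        option device 'tun_c_vpn2work'
        option area_type 'lan'
        option force_link '1'

config interface 'ifvpn2fam'
        option proto 'none'
        option device 'tun_c_vpn2fam'
        option area_type 'lan'
        option force_link '1'

# /etc/config/firewall  (added example; zone names are assumptions)
# Default policy per VPN zone: no router access, no transit; masq hides the
# LAN subnet behind the tunnel IP so the server needs no iroute for it.
config zone
        option name 'vpn2home'
        list network 'ifvpn2home'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'

config zone
        option name 'vpn2work'
        list network 'ifvpn2work'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'

config zone
        option name 'vpn2fam'
        list network 'ifvpn2fam'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'

# One zone per local LAN (A=10.10.10.0/24, B=10.10.20.0/24, C=10.10.30.0/24).
# Inter-LAN traffic is blocked simply by defining no forwarding between them.
config zone
        option name 'lan2home'
        list network 'lan2home'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan2work'
        list network 'lan2work'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan2fam'
        list network 'lan2fam'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

# Each LAN may only forward into its own tunnel.
config forwarding
        option src 'lan2home'
        option dest 'vpn2home'

config forwarding
        option src 'lan2work'
        option dest 'vpn2work'

config forwarding
        option src 'lan2fam'
        option dest 'vpn2fam'

# B: remote users arriving through vpn2work may reach the admin UI and SSH.
config rule
        option name 'Allow-admin-from-vpn2work'
        option src 'vpn2work'
        option proto 'tcp'
        option dest_port '22 80 443'
        option target 'ACCEPT'

# C: zone input already defaults to REJECT; an explicit rule records the intent.
config rule
        option name 'Block-admin-from-vpn2fam'
        option src 'vpn2fam'
        option proto 'tcp'
        option dest_port '22 80 443'
        option target 'REJECT'
```

Two things to check after applying this: the three tun devices must no longer be members of the stock [openvpn] zone (a device in two zones gives whichever zone matches first), and firewall zones only decide which traffic is permitted to cross, not which tunnel a packet is routed into. The full-tunnel requirement for LAN A alone (all of lan2home's traffic via vpn2home while B and C keep split routes) additionally needs policy routing per source subnet, which this example does not cover.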
