LinuxQuestions.org
Old 02-01-2015, 07:12 PM   #1
haertig
Senior Member
 
Registered: Nov 2004
Distribution: Debian, Ubuntu, LinuxMint, Slackware, SysrescueCD, Raspbian, Arch
Posts: 2,331

Rep: Reputation: 357
Looking for ideas: Limiting what VPN clients can access


I have an OpenVPN server running on my router (my router's Tomato firmware includes OpenVPN). When away, I connect my laptop via VPN and have access to my home LAN. All works well.

What I want to add now is to have my son's router act as a VPN client to my VPN server. That should be easy enough to set up (his router runs Tomato also, and that includes a VPN client). But I want his home LAN VPN'ed to my home LAN with very restricted access. Specifically, I want him to only be able to access the DLNA media server on one of my home computers.

I am looking for suggestions of how best to accomplish this.

I was thinking of using iptables (also included in my router's Tomato firmware). I could possibly use this to allow my laptop's MAC address, and ONLY my laptop's MAC address, full access to my home LAN, and block all other MAC addresses' access to my LAN except to the IP/port(s) of the DLNA media server. I'm not really worried about MAC spoofing, because before even hitting the firewall rules, you'd have to be successfully VPN'ed in already.

The reason why I'm wanting to limit access is to protect my home network from potential viruses and other malware that could exist on my son's LAN. He runs what security software I tell him to on his computer, so I feel he himself is pretty safe, but he does have friends that hook up their unknown laptops to his WiFi. I know, bad idea, but it's his house and his network.

I have considered and ruled out simply opening up my DLNA server to him using port forwarding. VPN is much more secure than port forwarding.

Does anyone have suggestions for better ways to implement the connection and security I'm after? Thanks in advance!
 
Old 02-01-2015, 08:18 PM   #2
Miati
Member
 
Registered: Dec 2014
Distribution: Linux Mint 17.*
Posts: 326

Rep: Reputation: 106
I'm not familiar with VPNs, but using iptables should permit this.
I also have minimal experience with the forwarding (router) setup of iptables, but this should get you started.

iptables mac matching
https://www.frozentux.net/iptables-t....html#MACMATCH

If you only want yourself to be able to access the server from one MAC address:
Code:
# FORWARD (not INPUT): traffic routed through the router to a LAN host traverses the FORWARD chain
iptables -A FORWARD -p tcp -m mac --mac-source 00:00:00:00:00:01 -j ACCEPT
If I read you right, you want anyone in your vpn to be able to access the media server, but nowhere else.

Code:
# 192.168.1.100 stands in for the media server (192.168.1.999 is not a valid IPv4 address); the /24 is written as 192.168.1.0/24
iptables -A FORWARD -p tcp -s 192.168.1.0/24 -d 192.168.1.100 --dport 7000:8000 -j ACCEPT
-s = source IPs (everything in the LAN); -d = destination IP (the media server); --dport = destination ports
Adjust IP & port ranges as needed.

This link may be helpful as well
https://www.frozentux.net/iptables-tutorial/chunkyhtml/

Last edited by Miati; 02-01-2015 at 08:29 PM.
 
Old 02-03-2015, 12:08 PM   #3
haertig
Senior Member
 
Registered: Nov 2004
Distribution: Debian, Ubuntu, LinuxMint, Slackware, SysrescueCD, Raspbian, Arch
Posts: 2,331

Original Poster
Rep: Reputation: 357
Thanks for the reply Miati. I am now checking into the idea of not using the MAC address, but rather the VPN server that is used. The firmware on my router allows two different VPN servers, given interface names of "tun21" and "tun22". I can set up iptables rules based on which interface is used by the VPN client. I would use tun21 myself, and have full access to my LAN. And I would have my son (and any other VPN'ers I allow in the future) use tun22 which would have very restricted access. Anyway, I'm still deciding on the best path. But as of right now, I think I'm starting to like basing things on the interface used, not the MAC address.
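As an added example (not code from this thread), here is one way to express the tun21/tun22 split described in the post above as FORWARD-chain rules on the router, plus a small first-match evaluator so the intended verdicts can be checked offline. The interface names tun21 and tun22 come from the post; br0 as the LAN bridge, 192.168.1.0/24, the media server at 192.168.1.50 and port 32400 (Plex's default) are assumptions.

```shell
#!/bin/sh
# Constructed example: trust is decided by the VPN interface a client lands on,
# not by its MAC address. Assumed values; override them via the environment.
FULL_IF="${FULL_IF:-tun21}"            # trusted clients (the owner's laptop)
LIMITED_IF="${LIMITED_IF:-tun22}"      # restricted clients (son's router)
LAN_IF="${LAN_IF:-br0}"                # Tomato's LAN bridge (assumed)
MEDIA_IP="${MEDIA_IP:-192.168.1.50}"   # media server address (assumed)
MEDIA_PORT="${MEDIA_PORT:-32400}"      # Plex's default TCP port (assumed here)

# Emit the FORWARD-chain rules in evaluation order. Return traffic is allowed
# by connection state; tun21 gets the LAN, tun22 gets one host:port, and
# everything else from tun22 (other LAN hosts, tun21 clients, WAN) is dropped.
vpn_rules() {
    cat <<EOF
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $FULL_IF -o $LAN_IF -j ACCEPT
iptables -A FORWARD -i $LIMITED_IF -o $LAN_IF -p tcp -d $MEDIA_IP --dport $MEDIA_PORT -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $LIMITED_IF -j DROP
EOF
}

# Print the rules for review; only execute them when APPLY=1 (needs root).
apply_rules() {
    vpn_rules | while IFS= read -r rule; do
        if [ "${APPLY:-0}" = "1" ]; then sh -c "$rule"; else echo "$rule"; fi
    done
}

# First-match evaluation of the same policy for a NEW TCP connection from a
# VPN client, so the expected behaviour can be checked without a live router.
verdict() {  # verdict <in_iface> <dst_ip> <dst_port>
    case "$1" in
        "$FULL_IF") echo ACCEPT ;;
        "$LIMITED_IF")
            if [ "$2" = "$MEDIA_IP" ] && [ "$3" = "$MEDIA_PORT" ]; then
                echo ACCEPT
            else
                echo DROP
            fi ;;
        *) echo UNMATCHED ;;   # falls through to the chain's default policy
    esac
}

apply_rules
```

Insert these before any broader ACCEPT rule Tomato already has in FORWARD, or the broader rule wins first.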
 
Old 02-03-2015, 07:30 PM   #4
polaris96
Member
 
Registered: Jan 2015
Distribution: Slackware, LFS, OpenIndiana, debian wheezy
Posts: 55

Rep: Reputation: Disabled
Why not just forward the port for your media server? You can probably do that using native router functions.

Don't get me wrong, IPTABLES is great but if you only want him getting web or one service from your LAN, why not just set a port forwarding rule to handle it?
 
Old 02-04-2015, 08:15 AM   #5
haertig
Senior Member
 
Registered: Nov 2004
Distribution: Debian, Ubuntu, LinuxMint, Slackware, SysrescueCD, Raspbian, Arch
Posts: 2,331

Original Poster
Rep: Reputation: 357
Quote:
Originally Posted by polaris96
Why not just forward the port for your media server? You can probably do that using native router functions.

Don't get me wrong, IPTABLES is great but if you only want him getting web or one service from your LAN, why not just set a port forwarding rule to handle it?
There are two reasons.

(1) I don't want just anybody to get to my media server. Port forwarding would allow that. I could use iptables to provide some protection however. But VPN provides a more secure way of managing external users. Also, see (2) below.

(2) The media server I use, Plex Media Server, will require authentication if accessed from outside your LAN. This is hard coded into it. This authentication has to come from external Plex servers (owned by the company, not me). They call this a "Plex Account". I don't like a middle-man providing my security. As a matter of fact, there was a significant flaw within the last year in what Plex was doing that allowed unauthorized access. The fix was an immediate upgrade to their software. This illustrates exactly what I am afraid of when turning over security to a 3rd party. Plex is a media company, not a security company. So it is almost predictable that they would fall flat on their face regarding security issues. With VPN I can put external users on my LAN, thus bypassing the need to get Plex the 3rd party involved in authentication. My authentication is "you have to be successfully VPN'ed in in the first place, and it's not easy to VPN into somebody's system that doesn't want you." Using VPN takes Plex (the 3rd party) totally out of the authentication process.
 
Old 02-04-2015, 10:39 AM   #6
Miati
Member
 
Registered: Dec 2014
Distribution: Linux Mint 17.*
Posts: 326

Rep: Reputation: 106
Quote:
This is hard coded into it. This authentication has to come from external Plex servers (owned by the company, not me).
IMO, I don't like giving auth authority to external sources when controlling my own hardware!

Is there a reason you're using Plex? Seems like it's the weak link. Perhaps use Network File System (NFS), Samba (CIFS), or good ol' SSH.
Samba would work best if anyone is using Windows.

Since you're set up with coverage so that anyone trying to access would be in the LAN and would otherwise be restricted, NFS & Samba would work well (SSH sftp works well anywhere).
 
Old 02-04-2015, 12:30 PM   #7
haertig
Senior Member
 
Registered: Nov 2004
Distribution: Debian, Ubuntu, LinuxMint, Slackware, SysrescueCD, Raspbian, Arch
Posts: 2,331

Original Poster
Rep: Reputation: 357
Media servers go far beyond simple file sharing mechanisms. That's why I use Plex. It's actually quite good, except for the security part. I imagine its security is at least as good as other products, which to me, is not saying much. I prefer to control my own security. If kept up to date, I trust OpenVPN, OpenSSH, OpenSSL and ... well, I guess that's pretty much it. I do also use NoMachine NX, but that runs on top of SSH/SSL handling the security part of things.
 
All times are GMT -5.