I currently have Mullvad VPN running on my DD-WRT-flashed Nighthawk R8500. Mullvad incorporates IPv6.
First problem is that @Eibgrad has noted my firewall rules are out of date and not current. My current rules are:
Code:
Set "dev tun0" in Additional Config on the VPN client settings, then:
# allow only outbound connections to the VPN (no inbound)
iptables -I INPUT -i tun0 -m state --state NEW -j DROP
iptables -I FORWARD -i tun0 -m state --state NEW -j DROP
# NAT LAN traffic onto the tunnel address
iptables -t nat -I POSTROUTING -o tun0 -j MASQUERADE
# block all access to the WAN by the LAN
# (WAN_IF = the interface carrying the IPv4 default route)
WAN_IF="$(route -n | awk '/^0.0.0.0/{wif=$NF} END {print wif}')"
iptables -I FORWARD -i br0 -o "$WAN_IF" -m state --state NEW -j REJECT
Apparently, these rules are bad. Could someone first please help me with applying the strictest of strict firewall rules (with Mullvad's use of IPv6 considered) so nothing is allowed to work outside the VPN?
Secondly, Mullvad allows port forwarding. However, you can't specify the ports forwarded on Mullvad's end; it just chooses them randomly. That being said (in addition to the updated firewall rules), I can't for the life of me figure out how to get Mullvad to forward its ports through my DD-WRT configuration and onto my desktop. When I remove the DD-WRT router, plug directly into the SOHO router, and then use the Mullvad desktop app to connect to Mullvad VPN, my forwarded Mullvad ports work perfectly. But when I connect the DD-WRT router and run the VPN through that, using either the port forwarding instructions by Mullvad:
“How to add a port to be forwarded to any client behind the router.
Code:
Replace 12345 with the port number you have been assigned.
iptables -t nat -I PREROUTING -i tun+ -p tcp --dport 12345 -j DNAT --to 192.168.1.5:12345
iptables -t nat -I PREROUTING -i tun+ -p udp --dport 12345 -j DNAT --to 192.168.1.5:12345
Code:
# port forward from the VPN and into the LAN
iptables -t nat -I PREROUTING -i tun0 -p tcp --dport 8081 -j DNAT --to 192.168.1.100:80
iptables -I FORWARD -i tun0 -p tcp -d 192.168.1.100 --dport 80 -j ACCEPT
Neither of the above work and Mullvad shows my port status as blocked. Could someone please help me configure the following?
1) Proper firewall configuration for Mullvad VPN (IPv6 considered)
2) Proper port forwarding configuration when forwarding Mullvad's ports from the Mullvad server end.
Joined: 18 Mar 2014 Posts: 12917 Location: Netherlands
Posted: Mon Nov 12, 2018 9:37 Post subject:
Unfortunately there are not many forum members active who, like @Eibgrad, know everything about firewalling, routing, scripting, etc.
But I am happy to share what little I have learned the past few years.
The thread you have found is in my little book where I derive my (little) knowledge from, so you are almost there already yourself.
About the firewall rules you are mentioning, there is an option in the GUI to enable "Firewall Protection" and as @Eibgrad already noted that does not do much.
DD-WRT by default uses tun1 for the OpenVPN client, so the first thought is to add extra firewall rules to block tun1 (as @d0ug suggests); however, that does not work: the OpenVPN client takes some time to start and then inserts a firewall rule that accepts everything from tun1, and the first rule is executed first.
So the solution is to specify in the additional config of the OpenVPN client:
Code:
dev tun0
So the tunnel is using tun0 and then the rules from @Eibgrad start to work.
To use port forwarding your VPN provider has to open up their firewall, assign you a port and forward it.
Some VPN providers give you a fixed port, others will give you a random port when you connect. I am using PIA, which has an API to get your forwarded port; in the past I assisted @Eibgrad to use that API and to incorporate it in a script to use with DD-WRT (documentation available on request).
Let's assume Mullvad assigned you port 12345 and you want to route to port 8081 at client 192.168.1.99.
Now open up your firewall with the FORWARD rule and send it to your client and port (the actual forwarding) with the DNAT rule, which is on the PREROUTING chain:
Code:
# port forward from the VPN and into the LAN
# DNAT rewrites the destination; the FORWARD ACCEPT lets the rewritten packet through
iptables -t nat -I PREROUTING -i tun0 -p tcp --dport 12345 -j DNAT --to 192.168.1.99:8081
iptables -I FORWARD -i tun0 -p tcp -d 192.168.1.99 --dport 8081 -j ACCEPT
So the key for all this to work is to specify "dev tun0" in the additional config of the VPN client.
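The two rule sets in this thread (the tun0 kill switch from the first post and the DNAT/FORWARD pair above, for TCP and UDP) combined into one script, as an added example that is not code from the original posts, from Mullvad, PIA or DD-WRT. The assumptions are mine: the tunnel is tun0 ("dev tun0" in Additional Config), the LAN bridge is br0, the WAN interface is found the same way as in the first post (falling back to vlan2 when there is no routing table, e.g. on a PC), and the build ships an ip6tables binary. By default it only prints the rules; APPLY=1 executes them, so the output can be reviewed before it goes into Administration > Commands > Save Firewall:

```shell
#!/bin/sh
# Added example for this thread, not code from the original posts, Mullvad or
# DD-WRT. Prints (or with APPLY=1 executes) the VPN kill switch and the
# provider port forward discussed in the thread.
# Assumptions (mine): tunnel tun0, LAN bridge br0, ip6tables present on the build.

APPLY="${APPLY:-0}"   # 0 = print the commands (dry run), 1 = run them

# run_rule CMD ARGS... : print the rule; with APPLY=1 also execute it
run_rule() {
    printf '%s\n' "$*"
    if [ "$APPLY" = 1 ]; then "$@"; fi
}

# wan_iface : interface carrying the IPv4 default route (same trick as the
# first post); "vlan2" when run on a box without a routing table (dry run)
wan_iface() {
    wif=$(route -n 2>/dev/null | awk '/^0.0.0.0/ {w=$NF} END {print w}')
    printf '%s\n' "${wif:-vlan2}"
}

# killswitch_rules TUN LAN WAN : nothing from the LAN may leave except through
# TUN and nothing unsolicited may come in from TUN. IPv4 is NATed onto the
# tunnel address; IPv6 gets no NAT, so there the LAN->WAN block is everything.
killswitch_rules() {
    tun=$1 lan=$2 wan=$3
    # no new connections from the tunnel into the router or the LAN
    run_rule iptables -I INPUT   -i "$tun" -m state --state NEW -j DROP
    run_rule iptables -I FORWARD -i "$tun" -m state --state NEW -j DROP
    # LAN traffic leaving via the tunnel gets the tunnel's address
    run_rule iptables -t nat -I POSTROUTING -o "$tun" -j MASQUERADE
    # the actual kill switch: the LAN may not reach the WAN directly at all
    run_rule iptables -I FORWARD -i "$lan" -o "$wan" -m state --state NEW -j REJECT
    if [ "$APPLY" = 1 ] && ! command -v ip6tables >/dev/null 2>&1; then
        echo "warning: no ip6tables on this build; IPv6 rules skipped" >&2
        return 0
    fi
    run_rule ip6tables -I INPUT   -i "$tun" -m state --state NEW -j DROP
    run_rule ip6tables -I FORWARD -i "$tun" -m state --state NEW -j DROP
    run_rule ip6tables -I FORWARD -i "$lan" -o "$wan" -j REJECT
}

# portfwd_rules TUN PORT CLIENT [CLIENTPORT] : DNAT the provider-assigned PORT
# arriving on TUN to CLIENT:CLIENTPORT (CLIENTPORT defaults to PORT) for tcp
# and udp, and open FORWARD for exactly that flow. Call it AFTER
# killswitch_rules: both use -I, so the later ACCEPT lands above the DROP.
portfwd_rules() {
    tun=$1 port=$2 client=$3 cport=${4:-$2}
    # refuse to build a rule without a numeric port: a PREROUTING DNAT with no
    # --dport would redirect every new inbound tunnel flow to the client
    case "$port" in
        ''|*[!0-9]*) echo "portfwd_rules: need a numeric port, got '$port'" >&2; return 1 ;;
    esac
    for proto in tcp udp; do
        run_rule iptables -t nat -I PREROUTING -i "$tun" -p "$proto" --dport "$port" \
            -j DNAT --to-destination "$client:$cport"
        run_rule iptables -I FORWARD -i "$tun" -p "$proto" -d "$client" --dport "$cport" -j ACCEPT
    done
}

# Usage: sh vpn-fw.sh killswitch [TUN] [LAN] [WAN]
#        sh vpn-fw.sh forward PORT CLIENT [CLIENTPORT] [TUN]
# Prefix with APPLY=1 to execute instead of print.
case "${1:-}" in
    killswitch) killswitch_rules "${2:-tun0}" "${3:-br0}" "${4:-$(wan_iface)}" ;;
    forward)    portfwd_rules "${5:-tun0}" "$2" "$3" "${4:-$2}" ;;
esac
```

Order matters: both functions insert with -I, so run killswitch_rules first and portfwd_rules second; the ACCEPT for the forwarded flow then sits above the "DROP NEW from tun0" rule instead of below it, where it would never be reached. The numeric-port guard exists because a DNAT that has lost its --dport redirects every new flow arriving on the tunnel to the client, which is the "not one port but all ports" case egc mentions later in the thread.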
Joined: 16 Apr 2018 Posts: 107 Location: Milwaukee, WI
Posted: Fri Nov 16, 2018 15:38 Post subject:
egc wrote:
I can not help with the IPv6, I do not use it.
EDIT:
Start with port forwarding and if it is working then add the firewall rules.
I only showed the TCP port, but depending on what you want you also need the UDP port. To begin I would do both TCP and UDP; just copy the rules and substitute tcp with udp.
Unfortunately, port forwarding doesn't work even with all firewalls disabled. I'm also looking at the error log on the router and there seems to be quite a bit. Which makes me think it's possible that I'm not using the right build. Do you have any suggestions for a stable build that works with the R8500? Or any other suggestions as to proper port forwarding rules? Maybe something we are overlooking?
Joined: 18 Mar 2014 Posts: 12917 Location: Netherlands
Posted: Sat Nov 17, 2018 8:34 Post subject:
You have introduced many variables with the script and extra firewall rules.
You might consider resetting to defaults (and if you do so, perhaps use the latest Kong Build: http://www.desipro.de/ddwrt/K3-AC-Arm/TEST/
Erase nvram, put settings in manually.
Start with minimum configuration do not use a script or extra firewall rules.
Do a basic GUI setup of the openVPN client to Mullvad and check if port forwarding is working.
Joined: 16 Apr 2018 Posts: 107 Location: Milwaukee, WI
Posted: Sun Nov 18, 2018 21:03 Post subject:
egc wrote:
If it works, take it from there.
So I tried all of this, with the previous firmware, and then updated to v3.0-r37015M, still with the exact same results. It seems that as soon as I put the word tun (tun0, tun1, etc.) in the firewall script, no matter what, my working VPN connection immediately becomes blocked. I set up my VPN connection after a firmware update and clean reset, eliminating any firewall configs, and the VPN worked fine. As soon as I enter some firewall configs, specifically the port forwarding ones you posted, or the ones that Mullvad's instructions give in their DD-WRT "how-to", my ability to access the internet terminates, although in the router's VPN status it still shows "Connected", with a blank remote address if I use dev tun0, and a remote address of 10.14.0.11 (same as the local address) if I use the default dev tun1. So it seems like when I input the firewall rules to forward the ports on a certain tunnel, it somehow instead blocks internet access to the IP address that the port is supposed to be forwarded to. I'm at an utter loss and have spent way too much time on this. I wish someone like @Eibgrad could step in here and throw some expert guidance my way. Any more ideas are still appreciated though!
_________________
DanRanRocks - Tech Tutorials by Dan Ran
Joined: 16 Apr 2018 Posts: 107 Location: Milwaukee, WI
Posted: Mon Nov 19, 2018 15:07 Post subject:
egc wrote:
Yes it can sometimes be very frustrating, especially as it is hard to imagine how port forwarding rules can block your internet (unless you do not preroute one port but all ports).
Please post the portforwarding rules you are using so that we can have look at them
I put "dev tun0" in Additional Config of the VPN client settings, then changed the IP of the computer I am trying to forward the port to, to a static IP of 192.168.55.101. Mullvad is forwarding port 17809 on their end of things. The only sets of rules I tried in the firewall without any other rules are:
As soon as I enter either set of these rules, my internet connection is blocked; however, my router's VPN status still shows connected, with a blank remote address. Thank you so much for all of your help btw! Very frustrating!
Joined: 16 Apr 2018 Posts: 107 Location: Milwaukee, WI
Posted: Mon Nov 19, 2018 22:46 Post subject:
egc wrote:
Unfortunately the rules look alright to me, I had hoped there was an error in the rules, but I can not see one.
I even tried the rules on my own router and it appears to work.
The Mullvad rules are the same the + is a wildcard for any number that match the interface.
Sorry I can not be more helpful; if you ever find out what the problem is, I will be interested in hearing it.
Well dang. I think I just bricked my router anyway. Uploading old firmware. Great. But I just ordered a USB TTL cable so maybe I can unblock it. In any event, what do the rest of your configuration settings look like on your working router? Particularly your IPv6 settings? My instincts are telling me that it might have something to do with how Mullvad handles IPv6 (or how DD-WRT handles it). Any other settings you may have would be a plus too. I'm going to figure this out once I unblock myself.
Joined: 16 Apr 2018 Posts: 107 Location: Milwaukee, WI
Posted: Sat Dec 08, 2018 15:10 Post subject:
egc wrote:
I use PIA and they specifically instruct me to disable IPv6; obedient as I am, I did.
So I can not help you with that.
So I've been forced to come at this from a different angle. I bought a Linksys WRT1200AC router, flashed it with v3.0-r37736 firmware, purchased a month of PIA, and thought I was set. However, it turns out that when searching for PIA port forwarding instructions, I can't really find anything that isn't outdated or that makes sense. Seems like they have a script that you are supposed to run in order to forward ports, but most people in the PIA forums say that it doesn't work with DD-WRT, or at the very least it needs to be modified and Optware needs to be installed. Might you be able to tell me just exactly how you got port forwarding to work with PIA? I don't see any options to assign a specific port in PIA's login page or anything. Any help would definitely be appreciated!
Joined: 18 Mar 2014 Posts: 12917 Location: Netherlands
Posted: Sat Dec 08, 2018 17:11 Post subject:
Well good news, bad news and very good news.
The good news is that it can be done using DDWRT and you do not need to install entware (in the first iteration of the script that was necessary but not any more)
The bad news is that you need a USB stick with a /jffs partition.
The very good news is that there is a ready made script which (with some help of @Bushant and myself) is made by @Eibgrad to use with PIA port forwarding. This can be found at:
https://pastebin.com/P9nmpyxh
Joined: 16 Apr 2018 Posts: 107 Location: Milwaukee, WI
Posted: Tue Dec 11, 2018 3:43 Post subject:
Thank you so much for the response. So far, I haven't had time to look into this yet, but will do so soon, and most likely get back to you with more questions. Again, thanks a ton!
Posted: Thu Apr 04, 2019 23:31 Post subject: Have we determined proper config for IPV6 over Mullvad VPN?
I'm not currently trying to port forward, but I have a WRT32X with DD-WRT, and I am trying to find out if IPv6 still has DNS leak issues or other security issues when on VPN...
Mullvad says IPv6 is good to go over their VPN service, whereas other VPN providers apparently do not support it yet, hence the security risks of leaving it enabled.
I have tested for IPv6/DNS leaks via the following websites, and it does not appear that anything is leaking. Although some of them will say "OMG IPv6 is leaking!!!", the IPv6 address is Mullvad's, so those are false positives from poorly implemented leak checkers, I suppose, because I do not see my ISP in the results. Having an IPv6 address != IPv6 leak, but this seems to be the logic of some of these leak test sites. I haven't vetted these links... click at your own risk.
With that last website, I was able to see a list of all open ports, which I am assuming are the open ports on Mullvad's end. Since I am not asking Mullvad to forward any ports to me, I am assuming these open ports do not affect me, unless I have some misconfiguration somewhere...
Port Protocol Name Description
1022 TCP exp2 RFC3692-style Experiment 2 (*) [RFC4727]
5759 TCP Unknown Unknown
12661 TCP Unknown Unknown
13616 TCP Unknown Unknown
17669 TCP Unknown Unknown
25306 TCP Unknown Unknown
28938 TCP Unknown Unknown
I can't find the thread right now, but my concern is simply due to this old post by spuriousoffspring, which I think may either be not current or not applicable to Mullvad, but hopefully someone can confirm that for me...
spuriousoffspring wrote:
I'm not sure if the latest firmware update includes an option to disable IPv6. This is a major security flaw that I made Linksys aware of months ago before I returned my WRT32X.
If there is the option to disable IPv6 then make sure to do so when you have OpenVPN Client enabled.
If there is not, then just be aware that your location is still being sent.
So anyway
I have dd-wrt installed on WRT32X. Currently using
a) Mullvad VPN config file on mobile OpenVPN app
b) Mullvad desktop app
Plan to in future use any of the following
a) WireGuard Server/Client running within dd-wrt on WRT32X
b) OpenVpn Server/Client running within dd-wrt on WRT32X
c) Do a) and/or b) with Mullvad (client) or run my own (server)
Once I get Mullvad working with OpenVPN client on my router, or if I ever switch to my own VPN server running on the router, I will also need to allow some devices to connect via clearnet, and only certain devices on my network will use the VPN. So I will need Policy Based Routing to specify how each device should connect.
Previously I have tried to follow Mullvad's VPN Client Setup Guide for dd-wrt routers, and I was able to get it working, but when I tried implementing PBR, everything broke. So now I'm back to running Mullvad App or OpenVPN on each device instead of router.
So what are the most up to date instructions for locking down the router security-wise given my situation and with regard to IPV6 and DNS leaks? I would like to know the proper firewall configuration to make sure that I am not exposing my network in any of the above situations, whether client or server, and whether I'm running VPN on router or individual devices.
Also, one final question: is it trivial to implement an inception-style Mullvad VPN client on device (with Mullvad or OpenVPN app) routed through another VPN tunnel running as OpenVPN Server on my router? I have read that there are correct and incorrect ways of going about this, but I'm a bit overwhelmed by the technical nature of the information I'm finding, as I'm a total dd-wrt noob. Ultimately I would like for my router to be my own OpenVPN or WireGuard server, with PBR to separate clients that do not need VPN, and the ability to tunnel through the tunnel with a paid VPN service (because this option just seems super secure if a bit paranoid and hurtful to performance).
Sorry in advance if I am asking questions previously answered elsewhere, or if this is too off topic from the OP. I am new here, but I hope you can see that I am trying to do my own research first before I determine that I'm stumped.
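A self-check for the "is anything leaving outside the VPN, v4 or v6?" question in this post, as an added example that is not code from the original posts or from Mullvad. Instead of trusting a web leak tester, it asks the router what it actually does with an outbound packet in each address family and whether the FORWARD chains carry a LAN-to-WAN block. The parsing takes command output as text, so the logic can be exercised with captured samples. The assumptions are mine: tunnel tun0, LAN bridge br0, WAN vlan2, and an iproute2/busybox ip binary on the box:

```shell
#!/bin/sh
# Added example for this thread, not code from the original posts or Mullvad.
# Checks, on the router, whether IPv4 and IPv6 traffic really leave through
# the tunnel and whether the kill-switch block rule exists in both firewalls.
# Assumptions (mine): tunnel tun0, LAN br0, WAN vlan2, "ip" available.

# route_dev TEXT : the "dev" of an "ip route get" result, or "none" when the
# kernel had no route (e.g. "RTNETLINK answers: Network is unreachable")
route_dev() {
    d=$(printf '%s\n' "$1" | awk '{for (i = 1; i < NF; i++) if ($i == "dev") {print $(i+1); exit}}')
    printf '%s\n' "${d:-none}"
}

# routes_via_tun V4TEXT V6TEXT TUN : 0 when an outbound IPv4 packet goes via
# TUN and an outbound IPv6 packet goes via TUN or nowhere at all (no IPv6
# route is not a leak); otherwise names the leaking family and returns 1
routes_via_tun() {
    v4=$(route_dev "$1")
    v6=$(route_dev "$2")
    tun=$3
    rc=0
    if [ "$v4" != "$tun" ]; then echo "IPv4 leaks via $v4"; rc=1; fi
    case "$v6" in
        "$tun"|none) ;;
        *) echo "IPv6 leaks via $v6"; rc=1 ;;
    esac
    return $rc
}

# has_lan_wan_block RULES LAN WAN : 0 when the "iptables -S FORWARD" (or
# "ip6tables -S FORWARD") listing in RULES contains a rule that rejects or
# drops traffic going from LAN to WAN
has_lan_wan_block() {
    printf '%s\n' "$1" | grep -Eq -- "^-A FORWARD -i $2 -o $3 .*-j (REJECT|DROP)"
}

# live_check [LAN] [WAN] : run the checks against this box. 192.0.2.1 and
# 2001:db8::1 are documentation addresses, used only as route lookup targets.
live_check() {
    lan=${1:-br0} wan=${2:-vlan2} tun=${TUN:-tun0}
    v4=$(ip -4 route get 192.0.2.1 2>&1)
    v6=$(ip -6 route get 2001:db8::1 2>&1)
    routes_via_tun "$v4" "$v6" "$tun" && echo "routes: OK, outbound v4/v6 via $tun"
    if has_lan_wan_block "$(iptables -S FORWARD 2>/dev/null)" "$lan" "$wan"; then
        echo "iptables: $lan -> $wan blocked"
    else
        echo "iptables: NO $lan -> $wan block rule (IPv4 kill switch missing)"
    fi
    if has_lan_wan_block "$(ip6tables -S FORWARD 2>/dev/null)" "$lan" "$wan"; then
        echo "ip6tables: $lan -> $wan blocked"
    else
        echo "ip6tables: NO $lan -> $wan block rule (IPv6 leaks if the WAN has v6)"
    fi
}

# Usage on the router: sh vpn-leakcheck.sh --live [LAN] [WAN]
if [ "${1:-}" = "--live" ]; then
    shift
    live_check "$@"
fi
```

ip route get is used rather than ip route show default on purpose: with OpenVPN's redirect-gateway def1 the ISP default route stays in the table and the tunnel only wins through two more specific /1 routes, so the default route alone says nothing about where traffic goes. An IPv6 lookup that fails with "Network is unreachable" is reported as no leak, since there is then no IPv6 path at all; a lookup that comes back on the WAN interface is exactly the situation the quoted WRT32X post warns about.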