Posted: Sat May 25, 2019 1:13 Post subject: Question about iptables firewall command
I am using firewall commands that I found on a forum to ensure that all traffic passing through my router is being sent out over OpenVPN. It seems to work okay after some testing. In my firewall rules there are 5 iptable commands, one per line. I understand the first three lines but not the fourth and fifth lines. They are as follows:
I have read the iptables man page and I believe I understand the first 3 commands. The first command I believe forwards all traffic from br0 to tun0 and the second command does the same thing in reverse. This should ensure all traffic goes out over the VPN assuming br0 is my ethernet ports and wifi connections. The third command seems to DROP or reject any traffic from br0 to vlan2 assuming vlan2 is my WAN. This should prevent any traffic from accidentally going out using my real ip address.
I do not understand line 4 and 5. It looks like 4 is rejecting input from tun0, but I don't really know what that means or why it keeps me safe. As for line 5, it seems like MASQUERADE has something to do with ip spoofing using the nat table, but I cannot understand really what is happening here or why it also keeps me safe. Can someone explain these two commands to me in terms I can understand? There is only so much I can understand from the syntax.
Joined: 04 Aug 2018 Posts: 1447 Location: Appalachian mountains, USA
Posted: Sat May 25, 2019 16:13 Post subject:
eibgrad, is your post of two years ago recommending tun0 and some explicit firewall rules to prevent inbound new connections over the vpn no longer relevant? See https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=307445
I have your scheme of that post implemented in my router, just in case, though I admit I haven't established with testing that I actually need it (with NordVPN). I wasn't crystal clear on how to do that testing. _________________ 2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
I assume you're using the OpenVPN client GUI. And if you are, the OpenVPN client GUI provides all the necessary firewall rules you need to make it operational. It's all done automatically, under the covers. In addition, by default, it uses the network interface name of "tun1", and uses that name to configure its firewall rules. But if you overrode that in Additional Config w/ "tun0", then you've broken the auto-generated firewall rules, thus requiring the need to create your own.
Why would you do that?
I setup the OpenVPN client using the GUI provided in DD-WRT v3.0-r37015M kongac. I did not override tun1 in the additional config. My additional config is as follows:
I did not know that OpenVPN used dev tun1, thank you for telling me. Why can't I just change tun0 to tun1 in the iptable commands I showed you? Are you saying that using those iptable commands overrides the OpenVPN firewall settings? Why is the firewall command you showed me better than what I have? I still want to know what the commands are doing so I can know why they are good or bad.
Once you start overriding things, that's when mistakes happen. Esp. if you don't know why you're doing it. I see many ppl add firewall rules or dump things into Additional Config which then breaks the OpenVPN client. At least when first trying to get the connection established, resist the temptation to add *anything* beyond the basic GUI elements. In your case, most of what you specified in Additional Config is already in the OpenVPN config file generated by the router. Once the OpenVPN client is enabled, you can go to a shell (telnet/ssh) and examine the config file to see for yourself.
Code:
cat /tmp/openvpncl/openvpn.conf
Once things are working, you can fiddle with firewall rules and additional directives all you like. But then you're on your own. And if things break, you always have a working config to return back to.
As far as the rules you specified, as I said, by default, the router uses tun1 as the network interface. So adding firewall rules based on tun0 is not going to be effective. You would minimally have to override the use of tun1 by adding the following to Additional Config.
Code:
dev tun0
But this is pointless, and needlessly requires you to add your own firewall rules. And that assumes you understand all those rules, which you specifically indicated was NOT the case in your opening post.
There's also a subtle problem in simply changing your own firewall rules to use tun1.
The router uses the OpenVPN scripting engine to install its own firewall rules, specifically using the route-up directive and a special script called by OpenVPN at the correct time in the connection process. As such, the router *always* gets the last say in how the firewall wall is configured. As a result, if you add your own firewall rules to the firewall script, they will have NO EFFECT because those firewall rules are added FIRST, then the router via its own scripting in OpenVPN places its own firewall rules ahead of yours!
Again, that's the problem w/ messing around w/ your own firewall rules and changes to Additional Config. We tell ppl to NOT do this for good reasons. You can easily break things because of issues like the above.
That's not to say you can't supplement the router's firewall rules when appropriate. For example, if you want to add a kill switch.
Code:
# block all access to WAN by clients behind router
WAN_IF="$(ip route | awk '/^default/{print $NF}')"
iptables -I FORWARD -o $WAN_IF -j REJECT
In summary, avoid messing w/ your own firewall rules and additions to Additional Config, at least until you get it working. Then if you have specific questions or needs beyond what the default configuration is able to provide, we'll be happy to discuss it.
In accordance with your advice, I have deleted all my custom firewall rules and replaced them with the kill switch you provided. I also deleted the additional config lines from my OpenVPN GUI client. After rebooting the router from the Administration tab, the VPN is working fine. I then added the letter "a" to the remote ip of the OpenVPN client to test the kill switch. After applying changes, I was unable to access the internet so it appears the kill switch is working. I removed the "a" from the remote ip, applied changes and the VPN is working fine and showing the correct ip address when using an ip lookup tool.
Next I used the cat command you provided to view the OpenVPN config. It contains the following:
Like you said, it already contains by default some of the additional config lines recommended by my VPN provider that I had specified before. Now that I have deleted my additional config, I can tell which ones aren't there by default. The following additional config lines recommended by my provider are not in the config file by default:
Personally, I would leave things as they are. Many times the VPN provider suggests things that aren't really necessary, or even make sense in some cases. And sometimes things are not as they seem to appear.
Quote:
--client
A helper directive designed to simplify the configuration of OpenVPN's client mode. This directive is equivalent to:
pull
tls-client
The above is a direct pull from the OpenVPN documentation (something I recommend everyone should read to better understand what all these directives actually do). In the case of the client directive, that's just a help directive that results in the generation of the pull and tls-client directives. So the fact you don't see "pull" and "tls-client" in the router's config file, but instead "client", doesn't mean you need to add "pull" and/or "tls-client".
Or consider the remote-random directive. That's only relevant if you are specifying more than one remote directive in the config file. By default, the GUI only provides the ability to specify one remote (i.e., Server IP/Name). But you can add remote directives in Additional Config so the OpenVPN client has more server options than simply the one and only remote specified in the GUI.
Once you do, the remote-random directive makes sense; it scrambles the list of servers for load balancing purposes. Personally, I prefer to NOT use this directive and use the default; sequentially run through the servers as specified in the config file.
I'm not going to run through all the rest of the directives, but as I said, you can research these yourself using the OpenVPN documentation. It will take some time and effort, but it's well worth it to understand how OpenVPN actually works.
Thank you for your help and the resources, I promise I will read that whole OpenVPN man page soon.
If I wanted to add 5 different remote addresses and use the remote-random directive to switch between them, what lines could I safely add to the config?
Lastly, when I use the lsof command on the laptop I'm connecting with to see ports being used by certain applications, I get a strange output. I can see the domain name of my non-VPN router which connects to the ISP and internet. The output looks like this (I only included one line):
Code:
root@*****:~# lsof -i -P | grep tor
tor 1542 debian-tor 10u IPv4 27732 0t0 TCP *****.gateway.*****.net:41540->janus.fsnet.io:9001 (ESTABLISHED)
Considering my DD-wrt router is plugged into the router whose name I am seeing here, how is it possible with your killswitch for my machine to derive the name of that router. The domain name is identical to the one displayed in DD-WRT under /Status_Router.asp, WAN Domain Name. Is DD-WRT serving my machine this information? Is this something to be worried about? If so, can I fix it?
As far as the kill switch, notice the comment I added. It *only* prevents clients *behind* the router from gaining access to the WAN. Since the router is managing the OpenVPN client connection over the WAN, it obviously has to have access over the WAN. Not to mention the ability to manage the WAN w/ the ISP.
I understand what you're saying, but since I ran the lsof command on my laptop OS and not on dd-wrt, how can it see the gateway domain name? It makes sense to me that dd-wrt has to manage the OpenVPN client connection over WAN, but shouldn't the laptop tunneling through without knowing the WAN domain name?
As for additional config, this is what I have now based on our conversation. It appears my provider does use the same certs for every server. Hurray:
It all depends on how you configure the Services page.
You're always going to have a domain name, either from the WAN or the LAN. By default, the domain name is grabbed from the WAN (ISP), but if you specify LAN & WLAN in Used Domain, you're expected to provide your own in the box below it (e.g., local).
So it's not that the clients behind the router are somehow working their way over the WAN for this information. The DHCP server is providing this information to them, depending on how the Used Domain option is configured.
Obviously, in most cases, esp. when you're behind a NAT router w/ a private network, using your own domain makes more sense.
Thank you for all the tips. Wonderful to learn that the domain name is just passed down by dd-wrt. I think I have everything the way I want it now.
I used the domain name field in General Setup to make my laptop see what I wrote instead. It worked.
