OpenVPN server setup guide by egc

Author Message
Alkap
DD-WRT Novice


Joined: 04 Mar 2020
Posts: 9

PostPosted: Sat Mar 07, 2020 10:45
egc wrote:
Although the order in which rules are executed is important, it is not in this case.

To be sure I used -I to insert the rule so that it will be executed first, but as said in this case it does not matter



Okay, and thank you for everything and your quick replies. My little knowledge is bigger now and my setup runs exactly how I want.
Excepting upnp/dlna, everything works (I know I can't get dlna working over tun vpn).

File closed on my side. Have a nice W.E.
You are a king!

Regards from Belgium.
mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 5324
Location: Texas

PostPosted: Sat Mar 07, 2020 10:49
egc wrote:
on Atheros it is eth0


ummm.... just to jump in --- (Atheros) Netgear WNDR3700v4 WAN is vlan2
AND
(more or less Atheros) QCA IPQ8064 Linksys EA8500 WAN always been vlan2 ...not sure about others
Code:
mrjcd@Will-Be-Was:~$ ssh root@citadel-station-homeworld.mrjcd.com
DD-WRT v3.0-r42634 std (c) 2020 NewMedia-NET GmbH
Release: 03/07/20
Board: Linksys EA8500
==========================================================
 
     ___  ___     _      _____  ______       ____  ___
    / _ \/ _ \___| | /| / / _ \/_  __/ _  __|_  / / _ \
   / // / // /___/ |/ |/ / , _/ / /   | |/ //_ <_/ // /
  /____/____/    |__/|__/_/|_| /_/    |___/____(_)___/
                                                     
                       DD-WRT v3.0
                   http://www.dd-wrt.com
 
==========================================================


BusyBox v1.31.1 (2020-03-07 01:05:19 +03) built-in shell (ash)

root@Citadel-Station-Homeworld:~# echo WAN_IF="$(route -n | awk '/^0.0.0.0/{wif=$NF} END {print wif}')"
WAN_IF=vlan2
root@Citadel-Station-Homeworld:~# nvram get wan_ifname
vlan2
root@Citadel-Station-Homeworld:~# get_wanface
vlan2
root@Citadel-Station-Homeworld:~#

alright then ...carry on
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 6230
Location: Netherlands

PostPosted: Sat Mar 07, 2020 11:06
Amazing, the EA8500 is not that different from the R7800, but that one has eth0 as WAN interface.
_________________
Routers: Netgear R7800, R6400v1, R6400v2, Linksys EA8500, EA6900 (XvortexCFE), E2000 (converted WRT320N), WRT54GS v1.
OpenVPN Policy Based Routing guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686
Install guide R6400v2: http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN Server Setup: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Wireguard Server setup guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1183135
Wireguard Client setup guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324624
Wireguard Advanced setup guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324787
Forum Guide Lines (important read): https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 5324
Location: Texas

PostPosted: Sat Mar 07, 2020 11:21
egc wrote:
Amazing, the EA8500 is not that different from the R7800, but that one has eth0 as WAN interface.

yea, that is also one reason why it was much easier to create VLANs on it a few years back that were understandable to most everyone.
I think most now have the R7800 figured out now though.
AND your rule
Code:
WAN_IF="$(route -n | awk '/^0.0.0.0/{wif=$NF} END {print wif}')"
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o $WAN_IF -j MASQUERADE
should take care of them all anyways ....good job
ChrisRex
DD-WRT Novice


Joined: 23 Dec 2015
Posts: 12

PostPosted: Sat Mar 28, 2020 18:44    Post subject: Re: OpenVPN server setup guide by egc
egc wrote:
OpenVPN Server Setup guide


Your remarks and corrections are more than welcome.
.....


Thanks for the great guide!
While I had the OpenVPN Server working before finding your guide, it has helped me a great deal in understanding things and making things more secure.

With regard to later builds and the CVE-2019-14899 patch -
I think this patch adds DROP to the vpn subnet in iptables PREROUTING; and your guide's 2nd option

Code:
iptables -t raw -I PREROUTING -i br0 -d $(nvram get openvpn_net)/$(nvram get openvpn_tunmask) -j ACCEPT


inserts above the DROP an ACCEPT with same parameters?
Does this effectively disable the mitigation? Is it doing the same thing as ticking 'disable' on the web GUI in builds that have that option? Or, is keeping the CVE mitigation enabled doing more than the prerouting drop rule?

Thanks again EGC for your guide and all your help!!
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 6230
Location: Netherlands

PostPosted: Sat Mar 28, 2020 19:48    Post subject: Re: OpenVPN server setup guide by egc
ChrisRex wrote:
egc wrote:
OpenVPN Server Setup guide


Your remarks and corrections are more than welcome.
.....


Thanks for the great guide!
While I had the OpenVPN Server working before finding your guide, it has helped me a great deal in understanding things and making things more secure.

With regard to later builds and the CVE-2019-14899 patch -
I think this patch adds DROP to the vpn subnet in iptables PREROUTING; and your guide's 2nd option

Code:
iptables -t raw -I PREROUTING -i br0 -d $(nvram get openvpn_net)/$(nvram get openvpn_tunmask) -j ACCEPT


inserts above the DROP an ACCEPT with same parameters?
Does this effectively disable the mitigation? Is it doing the same thing as ticking 'disable' on the web GUI in builds that have that option? Or, is keeping the CVE mitigation enabled doing more than the prerouting drop rule?

Thanks again EGC for your guide and all your help!!


OK, good question and I will try to explain.

Yes, that rule has to come above the DROP rule, so it has to be inserted after the DROP rule is in place, and that is precisely the problem.
It takes some time before OVPN runs and the DROP rule is added. You can of course manually, after boot up, add that rule and it will work, but if anything changes and the firewall or VPN restarts it will not work again, so you actually need a script running that takes care of this, and I have not gotten around to making that.

Another possibility is adding the rule to the route-up script, but you cannot override the route-up script. I have made a patch to do this but that was not accepted by our main developer.

To answer your question, this rule does not do the same as disabling the patch.
You can be attacked only from a source which is directly connected to your router, so from your LAN side or directly from your WAN, e.g. if your ISP modem/router or the patch panel in the street is hacked.

This rule opens up an attack vector on your LAN side, but on the WAN side it still stays closed.
So if you have a tight grip on your LAN (like separating IoT on a different subnet etc.) the risk is minimal.

That said, the risk is very small. I have the CVE 14899 patch disabled, but I live in a free country and I am a law-abiding citizen; my hacking days are over although I still have Kali Linux running.

Hope that answers your question

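The script egc says is still missing above (something that waits until the CVE-2019-14899 DROP rule is in place and only then inserts the LAN-side ACCEPT in front of it, so that a firewall or VPN restart does not silently undo the change) can be sketched as follows. This is an added example, not code from egc's guide or from DD-WRT. It assumes ChrisRex's reading of the mitigation, i.e. that it shows up in `iptables -t raw -S PREROUTING` as a DROP rule on the OpenVPN subnet (the thread does not confirm the exact rule), and that the subnet is the `openvpn_net`/`openvpn_tunmask` pair the guide reads from nvram; the rule listing at the bottom is constructed, not captured from a router.

```shell
#!/bin/sh
# Added example (not from egc's guide or DD-WRT): insert the LAN-side ACCEPT for
# the OpenVPN subnet only once the CVE-2019-14899 DROP rule exists, so the ACCEPT
# always ends up above the DROP however late the OpenVPN server comes up.
# Assumption: the mitigation appears in the raw PREROUTING chain as a rule of the
# form "-d <ovpn_net>/<prefix> -j DROP".

OVPN_NET="${OVPN_NET:-10.8.0.0}"          # on the router: $(nvram get openvpn_net)
OVPN_MASK="${OVPN_MASK:-255.255.255.0}"   # on the router: $(nvram get openvpn_tunmask)
LAN_IF="${LAN_IF:-br0}"

# iptables -S prints subnets in CIDR form, so the dotted netmask from nvram
# (255.255.255.0) is converted to a prefix length (24) before comparing rule text.
# Only contiguous masks are expected; the popcount is what iptables would print.
mask_to_prefix() {
  prefix=0
  oldifs=$IFS; IFS=.
  for octet in $1; do
    while [ "$octet" -gt 0 ]; do
      prefix=$((prefix + (octet & 1)))
      octet=$((octet >> 1))
    done
  done
  IFS=$oldifs
  echo "$prefix"
}

# rule_state "<output of iptables -t raw -S PREROUTING>" "<net/prefix>" "<lan iface>"
# Prints one of: nodrop (mitigation rule not there yet), ok (an ACCEPT from the
# LAN interface already sits above the DROP), needed (DROP present, ACCEPT
# missing or below it).
rule_state() {
  printf '%s\n' "$1" | awk -v net="$2" -v lan="$3" '
    {
      line = $0 " "
      if (index(line, "-d " net " ") == 0) next
      if (!drop && line ~ /-j DROP /) drop = NR
      if (!acc && index(line, "-i " lan " ") && line ~ /-j ACCEPT /) acc = NR
    }
    END {
      if (!drop) print "nodrop"
      else if (acc && acc < drop) print "ok"
      else print "needed"
    }'
}

# Poll until the DROP rule exists, then insert the ACCEPT in front of it
# (-I puts it at position 1). Re-run this after every firewall reload; it is
# idempotent because an ACCEPT that is already above the DROP returns "ok".
ensure_accept_rule() {
  cidr="$OVPN_NET/$(mask_to_prefix "$OVPN_MASK")"
  tries=0
  while [ "$tries" -lt 60 ]; do
    state=$(rule_state "$(iptables -t raw -S PREROUTING 2>/dev/null)" "$cidr" "$LAN_IF")
    case "$state" in
      ok) return 0 ;;
      needed)
        iptables -t raw -I PREROUTING -i "$LAN_IF" -d "$cidr" -j ACCEPT
        return $? ;;
    esac
    tries=$((tries + 1))
    sleep 5
  done
  echo "gave up: no CVE-2019-14899 DROP rule for $cidr seen within 5 minutes" >&2
  return 1
}

# Constructed listing (not captured from a router) in the shape iptables -S prints:
# the mitigation DROP is present and no ACCEPT precedes it.
SAMPLE_RULES='-P PREROUTING ACCEPT
-A PREROUTING -d 10.8.0.0/24 -j DROP'
echo "state: $(rule_state "$SAMPLE_RULES" 10.8.0.0/24 br0)"   # prints: state: needed

# The live firewall is only touched when explicitly asked, so the functions
# above can be tried on a workstation against the constructed listing.
if [ "${1:-}" = "--apply" ]; then
  ensure_accept_rule
fi
```

Run it on the router as `sh ovpn-accept.sh --apply` from a startup script (after the firewall script) and again from whatever hook fires on a firewall reload; without `--apply` it only evaluates the constructed listing. Note that this keeps the WAN side closed exactly as egc describes: the ACCEPT is restricted to `-i br0`, so packets arriving on the WAN interface for the VPN subnet still hit the DROP.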
ChrisRex
DD-WRT Novice


Joined: 23 Dec 2015
Posts: 12

PostPosted: Sun Mar 29, 2020 1:13    Post subject: Re: OpenVPN server setup guide by egc
Thank you for taking the time to explain!
I really really appreciate it.

I had to set up another router today, and was pulling my hair out as something was not right and I was buggy-eyed trying to find out what I was doing wrong.

Well, on some of my (Windows network) setups, I use a machine that's always on running VisualSyslog Server 1.6.4 to get the router's syslog output (and have it set up so it emails every time there's an attempt, whether successful or not, to log on to the vpn). After a few unsuccessful hours of trying to figure out what I was doing wrong, I decided to put a notebook that I have running VisualSyslog on the router and it didn't take more than a few minutes to realize the dumb mistake(s) I was making: the VPN server was never running (Status/VPN), and the first thing I was doing wrong was I had put a bad address in for the Network (I had like 10.8.0.1 instead of ending in .0)! Anyway, maybe someone else will get the idea of the VisualSyslog, which is open source but orphaned I think; it would be nice if it got some more development as it never has reports with the right (local) time. Maybe it's GMT, but never my time zone...
Here's link:
https://maxbelkov.github.io/visualsyslog/


egc wrote:

OK, good question and I will try to explain.

Yes, that rule has to come above the DROP rule, so it has to be inserted after the DROP rule is in place, and that is precisely the problem.
It takes some time before OVPN runs and the DROP rule is added. You can of course manually, after boot up, add that rule and it will work, but if anything changes and the firewall or VPN restarts it will not work again, so you actually need a script running that takes care of this, and I have not gotten around to making that.

Another possibility is adding the rule to the route-up script, but you cannot override the route-up script. I have made a patch to do this but that was not accepted by our main developer.

To answer your question, this rule does not do the same as disabling the patch.
You can be attacked only from a source which is directly connected to your router, so from your LAN side or directly from your WAN, e.g. if your ISP modem/router or the patch panel in the street is hacked.

This rule opens up an attack vector on your LAN side, but on the WAN side it still stays closed.
So if you have a tight grip on your LAN (like separating IoT on a different subnet etc.) the risk is minimal.

That said, the risk is very small. I have the CVE 14899 patch disabled, but I live in a free country and I am a law-abiding citizen; my hacking days are over although I still have Kali Linux running.

Hope that answers your question
Alkap
DD-WRT Novice


Joined: 04 Mar 2020
Posts: 9

PostPosted: Tue Mar 31, 2020 8:31
@egc, I'm not sure I understand exactly how to reach my lan securely over openvpn. Probably my English is lacking.

I disabled the mitigation patch and added your rule into the firewall. Now my firewall looks like this:
Code:
### Nat OpenVPN subnet with lan subnet (Version 2) ###
WAN_IF="$(route -n | awk '/^0.0.0.0/{wif=$NF} END {print wif}')"

iptables -t nat -I POSTROUTING -s 192.168.2.0/24 -o $WAN_IF -j MASQUERADE

iptables -t nat -I POSTROUTING -o br0 -s $(nvram get openvpn_net)/$(nvram get openvpn_tunmask) -j MASQUERADE


But now, with this additional rule, all my lan is exposed on the web (ports 53, 22 etc...).

Did I miss something?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 6230
Location: Netherlands

PostPosted: Tue Mar 31, 2020 8:56
Alkap wrote:
@egc, I'm not sure I understand exactly how to reach my lan securely over openvpn. Probably my English is lacking.

I disabled the mitigation patch and added your rule into the firewall. Now my firewall looks like this:
Code:
### Nat OpenVPN subnet with lan subnet (Version 2) ###
WAN_IF="$(route -n | awk '/^0.0.0.0/{wif=$NF} END {print wif}')"

iptables -t nat -I POSTROUTING -s 192.168.2.0/24 -o $WAN_IF -j MASQUERADE

iptables -t nat -I POSTROUTING -o br0 -s $(nvram get openvpn_net)/$(nvram get openvpn_tunmask) -j MASQUERADE


But now, with this additional rule, all my lan is exposed on the web (ports 53, 22 etc...).

Did I miss something?


If you disable the CVE mitigation patch in the GUI (which I also do as the risk is not that great), you do not need the second rule with -o br0.

However this should not have anything to do with exposing your lan.

Alkap
DD-WRT Novice


Joined: 04 Mar 2020
Posts: 9

PostPosted: Tue Mar 31, 2020 9:16
egc wrote:
If you disable the CVE mitigation patch in the GUI (which I also do as the risk is not that great), you do not need the second rule with -o br0.

However this should not have anything to do with exposing your lan.
Okay, now it's more clear, I understood it the other way around.

I did a test with one machine and couldn't access it over VPN, but following your reply, with more investigation, it's caused by its firewall. Other machines are reachable, I apologize.

I did other tests with and without this rule and I confirm all the lan is exposed over the web with mitigation unchecked and this rule in the DD-WRT Firewall. Think about adding a warning about it into your fantastic PDF (?)

Without this line, my lan is protected.

Again, many thanx
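ChrisRex's bad Network value (10.8.0.1 instead of an address ending in .0) and Alkap's firewall section both come down to feeding the right values into the guide's MASQUERADE rule. The following is an added example, not code from egc's guide or from DD-WRT: it checks that the OpenVPN network really is a network address for its mask before any rule is built (an empty nvram value would otherwise become a broken `-s /` match), wraps egc's `route -n` detection of the WAN interface so it can be run on a saved routing table, and emits the second `-o br0` rule only on request, because egc states above that it is not needed when the CVE mitigation is disabled in the GUI. The routing table is constructed, not captured from a router.

```shell
#!/bin/sh
# Added example (not from egc's guide or DD-WRT): validate the OpenVPN server
# network before building the NAT rules from the guide.

# is_network_address ADDR MASK -> exit 0 when every host bit of ADDR under the
# dotted-quad MASK is zero (10.8.0.0/255.255.255.0 yes, 10.8.0.1 no).
# Malformed or empty values are rejected instead of being turned into a rule.
is_network_address() {
  oldifs=$IFS; IFS=.
  set -- $1 $2
  IFS=$oldifs
  [ $# -eq 8 ] || return 1
  for f in "$@"; do
    case "$f" in ''|*[!0-9]*) return 1 ;; esac
    [ "$f" -le 255 ] || return 1
  done
  # ~mask keeps only the host bits; OR the four octets and require zero.
  [ $(( ($1 & ~$5) | ($2 & ~$6) | ($3 & ~$7) | ($4 & ~$8) )) -eq 0 ]
}

# egc's WAN-interface detection from the thread, applied to a "route -n" listing
# passed in as text (feed it "$(route -n)" on the router).
wan_if_from_route() {
  printf '%s\n' "$1" | awk '/^0.0.0.0/{wif=$NF} END {print wif}'
}

# build_nat_rules WAN_IF OVPN_NET OVPN_MASK [lan-nat]
# Prints the guide's rule(s) rather than running them, so they can be reviewed
# first; pipe the output into sh on the router to apply.
build_nat_rules() {
  if ! is_network_address "$2" "$3"; then
    echo "error: '$2' is not the network address for mask '$3' (host bits set or malformed)" >&2
    return 1
  fi
  printf 'iptables -t nat -I POSTROUTING -s %s/%s -o %s -j MASQUERADE\n' "$2" "$3" "$1"
  # Second rule from the guide; per egc, only needed while the CVE-2019-14899
  # mitigation stays enabled.
  if [ "${4:-}" = "lan-nat" ]; then
    printf 'iptables -t nat -I POSTROUTING -o br0 -s %s/%s -j MASQUERADE\n' "$2" "$3"
  fi
}

# Constructed "route -n" output (not captured from a router) with the default
# route on vlan2, as mrjcd showed for the EA8500.
SAMPLE_ROUTE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         203.0.113.1     0.0.0.0         UG    0      0        0 vlan2
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun2
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0'

WAN_IF="$(wan_if_from_route "$SAMPLE_ROUTE")"
build_nat_rules "$WAN_IF" 10.8.0.0 255.255.255.0            # prints the rule for vlan2
build_nat_rules "$WAN_IF" 10.8.0.1 255.255.255.0 || true    # rejected: host bit set
```

On the router the same call becomes `build_nat_rules "$(wan_if_from_route "$(route -n)")" "$(nvram get openvpn_net)" "$(nvram get openvpn_tunmask)"`, and a non-zero exit from the validator is the moment to look at the OpenVPN Server Network field in the GUI rather than at the firewall.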
avalx
DD-WRT Novice


Joined: 23 Nov 2017
Posts: 5

PostPosted: Sat Apr 11, 2020 16:42
I'm trying to make OpenVPN work on my network but until now I haven't succeeded completely.

I have a Netgear R7000 with DD-WRT v3.0-r42819 std (03/30/20), my local lan network is 10.55.66.0 and my local domain is 'lan'. I'm trying to connect from my phone over mobile network with OpenVPN for Android client.

So here are some different configurations and results. I always have CVE-2019-14899 Mitigation disabled and the firewall rule is as per the instructions in the guide. Also Additional config is:
ncp-disable
dh none
ecdh-curve secp384r1

1. Redirect default Gateway is set to Enabled
Results:
- client connected OK
- I cannot access anything, neither Internet nor local lan (either by name or IP)
- in the OpenVPN log on client there is a warning about "No DNS servers being used", so this might mean something

2. Redirect default Gateway is set to Disabled and I put some push commands in Additional Config:

push "route 10.55.66.0 255.255.255.0 vpn_gateway"
push "dhcp-option DNS 10.55.66.1"
push "dhcp-option DOMAIN lan"

Also I added interface tun2 to the Dnsmasq Options

Results:
- client connected OK
- access to Internet OK
- access to local lan with browser not working (neither name nor IP address); also some other programs accessing local resources are not working.
- BUT: I can ping local hosts via name and IP address and I can connect to my Linux server via ssh (ConnectBot)

Does anybody have any idea what might be wrong with my configuration?