ummm.... just to jump in --- (Atheros) Netgear WNDR3700v4 WAN is vlan2
AND
(more or less Atheros) QCA IPQ8064 Linksys EA8500 WAN always been vlan2 ...not sure about others
Amazing, the EA8500 is not that different from the R7800, but that one has eth0 as the WAN interface.
Yeah, that is also one reason why it was much easier to create VLANs on it a few years back that were understandable to almost everyone.
I think most have the R7800 figured out now though.
AND your rule
Posted: Sat Mar 28, 2020 18:44 Post subject: Re: OpenVPN server setup guide by egc
egc wrote:
OpenVPN Server Setup guide
Your remarks and corrections are more than welcome.
.....
Thanks for the great guide!
While I had the OpenVPN Server working before finding your guide, it has helped me a great deal in understanding things and making things more secure.
With regard to later builds and the CVE-2019-14899 patch -
I think this patch adds a DROP for the VPN subnet in iptables PREROUTING, and your guide's 2nd option
Code:
iptables -t raw -I PREROUTING -i br0 -d $(nvram get openvpn_net)/$(nvram get openvpn_tunmask) -j ACCEPT
inserts an ACCEPT with the same parameters above the DROP?
Does this effectively disable the mitigation? Is it doing the same thing as ticking 'disable' on the web GUI in builds that have that option? Or, is keeping the CVE mitigation enabled doing more than the prerouting drop rule?
Thanks again EGC for your guide and all your help!!
Joined: 18 Mar 2014 Posts: 12837 Location: Netherlands
Posted: Sat Mar 28, 2020 19:48 Post subject: Re: OpenVPN server setup guide by egc
ChrisRex wrote:
egc wrote:
OpenVPN Server Setup guide
Your remarks and corrections are more than welcome.
.....
Thanks for the great guide!
While I had the OpenVPN Server working before finding your guide, it has helped me a great deal in understanding things and making things more secure.
With regard to later builds and the CVE-2019-14899 patch -
I think this patch adds a DROP for the VPN subnet in iptables PREROUTING, and your guide's 2nd option
Code:
iptables -t raw -I PREROUTING -i br0 -d $(nvram get openvpn_net)/$(nvram get openvpn_tunmask) -j ACCEPT
inserts an ACCEPT with the same parameters above the DROP?
Does this effectively disable the mitigation? Is it doing the same thing as ticking 'disable' on the web GUI in builds that have that option? Or, is keeping the CVE mitigation enabled doing more than the prerouting drop rule?
Thanks again EGC for your guide and all your help!!
OK, good question and I will try to explain.
Yes, that rule has to come above the DROP rule, so it has to be inserted after the DROP rule is in place, and that is precisely the problem.
It takes some time before the OVPN runs and the DROP rule is added. You can of course add that rule manually after boot-up and it will work, but if anything changes and the firewall or VPN restarts it will not work again, so you actually need a script running that takes care of this, and I have not gotten around to making that.
Another possibility is adding the rule to the route-up script, but you cannot override the route-up script. I have made a patch to do this, but that was not accepted by our main developer.
To answer your question, this rule does not do the same as disabling the patch.
You can be attacked only from a source which is directly connected to your router, so from your LAN side or directly from your WAN, e.g. if your ISP modem/router or the patch panel in the street is hacked.
This rule opens up an attack vector on your LAN side, but on the WAN side it still stays closed.
So if you have a tight grip on your LAN (like separating IoT on a different subnet etc.) the risk is minimal.
That said, the risk is very small. I have the CVE 14899 patch disabled, but I live in a free country and I am a law-abiding citizen; my hacking days are over, although I still have Kali Linux running.
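The re-apply script egc describes as still missing, as an added example that is not part of the post or the guide: it polls the raw PREROUTING chain until the mitigation's DROP for the VPN subnet exists, then inserts the guide's ACCEPT rule (which -I places above it), and does nothing if the ACCEPT is already there. It assumes busybox sh on DD-WRT, the guide's nvram keys openvpn_net/openvpn_tunmask, and that `iptables -t raw -S PREROUTING` lists the DROP with `-d <subnet>/<prefix>` and a trailing `-j DROP`; the listings in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from egc's guide or DD-WRT): re-apply the guide's LAN-side
# ACCEPT rule once the CVE-2019-14899 mitigation's DROP rule exists, so the
# ACCEPT ends up above it. As egc notes, this re-opens the LAN-side path only.
# Assumed: busybox sh, listing from `iptables -t raw -S PREROUTING`, DROP rule
# printed with "-d <subnet>/<prefix>" and ending in "-j DROP".

# has_drop_rule ADDR: 0 if the listing on stdin has the mitigation DROP for ADDR/...
has_drop_rule() {
    grep -- "-d $1/" | grep -q -- "-j DROP\$"
}

# has_accept_rule ADDR: 0 if the guide's "-i br0 -d ADDR/... -j ACCEPT" is listed.
has_accept_rule() {
    grep -- "-d $1/" | grep -- "-i br0" | grep -q -- "-j ACCEPT\$"
}

# decide ADDR LISTING: prints noop (ACCEPT present), insert (DROP present, ACCEPT
# missing) or wait (mitigation not loaded yet). Pure, so it is testable offline,
# e.g. decide 10.8.0.0 "-A PREROUTING -d 10.8.0.0/24 -j DROP" prints insert.
decide() {
    if printf '%s\n' "$2" | has_accept_rule "$1"; then echo noop
    elif printf '%s\n' "$2" | has_drop_rule "$1"; then echo insert
    else echo wait
    fi
}

# apply_when_ready NET [TRIES]: poll every 10 s; -I (position 1) puts the ACCEPT
# above the DROP. NET is "network/mask" exactly as in the guide's rule.
apply_when_ready() {
    net="$1"; addr="${1%%/*}"; tries="${2:-30}"
    while [ "$tries" -gt 0 ]; do
        case "$(decide "$addr" "$(iptables -t raw -S PREROUTING 2>/dev/null)")" in
            noop)   return 0 ;;
            insert) iptables -t raw -I PREROUTING -i br0 -d "$net" -j ACCEPT; return $? ;;
        esac
        tries=$((tries - 1)); sleep 10
    done
    logger -t vpn_accept "no CVE-2019-14899 DROP rule for $net after polling; giving up"
    return 1
}

# On the router (startup script), pass the guide's subnet in the background, e.g.
#   apply_when_ready "$(nvram get openvpn_net)/$(nvram get openvpn_tunmask)" &
[ "$#" -eq 0 ] || apply_when_ready "$1" "$2"
```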
Posted: Sun Mar 29, 2020 1:13 Post subject: Re: OpenVPN server setup guide by egc
Thank you for taking the time to explain!
I really really appreciate it.
I had to set up another router today, and was pulling my hair out as something was not right and I was bug-eyed trying to find out what I was doing wrong.
Well, on some of my (Windows network) setups, I use a machine that's always on running VisualSyslog Server 1.6.4 to get the router's syslog output (and have it set up so it emails every time there's an attempt, whether successful or not, to log on to the VPN). After a few unsuccessful hours of trying to figure out what I was doing wrong, I decided to put a notebook that I have running VisualSyslog on the router, and it didn't take more than a few minutes to realize the dumb mistake(s) I was making: the VPN server was never running (Status/VPN), and the first thing I was doing wrong was I had put a bad address in for the Network (I had like 10.8.0.1 instead of ending in .0)! Anyway, maybe someone else will get the idea of VisualSyslog, which is open source but orphaned I think; it would be nice if it got some more development, as it never reports with the right (local) time. Maybe it's GMT, but never my time zone...
Here's the link:
https://maxbelkov.github.io/visualsyslog/
egc wrote:
OK, good question and I will try to explain.
Yes, that rule has to come above the DROP rule, so it has to be inserted after the DROP rule is in place, and that is precisely the problem.
It takes some time before the OVPN runs and the DROP rule is added. You can of course add that rule manually after boot-up and it will work, but if anything changes and the firewall or VPN restarts it will not work again, so you actually need a script running that takes care of this, and I have not gotten around to making that.
Another possibility is adding the rule to the route-up script, but you cannot override the route-up script. I have made a patch to do this, but that was not accepted by our main developer.
To answer your question, this rule does not do the same as disabling the patch.
You can be attacked only from a source which is directly connected to your router, so from your LAN side or directly from your WAN, e.g. if your ISP modem/router or the patch panel in the street is hacked.
This rule opens up an attack vector on your LAN side, but on the WAN side it still stays closed.
So if you have a tight grip on your LAN (like separating IoT on a different subnet etc.) the risk is minimal.
That said, the risk is very small. I have the CVE 14899 patch disabled, but I live in a free country and I am a law-abiding citizen; my hacking days are over, although I still have Kali Linux running.
If you disable the CVE mitigation patch in the GUI (which I also do, as the risk is not that great), you do not need the second rule with -o br0.
However, this should not have anything to do with exposing your LAN.
Okay, now it's clearer; I understood it the other way around.
I did a test with one machine and can't access it over VPN, but following your reply, with more investigation, it's because of its firewall. Other machines are reachable. I apologize.
I did other tests with and without this rule and I confirm all the LAN is exposed over the web with mitigation unchecked and this rule in the DD-WRT firewall. Think about adding a warning about it to your fantastic PDF (?)
I'm trying to make OpenVPN to work on my network but until now I haven't succeeded completely.
I have a Netgear R7000 with DD-WRT v3.0-r42819 std (03/30/20), my local LAN network is 10.55.66.0 and my local domain is 'lan'. I'm trying to connect from my phone over the mobile network with the OpenVPN for Android client.
So here are some different configurations and results. I always have CVE-2019-14899 Mitigation disabled and the firewall rule is as per the instructions in the guide. Also, Additional Config is:
ncp-disable
dh none
ecdh-curve secp384r1
1. Redirect default Gateway is set to Enabled
Results:
- client connected OK
- I cannot access anything, neither the Internet nor the local LAN (either by name or IP)
- in the OpenVPN log on client there is a warning about "No DNS servers being used", so this might mean something
2. Redirect default Gateway is set to Disabled and I put some push commands in Additional Config:
Also I added interface tun2 to the Dnsmasq Options
Results:
- client connected OK
- access to Internet OK
- access to local LAN with browser not working (neither name nor IP address); also some other programs accessing local resources are not working.
- BUT: I can ping local hosts via name and IP address and I can connect to my Linux server via ssh (ConnectBot)
Does anybody have any idea what might be wrong with my configuration?
VPN server working great for a long time now, THANKS EGC, but I wanted to try adding some users and passwords, so I had some spare time to try this today.
I followed the v1.93 guide, but for some reason the server fails to start. Any ideas? I didn't understand what the "via-env" bit was for, but it didn't work with or without it; I may be missing something. Is this why it's not starting the server?
Should I have a separate file with just user and pass on separate lines?
added to ovpn server config:
client-cert-not-required
auth-user-pass-verify /tmp/vpn_user.sh via-env
script-security 3
username-as-common-name
then copied the vpn_user.sh into startup and rebooted (I left the script as is for now rather than change the user and password), but the server never starts.
I assume I have missed something, with the server not starting. I have not gotten as far as adding the client directive: auth-user-pass xxx
Thanks for any input _________________ Netgear R7800 PPPoE Main Router
Network IPV4 - Isolated Vlan's with IoT Devices. Unifi AC-Pro x 3 AP's, Router Wi-Fi Disabled. OVPN Server With Paid Commercial Wireguard Client's. Gateway Mode, DNSMasq, Static Leases & DHCP, Pi-Hole DNS & Running Unbound.
No one can build you the bridge on which you, and only you, must cross the river of life!
Yes, that starts now, egc, as always you da man!
I have added the:
auth-user-pass login.conf to the client with user and password and it connects.
How do I add a 2nd or 3rd user to the server side?
Like this?
#=======BEGIN vpn_user.sh for setting username and password=========
SCRIPT="/tmp/vpn_user.sh"
cat << "EOF" > $SCRIPT
#!/bin/sh
(
#!/bin/bash
#vpn_user.sh
ALLOWED_USER="user1"
ALLOWED_PASS="password1"
#
ALLOWED_USER="user2"
ALLOWED_PASS="password2"
#
echo "$username"
echo "$password"
echo $ALLOWED_USER
echo $ALLOWED_PASS
if [[ "$username" == "$ALLOWED_USER" && "$password" = "$ALLOWED_PASS" ]]
then
exit 0
else
exit 1
fi
)2>&1 | logger -t $(basename $0)[$$]
EOF
chmod +x $SCRIPT
nohup $SCRIPT > /dev/null 2>&1 &
#=======END vpn_user.sh=========
Cheers egc
Using multiple users/passwords is outside the scope of this guide; it involves professional setups with the PAM plugin and RADIUS etc.
Not that it is impossible this way; you need to do multiple passes comparing your user/password with the ones presented.
I would use a file with username and password on one line and use this file as input.
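A multi-user vpn_user.sh along the lines egc suggests, as an added example that is not from the guide or the poster's script: it reads a credentials file with one `user password` pair per line and checks every line against the username/password OpenVPN exports via-env, instead of overwriting a single ALLOWED_USER/ALLOWED_PASS pair. Assumptions: busybox sh on DD-WRT, the path /jffs/etc/vpn_users.txt is hypothetical, and neither field contains spaces; the credentials in the comments are constructed.

```shell
#!/bin/sh
# Added example (not egc's guide code): multi-user auth-user-pass-verify script.
# OpenVPN runs it with "auth-user-pass-verify /tmp/vpn_user.sh via-env", which
# exports $username and $password. Assumed: busybox sh on DD-WRT; credentials
# file (hypothetical path, chmod 600) holds "user password" per line, no spaces,
# e.g. constructed lines "alice s3cret" and "bob hunter2".
USERS_FILE="${USERS_FILE:-/jffs/etc/vpn_users.txt}"

# check_user USER PASS FILE: 0 if a line "USER PASS" exists in FILE, else 1.
# Walks every line (the "multiple passes" egc mentions); empty passwords are
# rejected so a malformed "user" line cannot match an empty submitted password.
check_user() {
    want_user="$1"; want_pass="$2"; file="$3"
    [ -n "$want_user" ] && [ -n "$want_pass" ] || return 1
    [ -r "$file" ] || return 1
    while IFS=' ' read -r u p _rest; do
        case "$u" in ''|'#'*) continue ;; esac      # skip blank and comment lines
        if [ "$u" = "$want_user" ] && [ "$p" = "$want_pass" ]; then
            return 0
        fi
    done < "$file"
    return 1
}

# Entry point for OpenVPN: log the username and the verdict to syslog so the
# "who logged in" question is answered, but never write the password to the log.
verify_from_env() {
    if check_user "${username:-}" "${password:-}" "$USERS_FILE"; then
        logger -t vpn_user "accepted login for '$username'"
        return 0
    fi
    logger -t vpn_user "rejected login for '${username:-<empty>}'"
    return 1
}

# Only act when OpenVPN actually exported the via-env variables.
if [ -n "${username:-}" ] && [ -n "${password:-}" ]; then
    verify_from_env
    exit $?
fi
```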
Thanks egc, I just wanted to make it easy to see in the logs who had logged in, but that's fine mate. I got the wrong end of the stick; I thought that would have helped, I was thinking of it being like a commercial server.
It's only family and they only have access to the relevant shares on the NAS and Plex content.