Joined: 14 Oct 2016
Location: United States
Posted: Sat Jul 04, 2020 21:33 Post subject: VPN LAN client to client communication with CVE-2019-14899?
So I looked into CVE-2019-14899 and just realized how it impacts the ability to have a VPN client interact with a client on the network.
They added a button to disable that mitigation patch, but I also saw some iptables commands that could be used. I was going through the OpenVPN server guide (by egc) on page 7 and saw that one of the following iptables commands could be used.
iptables -t nat -I POSTROUTING -o br0 -s $(nvram get openvpn_net)/$(nvram get openvpn_tunmask) -j
while the other is
iptables -t raw -I PREROUTING -i br0 -d $(nvram get openvpn_net)/$(nvram get openvpn_tunmask) -j
I am currently trying to understand whether the first iptables command is any different from simply disabling the mitigation via the checkbox in the Web GUI.
And my other question is: what would be the difference between the two iptables commands?
For the second one, I'm not sure if I applied it correctly, but I tried applying it via the web administration console after the VPN was already started, and it appears nothing is happening. It seems like this second iptables command might be better (in terms of security?), but I'm not too sure.
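The two commands quoted in the post are cut off at `-j`, so the exact targets are not known from this thread; what can be checked is where each rule ends up and whether it is ever reached. Below is an added example, not from the post, the egc guide or DD-WRT: a small parser for `iptables-save` output that lists every rule touching the VPN subnet and simulates which rule in a chain fires first for a given packet. The dumps are constructed, and the targets (DROP for an assumed mitigation rule in `raw PREROUTING`, ACCEPT for an assumed bypass, MASQUERADE for the `nat POSTROUTING` rule) and the subnet 10.8.0.0/24 are assumptions for illustration. The point it makes is that `-I` inserts at position 1, ahead of whatever is already in the chain, while `-A` appends after it, so a rule added after the mitigation with `-A` would never be reached.

```python
"""Inspect an iptables-save dump for rules that touch a VPN subnet and
simulate which rule in a chain fires first for a given packet.

Added example, not code from the forum thread, the egc guide or DD-WRT.
The dumps below are CONSTRUCTED; the -j targets (DROP, ACCEPT, MASQUERADE)
and the 10.8.0.0/24 subnet are assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    table: str
    chain: str
    position: int   # 1-based order within the chain, the order iptables evaluates
    opts: dict      # "-i", "-o", "-s", "-d", "-j" -> value; "!" prefix when negated
    raw: str


def parse_iptables_save(dump: str) -> list:
    """Parse the '-A CHAIN ...' lines of an iptables-save dump into Rule objects."""
    rules, table, counters = [], None, {}
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):                 # table header, e.g. "*raw"
            table, counters = line[1:], {}
        elif line.startswith("-A "):
            tokens = line.split()
            chain = tokens[1]
            counters[chain] = counters.get(chain, 0) + 1
            opts, i, neg = {}, 2, False
            while i < len(tokens):
                tok = tokens[i]
                if tok == "!":                   # "! -i tun2" negates the next option
                    neg, i = True, i + 1
                    continue
                if tok in ("-i", "-o", "-s", "-d", "-j") and i + 1 < len(tokens):
                    opts[tok] = ("!" if neg else "") + tokens[i + 1]
                    i += 2
                else:
                    i += 1                       # other matches (-p, --dport, ...) ignored
                neg = False
            rules.append(Rule(table, chain, counters[chain], opts, line))
    return rules


def _match(rule_val: Optional[str], pkt_val: Optional[str], is_addr: bool) -> bool:
    """Does one rule option (possibly negated) match the packet's value?"""
    if rule_val is None:
        return True                              # option absent: matches anything
    negated = rule_val.startswith("!")
    want = rule_val.lstrip("!")
    if pkt_val is None:
        hit = False
    elif is_addr:
        hit = ipaddress.ip_address(pkt_val) in ipaddress.ip_network(want, strict=False)
    else:
        hit = pkt_val == want
    return hit != negated


def first_verdict(rules, table, chain, in_iface=None, out_iface=None, src=None, dst=None):
    """Target of the first rule in table/chain matching the packet, or None
    when nothing matches and the chain policy applies."""
    for r in rules:
        if r.table != table or r.chain != chain:
            continue
        if (_match(r.opts.get("-i"), in_iface, False)
                and _match(r.opts.get("-o"), out_iface, False)
                and _match(r.opts.get("-s"), src, True)
                and _match(r.opts.get("-d"), dst, True)):
            return r.opts.get("-j")
    return None


def rules_for_subnet(rules, subnet):
    """Every rule whose -s or -d overlaps the subnet, in evaluation order."""
    net = ipaddress.ip_network(subnet, strict=False)
    out = []
    for r in rules:
        for key in ("-s", "-d"):
            val = r.opts.get(key)
            if val and ipaddress.ip_network(val.lstrip("!"), strict=False).overlaps(net):
                out.append(r)
                break
    return out


# Constructed dump: an ASSUMED mitigation that drops LAN (br0) traffic addressed to
# the VPN subnet, plus an ASSUMED MASQUERADE rule hiding that subnet behind br0.
BASE_DUMP = """\
*raw
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d 10.8.0.0/24 -i br0 -j DROP
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o br0 -j MASQUERADE
COMMIT
"""
DROP_RULE = "-A PREROUTING -d 10.8.0.0/24 -i br0 -j DROP"
ACCEPT_RULE = "-A PREROUTING -d 10.8.0.0/24 -i br0 -j ACCEPT"
# After 'iptables -t raw -I PREROUTING ...': -I lands at position 1, ahead of the DROP.
INSERTED_DUMP = BASE_DUMP.replace(DROP_RULE, ACCEPT_RULE + "\n" + DROP_RULE)
# After 'iptables -t raw -A PREROUTING ...': -A lands after the DROP and never fires.
APPENDED_DUMP = BASE_DUMP.replace(DROP_RULE, DROP_RULE + "\n" + ACCEPT_RULE)

if __name__ == "__main__":
    for name, dump in (("base", BASE_DUMP), ("-I", INSERTED_DUMP), ("-A", APPENDED_DUMP)):
        rules = parse_iptables_save(dump)
        verdict = first_verdict(rules, "raw", "PREROUTING", in_iface="br0", dst="10.8.0.5")
        print(f"{name:5} LAN -> 10.8.0.5 in raw/PREROUTING: {verdict}")
        for r in rules_for_subnet(rules, "10.8.0.0/24"):
            print(f"      {r.table}/{r.chain}#{r.position}: {r.raw}")
```

To run this against a real router, replace the constructed dump with the output of `iptables-save` (or `iptables -t raw -S PREROUTING` for one chain) taken after the VPN is up; whether a rule is present and in which position is exactly what tells you if applying it from the web console did anything.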