scripts & cron


mrgenie

Occasional Visitor
I have successfully set up an OpenVPN network across the continent using DD-WRT.

Now I want to use the Asuswrt-Merlin OpenVPN to act as a server.

I've found in DD-WRT clients on other networks sometimes pick DHCP from other openVPN subnets.

To avoid this, so that everyone stays in their own network (gateway/DNS/etc.) but everyone can connect to every single client in the other subnets (OpenVPN clients), I've set up a class B network and use a script on DD-WRT to block wrong DHCP servers from other subnets.

I've put the following script in the "Cron" tab of the DD-wrt router:

@reboot sleep 30;/sbin/insmod /lib/modules/2.6.24.111/ebtables.o;/sbin/insmod /lib/modules/2.6.24.111/ebt_ip.o;/sbin/insmod /lib/modules/2.6.24.111/ebtable_filter.o;ebtables -F;ebtables -I FORWARD -i tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP;ebtables -I FORWARD -o tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP;ebtables -I INPUT -i tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP;ebtables -I OUTPUT -o tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP

How would I do this in Merlin-Asuswrt or is this not necessary on Merlin-Asuswrt for a class B network spanning the continent?
 
Not sure if this is needed or not - it will probably be needed if you set up a TAP VPN instead of a TUN.

You will need to enable the JFFS partition to be able to use user scripts. See the Wiki for more details.

Cron jobs can be easily created using the cru command (type "cru" at the shell prompt for a usage description). You can put the commands inside a services-start user script, for example.
 
Can't figure out how to rewrite this for Asuswrt-Merlin

sleep 30;
/sbin/insmod /lib/modules/2.6.24.111/ebtables.o;
/sbin/insmod /lib/modules/2.6.24.111/ebt_ip.o;
/sbin/insmod /lib/modules/2.6.24.111/ebtable_filter.o;
ebtables -F;
ebtables -I FORWARD -i tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP;
ebtables -I FORWARD -o tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP;
ebtables -I INPUT -i tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP;
ebtables -I OUTPUT -o tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP

would become in Merlin:
/sbin/insmod /lib/modules/2.6.22.19/ebtables.o;
/sbin/insmod /lib/modules/2.6.22.19/ebt_ip.o;
/sbin/insmod /lib/modules/2.6.22.19/ebtable_filter.o;
ebtables -F;
ebtables -I FORWARD -i tap21 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP;
ebtables -I FORWARD -o tap21 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP;
ebtables -I INPUT -i tap21 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP;
ebtables -I OUTPUT -o tap21 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP

I just found "https://github.com/RMerl/asuswrt-merlin/wiki/WOL-Script-Wake-Up-Your-Webserver-On-Internet-Traffic" so I tried to give it a go.. still trying at the moment..
The file system read-only error I got seems to disappear automatically after switching on/off the jffs and rebooting 5 or 6 times.

Obviously the "sleep 30" isn't needed for Merlin, as I have several options for where to run the script.

Thus far I've managed most steps, and in the logging I see "drops", although the logging doesn't tell me exactly what is dropped. So I guess I have to trial-and-error to see if the ebtables rules are set by simply adding the above lines to the startup script.
Thank you for your great work merlin!
 
Those modules are already loaded by the kernel, you don't need to manually insert them:

admin@RT-AC66U:/tmp/home/root# lsmod | grep ebt
ebt_ip 1952 0
ebtable_broute 1504 0
ebtable_filter 1728 0
ebtables 21504 3 ebt_ip,ebtable_broute,ebtable_filter

You just need to put in your ebtables commands. There's no special way to write a script; it's just a text file that will contain the lines you want to execute. So, the services-start script would be just a text file saved as /jffs/scripts/services-start containing the ebtables lines. See the Wiki post on User scripts for some basic requirements of Linux scripts (they must be set as executable, contain a shell shebang at the start, etc.).

I suspect the sleep command was to give time to the tunnel to establish itself before trying to create a rule referring to tun21. If the script doesn't work without it then try adding it back.

As an alternative way of implementing those ebtable rules, it's also possible to configure OpenVPN itself to run a script when an interface is brought up. See the OpenVPN documentation for details - I don't know them myself since I never used them, but I know it exists.
 
Summary

So, my services-start looks like this:

#!/bin/sh

ebtables -F
ebtables -I FORWARD -i tap21 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -I FORWARD -o tap21 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -I INPUT -i tap21 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -I OUTPUT -o tap21 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP

and I did the chmod +x /jffs/scripts/services-start

That's all, or do you see any mistake in this process?
 
Looks good to me, give it a try. Only thing I'm not sure about is how it will accept creating rules referring to tap21 if that interface isn't up yet. If that's a problem, then you will have to rely on OpenVPN's own up script that can be added through the custom config section.
 
Well, if that's a problem I can still use the "sleep" option, as I haven't experimented with OpenVPN scripts before, and in my experience getting into new scripting territory is usually a pain in the a** because of the different syntax (assuming they have a different syntax of their own).

Anyway, thus far everyone is getting the proper DHCP servers within their own local subnets and not retrieving IPs/gateways/DNS/subnet masks from remote DHCP servers of different OpenVPN subnets.

I wonder how I can test if it really works. For normal TCP/IP traffic you can check ports and send a packet to see if it's blocked/dropped, but ebtables (and DHCP) work one layer lower in the network than TCP/IP, which makes sense because a client needs to find the DHCP server before it gets any info about the TCP/IP network. But thus far I haven't found a single piece of software on the internet to actually ping/try/trace on this network layer. It would be very useful if I knew about software with these capabilities.

Anyway, where do I donate for the merlinwrt firmware?
 
I am using RT-N66U on Merlin. Plan to add the following cron job:

root wget http://www.unotelly.com/unodns/auto_auth/hash_update/updateip.php?user_hash=your_token

I'd appreciate it if someone could guide me on how I can do it. Please be as detailed as possible as I am a complete newbie in this area. Many thanks.

Well, as you can see in the previous post, with the "cru" command you can add cron jobs.
For the scripting there's one example in the wiki (WOL).

As far as I understood, all you have to do is make any script you're running executable, as described in detail above, and don't forget the #!/bin/sh at the top of the file to let Linux know what this file is for.

the rest is basic linux scripting if I understood correctly.

There's also an option described in the wiki how to test your scripts manually..
 
One easy way to test this is to disable the DHCP server on the local LAN segment (assuming you have control of it), and see if you are able to issue a DHCP lease renewal on one of your clients. If not, then it will confirm that your rules are indeed preventing DHCP requests from reaching the DHCP server on the other side of the tunnel.

There's a Paypal button on my personal website (link is in my signature). Thank you :)
 
Ok, the ebtables in the script file don't prevent clients from accessing remote dhcp servers. Bummers, as I really have no idea how to pull this off with openVPN itself..
 
TAP VPNs are tricky. It's usually simpler to use TUNs instead, unless you actually need broadcasts to work across the VPN.

You will probably need to insert runes inside an OpenVPN "up" script. I've seen some references to it on the web.
 
Ok, now I got it working properly (I hope, fingers crossed).

I've simply added all I could think of that might be needed to get this working.

Of course several lines can be erased; I will test tomorrow what can be deleted.

But here's thus far what I got to prevent the DHCP servers from other subnets being reached from other locations:

#!/bin/sh

insmod ebtables
insmod ebtable_filter
insmod ebt_ip
ebtables -I INPUT -i $TUNTAPINTERFACE -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -I OUTPUT -o $TUNTAPINTERFACE -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP

sleep 10
ebtables -F
ebtables -I FORWARD -i tap21 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -I FORWARD -o tap21 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -I INPUT -i tap21 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -I OUTPUT -o tap21 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A INPUT --in-interface tap21 --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A INPUT --in-interface tap21 --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP
ebtables -A FORWARD --in-interface tap21 --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A FORWARD --in-interface tap21 --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP

also in the logs I noticed the tap21 interface is up and running long before this script is being executed..

For those interested in blocking UPnP or NAT-PMP:
ebtables -A INPUT --in-interface tap11 --protocol ipv4 --ip-protocol udp --ip-destination-port 1900 -j DROP
ebtables -A INPUT --in-interface tap11 --protocol ipv4 --ip-protocol udp --ip-source-port 1900 -j DROP
ebtables -A FORWARD --out-interface tap11 --protocol ipv4 --ip-protocol udp --ip-destination-port 1900 -j DROP
ebtables -A FORWARD --out-interface tap11 --protocol ipv4 --ip-protocol udp --ip-source-port 1900 -j DROP

ebtables -A INPUT --in-interface tap11 --protocol ipv4 --ip-protocol udp --ip-destination-port 5351 -j DROP
ebtables -A INPUT --in-interface tap11 --protocol ipv4 --ip-protocol udp --ip-source-port 5351 -j DROP
ebtables -A FORWARD --out-interface tap11 --protocol ipv4 --ip-protocol udp --ip-destination-port 5351 -j DROP
ebtables -A FORWARD --out-interface tap11 --protocol ipv4 --ip-protocol udp --ip-source-port 5351 -j DROP
 
Final edit

To get the DHCP-madness run properly (multiple DHCP over TAP bridged openVPN networks) you have to do only the following:

  1. create the jffs directory (enable the option in the webGUI)
  2. verify there's a "scripts" directory inside the jffs! If it's not you simply must reboot a few times. Sometimes the jffs is initialized properly the 2nd time you reboot, sometimes it takes you 10 reboots. You also might want to switch off/on the jffs option in the webGUI several times. No panic, it will be initialized after several attempts!
  3. inside the "/jffs/scripts" you create the "services-start" file
  4. inside this file you put the following code
    #!/bin/sh
    sh /jffs/scripts/filt.sh&
  5. also create a file named "filt.sh" and put inside it following code
    #!/bin/sh
    ebtables -I FORWARD -i tap21 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
    ebtables -I FORWARD -o tap21 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
    ebtables -I INPUT -i tap21 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
    ebtables -I OUTPUT -o tap21 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
  6. both files must be set executable. I used 755 for both files
  7. to test if it works, reboot the router and login with putty or whatever you want to use. type "ebtables -L" and you should see the proper filters listed in the ebtables

NOTE: Check if your OpenVPN also uses tap21. If it uses something else, of course you must adapt the ebtables rules to your different tap number.
Note 2: see my previous post if you want to block upnp or pmp
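The summary's filt.sh and the earlier worry about creating rules that refer to tap21 before the interface is up, rolled into one script as an added example that is not from the thread: it waits for the interface, installs the same DHCP drop rules in both directions without stacking duplicates on re-runs, and can print the rule set without running ebtables. The function names, the TAP_IF variable and the "apply" argument are mine; tap21 is the interface the thread uses and may differ on your router.

```shell
#!/bin/sh
# Added example (not the thread's own script). Drops DHCP (UDP 67/68) on a
# TAP OpenVPN interface with ebtables, like the thread's filt.sh, but waits
# for the interface to exist and deletes each rule before inserting it, so
# re-running the script never stacks duplicate rules. Interface name comes
# from $TAP_IF, else OpenVPN's "dev" variable (set for --up scripts), else
# tap21, the interface the thread uses (an assumption for your router).
TAP_IF="${TAP_IF:-${dev:-tap21}}"

# Wait up to $2 seconds (default 60) for interface $1; return 1 on timeout.
wait_for_iface() {
    _if="$1"; _max="${2:-60}"; _n=0
    while [ ! -d "/sys/class/net/$_if" ]; do
        _n=$((_n + 1))
        [ "$_n" -ge "$_max" ] && return 1
        sleep 1
    done
    return 0
}

# Print one ebtables rule specification per line for interface $1: drop UDP
# to or from the DHCP ports in INPUT, OUTPUT and both FORWARD directions.
dhcp_block_rules() {
    for _where in "INPUT -i" "OUTPUT -o" "FORWARD -i" "FORWARD -o"; do
        for _port in --ip-destination-port --ip-source-port; do
            echo "$_where $1 -p IPv4 --ip-protocol udp $_port 67:68 -j DROP"
        done
    done
}

# Apply the rules for interface $1. With $2 = dry, print the commands instead
# of running them, so the rule set can be reviewed on a box without ebtables.
apply_dhcp_block() {
    dhcp_block_rules "$1" | while read -r _rule; do
        if [ "${2:-}" = "dry" ]; then
            echo "ebtables -I $_rule"
        else
            # $_rule is intentionally unquoted: its words are the arguments.
            ebtables -D $_rule 2>/dev/null
            ebtables -I $_rule
        fi
    done
}

# Run when invoked as "filt.sh apply" or as an OpenVPN --up script.
if [ "${1:-}" = "apply" ] || [ "${script_type:-}" = "up" ]; then
    wait_for_iface "$TAP_IF" 60 || { echo "$TAP_IF never appeared" >&2; exit 1; }
    apply_dhcp_block "$TAP_IF"
    ebtables -L    # show the result, as step 7 of the summary suggests
fi
```

Run `sh filt.sh apply` from services-start, or point OpenVPN's custom config at it with `up` and `script-security 2`; `apply_dhcp_block tap21 dry` shows what would be installed.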
 
