How do I block internet if the PPTP tunnel goes down?


tomsk

Very Senior Member
Hi, apologies if this has been covered before.
I am using an ASUS RT-AC68U running Merlin firmware with VPN over PPTP configured as a client.
Is there a way to block internet if the PPTP tunnel goes down?
I see this as a feature in the GUI for OpenVPN clients.
 
No, you need to write a script.
 
So it's iptables, I guess? Can anyone point me in the direction of a good tutorial and I'll have a go :)
 
Maybe this can be a start.

This is a firewall script that stops traffic to the VPN if the tunnel drops.
I am sure it can be tweaked for your needs.
Use this for reference about loading scripts with RMerlin:
https://github.com/RMerl/asuswrt-merlin/wiki

And here is the script.
You would need to replace tun11 with ppp11.
I am not 100% sure about ppp11 with ASUS. I know tun11 is for Client 1 on the VPN,
but I am not sure about the PPTP client being ppp11; do some research on that.
This script should do the job you want.

If you use 192.168.15, that is going to the PPTP, then replace each IP address below with the IP addresses of your setup.


Code:
#!/bin/sh

# Give the firewall a moment to finish loading before inserting rules.
sleep 4

# Allow LAN (br0) traffic into the tunnel and tunnel traffic back to the LAN.
iptables -I FORWARD -i br0 -o tun11 -j ACCEPT
iptables -I FORWARD -i tun11 -o br0 -j ACCEPT
# Kill switch: these hosts may only leave via the tunnel; anything from them not going out tun11 is dropped.
iptables -I FORWARD ! -o tun11 -s 192.168.1.99 -j DROP
iptables -I FORWARD ! -o tun11 -s 192.168.1.98 -j DROP
iptables -I FORWARD ! -o tun11 -s 192.168.1.97 -j DROP
# Do not let anything arriving on the VPN side reach the router itself.
iptables -I INPUT -i tun11 -j REJECT
# NAT the LAN hosts behind the tunnel address.
iptables -t nat -A POSTROUTING -o tun11 -j MASQUERADE

# Run this once from a shell after saving the file, not from inside the script
# (a script cannot make itself executable; it has to be executable before it can run):
# chmod a+rx /jffs/scripts/firewall-start
 
Much appreciated, Yorgi. I believe the PPTP is ppp5 for the ASUS
Code:
Sep 18 09:13:55 pptp[26836]: Connect: ppp5 <--> pptp (104.23X.XX.XXX)
Sep 18 09:13:56 pptp[26836]: CHAP authentication succeeded
Sep 18 09:13:56 pptp[26836]: MPPE 128-bit stateless compression enabled
Sep 18 09:13:56 pptp[26836]: local  IP address 10.0.0.10
Sep 18 09:13:56 pptp[26836]: remote IP address 10.0.0.1
Sep 18 09:13:56 pptp[26836]: primary   DNS address 10.0.0.1
Sep 18 09:13:56 pptp[26836]: secondary DNS address 10.0.0.1
 
When you connect to
Cool, let me know how it works out for you.
Once you establish a connection to your PPTP, take a look at the system log/routing;
you should see the PPTP protocol in use.
 
I also forgot: once you create this script, you need to call it firewall-start.
Read on how to enable and use scripts in the link I provided and it should go smoothly.
Let me know if you run into any problems.
 
If I run the route command I get this output
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
104.237.90.131  192.168.1.1     255.255.255.255 UGH   0      0        0 vlan2 
192.168.1.1     *               255.255.255.255 UH    0      0        0 vlan2
192.168.2.0     *               255.255.255.0   U     0      0        0 br0
192.168.1.0     *               255.255.255.0   U     0      0        0 vlan2
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         10.0.0.1        0.0.0.0         UG    0      0        0 ppp5
default         192.168.1.1     0.0.0.0         UG    1      0        0 vlan2

So what is the IP address I plug into the iptables command in this instance? Thanks
 
You will need to assign static IP addresses to the devices that need their connection dropped if the tunnel goes down.
So, assuming you have a PC you want to secure, assign it a static IP like 192.168.1.15 and put that IP address in the iptables script. If the tunnel drops, the iptables rule will tell the router's firewall to stop traffic to IP address 192.168.1.15.
 
Looking at your routing, you might have to replace br0 with vlan2.
You need to test this script thoroughly as it was written for OpenVPN.
I am sure you can make it work with a little persistence :) because for some reason br0, which is your WAN, is assigned a different IP address.
Is your router's IP address 192.168.1.1 or 192.168.2.1?
If I am correct, the script should start with
iptables -I FORWARD -i vlan2 -o ppp5 -j ACCEPT
Try it out and let me know how it goes.
 
Ah... OK, I'm with it now :) At the moment (because I also have no idea how to steer traffic to the WAN or the VPN) everything is going to the VPN... so can I just use 0.0.0.0 to kill any device from connecting?
 
I'm double NATed... the main router's LAN is 192.168.1.1 and the ASUS is 192.168.2.1.

I will play around with the settings and let you know (once the internet-dependent horde of teenagers in the house go to sleep ;) )
 
OK... set three devices with static IP addresses and got this into /jffs/scripts/firewall-start as executable
Code:
#!/bin/sh

sleep 4

iptables -I FORWARD -i vlan2 -o ppp5 -j ACCEPT
iptables -I FORWARD -i ppp5 -o vlan2 -j ACCEPT
iptables -I FORWARD ! -o ppp5 -s 192.168.2.50 -j DROP
iptables -I FORWARD ! -o ppp5 -s 192.168.2.60 -j DROP
iptables -I FORWARD ! -o ppp5 -s 192.168.2.70 -j DROP
iptables -I INPUT -i ppp5 -j REJECT
iptables -t nat -A POSTROUTING -o ppp5 -j MASQUERADE

Will see how it goes at reboot...
 

Hmmm... well, that doesn't work. No devices are able to connect, regardless of whether they are in the tables or not. The VPN tunnel was up. Any idea? Does the VPN tunnel have to be up before applying the iptables rules??
 
Yes, you need to have the tunnel up, otherwise the script will stop the internet.
At least it's working.
Let me know.
 
First, I would get rid of the double NAT; keep it in one subnet, at least for your tests.
Then, instead of vlan, put br0; that will work.
 
Unfortunately I can't get around the double NAT in my situation to try the br0 configuration. It seems the vlan interface is the issue here, with lots of conflicting info on whether iptables handles it well. I did find the following code example
Code:
iptables -I INPUT -i vlan6 -j ACCEPT
iptables -I FORWARD -i vlan6 -o br0 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i vlan6 -o ppp0 -m state --state NEW -j ACCEPT
Do you think I need to put this state matching in the script to make it work for VLANs?
 
Doing some more digging around for clues on how to get this to work, I came across the suggestion to use "eth0.2" instead of "vlan2"... I don't know if this is older advice that is not applicable any more... it seems iptables has trouble with logical devices?
 
If I do an iptables -L -v command, I get the following output for the FORWARD chain
Code:
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         
65749 4079K TCPMSS     tcp  --  any    any     anywhere             anywhere             tcpflags: SYN,RST/SYN TCPMSS clamp to PMTU
  11M   14G ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
    0     0 DROP       all  --  !br0   vlan2   anywhere             anywhere           
    0     0 DROP       all  --  vlan2  any     anywhere             anywhere             state INVALID
    0     0 ACCEPT     all  --  br0    br0     anywhere             anywhere           
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate DNAT
107K 7988K ACCEPT     all  --  br0    any     anywhere             anywhere           
    0     0 DROP       all  --  !br0   ppp5    anywhere             anywhere

I read this as "drop any inbound connection to vlan2 (WAN connection) or ppp5 (VPN) unless it comes from br0 (the bridge)". So does this mean that your original suggestion
Code:
#!/bin/sh

sleep 4

iptables -I FORWARD -i br0 -o ppp5 -j ACCEPT
iptables -I FORWARD -i ppp5 -o br0 -j ACCEPT
iptables -I FORWARD ! -o ppp5 -s 192.168.2.50 -j DROP
iptables -I FORWARD ! -o ppp5 -s 192.168.2.60 -j DROP
iptables -I FORWARD ! -o ppp5 -s 192.168.2.70 -j DROP
iptables -I INPUT -i ppp5 -j REJECT
iptables -t nat -A POSTROUTING -o ppp5 -j MASQUERADE

should work even though br0 is showing a LAN IP instead of a WAN IP?
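The kill switch this thread circles around, written out as an added example (not code from any post here, nor from Asuswrt-Merlin): br0 as the LAN-side input interface, since the FORWARD listing above shows LAN traffic entering on br0, ppp5 for the PPTP client as in the log, and a custom chain so firewall-start can be re-run without stacking duplicate rules. The three host addresses and the VPNKILL chain name are constructed for the example.

```shell
#!/bin/sh
# Added example for /jffs/scripts/firewall-start, not code from the thread or from
# Asuswrt-Merlin. Assumed names: LAN bridge br0, PPTP client interface ppp5 (from
# the log in the thread), protected hosts on static LAN addresses (constructed).
# DRY_RUN=1 prints the iptables commands instead of running them.

VPN_IF="${VPN_IF:-ppp5}"
LAN_IF="${LAN_IF:-br0}"
PROTECTED="${PROTECTED:-192.168.2.50 192.168.2.60 192.168.2.70}"
CHAIN="VPNKILL"   # constructed chain name

ipt() {  # run one iptables command, or echo it in dry-run mode
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "iptables $*"; else iptables "$@"; fi
}

ensure() {  # ensure <table> <chain> <rule...>: remove any old copy, then insert at the top
    table="$1"; chain="$2"; shift 2
    ipt -t "$table" -D "$chain" "$@" 2>/dev/null || true
    ipt -t "$table" -I "$chain" "$@"
}

apply_killswitch() {
    # The kill-switch rules live in their own chain so a re-run (firewall-start
    # is executed on every firewall restart) replaces them instead of stacking copies.
    ipt -N "$CHAIN" 2>/dev/null || true
    ipt -F "$CHAIN"
    for ip in $PROTECTED; do
        # A protected host may leave only through the tunnel. With ppp5 down the
        # kernel falls back to the WAN default route (vlan2 in the thread), the
        # output interface is no longer ppp5, and the packet is dropped here.
        ipt -A "$CHAIN" -s "$ip" ! -o "$VPN_IF" -j DROP
    done
    # Hook the chain at position 1 of FORWARD, above the stock RELATED,ESTABLISHED
    # accept, so flows begun while the tunnel was up cannot keep leaking over the WAN.
    ensure filter FORWARD -i "$LAN_IF" -j "$CHAIN"
    ensure filter FORWARD -i "$LAN_IF" -o "$VPN_IF" -j ACCEPT
    ensure filter FORWARD -i "$VPN_IF" -o "$LAN_IF" -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Nothing arriving from the VPN side may talk to the router itself.
    ensure filter INPUT -i "$VPN_IF" -j REJECT
    ensure nat POSTROUTING -o "$VPN_IF" -j MASQUERADE
}

# Apply the rules only when installed under the firewall-start name; sourcing
# the file elsewhere just defines the functions.
case "$0" in
    */firewall-start|firewall-start) apply_killswitch ;;
esac
```

Only forwarded traffic is covered: DNS queries the router itself forwards on the hosts' behalf leave through its OUTPUT chain, which these rules do not touch.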
 