OpenVPN, firewall-start & DNS woes

[mrDavid]

hi all,
I'm trying to implement the scripts in How-to-Direct-Traffic-over-VPN-and-Drop-connections-if-VPN-goes-down. RT-AC87u + Merlin 378.55_0 + Express VPN

openvpn-event is working fine. The client included is routed through the VPN successfully. Other clients are not (yay)

firewall-start causes DNS forwarding to stop working on *all* machines. As best I can tell other traffic is unaffected - i can ping external IPs and cached names and even use FTP.

So.
NSlookups to 8.8.8.8 work fine on all clients
NSlookups to my router resolves internal names but time-out on external names
Results are consistent if I configure DHCP/static DNS on the clients
Including both 8.8.8.8 and the router as client DNS have the same results depending on which server is first in the listed

help..

admin@router:/jffs/scripts# cat openvpn-event
#!/bin/sh
touch /jffs/scripts/openvpn-event-has-run
sleep 2

for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
echo 0 > $i
done

ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING

ip route show table main | grep -Ev ^default | grep -Ev tun11\
| while read ROUTE ; do
  ip route add table 100 $ROUTE
done

ip route add default table 100 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 100
ip route flush cache

iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.0.72 -j MARK --set-mark 0
exit 1

admin@router:/jffs/scripts# cat firewall-start
#!/bin/sh
touch /jffs/scripts/firewall-start-has-run

sleep 4

iptables -I FORWARD -i br0 -o tun11 -j ACCEPT
iptables -I FORWARD -i tun11 -o br0 -j ACCEPT
iptables -I FORWARD ! -o tun11 -s 192.168.0.72 -j DROP
iptables -I INPUT -i tun11 -j REJECT
iptables -t nat -A POSTROUTING -o tun11 -j MASQUERADE

chmod a+rx /jffs/scripts/firewall-start

(that last line looks like it was included in the template by mistake...but keeping it verbose until it works!)

admin@router:/jffs/scripts# ls -l
-rwxrwxrwx    1 admin  root           344 Aug 29 22:13 firewall-start-disabled
-rw-rw-rw-    1 admin  root             0 Aug 29 23:59 firewall-start-has-run
-rwxrwxrwx    1 admin  root            57 Aug 28 12:24 init-start
-rwxrwxrwx    1 admin  root           768 Aug 28 15:28 openvpn-event
-rw-rw-rw-    1 admin  root             0 Aug 30 00:08 openvpn-event-has-run

 

[RMerlin]

No need for any script. Enable Policy-based routing, add a rule for your entire subnet through the VPN tunnel, add another rule for the router's IP to go through the WAN, and enable "Block routed clients if tunnel goes down".

Anything based on packet marking will interfere with the TrendMicro DPI engine and QoS.

 

[mrDavid]

working great now, many thanks

 

[Calisro]

@RMerlin what did you mean by packet marking interferes with Trendmicro DPI?

 

[RMerlin]

@RMerlin what did you mean by packet marking interferes with Trendmicro DPI?

If you use any feature based on the Trend Micro DPI engine, your firewall rules might end up being removed as the engine reconfigures iptables. Marks can also be modified by the QoS subsystem, which also uses packet marking to classify traffic.