scripts & cron

Discussion in 'Asuswrt-Merlin' started by mrgenie, Nov 22, 2012.

  1. mrgenie

    mrgenie Occasional Visitor

    Joined:
    Nov 22, 2012
    Messages:
    24
    I have successfully set up an openVPN network across the continent using DD-wrt.

    Now I want to use the Asusmerlin openVPN to act as a server.

    I've found in DD-WRT that clients on other networks sometimes pick DHCP from other openVPN subnets.

    To avoid this, and so everyone stays in their own network (gateway/dns/etc) but everyone can connect to every single client in other subnets (openVPN clients), I've set up a class B network and use a script on DD-wrt to avoid wrong DHCP servers from other subnets.

    I've put the following script in the "Cron" tab of the DD-wrt router:

    @reboot sleep 30;/sbin/insmod /lib/modules/2.6.24.111/ebtables.o;/sbin/insmod /lib/modules/2.6.24.111/ebt_ip.o;/sbin/insmod /lib/modules/2.6.24.111/ebtable_filter.o;ebtables -F;ebtables -I FORWARD -i tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP;ebtables -I FORWARD -o tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP;ebtables -I INPUT -i tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP;ebtables -I OUTPUT -o tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP

    How would I do this in Merlin-Asuswrt or is this not necessary on Merlin-Asuswrt for a class B network spanning the continent?
     
  2. RMerlin

    RMerlin Part of the Furniture

    Joined:
    Apr 14, 2012
    Messages:
    12,729
    Location:
    Canada
    Not sure if this is needed or not - it will probably be needed if you set up a TAP VPN instead of a TUN.

    You will need to enable the JFFS partition to be able to use user scripts. See the Wiki for more details.

    Cron jobs can be easily created using the cru command (type "cru" at the shell prompt for a usage description). You can put the commands inside a services-start user script, for example.
     
  3. mrgenie

    mrgenie Occasional Visitor

    Joined:
    Nov 22, 2012
    Messages:
    24
    Can't figure out how to rewrite this for Asus-Merlin-wrt

    would become in Merlin:
    I just found "https://github.com/RMerl/asuswrt-merlin/wiki/WOL-Script-Wake-Up-Your-Webserver-On-Internet-Traffic" so I tried to give it a go.. still trying at the moment..
    The file system read-only error I got seems to disappear automatically after switching on/off the jffs and rebooting 5 or 6 times.

    obviously the "sleep 30" isn't needed for merlin wrt, as I have several options where to run the script.

    Thus far I've managed most steps, and in the logging I see "drops" although the logging doesn't tell me exactly what is dropped. So I guess I have to trial and error to see if the ebtables are set by simply adding above lines to the startup script
    Thank you for your great work merlin!
     
    Last edited: Nov 23, 2012
  4. RMerlin

    RMerlin Part of the Furniture

    Joined:
    Apr 14, 2012
    Messages:
    12,729
    Location:
    Canada
    Those modules are already loaded by the kernel, you don't need to manually insert them:

    You just need to put your ebtable commands. There's no special way to write a script, it's just a text file that will contain the lines you want to execute. So, the services-start script would be just a text file saved as /jffs/scripts/services-start containing the ebtable lines. See the Wiki post on User scripts for some basic requirements of Linux scripts (they must be set as executable, contain a shell shebang at the start, etc...)

    I suspect the sleep command was to give time to the tunnel to establish itself before trying to create a rule referring to tun21. If the script doesn't work without it then try adding it back.

    As an alternative way of implementing those ebtable rules, it's also possible to configure OpenVPN itself to run a script when an interface is brought up. See the OpenVPN documentation for details - I don't know them myself since I never used them, but I know it exists.
     
  5. mrgenie

    mrgenie Occasional Visitor

    Joined:
    Nov 22, 2012
    Messages:
    24
    Summary

    So, my services-start looks like this:

    and I did the chmod +x /jffs/scripts/services-start

    That's all, or do you see any mistake in this process?
     
  6. RMerlin

    RMerlin Part of the Furniture

    Joined:
    Apr 14, 2012
    Messages:
    12,729
    Location:
    Canada
    Looks good to me, give it a try. Only thing I'm not sure about is how it will accept creating rules referring to tap21 if that interface isn't up yet. If that's a problem, then you will have to rely on OpenVPN's own up script that can be added through the custom config section.
     
  7. erwinquek

    erwinquek Occasional Visitor

    Joined:
    Aug 14, 2012
    Messages:
    24
  8. mrgenie

    mrgenie Occasional Visitor

    Joined:
    Nov 22, 2012
    Messages:
    24
    Well, if that's a problem I can still use the "sleep" option, as I haven't experimented with openVPN scripts before and in my experience getting into new scripting territory is usually a pain in the a** because of the different syntax (assuming they have a different syntax of their own)

    anyway, thus far everyone is getting the proper DHCP servers within their own local subnets and not retrieving IP's/Gateways/DNS/Subnet masks from remote DHCP servers of different openVPN subnets..

    I wonder how I can test if it really works.. for normal TCP/IP traffic you can check ports and send a packet to see if it's blocked/dropped.. But the ebtables (DHCP server) is one layer lower on the network than TCP/IP .. which makes sense because a client needs to find the DHCP server before it gets any info about the TCP/IP network... but thus far I haven't found a single software on the internet to actually ping/try/trace on this network layer.. Would be very useful if I knew about a software with these capabilities.

    Anyway, where do I donate for the merlinwrt firmware?
     
  9. mrgenie

    mrgenie Occasional Visitor

    Joined:
    Nov 22, 2012
    Messages:
    24
    well, as you can see in the post previously, with the "cru" command you can add cron jobs..
    for the scripting there's 1 example in the wiki (WOL)

    as far as I understood.. all you have to do is make any script you're running executable as described in detail above, and don't forget the #!/bin/sh at the top of the file to let linux know what this file is for..

    the rest is basic linux scripting if I understood correctly.

    There's also an option described in the wiki how to test your scripts manually..
     
  10. RMerlin

    RMerlin Part of the Furniture

    Joined:
    Apr 14, 2012
    Messages:
    12,729
    Location:
    Canada
    One easy way to test this is to disable the DHCP server on the local LAN segment (assuming you have control of it), and see if you are able to issue a DHCP lease renewal on one of your clients. If not, then it will confirm that your rules are indeed preventing DHCP requests from reaching the DHCP server on the other side of the tunnel.

    There's a Paypal button on my personal website (link is in my signature). Thank you :)
     
  11. mrgenie

    mrgenie Occasional Visitor

    Joined:
    Nov 22, 2012
    Messages:
    24
    Ok, the ebtables in the script file don't prevent clients from accessing remote dhcp servers. Bummers, as I really have no idea how to pull this off with openVPN itself..
     
  12. RMerlin

    RMerlin Part of the Furniture

    Joined:
    Apr 14, 2012
    Messages:
    12,729
    Location:
    Canada
    TAP VPNs are tricky. It's usually simpler to use TUNs instead, unless you actually need broadcasts to work across the VPN.

    You will probably need to insert runes inside an OpenVPN "up" script. I've seen some references to it on the web.
     
  13. mrgenie

    mrgenie Occasional Visitor

    Joined:
    Nov 22, 2012
    Messages:
    24
    Ok, now I got it working properly (I hope, fingers crossed)

    I've simply added all I could think of that might be needed to get this working..

    Of course several lines can be erased, will test them tomorrow what can be deleted..

    but here's thus far what I got to prevent the DHCP's from other subnets being reached from other locations:

    also in the logs I noticed the tap21 interface is up and running long before this script is being executed..

    For those interested in blocking UPnP or PmP over nat:
     
    Last edited: Nov 25, 2012
  14. mrgenie

    mrgenie Occasional Visitor

    Joined:
    Nov 22, 2012
    Messages:
    24
    Final edit

    To get the DHCP-madness run properly (multiple DHCP over TAP bridged openVPN networks) you have to do only the following:

    1. create the jffs directory (enable the option in the webGUI)
    2. verify there's a "scripts" directory inside the jffs! If it's not, you simply must reboot a few times. Sometimes the jffs is initialized properly the 2nd time you reboot, sometimes it takes you 10 reboots. You also might want to switch off/on the jffs option in the webGUI several times. No panic, it will be initialized after several attempts!
    3. inside the "/jffs/scripts" you create the "services-start" file
    4. inside this file you put the following code
    5. also create a file named "filt.sh" and put inside it following code
    6. both files must be set executable. I used 755 for both files
    7. to test if it works, reboot the router and login with putty or whatever you want to use. type "ebtables -L" and you should see the proper filters listed in the ebtables

    NOTE: Check if your openVPN also uses tap21. If it uses something else, of course you must adapt the ebtables to your different tap number.
    Note 2: see my previous post if you want to block upnp or pmp
     
    Last edited: Nov 26, 2012
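One way to write the services-start file the checklist above describes, as an added example and not the thread's own script (whose contents were not preserved on the page): it assumes tap21, busybox sh and the ebtables options used earlier in the thread, waits for the TAP interface before inserting rules (the concern raised in posts 6 and 8), and ends with the "ebtables -L" check from step 7.

```shell
#!/bin/sh
# Added example for /jffs/scripts/services-start (not the poster's own file).
# Blocks DHCP (UDP 67/68) on a bridged TAP OpenVPN interface with ebtables.
# Assumptions: interface tap21, busybox sh, ebtables with the ebt_ip options
# used in the thread. Set EBTABLES=echo to dry-run without touching the kernel.

TAPIF="${TAPIF:-tap21}"
EBTABLES="${EBTABLES:-ebtables}"
WAIT_SECS="${WAIT_SECS:-60}"
NET_SYSFS="${NET_SYSFS:-/sys/class/net}"   # overridable so the wait is testable

# Print one ebtables argument list per line for the given interface; a pure
# function so the rule set can be inspected without root or ebtables installed.
dhcp_block_rules() {
    _m="-p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP"
    printf '%s\n' "-I FORWARD -i $1 $_m" "-I FORWARD -o $1 $_m" \
                  "-I INPUT -i $1 $_m" "-I OUTPUT -o $1 $_m"
}

# Poll until the interface exists (max $2 seconds); returns 1 on timeout so
# the caller does not insert rules that reference an interface not yet up.
wait_for_iface() {
    _n=0
    while [ ! -e "$NET_SYSFS/$1" ]; do
        _n=$((_n + 1))
        [ "$_n" -ge "$2" ] && return 1
        sleep 1
    done
}

# Flush first so re-running the script never duplicates rules (idempotent).
apply_dhcp_block() {
    $EBTABLES -F || return 1
    dhcp_block_rules "$1" | while read -r _rule; do
        $EBTABLES $_rule || exit 1   # word splitting of $_rule is intended
    done
}

main() {
    if wait_for_iface "$TAPIF" "$WAIT_SECS"; then
        apply_dhcp_block "$TAPIF" && logger -t services-start "DHCP block set on $TAPIF"
    else
        logger -t services-start "$TAPIF not up after ${WAIT_SECS}s; no rules applied"
    fi
    $EBTABLES -L    # step 7 of the checklist: confirm the filters are listed
}

# Run only when executed as the firmware's services-start script (file can also be sourced).
case "$(basename "$0")" in services-start) main ;; esac
```

Save it as /jffs/scripts/services-start with mode 755 as in step 6; a dry run with EBTABLES=echo prints the exact rules without changing anything.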
