ASUS Merlin filter OpenVPN connections


nick_max

Occasional Visitor
Hello gentlemen,

I have a simple, yet complicated issue I need some help with, please.

I have a home router ASUS N66U with ASUS Merlin firmware 380.68_2.

I connect from the internet to my home router through an OpenVPN connection. I would like to restrict all connections to my home OpenVPN router to a single one originating from a static IP. All other connections related to OpenVPN I want dropped. All regular router traffic should be unaffected.

Now, I have added in the iptables INPUT chain the following rules:
iptables -I INPUT 1 -p tcp -i tun21 -s x.x.x.x --dport 443 -j ACCEPT
iptables -I INPUT 2 -i tun21 -j DROP

The problem is that these rules don't work. It's as if they aren't even there.

Is anybody kind enough to help me with my problem, please?

Thank you
 
The incoming VPN connection will be on the WAN interface, not on the TUN interface.
 
Hi,

Thank you for your reply.
I have added the 2 rules and they are working as intended linked to the VPN connection.
iptables -I INPUT 1 -p tcp -i ppp0 -s x.x.x.x --dport 443 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -I INPUT 2 -i ppp0 -j DROP

But, this way everything is blocked, including plain browsing.

Is there a way to restrict connections only to the tun/VPN interface and leave everything else unaffected?

Thank you.
 
Have the second rule only DROP if --dport is 443, instead of dropping all traffic.
 
Hello gentlemen,

I have another problem I need some help with, please.

I need to set the above OpenVPN iptables rules to auto-apply themselves every time my router restarts. I have placed these rules in an executable script file called /jffs/scripts/openvpn.sh
I have tried to add the following line in the services-start file:

sh /jffs/scripts/openvpn.sh

The above script call doesn't work - can anybody help me with my problem, please?
If I execute the file manually, it works fine.

Note: I need to apply these rules at the very end of the booting process, after all services/processes are started.

Thank you.

Router: ASUS RT-AC88U
Firmware: asus-merlin 384.5
 
Firewall rules must go in firewall-start or nat-start, otherwise any firewall restart will erase them.
 
Hi Merlin,

My custom iptables rules worked flawlessly in /jffs/scripts/nat-start right up until I installed the latest firmware, i.e. 384.6.
After the new firmware, the custom rules in the nat-start file are executed 3 times.

I have tried alternative solutions but nothing seems to work, the rules from nat-start are always applied 3 times.

The only solution that works is to remove the nat-start file and add my iptables manually after each reboot.

Do you have any ideas, please?

Thank you.
 
Try my nat-start template
 
Hi Martineau,
Thanks for the suggestion, but does it make sense to run a script that prevents another script from running 3 times?
There must be some glitch in the current firmware (384.6) because the previous one was working flawlessly.

Note: While looking at the link you have provided, I have noticed that I am also using a sleep command (sleep 20) in the script to delay the execution of my custom iptables rules. Maybe the issue is related to this sleep command?

Thank you
 
Thanks for the suggestion, but does it make sense to run a script that prevents another script from running 3 times?
There must be some glitch in the current firmware (384.6) because the previous one was working flawlessly.

As you don't appear to have received a reply to your post #9 perhaps you could revert back to v384.5 and extract the number of nat-start instances that run during the boot process (with start/end times) in order to assist the developer by proving that v384.6 is now flawed.

Note: While looking at the link you have provided, I have noticed that I am also using a sleep command (sleep 20) in the script to delay the execution of my custom iptables rules.

Maybe the issue is related to this sleep command?

I doubt it.
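Putting the thread's answers together as an added example (not code from the thread or from the Asuswrt-Merlin project): a /jffs/scripts/firewall-start that accepts OpenVPN on the WAN interface only from one static address, drops every other connection to that port and leaves all other traffic alone, and that checks with `iptables -C` before inserting so it stays harmless when the firmware runs it more than once. The interface ppp0 and port 443 come from the thread; the address 198.51.100.10 is a placeholder for the real static IP, and the script only touches iptables when /jffs exists (i.e. on the router).

```shell
#!/bin/sh
# /jffs/scripts/firewall-start (path from the thread; make it executable)
# Allow OpenVPN on TCP/443 only from one static source address on the WAN side,
# drop every other connection to that port, leave all other traffic untouched.

WAN_IF="${WAN_IF:-ppp0}"                     # WAN interface from the thread (PPPoE)
ALLOWED_SRC="${ALLOWED_SRC:-198.51.100.10}"  # placeholder for the real static IP (x.x.x.x in the thread)
VPN_PORT="${VPN_PORT:-443}"
IPT="${IPT:-iptables}"                       # overridable so the logic can be exercised without root

# Print the rule specs in the order they must sit in INPUT: ACCEPT for the
# allowed source first, then a DROP that matches only the VPN port, so plain
# browsing and everything else arriving on the WAN interface is unaffected.
rule_specs() {
    echo "INPUT -i $WAN_IF -p tcp -s $ALLOWED_SRC --dport $VPN_PORT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
    echo "INPUT -i $WAN_IF -p tcp --dport $VPN_PORT -j DROP"
}

# Insert a rule at the top of the chain only if it is not already present.
# This keeps the chain free of duplicates when the firmware calls the script
# several times (the thread reports nat-start running three times on 384.6).
ensure_rule() {
    # $1 is one spec from rule_specs; left unquoted on purpose so it word-splits
    if $IPT -C $1 2>/dev/null; then
        return 0
    fi
    $IPT -I $1
}

apply_rules() {
    # Walk the specs in reverse so that after all -I insertions the first spec
    # ends up on top: the DROP goes in first, then the ACCEPT above it.
    rule_specs | sed '1!G;h;$!d' | while read -r spec; do
        ensure_rule "$spec"
    done
}

# Sanity check for the rule set: exactly two specs, ACCEPT before DROP.
check_order() {
    rule_specs | sed -n '1p' | grep -q -- '-j ACCEPT$' || return 1
    rule_specs | sed -n '2p' | grep -q -- '-j DROP$' || return 1
    [ "$(rule_specs | wc -l)" -eq 2 ]
}

# Only modify the firewall on the router itself (where /jffs exists).
if [ -d /jffs ]; then
    apply_rules
fi
```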
 
