

Client VPN Inbound Firewall = Allowed!?

Discussion in 'Asuswrt-Merlin' started by Dogzdongliz, Jul 22, 2019.

  1. Dogzdongliz

    Dogzdongliz New Around Here

    Joined:
    Jul 22, 2019
    Messages:
    3
    Hi everyone, my first post so a little nervous.

    I'm after some advice on the way I've set up my home network.

    A little background...

    My current setup is a basic AC87U running Merlin, I use DDNS & VPN into my network when away.

    The only port I ever have open is 34200 for Plex remote access for friends; everything else I access via the AC87U VPN server.

    My home network consists of the usual stuff Xbox's, smartphones, wireless speakers etc. I run an unraid server, have the basic dockers, plex, sab, radarr, sonarr, transmission & pihole.

    Transmission & Sab go through a VPN client configured on the AC87U.

    This setup has served me well for years, but something has come along that's very tempting.

    "Vodafone Unlimited data plans".

    On my home broadband connection, my speeds are 27Mbps down & 8Mbps up, this is not to bad, but Vodafone gives me 180Mbps down & 40 up!

    Now, after some testing with a Vodafone SIM & a 4G router in modem mode, I've come across a pitfall.

    It seems that Vodafone uses carrier-grade NAT & it's causing me havoc with my VPN server & Plex remote access, due to the double NATting.

    The first thing I concentrated on was Plex remote access & I now have a working setup, but I'm not entirely sure if it's safe & what consequences this setup has.

    I use Torguard for my VPN provider & they allow port forwarding, so I set up a port forward (33445) & made the VPN client on my AC87U connect to the same IP every time.

    The setup is as follows;
    Plex (192.168.1.15) routed via the AC87U built-in VPN client to Torguard.
    iptables set on the AC87U are set as follows;

    iptables -I FORWARD -i tun15 -p udp -d 192.168.1.15 --dport 33445 -j ACCEPT
    iptables -t nat -I PREROUTING -i tun15 -p udp --dport 33445 -j DNAT --to-destination 192.168.1.15

    Now, this is the bit that concerns me, for this to work, I need to change the "Inbound Firewall" to "allow" on the client VPN settings page.

    I'm not sure what else this is allowing in from the VPN, I'm hoping someone will be able to educate me a little.

    If the above is ok, my next plan is to run an OpenVPN server on the network and apply the same methodology as the Plex server.

    Look forward to some replies, & hopefully not "SHUT IT DOWN NOW" lol

    Cheers
    Dogz
     
  2. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    9,101
    Location:
    UK
    Until the most recent release of Merlin this option never existed. So in effect it was always set to "allow". This is not an issue with regards to general access to your network from the public internet because your connection is NATed through the VPN providers network which would block unsolicited incoming connection attempts. The exception of course is the single port that you have deliberately asked the provider to forward for you.

    The firewall option is there to stop your VPN provider (or someone who has direct access to their internal network - think government agency) acting maliciously and trying to remotely access your network through the tunnel. Of course this would still require a lot of dedicated effort, and devices on your LAN like Windows PCs would still have their own firewalls to stop intrusion, but it's theoretically possible. Unless you're an exceptionally high-value target I can't see this being a realistic scenario.
     
  3. eibgrad

    eibgrad Senior Member

    Joined:
    Feb 20, 2017
    Messages:
    233
    You do NOT need to change the "Inbound Firewall" option to Allowed. Leave it as Blocked. Just as the GUI blocks all connections initiated inbound from the internet into the WAN by default, but allows you to define exceptions via port forwarding, the same is true of the Inbound Firewall option on the OpenVPN client. All traffic initiated inbound from the internet on the VPN tunnel is blocked by default, unless you similarly define exceptions, which is just what you did.

    You would typically only change the "Inbound Firewall" option to Allowed for a bidirectional (aka, site-to-site) tunnel, where you completely trust the server side of the tunnel to initiate *any* connections inbound.
     
    Last edited: Jul 22, 2019
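
The exception mechanism eibgrad describes, as an added example that is not code from the thread or from Asuswrt-Merlin itself: a small POSIX sh script that installs the DNAT and FORWARD exceptions for exactly one forwarded port while "Inbound Firewall" stays on Blocked, and that can be re-run safely. It assumes Merlin's tun1N naming for OpenVPN client N (tun11..tun15), that `iptables -C` is available to test for an existing rule, and that it is called from a user script such as /jffs/scripts/firewall-start; the client number, protocol, port and LAN address are the original post's values and are meant to be changed.

```shell
#!/bin/sh
# Added example (not from the thread): install the two iptables exceptions that
# let a VPN-provider port forward reach one LAN host through an Asuswrt-Merlin
# OpenVPN client, leaving "Inbound Firewall" on Blocked for everything else.
# Assumptions: Merlin names client N's interface tun1N (tun11..tun15), and the
# script is run from a user script such as /jffs/scripts/firewall-start.
# The values in the apply call (client 5, UDP 33445, 192.168.1.15) mirror the
# original post; change them for your own network.

# Map an OpenVPN client number (1-5) to its tun interface; reject anything else.
tun_for_client() {
    case "$1" in
        [1-5]) echo "tun1$1" ;;
        *) echo "client number must be 1-5, got '$1'" >&2; return 1 ;;
    esac
}

# Accept only a numeric TCP/UDP port in 1-65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Insert a rule only if an identical one is not already present (iptables -C),
# so firewall restarts and VPN reconnects never stack duplicate rules.
ensure_rule() {
    table="$1"; chain="$2"; shift 2
    if ! iptables -t "$table" -C "$chain" "$@" 2>/dev/null; then
        iptables -t "$table" -I "$chain" "$@"
    fi
}

# Open one forwarded port from the tunnel to one LAN host:
#  1. DNAT the packet arriving on tunXX to the LAN host (nat/PREROUTING);
#  2. allow only the rewritten packet through FORWARD, matched on the same
#     destination address, port and NEW state, so nothing else on the tunnel
#     gets past the Blocked default.
apply_vpn_forward() {
    client="$1"; proto="$2"; port="$3"; lan_ip="$4"
    iface=$(tun_for_client "$client") || return 1
    valid_port "$port" || { echo "bad port '$port'" >&2; return 1; }
    ensure_rule nat PREROUTING -i "$iface" -p "$proto" --dport "$port" \
        -j DNAT --to-destination "$lan_ip"
    ensure_rule filter FORWARD -i "$iface" -p "$proto" -d "$lan_ip" --dport "$port" \
        -m state --state NEW -j ACCEPT
}

# Only touch the firewall when explicitly asked, e.g.:  sh vpn-forward.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_vpn_forward 5 udp 33445 192.168.1.15
fi
```

Because both rules are inserted with `-I`, they sit ahead of Merlin's own tunnel blocking rules; the `-d`/`--dport` match on the FORWARD rule is what keeps the exception limited to the single forwarded port, which is the point of leaving the option on Blocked.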
  4. Dogzdongliz

    Dogzdongliz New Around Here

    Joined:
    Jul 22, 2019
    Messages:
    3
    Thanks everyone.
    Just turned on blocking and it’s working, despite plex saying the contrary.
     


    Last edited: Jul 22, 2019
  5. Dogzdongliz

    Dogzdongliz New Around Here

    Joined:
    Jul 22, 2019
    Messages:
    3
    Looking at VPN server options.

    Does anyone know if it's possible to get the AC87's VPN server to actually tunnel through the VPN client?
     
  6. Val D.

    Val D. Senior Member

    Joined:
    Jun 16, 2019
    Messages:
    220
    I use NordVPN and for some reason it doesn't work if Inbound Firewall is set to Blocked. Could be something VPN server specific, never bothered to investigate. Don't want to change the server though because it's very fast and very reliable. I'm getting constantly >200Mbps every time I check the speed and it disconnects only when I unplug the router. :cool:
     
  7. eibgrad

    eibgrad Senior Member

    Joined:
    Feb 20, 2017
    Messages:
    233
    You'll need to use the Manage Client-Specific Options section on the OpenVPN server config to define the local network behind the OpenVPN client (and reference that OpenVPN client based on its common name on the cert). And, of course, change Inbound Firewall to Allow.
     
  8. eibgrad

    eibgrad Senior Member

    Joined:
    Feb 20, 2017
    Messages:
    233
    Doesn't work for what? Just in general, or specifically for VPN port forwarding purposes?
     
  9. Val D.

    Val D. Senior Member

    Joined:
    Jun 16, 2019
    Messages:
    220
    Does not connect at all or works for a while, then disconnects and doesn't auto re-connect. The moment I change Inbound Firewall to Allowed, the problem disappears. Again, could be something specific to NordVPN server settings, the one I connect to. Asuswrt-Merlin before 384.12 did not have this option.
     
  10. Marin

    Marin Very Senior Member

    Joined:
    Sep 15, 2015
    Messages:
    715
    I have had NordVPN for a few years now and so far have not experienced any issues with the Firewall setting in terms of speed or disconnects. I have had some occasional disconnects but cannot pinpoint them to this particular setting.

    However, I do find the wording used for this setting somewhat confusing considering what it is supposed to do but maybe it is just me:

    “Block Firewall or Allow Firewall”? So, is allowing firewall same as turning/leaving it on? My simple view of a firewall is to block something malicious. So when you block something that “blocks” something else then that must mean that you are turning it off?

    It would be easier to have it shown as:

    Firewall: On or Off

    My 2 cents.


     
  11. eibgrad

    eibgrad Senior Member

    Joined:
    Feb 20, 2017
    Messages:
    233
    No obvious reason the OpenVPN server would need to be initiating connections inbound over the tunnel, which is what that option is blocking by default. Did you happen to notice if the blocking rules were getting any hits while the option was set to Blocked?

    Code:
    iptables -vnL OVPN
    If not, then most likely it's just a coincidence and something else is at play.

    If you keep it set to Allowed, you could add the following firewall rules and monitor them to determine if there are still attempts to initiate inbound connections.

    Code:
    iptables -I INPUT -i tun11 -m state --state NEW -j ACCEPT
    iptables -I FORWARD -i tun11 -m state --state NEW -j ACCEPT
    I'm assuming OpenVPN client #1 (tun11), so change the network interface accordingly if it's client #2 (tun12), etc.

    Again, if the packet counts on either rule are > 0, then perhaps there's some relevance (although I would need more information to determine what that was, e.g., tcpdump).
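
The check eibgrad suggests, as an added example that is not from the thread or from Asuswrt-Merlin: a sh/awk filter that reads the output of `iptables -vnxL OVPN` (or of the INPUT/FORWARD chains holding the monitoring rules) and reports only the rules on a given tun interface whose packet counter is above zero, which is the signal that something on the tunnel tried to initiate a connection inbound. It assumes the standard `iptables -vnL` column layout (pkts bytes target prot opt in out source destination [extra]); the sample chain listing embedded below is constructed for the example and is not a real capture from a router.

```shell
#!/bin/sh
# Added example (not from the thread): report OVPN / monitoring rules on one tun
# interface that have counted packets. Pipe real output in with:
#   iptables -vnxL OVPN | report_hits tun15
# -x prints exact counters instead of abbreviated "12K"-style values.
# Assumed column layout: pkts bytes target prot opt in out source destination [extra]

report_hits() {
    iface="$1"
    awk -v iface="$iface" '
        /^Chain/ || $1 == "pkts" { next }      # skip chain header and column header
        $6 == iface && $1 + 0 > 0 {            # $6 is the "in" column
            extra = ""
            for (i = 10; i <= NF; i++) extra = extra " " $i
            printf "%s pkts %s bytes %s proto=%s%s\n", $1, $2, $3, $4, extra
        }'
}

# Constructed sample, shaped like `iptables -vnxL OVPN`; not a real capture.
SAMPLE='Chain OVPN (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 DROP       all  --  tun11  *       0.0.0.0/0            0.0.0.0/0            state NEW
      37       2220 DROP       udp  --  tun15  *       0.0.0.0/0            0.0.0.0/0            udp dpt:33445 state NEW
       0          0 ACCEPT     all  --  tun12  *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED'

# Number of rules on the given interface that have seen packets (0 = no attempts).
count_hits() {
    printf '%s\n' "$SAMPLE" | report_hits "$1" | wc -l | tr -d ' '
}

# Stand-alone run: show what the sample yields for client 5 (tun15).
printf '%s\n' "$SAMPLE" | report_hits tun15
```

A zero line count for the interface means the blocking rules never fired while the option was on Blocked, which supports eibgrad's "coincidence" reading; a non-zero count gives you the protocol and port to take to tcpdump.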
     
  12. Val D.

    Val D. Senior Member

    Joined:
    Jun 16, 2019
    Messages:
    220
    It is working now, same server. I'm going to leave it as Blocked and monitor the connection.