Firewall Setting TFM for OpenVPN


Kevin K

Regular Contributor
On the OpenVPN server advanced settings page, there is a "Firewall" setting which can be Automatic, External Only, or Custom.

Can someone point me to the doc for exactly what these values mean?

(I understand that they control the firewall settings used by OpenVPN server. I'm looking for the details. e.g. "Setting it to Custom will cause the following changes to be applied...")
 
This is a great resource to use with OVPN settings:
Code:
https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
 
Thanks. That's true for the entries on the router OpenVPN server config page which directly map to OpenVPN settings. e.g. Server Port on the settings page is pretty clearly the same thing as the port number in the OpenVPN config.

I could be mistaken, but doesn't the Firewall setting on the config page cause router config scripts to update /tmp/etc/openvpn/fw/server1-fw.sh? I don't think the OpenVPN doc describes the config which is outside of the OpenVPN product.
 
"Auto" means the firmware takes care of creating every required firewall rule, NAT rules for the tunnel, etc...

"Custom" means nothing is configured by the router, you have to do everything yourself manually.

"External" will block LAN access I believe (not 100% sure, I didn't write that code, I merely ported it as-is from the original Tomato code).

Try to find some older Tomato docs, it might better describe what each of these does. It's one of those settings that I feel shouldn't be there, but I decided to keep it to remain as close as possible to the original Tomato implementation and all of its existing documentation. Some of these might eventually be retired as they serve a useful purpose, and Asuswrt-Merlin's implementation now has its own documentation and support from VPN tunnel providers.

Revising OpenVPN configuration is something I have planned for the future, if I can ever finalize catching up on Asus's recent GPL releases.
 

On my RT-AC68U running Firmware v384.4_Beta1 there are only two options???

Firewall=Automatic or Firewall=Custom

and v384.xx has also altered the way the iptable chains are used.

i.e. this new FORWARD chain is used to hold (surprise surprise!) VPN related rules
Code:
Chain OVPN (2 references)
num   pkts bytes target     prot opt in     out     source               destination        
1        0     0 ACCEPT     all  --  tun22  *       0.0.0.0/0            0.0.0.0/0          
2        0     0 ACCEPT     all  --  tun12  *       0.0.0.0/0            0.0.0.0/0          
3        0     0 ACCEPT     all  --  tun11  *       0.0.0.0/0            0.0.0.0/0          
4        0     0 ACCEPT     all  --  tun21  *       0.0.0.0/0            0.0.0.0/0
and in Firewall=Automatic mode will contain an entry for each active VPN Client/Server interface.

However, in Firewall=Custom mode the entry for the VPN Client interface is missing
i.e. the table shown above does not contain an entry for tun15 even though VPN Client 5 is indeed UP and connected.

Two other rules are similarly also missing in Firewall=Custom mode

-t mangle
Code:
-A PREROUTING -i tun15 -j MARK --set-xmark 0x1/0x7
-t nat
Code:
-A POSTROUTING -s $LAN/24 -o tun15 -j MASQUERADE
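The three rules listed in this post are exactly what a user has to recreate by hand once Firewall=Custom is selected. The script below is an added example, not code from the thread or from the Asuswrt-Merlin firmware: it takes the tunnel interface and LAN subnet as parameters (the interface name tun15 and the $LAN/24 subnet are the thread's; the concrete 192.168.1.0/24 value is a constructed placeholder), emits the filter, mangle and nat rules in the same form the post shows for Automatic mode, and applies each one only if it is not already present so that re-running it does not pile up duplicate entries. The mark value 0x1/0x7 is copied from the post's mangle rule; the OVPN chain is assumed to already exist, as the post's listing shows it does.

```shell
#!/bin/sh
# Added example: recreate, in Firewall=Custom mode, the rules that the
# thread shows Firewall=Automatic creating for a VPN client interface.
# Rule contents (OVPN ACCEPT, MARK --set-xmark 0x1/0x7, MASQUERADE) are
# taken from the post above; the interface and subnet are parameters.

# Print one rule per line as "<table> <chain> <rule spec>" so the same
# list can be inspected, applied, or removed without editing it twice.
ovpn_rules() {
  iface="$1"   # e.g. tun15 for VPN Client 5
  lan="$2"     # e.g. 192.168.1.0/24 (constructed placeholder for $LAN/24)
  printf '%s\n' \
    "filter OVPN -i $iface -j ACCEPT" \
    "mangle PREROUTING -i $iface -j MARK --set-xmark 0x1/0x7" \
    "nat POSTROUTING -s $lan -o $iface -j MASQUERADE"
}

# Apply each rule only when 'iptables -C' reports it missing (non-zero
# exit), so the script is safe to run from a firewall hook repeatedly.
apply_ovpn_rules() {
  ovpn_rules "$1" "$2" | while read -r table chain spec; do
    # shellcheck disable=SC2086  # spec is intentionally word-split
    iptables -t "$table" -C "$chain" $spec 2>/dev/null \
      || iptables -t "$table" -A "$chain" $spec
  done
}

# Mirror of apply_ovpn_rules for when the tunnel goes down: delete each
# rule that is currently present, ignore the ones that are not.
remove_ovpn_rules() {
  ovpn_rules "$1" "$2" | while read -r table chain spec; do
    # shellcheck disable=SC2086
    iptables -t "$table" -C "$chain" $spec 2>/dev/null \
      && iptables -t "$table" -D "$chain" $spec
  done
}

# Usage (only when run directly as root on the router):
#   sh this_script.sh tun15 192.168.1.0/24
if [ "$#" -eq 2 ]; then
  apply_ovpn_rules "$1" "$2"
fi
```

On Asuswrt-Merlin the natural place to call apply_ovpn_rules is the firewall-start user script, since the firmware rebuilds the tables whenever the firewall is restarted and any rules added elsewhere are lost at that point. Keeping the rule text in one function and checking with -C before -A is what makes the script idempotent across those restarts.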
 
On my RT-AC68U running Firmware v384.4_Beta1 there are only two options???

External is only for server mode (since it relates to LAN access from connected clients).

However, in Firewall=Custom mode the entry for the VPN Client interface is missing

In custom mode, no firewall rules are created - they're expected to be done by the user.

https://github.com/RMerl/asuswrt-merlin.ng/blob/master/release/src/router/rc/openvpn.c#L433
 
I’m using a fresh install of 384.5 on a 68U (the firewall options were apparently removed in this version) and I’m having trouble connecting to the VPN server running on my router.

Do I still need to configure some firewall settings?

EDIT: apparently it works when I try to connect from the WAN but not from the LAN.
 