How to block the DHCP protocol over a TAP site-to-site VPN (useful if you host separate DHCP subnet ranges at each site as part of a superset subnet)

seabass

Crafted for an Asus router with Merlin firmware.

Enable SSH access to your router (administration/system)
**I don't recommend exposing SSH access to the internet unless you are really comfortable with the risk.

Enable JFFS custom scripts in router (admin/system page)

This example is tailored for a TAP VPN tunnel running on "server 1" (hence "tap21" in the script)

ssh <your router username>@<your router IP>
cd /jffs/scripts
ls

(your folder is probably empty)

Create a new file named "openvpn-event" using vi or nano with the script code found below...

Make sure the script file is executable with:

chmod a+rx /jffs/scripts/*

Reboot the router, then look in the system log (copy it to Notepad or similar for easier searching) for logger events of the form "VPN event for:"

e.g. "VPN event for: up", then you know it's working :)

--

#!/bin/sh
# /jffs/scripts/openvpn-event
# Integration instructions: https://github.com/RMerl/asuswrt-merlin.ng/wiki/User-scripts
# How-to background:        https://superuser.com/questions/1141983/how-to-stop-dhcp-traffic-via-openvpn-bridge
#
# Drops DHCP (IPv4, UDP to ports 67/68) on the bridged TAP interface of
# OpenVPN server 1 (tap21), so each site keeps using its own DHCP server.
echo "Begin DHCP block over TAP interface"
logger -s "TAP DHCP blocker"

# OpenVPN exports the event name (up, down, route-up, ...) in $script_type.
event=$script_type
[ -z "$event" ] && event="EmptyType"
logger -s "VPN event for: $event"

# Remove existing rules first, by exact pattern match (note: keep both blocks
# in sync if experimenting). The -D calls just report an error if no rule exists.
#if [ "$event" = 'down' ]; then
ebtables -D FORWARD -i tap21 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -D FORWARD -o tap21 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -D INPUT -i tap21 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -D OUTPUT -o tap21 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
#fi
# Add fresh rules at the top of each chain.
#if [ "$event" = 'up' ]; then
ebtables -I FORWARD -i tap21 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -I FORWARD -o tap21 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -I INPUT -i tap21 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -I OUTPUT -o tap21 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
#fi
echo "End DHCP block over TAP interface"
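
The following is an added example, not the poster's script: an openvpn-event style handler that issues the same four ebtables DROP rules, but takes the interface name from OpenVPN's $dev variable instead of hard-coding tap21, acts only on the "up" and "down" events OpenVPN reports in $script_type, and calls ebtables through a variable so the rule logic can be exercised offline with a stub. It assumes OpenVPN exports $dev and $script_type to the hook (it does for up/down scripts) and that ebtables accepts the same match options as in the post.

```sh
#!/bin/sh
# Added example (not from the original post). Generalised DHCP blocker for a
# bridged OpenVPN TAP interface, driven by OpenVPN's hook environment.
#
# Assumptions: OpenVPN sets $script_type (up, down, route-up, ...) and $dev
# (the tun/tap device name) when it calls this hook, as it does for up/down
# scripts; EBTABLES may be pointed at a stub for offline testing.

EBTABLES=${EBTABLES:-ebtables}

# Match frames carrying IPv4/UDP to the DHCP server (67) or client (68) port.
DHCP_MATCH="-p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP"

# Issue one ebtables command per chain/direction for interface $2 with
# action $1 (-I to insert at the top of the chain, -D to delete).
apply_rules() {
    action=$1
    dev=$2
    $EBTABLES "$action" FORWARD -i "$dev" $DHCP_MATCH
    $EBTABLES "$action" FORWARD -o "$dev" $DHCP_MATCH
    $EBTABLES "$action" INPUT   -i "$dev" $DHCP_MATCH
    $EBTABLES "$action" OUTPUT  -o "$dev" $DHCP_MATCH
}

# Act on one OpenVPN event for one device. Returns 0 when rules were touched,
# 1 when the event is one we ignore (route-up, tls-verify, ...). On "up" any
# stale copies are deleted first so a repeated "up" never leaves duplicates.
handle_event() {
    event=$1
    dev=$2
    case "$event" in
        up)
            apply_rules -D "$dev" 2>/dev/null   # "rule does not exist" is fine here
            apply_rules -I "$dev"
            return 0 ;;
        down)
            apply_rules -D "$dev"
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# When invoked by OpenVPN (environment present), log and act; when sourced
# for testing, only the functions above are defined.
if [ -n "$script_type" ] && [ -n "$dev" ]; then
    logger -s "VPN event for: $script_type on $dev"
    handle_event "$script_type" "$dev"
fi
```

After an "up" event, `ebtables -L FORWARD --Lc` should list the two tap rules with packet counters; if the counters never move while a client at the far site is requesting a lease, the frames are not traversing the bridge chain you expect, and the tap device's bridge membership is the first thing to check.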