Crafted for an Asus router with Merlin firmware.
Enable SSH access to your router (administration/system)
**I don't recommend exposing SSH access to the internet unless you are really comfortable with the risk.
Enable JFFS custom scripts in router (admin/system page)
This example is tailored for a TAP VPN tunnel running on "server 1" (hence "tap21" in the script)
ssh admin@<your router IP>
cd /jffs/scripts
ls
(your folder is probably empty)
Create a new file named "openvpn-event" using vi or nano with the script code found below...
Make sure the script file is executable with:
chmod a+rx /jffs/scripts/*
Reboot the router, then look in the system log (copy it to notepad or similar for easier searching) for logger events of the form "VPN event for:",
e.g. "VPN event for: up". If such a line is present, the script is being run.
--
#!/bin/sh
#Go here for integration instructions: https://github.com/RMerl/asuswrt-merlin.ng/wiki/User-scripts
#Go here for how-to instructions: https://superuser.com/questions/1141983/how-to-stop-dhcp-traffic-via-openvpn-bridge
echo "Begin DHCP block over TAP interface"
logger -s "TAP DHCP blocker"
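#remove existing rules by exact pattern match (note: keep both blocks in sync if experimenting)
#on the first run there is nothing to delete yet, so the -D lines report errors; these are harmless
#script_type is set by OpenVPN to the event name (e.g. up, down)
type=$script_type
[ -z "$type" ] && type="EmptyType"
logger -s "VPN event for: $type"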
#if [ $type = 'down' ]; then
ebtables -D FORWARD -i tap21 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -D FORWARD -o tap21 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -D INPUT -i tap21 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -D OUTPUT -o tap21 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
#fi
#add new rules
#if [ $type = 'up' ]; then
ebtables -I FORWARD -i tap21 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -I FORWARD -o tap21 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -I INPUT -i tap21 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -I OUTPUT -o tap21 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
#fi
echo "End DHCP block over TAP interface"
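
An event-aware variant of the script above, as an added example that is not part of the original page: it inserts the rules once on "up", removes them on "down", and ignores other events and non-TAP devices. It assumes the router passes OpenVPN's "script_type" and "dev" variables through to openvpn-event; EBTABLES is a hypothetical override used for dry runs.

```shell
#!/bin/sh
# Added example, not the original script. Assumptions: OpenVPN exports
# $script_type and $dev to the event script; EBTABLES is a hypothetical
# override that lets the logic be exercised without touching real tables.
EBTABLES="${EBTABLES:-ebtables}"

# Print the four rule specs (chain + match) used on the page, one per line.
dhcp_rule_specs() {
    iface="$1"
    for spec in "FORWARD -i" "FORWARD -o" "INPUT -i" "OUTPUT -o"; do
        echo "$spec $iface -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP"
    done
}

# Remove every copy of one rule. -D deletes only the first match per call
# and fails once none is left; the counter bounds the loop.
purge_rule() {
    n=0
    while [ "$n" -lt 16 ] && $EBTABLES -D $1 2>/dev/null; do
        n=$((n + 1))
    done
    return 0
}

# up:   purge stale copies, then insert each rule exactly once.
# down: purge only. Other events and non-TAP devices change nothing.
dhcp_block_event() {
    event="$1"
    iface="$2"
    case "$iface" in tap[0-9]*) ;; *) return 0 ;; esac
    case "$event" in up | down) ;; *) return 0 ;; esac
    dhcp_rule_specs "$iface" | while read -r rule; do
        purge_rule "$rule"
        if [ "$event" = up ]; then
            $EBTABLES -I $rule
        fi
    done
}

# Act only when OpenVPN supplied an event; fall back to the page's tap21.
if [ -n "${script_type:-}" ]; then
    logger -s "VPN event for: $script_type (${dev:-tap21})"
    dhcp_block_event "$script_type" "${dev:-tap21}"
fi
```

Because stale copies are purged before each insert, repeated "up" events leave exactly four rules per TAP interface.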