
iptables entries not run from openvpn-event on reboot

Discussion in 'Asuswrt-Merlin' started by GoldenEye, Jun 4, 2020.

  1. GoldenEye

    GoldenEye New Around Here

    Joined:
    Jan 14, 2018
    Messages:
    4
    I'm running version 384.17 of Asuswrt-Merlin on an RT-AC66U_B1. I have an openvpn-event script in /jffs/scripts that uses a template that calls a vpnserver1-up and a vpnserver1-down script. These up and down scripts contain custom rules I add to iptables, the first and most important being the following, to remove the entry "OVPN -d 192.168.18.0/24 -i tun21 -j ACCEPT" for global access to the network on vpnserver1, using the command "iptables -D OVPN -d $subnet.0/24 -i $dev -j ACCEPT".

    I can see through the logging that the scripts get run on a router reboot and when restarting the VPN server through the UI. The problem is that the iptables changes seem only to be applied when I restart the VPN server manually in the UI; if I reboot the router the changes don't get applied, despite seeing my log entry that the script was run.

    Wondering if anyone might have some ideas on a solution or way to further debug this?

    Thanks.
     
  2. SomeWhereOverTheRainBow

    SomeWhereOverTheRainBow Very Senior Member

    Joined:
    Jun 4, 2019
    Messages:
    1,225
    You need the rules also for nat-start or firewall-start to properly ensure rules don't get skipped between reboots. Simply adding your vpnserver1-up script to either nat-start or firewall-start should resolve this issue.
     
  3. GoldenEye

    GoldenEye New Around Here

    Joined:
    Jan 14, 2018
    Messages:
    4
    I gave both of these a try, but the same behaviour seems to persist regardless of which script I run from, and according to the log the openvpn-event is being run before nat-start or firewall-start, which seems strange.

    I was, however, able to glean another point of info. Switching back to using openvpn-event, which used to work, after a reboot I quickly connected via PuTTY to run iptables -S. Doing this several times in succession over about a minute, I was able to see that the rules actually did get applied, but then for some reason were wiped again shortly after, with everything being put back to default.

    Additionally, I do have the VPN server being connected to by a client after reboot, and am also connecting as a client to another server, and can see some of this in the first logged events on reboot. I'm not sure if there could be a bug in the mix here causing scripts to trigger early, as I was quite sure this all worked at least some versions back.
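As an added example (not code from the thread, from GoldenEye or from the Asuswrt-Merlin project), here is what an idempotent version of the vpnserver1-up rules could look like when installed as /jffs/scripts/firewall-start, as SomeWhereOverTheRainBow suggests. Every rule is checked with iptables -C before it is deleted or appended, so the same script can run from openvpn-event, from firewall-start and by hand without erroring or duplicating rules when the firmware has already rebuilt the chain; rules_in_place gives a single yes/no check to run over SSH after a reboot instead of watching iptables -S repeatedly. The OVPN chain, the 192.168.18.0/24 subnet and tun21 are from the thread; ALLOWED_HOST (the one LAN host VPN clients may reach), the trailing DROP rule, the DRY_RUN mode and the EXISTING_RULES variable used to exercise the logic offline are assumptions made for this example.

```shell
#!/bin/sh
# Added example for /jffs/scripts/firewall-start on Asuswrt-Merlin (assumed layout,
# not the project's own script). Chain/subnet/interface come from the thread;
# ALLOWED_HOST, DRY_RUN and EXISTING_RULES are constructed for this example.

CHAIN="OVPN"
SUBNET="${SUBNET:-192.168.18.0/24}"
DEV="${DEV:-tun21}"
ALLOWED_HOST="${ALLOWED_HOST:-192.168.18.10}"   # constructed: the one LAN host VPN clients may reach

log() { logger -t vpnserver1-rules "$*" 2>/dev/null || printf '%s\n' "$*" >&2; }

# ipt ACTION CHAIN RULE...  wraps iptables. With DRY_RUN=1 nothing is executed:
# "-C" is answered from the EXISTING_RULES variable (one "CHAIN rule" per line)
# and every other action is printed, so the logic can be checked off the router.
ipt() {
    if [ -n "$DRY_RUN" ]; then
        action=$1; shift
        if [ "$action" = "-C" ]; then
            printf '%s\n' "$EXISTING_RULES" | grep -qxF -- "$*"
        else
            echo "iptables $action $*"
        fi
    else
        iptables "$@"
    fi
}

rule_present() { ipt -C "$@" >/dev/null 2>&1; }

# Delete the firmware's allow-all rule only if it is really there, so a
# re-run never fails with "No chain/target/match by that name".
remove_allow_all() {
    if rule_present "$CHAIN" -d "$SUBNET" -i "$DEV" -j ACCEPT; then
        ipt -D "$CHAIN" -d "$SUBNET" -i "$DEV" -j ACCEPT && log "removed allow-all to $SUBNET on $DEV"
    else
        log "allow-all rule already absent"
    fi
}

# Append a rule only when it is missing. First match wins in a chain, so the
# ACCEPT for the allowed host must be added before the subnet-wide DROP.
ensure_rule() { rule_present "$@" || { ipt -A "$@" && log "added: $*"; }; }

apply_vpnserver1_rules() {
    remove_allow_all
    ensure_rule "$CHAIN" -d "$ALLOWED_HOST" -i "$DEV" -j ACCEPT
    ensure_rule "$CHAIN" -d "$SUBNET" -i "$DEV" -j DROP
}

# Returns 0 only when the allow-all rule is gone and both replacement rules are
# present: a one-command post-reboot check instead of eyeballing iptables -S.
rules_in_place() {
    ! rule_present "$CHAIN" -d "$SUBNET" -i "$DEV" -j ACCEPT &&
      rule_present "$CHAIN" -d "$ALLOWED_HOST" -i "$DEV" -j ACCEPT &&
      rule_present "$CHAIN" -d "$SUBNET" -i "$DEV" -j DROP
}

# Apply only when invoked as the firewall-start or vpnserver1-up script; when the
# file is sourced under another name (for example to test it) nothing runs.
case "${0##*/}" in
    firewall-start|vpnserver1-up) apply_vpnserver1_rules ;;
esac
```

Make the file executable (chmod a+rx) and either symlink it as /jffs/scripts/vpnserver1-up or source it from that script, so the same rules are applied both when the VPN server comes up and when the firmware rebuilds the firewall; because every step is guarded by iptables -C, running it a second time is a no-op, and a later firewall rebuild that wipes the rules shows up as rules_in_place returning non-zero.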