iptables entries not run from openvpn-event on reboot


GoldenEye

New Around Here
I'm running version 384.17 of Asuswrt-Merlin on an RT-AC66U_B1. I have an openvpn-event script in /jffs/scripts that uses a template that calls a vpnserver1-up and a vpnserver1-down script. These up and down scripts contain custom rules I add to iptables, the first and most important being the following, which removes the entry "OVPN -d 192.168.18.0/24 -i tun21 -j ACCEPT" (global access to the network on vpnserver1) using the command "iptables -D OVPN -d $subnet.0/24 -i $dev -j ACCEPT".

I can see through the logging that the scripts get run on a router reboot and when restarting the VPN server through the UI. The problem is that the iptables changes seem only to be applied when I restart the VPN server manually in the UI; if I reboot the router, the changes don't get applied, despite seeing my log entry that the script was run.

Wondering if anyone might have some ideas on a solution or way to further debug this?

Thanks.
 

SomeWhereOverTheRainBow

Very Senior Member
GoldenEye said:
> I'm running version 384.17 of Asuswrt-Merlin on an RT-AC66U_B1. I have an openvpn-event script in /jffs/scripts that uses a template that calls a vpnserver1-up and a vpnserver1-down script. These up and down scripts contain custom rules I add to iptables, the first and most important being the following, which removes the entry "OVPN -d 192.168.18.0/24 -i tun21 -j ACCEPT" (global access to the network on vpnserver1) using the command "iptables -D OVPN -d $subnet.0/24 -i $dev -j ACCEPT".
>
> I can see through the logging that the scripts get run on a router reboot and when restarting the VPN server through the UI. The problem is that the iptables changes seem only to be applied when I restart the VPN server manually in the UI; if I reboot the router, the changes don't get applied, despite seeing my log entry that the script was run.
>
> Wondering if anyone might have some ideas on a solution or way to further debug this?
>
> Thanks.
You need the rules also in nat-start or firewall-start to properly ensure rules don't get skipped between reboots. Simply adding your vpnserver1-up script to either nat-start or firewall-start should resolve this issue.
 

GoldenEye

New Around Here
SomeWhereOverTheRainBow said:
> You need the rules also in nat-start or firewall-start to properly ensure rules don't get skipped between reboots. Simply adding your vpnserver1-up script to either nat-start or firewall-start should resolve this issue.
I gave it a try using both of these, but the same behavior seems to persist regardless of which script I run from, and according to the log the openvpn-event is being run before nat-start or firewall-start, which seems strange.

I was, however, able to glean another point of info: switching back to using openvpn-event, which used to work, after a reboot I quickly connected via PuTTY to run iptables -S. Doing this several times in succession over about a minute, I was able to see that the rules actually did get applied, but then for some reason were wiped again shortly after, with everything being put back to default.

Additionally, I do have the VPN server being connected to by a client after reboot, and am also connecting as a client to another server, and can see some of this as the first logged events on reboot. I'm not sure if there could be a bug in the mix here causing scripts to trigger early, as I was quite sure this all worked at least some versions back.
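The two things the thread turns on are (1) the firmware re-applying its own OVPN rules after the openvpn-event hook already ran, so the custom rules have to be re-applied from firewall-start as well, and (2) the fact that a bare "iptables -D" exits non-zero when the rule it targets is not there, which makes a script that is run twice fragile. The script below is an added example, not code from the thread or from the Asuswrt-Merlin project. It shows one script body that can be dispatched from /jffs/scripts/openvpn-event and sourced again from /jffs/scripts/firewall-start, with every rule change guarded by "iptables -C" so re-running it is a no-op. It assumes (none of this is stated in the thread) that OpenVPN exports $script_type and $dev to the event script, that tun2N is vpnserverN and tun1N is vpnclientN, that the firmware creates the OVPN chain, and that a file name of /jffs/scripts/ovpn-rules.sh for this script. The allowed LAN hosts are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the thread or Asuswrt-Merlin). Assumed file name:
# /jffs/scripts/ovpn-rules.sh. Runs under busybox sh; no bash features used.
# Assumptions: OpenVPN exports $script_type ("up"/"down") and $dev ("tun21");
# tun2N = vpnserverN, tun1N = vpnclientN; hooks live at /jffs/scripts/<name>-<script_type>.

IPTABLES="${IPTABLES:-iptables}"   # overridable so the logic can be exercised off-router

# Map an OpenVPN interface name to the Merlin instance name (assumed mapping).
ovpn_name_for_dev() {
    case "$1" in
        tun1[1-5]) echo "vpnclient${1#tun1}" ;;
        tun2[1-2]) echo "vpnserver${1#tun2}" ;;
        *)         return 1 ;;
    esac
}

# The blanket "clients may reach the whole LAN" rule the thread wants removed.
# Prints the rule spec, chain first, so it can be fed to -C/-D/-A unchanged.
ovpn_global_rule() {
    echo "OVPN -d $1.0/24 -i $2 -j ACCEPT"
}

# Delete a rule only if it is present. A bare "iptables -D" on a missing rule
# fails ("Bad rule"), which is what makes a hook that runs twice fragile.
ipt_delete_if_present() {
    if $IPTABLES -C "$@" 2>/dev/null; then
        $IPTABLES -D "$@"
    fi
}

# Append a rule only if it is not already present.
ipt_append_once() {
    $IPTABLES -C "$@" 2>/dev/null || $IPTABLES -A "$@"
}

# Replace blanket LAN access for a VPN server with an explicit host allow-list.
# Usage: vpnserver_restrict <LAN prefix, e.g. 192.168.18> <dev> <host>...
# Idempotent, so it can be called from vpnserver1-up AND from firewall-start.
# Returns 1 if the OVPN chain does not exist yet (nothing to fix at that point).
vpnserver_restrict() {
    vs_subnet="$1"; vs_dev="$2"; shift 2
    $IPTABLES -nL OVPN >/dev/null 2>&1 || return 1
    # word-splitting the printed rule spec into separate arguments is intended
    ipt_delete_if_present $(ovpn_global_rule "$vs_subnet" "$vs_dev")
    for host in "$@"; do
        ipt_append_once OVPN -d "$host" -i "$vs_dev" -j ACCEPT
    done
}

# Undo on "down": remove the per-host rules again. Same arguments as above.
vpnserver_unrestrict() {
    vs_dev="$2"; shift 2
    for host in "$@"; do
        ipt_delete_if_present OVPN -d "$host" -i "$vs_dev" -j ACCEPT
    done
}

# Dispatcher: acts only when OpenVPN invoked us (script_type and dev are set),
# so this file can also be sourced from firewall-start with no side effects.
if [ -n "${script_type:-}" ] && [ -n "${dev:-}" ]; then
    if name=$(ovpn_name_for_dev "$dev"); then
        hook="/jffs/scripts/$name-$script_type"
        logger -t openvpn-event "$dev $script_type -> $hook"
        [ -x "$hook" ] && . "$hook"
    fi
fi
```

Wiring it up (assumed layout): vpnserver1-up sources the file and calls `vpnserver_restrict 192.168.18 "$dev" 192.168.18.10`, vpnserver1-down calls `vpnserver_unrestrict` with the same arguments, and firewall-start sources the file and repeats the `vpnserver_restrict 192.168.18 tun21 192.168.18.10` call so the rules come back after the firmware rebuilds the firewall. After a reboot, `iptables -S OVPN` run a minute apart should show the same rule set both times; if the global ACCEPT reappears between the two runs, something other than the firewall restart is re-adding it and that is where to look next.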
 
