
Is it Possible to limit OpenVPN connect time?


Just a quick reply. I am not at home right now.

Yes, I have enabled the custom scripts in Merlin.

I will test the script when I get home. But I am still confused about what you mean.
Can you give me an example of how to set up the cru command with the script?
I have created 2 test accounts in my VPN server now, "vpnuserA" and "vpnuserB"
How should I use one cru command to check both these accounts?
do you mean like
Code:
/jffs/scripts/LimitOVPNSession.sh vpnuser1 enforce server /jffs/scripts/LimitOVPNSession.sh vpnuser2 enforce server

just repeat for all users but in one line?
Did you alter the script to hardcode the USERNAMEs to monitor as instructed in post #13

i.e.


Issue the following command to see if you get the same response
Code:
grep -F '"$USERNAME" == "$LIMIT_USER"' /jffs/scripts/LimitOVPNSession.sh

                if [ "$USERNAME" == "$LIMIT_USER" ];then
If the response is returned then you need a new version of the script that allows your cron job to pass the list of USERNAMEs to monitor

i.e. replace line:
Code:
if [ "$USERNAME" == "$LIMIT_USER" ];then
with two lines:
Code:
LIMIT_USER=$(echo "$LIMIT_USER" | tr ',' ' ')                    # Allow CSV list of users to check
if [ -n "$(echo "$LIMIT_USER" | grep -oE "$USERNAME\s")" ];then

then you have one cron job and you pass the list of USERNAMEs you want monitored.

e.g.
Code:
cru a LimitOVPNSession "*/1 * * * * /jffs/scripts/LimitOVPNSession.sh 'vpnuserA,vpnuserB' enforce server"
 
Did you alter the script to hardcode the USERNAMEs to monitor as instructed in post #13
Yes I did.
Right now I modify it like this
Code:
if [ "$USERNAME" == "vpnuser1" ] || [ "$USERNAME" == "vpnuser2" ] || [ "$USERNAME" == "vpnuser3" ] || [ "$USERNAME" == "vpnuser4" ];then

like you suggested in post #13
But I think what you changed in post#21 is better.

If I understand it right, this will allow the script to get the username I gave when I run the script. So if I ever change the VPN user accounts in the future, I don't need to edit the script. I just change the username in the cron job, right?
 
Correct
 
OK I think I managed to make the cron job work.

I add the cru line to the /jffs/scripts/services-start file. After reboot, "cru l" shows #LimitOVPNSession# is running on the top of the list. I don't know if this is the proper way to do it, but somehow it works.

Can I "rm" the init-start file or leave it as an empty file?


Now I am working on the VPNClientConnect.sh script in your post#11. I saw you set the MAX_CLIENTS=999. Should I change it to "2" to more fit to my need?
 
OK I think I managed to make the cron job work.

I add the cru line to the /jffs/scripts/services-start file. After reboot, "cru l" shows #LimitOVPNSession# is running on the top of the list. I don't know if this is the proper way to do it, but somehow it works.
I have successfully used init-start for many years for creating cron jobs but services-start is also a valid choice i.e. both are only called once during the boot process so duplicates are not created.
Can I "rm" the init-start file or leave it as an empty file?
You may delete init-start if it is empty
Now I am working on the VPNClientConnect.sh script in your post#11. I saw you set the MAX_CLIENTS=999. Should I change it to "2" to more fit to my need?
You can dynamically control the MAX users from the command line (or another script) by setting the NVRAM variable for the appropriate server:

e.g. OpenVPN server 1
Code:
nvram get MyMaximumclientsovpn1

nvram set MyMaximumclientsovpn1=2

This could also be exploited by the LimitOVPNSession.sh script. i.e. there isn't a method for the OpenVPN server to pass a code back to the client stating why they have been denied access.

So as I alluded to previously, restarting the server (by default) allows the terminated client(s) to immediately re-establish their session (persistent TUN) so you could temporarily block ALL auto-reconnections by setting the MAX users to 0, or even better temporarily use LimitOVPNSession.sh to deny only the user that has exceeded their time limit thereby giving a different user a chance to legitimately connect.
 
Sorry for not responding for many days. I got flu and also hurt my back. basically I can't do anything for the last week. :(

Edit: My first question seems to be solved. Now the script will accept the user name I gave and check those users if they connect to the VPN for over 5 mins. I probably did something silly again in my early test.

1.
Anyway, allow me to go back a little first. I edited the LimitOVPNSession.sh according to your post#21 and try to run like this
Code:
/jffs/scripts/LimitOVPNSession.sh vpnuser1 enforce server

It does show the user who is currently connected to VPN, but did not respond with the active time. It doesn't seem to do the 5 mins count down and restart the server anymore.
It responds like this

Code:
(LimitOVPNSession.sh): 7342 CLIENT_LIST,client,112.78.73.240:60747,10.8.0.2,,235960,644657,2023-06-07-15:33:31,1686123211,vpnuser1,1,1,CHACHA20-POLY1305


killall: vpnserver2: no process killed
grep: /etc/openvpn/server2/status: No such file or directory


I am not sure if I run the script wrong? or the code I edited is wrong?
I paste my current LimitOVPNSession.sh here just in case.

Code:
#!/bin/sh
VER="0.99Alpha1"




# FUNCTIONS
# =========
Say(){
   echo -e $$ $@ | /usr/bin/logger -st "($(basename $0))"
}




#########################################################Main#############################################
Main() { true; }            # Syntax that is Atom Shellchecker compatible!


# cru a LimitOVPNSession "*/1 * * * * /jffs/scripts/LimitOVPNSession.sh SGS8 enforce server"


LIMIT_USER=$1            # User to be time limited on ANY server for
TIME_LIMIT=300            # Max 5 mins


ENFORCE=$2
BOUNCE_SERVER=$3


for VPN_ID in 1 2
    do
 
        # Request the server to dump current stats to its repository '/etc/openvpn/server${VPN_ID}/status'  - unfortunately also to Syslog
        killall -USR2 vpnserver$VPN_ID
     
        #sleep 1        # Not necessary but status file contents surely should be refreshed by now!
     
        # Get ALL connected clients and check connected time
        for LINE in $(grep -E "^CLIENT_LIST" /etc/openvpn/server${VPN_ID}/status | tr ' ' '-')
            do
                Say $LINE
                USERNAME=$(echo $LINE | awk 'BEGIN { FS=","} {print $10}')
                CONNECT_TIME=$(echo $LINE | awk 'BEGIN { FS=","} {print $9}')
             
                NOW=$(date +%s)
                DURATION=$((NOW-CONNECT_TIME))


                # 'limit [enforce]' syntax is very crude without the Management Interface.
                # Terminating a USERNAME or one of its connections is tricky
                #
                # Revoking a certificate for a misbehaving client together with 'disable' in CCD would have to be in sequence
                LIMIT_USER=$(echo "$LIMIT_USER" | tr ',' ' ')                    # Allow CSV list of users to check
                  if [ -n "$(echo "$LIMIT_USER" | grep -oE "$USERNAME\s")" ];then          
                    if [ $DURATION -gt $TIME_LIMIT ];then
                        Say "VPN Server $VPN_ID Client user '$USERNAME' Session duration EXCEEDS $TIME_LIMIT second session threshold limit! - Action=${ENFORCE} $BOUNCE_SERVER"
                        if [ -n "$ENFORCE" ];then
                            if [ -n "$BOUNCE_SERVER" ];then
                                killall -SIGUSR1 vpnserver${VPN_ID}    # Bounce the server!  - but client will immediately auto reconnect?
                            else
                                killall $USERNAME        # Sadly this doesn't work
                            fi
                        fi
                    else
                        Say "VPN Server $VPN_ID Client user '$USERNAME' Session has been ACTIVE for $(date -d @"$DURATION" "+%T")"
                    fi
                fi
            done
    done




exit 0


2.
I use
Code:
nvram set MyMaximumclientsovpn1=2
to set the max user as 2. But I am not sure how to temporarily use LimitOVPNSession.sh to punish only the user that violates the time limit. I did try to set it to 0 and it did block all users.
 
Whoops....my bad! :eek:

The script was altered to allow you to pass a list of users to be monitored....

e.g. the following would successfully monitor both users and restart the server if ONE was found to have exceeded the session duration limit.
Code:
/jffs/scripts/LimitOVPNSession.sh "vpnuser1,vpnuser2" enforce server

However if you only pass one user then it is never monitored - unless you pass the single username with a trailing space :rolleyes:

e.g. try this
Code:
/jffs/scripts/LimitOVPNSession.sh "vpnuser1    " enforce server

I'm travelling at the moment so will provide a patch to the script to fix the errors (i.e. no point in sending killall if OVPN server 2 isn't UP! ) when I can.

EDIT: 08 June 2023 Updated 'LimitOVPNSession.sh' in #post 10
 
2. I am not sure how to temporarily use LimitOVPNSession.sh to punish only the user that violate the time limit.
You will need to create a repository in which to store OVPN Server usernames that you have deemed need to be punished for violating session time limits.

NVRAM can be a scarce/limited resource so rather than save the usernames in NVRAM, it is probably better to use /jffs (or /tmp if you don't want the repository to persist over a reboot - but you would need to replace the pathname in ALL of the scripts)

So manually create the persistent repository '/jffs/configs/BlockedVPN?_Users'

e.g. for OVPN Server 1
Code:
echo -e "# OVPN usernames that are BLOCKED/REVOKED/DENIED access to OVPN Server 1" > /jffs/configs/BlockedVPN1_Users
Now manually add a naughty user to the repository

e.g. vpnuser9 but we need to ensure that the user isn't already in the repository (to prevent unnecessary duplicate line entries)
Code:
if [ -f /jffs/configs/BlockedVPN1_Users ] && [ -z "$(grep -o "vpnuser9" /jffs/configs/BlockedVPN1_Users)" ];then echo -e "vpnuser9" >> /jffs/configs/BlockedVPN1_Users;fi

Now manually list the users in the repository
Code:
cat /jffs/configs/BlockedVPN1_Users

# OVPN usernames that are BLOCKED/REVOKED/DENIED access to OVPN Server 1
vpnuser9

To manually remove vpnuser9 from the repository
Code:
sed -i '/^vpnuser9$/d' /jffs/configs/BlockedVPN1_Users

You now know how to manually manage the repository, it is simply a matter of adding this code clause to 'VPNClientConnect.sh' immediately after the check for the current number of connected clients.
Code:
# Is a user revoked?
if [ -f /jffs/configs/BlockedVPN${VPN_SERVER_ID}_Users] && [ -n "$(grep -o "$username" /jffs/configs/BlockedVPN${VPN_SERVER_ID}_Users)" ];then
    Say "VPN Server" $VPN_SERVER_ID "Client '$username' access revoked (see '/jffs/configs/BlockedVPN${VPN_SERVER_ID}_Users')"
    STATUS="FAIL"                # Refuse the connection
    FAIL_REASON=91
fi

You will then have to decide how long the user should be on the 'naughty-step' for, and how you would invoke the automated removal of a blocked user from the repository.

i.e. in 'LimitOVPNSession.sh' I would start a background script '/jffs/scripts/UnRevokeOVPN_User.sh' to run say 10 minutes after the user has been added to the repository which executes the sed command to remove the user from the repository.


'/jffs/scripts/UnRevokeOVPN_User.sh'

Code:
#!/bin/sh
VER="00.99A1"

Say(){
   echo -e $$ $@ | logger -st "($(basename $0))"
}
SayT(){
   echo -e $$ $@ | logger -t "($(basename $0))"
}

WAITFOR=$2
[ -z "$WAITFOR" ] && WAITFOR=600    # default 600 seconds if not specified

Say "Sleeping for $WAITFOR seconds for '$1'"
sleep $WAITFOR

Say "Removing '$1' from '/jffs/configs/BlockedVPN1_Users'"
[ -f /jffs/configs/BlockedVPN1_Users ] && sed -i "/^$1$/d" /jffs/configs/BlockedVPN1_Users

Manually test (and make the script only wait for 10 seconds rather than its default 10 minutes!)
Code:
if [ -f /jffs/configs/BlockedVPN1_Users ] && [ -z "$(grep -o "vpnuser9" /jffs/configs/BlockedVPN1_Users)" ];then echo -e "vpnuser9" >> /jffs/configs/BlockedVPN1_Users;fi

/jffs/scripts/UnRevokeOVPN_User.sh vpnuser9 10 &

NOTE: I have updated the scripts in post #10 and post #11 but I cannot test the code because I am travelling.
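
The membership checks used in this thread (`grep -oE "$USERNAME\s"` against the user list and `grep -o "$username"` against the blocklist file) treat the client-supplied name as a pattern and match substrings, so a name such as `user1` matches inside a listed `vpnuser1`, and any word of the comment header matches too. As an added example, not part of the thread's scripts: exact-match helpers in POSIX sh; the function names and the allowed-character rule are assumptions.

```shell
#!/bin/sh
# Added example, not the thread's script: exact-match username handling.
# Assumption: usernames are limited to letters, digits, '.', '_' and '-'.

# valid_name USER -> 0 only for a non-empty name made of the allowed characters
valid_name() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# user_in_csv USER "a,b,c" -> 0 if USER is exactly one element of the list.
# Wrapping both sides in commas means a single name and the last name match
# too, and "user1" does not match inside "vpnuser1".
user_in_csv() {
    valid_name "$1" || return 1
    case ",$2," in
        *",$1,"*) return 0 ;;
    esac
    return 1
}

# is_blocked USER FILE -> 0 if USER is a whole line of FILE.
# -F: fixed string (no regex), -x: whole line, -q: quiet.
is_blocked() {
    valid_name "$1" && [ -f "$2" ] && grep -Fxq -- "$1" "$2"
}

# block_user USER FILE -> append USER once; returns 2 for a rejected name
block_user() {
    valid_name "$1" || return 2
    is_blocked "$1" "$2" || printf '%s\n' "$1" >> "$2"
}

# unblock_user USER FILE -> drop the exact line, keep comments and other names
unblock_user() {
    [ -f "$2" ] || return 0
    _tmp="$2.tmp.$$"
    # grep -v exits 1 when nothing is left to print; that is not an error here
    grep -Fxv -- "$1" "$2" > "$_tmp" || [ "$?" -eq 1 ] || { rm -f "$_tmp"; return 1; }
    mv "$_tmp" "$2"
}

# Demo on a constructed blocklist in a temporary directory
demo() {
    _dir=$(mktemp -d) || return 1
    _list="$_dir/BlockedVPN1_Users"
    echo "# OVPN usernames that are BLOCKED/REVOKED/DENIED access to OVPN Server 1" > "$_list"
    block_user vpnuser1 "$_list"
    block_user vpnuser1 "$_list"          # second call adds nothing
    for u in vpnuser1 vpnuser10 user1 OVPN; do
        if is_blocked "$u" "$_list"; then echo "$u: blocked"; else echo "$u: allowed"; fi
    done
    user_in_csv vpnuser1 "vpnuser1" && echo "single-name list matches"
    unblock_user vpnuser1 "$_list"
    rm -rf "$_dir"
}
demo
```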
 
thank you so much for your response.

just a quick reply. not fully test yet.

the new script in post#10
Code:
TIME_LIMIT=60            # Max 5 mins

should it be 600 or 300 to meet the 5 mins need?
 
new update:

OK partially works.

I tried to login as vpnuser1 and stayed longer than 5 mins. I manually run
Code:
/jffs/scripts/LimitOVPNSession.sh "vpnuser1,vpnuser2" enforce server
it did show that vpnuser1 active time is over 300 sec and restart the VPN server.

I run
Code:
cat BlockedVPN1_Users
it returns with "vpnuser1", so the user is on the block list.
But when I tried to login as vpnuser1 again, it didn't stop me. I can still login as vpnuser1.
I also tried to manually add "vpnuser2" into BlockedVPN1_Users and login as vpnuser2. It didn't stop me either.


Oh I set the cool down time for the naughty user to 5 mins. And after 5 min it did remove user1 from the block list.
 
thank you so much for your response.

just a quick reply. not fully test yet.

the new script in post#10
Code:
TIME_LIMIT=60            # Max 5 mins

should it be 600 or 300 to meet the 5 mins need?
300 secs for 5 mins.

Clearly for testing (when I was able) I set the limit to 1 min and that's the version that I had saved to my laptop :oops: )
 
I run
Code:
cat BlockedVPN1_Users
it returns with "vpnuser1", so the user is on the block list.
But when I tried to login as vpnuser1 again, it didn't stop me. I can still login as vpnuser1.
I also tried to manually add "vpnuser2" into BlockedVPN1_Users and login as vpnuser2. It didn't stop me either.
Whoops! - :oops: there is a typo in this line (there is a missing space character before the first ']')
Code:
if [ -f /jffs/configs/BlockedVPN${VPN_SERVER_ID}_Users] && [ -n "$(grep -o "$username" /jffs/configs/BlockedVPN${VPN_SERVER_ID}_Users)" ];then   # Patch Alpha2
I have now patched the script in post #11 so grab the new script and please retry
 
Yes! It works now.

After adding
Code:
cru a LimitOVPNSession "*/1 * * * * /jffs/scripts/LimitOVPNSession.sh "vpnuser1,vpnuser2,vpnuser3,vpnuser4" enforce server"
into services-start

Now if any of the above 4 users stays too long it will restart the VPN server and ban the naughty user for 5 mins.
The other users are not affected. They are still able to login to the VPN (after the server restart).
Thank you so much for helping me. I am really grateful for your help. 🥹

Just a last question here. If I update the Merlin firmware in the future, all these scripts and settings will remain as long as I didn't do a factory reset or hard reset, right?

I will backup all the scripts and probably the whole thread just in case I need to do it all over again. 🤞
 
No problem, but clearly my scripting skills are rapidly dwindling (if I ever had any) having been embarrassed by the lack of a couple of space characters. :rolleyes:

Note: I may try and revisit the OpenVPN Management interface to see if the OpenVPN kill command can target a specific client rather than have to bounce the whole server.

Thanks for tolerating my non OpenVPN CCD solution, where each client has its own repository per server

e.g. For client SGS8 connecting to OpenVPN Server 1 I create the following custom file as input to the OpenVPN CCD process

'/jffs/configs/openvpn/ccd1/client_SGS8'

One benefit of using CCD is that you can include the following directive in the OpenVPN Server configuration

--ccd-exclusive
Require, as a condition of authentication, that a connecting client has a --client-config-dir file.

providing a little extra security.

My 'VPNClientConnect.sh' script runs to nearly 1000 lines and allows me to control access to the server per client

e.g. Access Control options for SGS8
Code:
# Custom CCD directives for single common name 'client' user SGS8

# User SGS8 is denied connectivity/access to OpenVPN Servers
# NOTE: 'accessdenied' is NOT a valid OpenVPN directive,
#accessdenied

# Assign static I/P xxx.xxx.xxx.88 (Normally xxx.xxx.xxx=10.8.0 for VPN Server 1, and xxx.xxx.xxx=10.16.0 for VPN Server 2)
# NOTE: 'staticip' is NOT a valid OpenVPN directive, but it is an easy to remember pseudo command short-cut!
staticip 88

# User SGS8 will pass-through the router direct via VPN Client 1 (ovpnc1)
# NOTE: 'passthru' is NOT a valid OpenVPN directive,
#passthru 1

# User SGS8 cannot override DNS
# NOTE: 'forcedns' is NOT a valid OpenVPN directive,
#forcedns 8.8.4.4

# User SGS8 cannot access WAN only LAN resources
#      Optionally only allow access to specific LAN
# NOTE: 'lanonly' is NOT a valid OpenVPN directive,
#lanonly
# e.g. both NAS servers, both PS3s and ALL cameras
#lanonly 10.88.8.195 10.88.8.197 10.88.8.142-10.88.8.143 10.88.8.126 CAMERAS

# User SGS8 wants to ensure LAN device(s) UP
# NOTE: 'wol' is NOT a valid OpenVPN directive,
#      e.g. DS-416J NAS
wol 00:11:32:4a:81:c9
#      e.g. DS-110J NAS (00:11:32:07:77:e7)
wol 10.88.8.195

# User SGS8 may ONLY connect from external WAN
#blocklocal

# User SGS8 may ONLY connect from listed IP addresses - not really useful for mobile devices?
#allowip 1.2.3.4 5.6.7.8 55.55.55.55

# User SGS8 cannot connect from listed IP addresses - not really useful for mobile devices?
#blockip 4.3.2.1 8.7.6.5
#blockip 213.205.198.18

# Restricted access hours
# NOTE: 'restrictperiod' is NOT a valid OpenVPN directive,
restrictperiod 00:59-05:00

# Limit Session to hh:mm:ss
# NOTE: 'limitsession' is NOT a valid OpenVPN directive,
limitsession 01:00:00

# Limit Data Received to n[GMK]
# NOTE: 'limitRX' is NOT a valid OpenVPN directive,
limitRX 10M

# Limit Data Transmitted to n[GMK]
# NOTE: 'limitTX' is NOT a valid OpenVPN directive,
limitTX 10M

Perhaps these may prompt you to write your own access conditions.
Just a last question here. If I update the Merlin firmware in the future, all these scripts and settings will remain as long as I didn't do a factory reset or hard reset, right?
Usually yes, but there are reported instances where /jffs inexplicably can go bad, and a /jffs reformat is the only way to fix it.
 
