
Mysterious firewall rule and OpenVPN server


DrPozo

Occasional Visitor
I have one OpenVPN server running on my RT-AC68U Asuswrt-Merlin router. I found that this OpenVPN server config put a rule on my firewall that caused a problem, so I deleted it and that fixed my problem. So now my question is: What is the purpose of this firewall rule for OpenVPN server?

iptables -t nat -I PREROUTING -p tcp --dport 1194 -j ACCEPT

My problem was that when I changed the OpenVPN server port from 1194 to 443, it broke my TOR transparent proxy that is also running on the router. So, for my purposes, the OpenVPN server seems to work fine without this rule.
 
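What the rule in the post actually does, as an added check that is not part of DrPozo's post: ACCEPT as a target in the nat table ends the packet's traversal of nat PREROUTING, so a rule inserted at position 1 with no `-i` match means that no REDIRECT or DNAT rule further down that chain is ever consulted for that protocol and port, on any interface. If a Tor transparent proxy redirects LAN clients' TCP/443 to its trans port with a nat PREROUTING REDIRECT (an assumption about how the proxy is set up), moving the OpenVPN server to port 443 shadows that REDIRECT. The script below parses iptables-save output and reports such shadowed rules; the sample table, port 9040 and the interface names br0/eth0 are constructed for the example and are not from the thread.

```sh
#!/bin/sh
# Added example for this thread (not code from the original post, the firmware
# or Tor): find REDIRECT/DNAT rules in nat PREROUTING that an earlier ACCEPT
# on the same protocol/port prevents from ever being reached. An ACCEPT in the
# nat table ends that chain's traversal for the packet, so a rule inserted at
# the top with no "-i" match shadows every later rule for that port on every
# interface. Ports 443/9040 and the interface names below are assumptions made
# for the constructed sample; on a router run:
#   iptables-save -t nat | shadowed_nat_rules

# Constructed iptables-save excerpt mirroring the situation in the post: the
# firmware's server rule (port moved to 443) sits first, the Tor transparent
# proxy REDIRECT for LAN clients comes after it.
SAMPLE_NAT='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 443 -j ACCEPT
-A PREROUTING -i br0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 9040
-A PREROUTING -i br0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9040
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8443 -j DNAT --to-destination 192.168.1.10:443
COMMIT'

# shadowed_nat_rules: read iptables-save text on stdin and print one line per
# REDIRECT/DNAT in nat PREROUTING that a preceding ACCEPT with the same
# protocol and --dport hides. An ACCEPT scoped with "-i" only shadows rules on
# that same interface; an unscoped one shadows them all. Rule numbers match
# "iptables -t nat -nL PREROUTING --line-numbers". Single-port rules only
# (multiport --dports is not parsed).
shadowed_nat_rules() {
  awk '
    /^\*/ { table = substr($0, 2); next }
    table == "nat" && $1 == "-A" && $2 == "PREROUTING" {
      n++
      proto = ""; dport = ""; iface = ""; target = ""
      for (i = 3; i <= NF; i++) {
        if ($i == "-p") proto = $(i + 1)
        else if ($i == "--dport") dport = $(i + 1)
        else if ($i == "-i") iface = $(i + 1)
        else if ($i == "-j") target = $(i + 1)
      }
      key = proto ":" dport
      if (target == "ACCEPT" && !(key in acc_rule)) {
        acc_rule[key] = n; acc_iface[key] = iface
      } else if ((target == "REDIRECT" || target == "DNAT") && (key in acc_rule) &&
                 (acc_iface[key] == "" || acc_iface[key] == iface)) {
        printf "rule %d shadows rule %d: %s\n", acc_rule[key], n, $0
      }
    }
  '
}

printf '%s\n' "$SAMPLE_NAT" | shadowed_nat_rules
```

For the sample above the output is `rule 1 shadows rule 2: -A PREROUTING -i br0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 9040`: the port-80 REDIRECT and the port-8443 DNAT are unaffected, and an ACCEPT that carried `-i eth0` (the WAN side) would not be reported against a LAN-side REDIRECT at all, which is why the missing interface match in the firmware rule matters more than the rule's existence.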
I'll have to take a look to see if there was a reason why this rule didn't specify any network interface. That rule was part of the original Tomato code I re-used when I implemented OpenVPN support.
 
A patch to remove this mysterious firewall rule from the firmware?
Code:
--- a/asuswrt-merlin-380.58/release/src-rt-6.x.4708/router/rc/openvpn.c        2016-03-20 15:45:51.000000000 -0600
+++ b/asuswrt-merlin-380.58/release/src-rt-6.x.4708/router/rc/openvpn.c 2016-03-26 09:00:10.478029658 -0600
@@ -1395,11 +1395,11 @@
                fprintf(fp, "#!/bin/sh\n");
                sprintf(&buffer[0], "vpn_server%d_proto", serverNum);
                strncpy(&buffer[0], nvram_safe_get(&buffer[0]), BUF_SIZE);
-               fprintf(fp, "iptables -t nat -I PREROUTING -p %s ", strtok(&buffer[0], "-"));
-               sprintf(&buffer[0], "vpn_server%d_port", serverNum);
-               fprintf(fp, "--dport %d -j ACCEPT\n", nvram_get_int(&buffer[0]));
-               sprintf(&buffer[0], "vpn_server%d_proto", serverNum);
-               strncpy(&buffer[0], nvram_safe_get(&buffer[0]), BUF_SIZE);
+//             fprintf(fp, "iptables -t nat -I PREROUTING -p %s ", strtok(&buffer[0], "-"));
+//             sprintf(&buffer[0], "vpn_server%d_port", serverNum);
+//             fprintf(fp, "--dport %d -j ACCEPT\n", nvram_get_int(&buffer[0]));
+//             sprintf(&buffer[0], "vpn_server%d_proto", serverNum);
+//             strncpy(&buffer[0], nvram_safe_get(&buffer[0]), BUF_SIZE);
                fprintf(fp, "iptables -I INPUT -p %s ", strtok(&buffer[0], "-"));
                sprintf(&buffer[0], "vpn_server%d_port", serverNum);
                fprintf(fp, "--dport %d -j ACCEPT\n", nvram_get_int(&buffer[0]));
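Review bot: Commenting the five lines out with `//` instead of deleting them leaves dead code in openvpn.c; remove them outright. Dropping the second `sprintf`/`strncpy` pair along with the nat rule is correct, since that reload was only needed because the nat rule's `strtok(&buffer[0], "-")` mutates `buffer`; the context line after the hunk, `fprintf(fp, "iptables -I INPUT -p %s ", strtok(&buffer[0], "-"));`, still gets the proto string from the two context lines at the top of the hunk. Consider also whether deletion is the right change rather than scoping: the concern raised in the thread is that the rule names no interface, so keeping it and adding an `-i <wan interface>` match would cure the LAN-side transparent-proxy breakage without removing whatever the original Tomato code relied on; either way the commit message should state which was chosen and why.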


OR, choose the custom firewall configuration in the OpenVPN server WebUI, and then insert the rules into iptables, exactly where you want them. I put them just before "state INVALID". Then I can stack my other rules above the OpenVPN rules. Example:

/jffs/scripts/openvpn-event
Code:
#!/bin/sh
/usr/bin/logger -t $(/usr/bin/basename $0) "custom script started [$$]"
finish()  {
  /usr/bin/logger -t $(/usr/bin/basename $0) "custom script ended [$$]"
}
trap finish EXIT
# "local" is only valid inside a function (dash and current BusyBox ash reject
# it at file scope), so the top-level variables are plain assignments.
PARAM=$*

# dump the OpenVPN variables to temp file (debugging aid)
set>/tmp/openvpn-variables.txt

# determine caller: Asuswrt-Merlin passes the tun device name as $1
P1=$1

/usr/bin/logger -st "($(/usr/bin/basename $0))"  "Debug Caller="$1

case "$P1" in
        "tun11")
                vpn_type="client"
                vpn_name="client1"
                ;;
        "tun12")
                vpn_type="client"
                vpn_name="client2"
                ;;
        "tun13")
                vpn_type="client"
                vpn_name="client3"
                ;;
        "tun14")
                vpn_type="client"
                vpn_name="client4"
                ;;
        "tun15")
                vpn_type="client"
                vpn_name="client5"
                ;;
        "tun21")
                vpn_type="server"
                vpn_name="server1"
                # OpenVPN exports proto_1 as "udp" or "tcp-server"; strip the suffix
                vpn_protocol=${proto_1%-server}
                vpn_server_port=$local_port_1
                ;;
        "tun22")
                vpn_type="server"
                vpn_name="server2"
                vpn_protocol=${proto_2%-server}
                vpn_server_port=$local_port_2
                ;;
        *)
                vpn_type=""
                vpn_name=""
                ;;
esac

/usr/bin/logger -s -t "($(/usr/bin/basename $0))"  "VPN_name=$vpn_name , detected for dev=$dev, Script Type=$script_type"

# update_rule CMD CHAIN RULE [ACTION] [RULENUM]
#   CMD     - "/usr/sbin/iptables", "/usr/sbin/iptables -t mangle", ebtables, ...
#   ACTION  - insert (default), append or delete
#   RULENUM - position for insert; empty means the top of the chain
# iptables rules are checked with -C first so that repeated "up" events do
# not create duplicates.
update_rule()
{
  local CMD="$1"
  local CHAIN="$2"
  local RULE="$3"
  local ACTION="$4"
  local RULENUM="$5"

  [ -z "$ACTION" ] && ACTION="insert"

  /usr/bin/logger -t $(/usr/bin/basename $0) "custom script update_rule \"$CMD\" \"$CHAIN\" \"$RULE\" \"$ACTION\" \"$RULENUM\" [$$]"
  #/bin/echo update_rule $CMD $CHAIN $RULE $ACTION $RULENUM

  if [ "${CMD#*iptables}" != "$CMD" ]; then

    if [ "$ACTION" = "append" ]; then
      $CMD -C $CHAIN $RULE > /dev/null 2>&1 || $CMD -A $CHAIN $RULE
    elif [ "$ACTION" = "insert" ]; then
      $CMD -C $CHAIN $RULE > /dev/null 2>&1 || $CMD -I $CHAIN $RULENUM $RULE
    elif [ "$ACTION" = "delete" ]; then
      $CMD -C $CHAIN $RULE > /dev/null 2>&1 && $CMD -D $CHAIN $RULE
    else
      /bin/echo "Invalid action."
    fi

  elif [ "${CMD#*ebtables}" != "$CMD" ]; then

    # ebtables has no -C; remove every existing copy of the rule first
    while $CMD -D $CHAIN $RULE 2>/dev/null; do :; done

    if [ "$ACTION" = "append" ]; then
      $CMD -A $CHAIN $RULE
    elif [ "$ACTION" = "insert" ]; then
      $CMD -I $CHAIN $RULENUM $RULE
    elif [ "$ACTION" != "delete" ]; then
      /bin/echo "Invalid action."
    fi

  fi
}


###############################################################################
# re-configure the firewall when starting or stopping a vpn server

if [ "$vpn_type" = "server" ]; then
  RULE_FILTER_INPUT_1="-p $vpn_protocol --dport $vpn_server_port -j ACCEPT"
  RULE_FILTER_INPUT_2="-i $dev -j ACCEPT"
  RULE_FILTER_FORWARD="-i $dev -j ACCEPT"
  RULE_MANGLE_PREROUTING="-i $dev -j MARK --set-mark 0x01/0x7"

  if [ "$script_type" = "up" ]; then

    # insert just above the "state INVALID" drop; head -n 1 keeps a single
    # rule number should the pattern match more than one line
    RuleNumFilterInput=$(/usr/sbin/iptables -nL INPUT --line-numbers | /bin/grep "state INVALID" | /usr/bin/head -n 1 | /usr/bin/cut -f1 -d' ')
    update_rule "/usr/sbin/iptables" "INPUT" "${RULE_FILTER_INPUT_1}" "insert" "${RuleNumFilterInput}"
    update_rule "/usr/sbin/iptables" "INPUT" "${RULE_FILTER_INPUT_2}" "insert" "${RuleNumFilterInput}"

    RuleNumFilterForward=$(/usr/sbin/iptables -nL FORWARD --line-numbers | /bin/grep "state INVALID" | /usr/bin/head -n 1 | /usr/bin/cut -f1 -d' ')
    update_rule "/usr/sbin/iptables" "FORWARD" "${RULE_FILTER_FORWARD}" "insert" "${RuleNumFilterForward}"

    update_rule "/usr/sbin/iptables -t mangle" "PREROUTING" "${RULE_MANGLE_PREROUTING}" "insert"

  elif [ "$script_type" = "down" ]; then

    update_rule "/usr/sbin/iptables" "INPUT" "${RULE_FILTER_INPUT_1}" "delete"
    update_rule "/usr/sbin/iptables" "INPUT" "${RULE_FILTER_INPUT_2}" "delete"
    update_rule "/usr/sbin/iptables" "FORWARD" "${RULE_FILTER_FORWARD}" "delete"
    update_rule "/usr/sbin/iptables -t mangle" "PREROUTING" "${RULE_MANGLE_PREROUTING}" "delete"

  fi
fi
 
I don't want to just blindly remove it before I've figured out the reason why the rule was there (I'm sure Keith, the original author, had a reason for it).

A simpler workaround for you would be to just delete that rule from iptables from an openvpn-event script instead of manually reconfiguring the whole firewall yourself.
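A minimal openvpn-event script along the lines RMerlin suggests, as an added example that is not code from the thread or from Asuswrt-Merlin. It assumes, as the script earlier in the thread does, that the firmware calls /jffs/scripts/openvpn-event with the tun device name as `$1` (tun21 for server 1) and that OpenVPN exports `script_type`, `proto_1` and `local_port_1` into the environment, `proto_1` being "udp" or "tcp-server" for a server instance. The `IPT` variable and the function names are the example's own.

```sh
#!/bin/sh
# /jffs/scripts/openvpn-event
# Added example (not from the thread or the firmware): when OpenVPN server 1
# comes up, delete the firmware's
#   iptables -t nat -I PREROUTING -p <proto> --dport <port> -j ACCEPT
# rule so that REDIRECT/DNAT rules later in nat PREROUTING are reached again.
# Assumptions: $1 is the tun device, and OpenVPN exports script_type,
# proto_1 ("udp" or "tcp-server") and local_port_1 into the environment.

IPT="${IPT:-iptables}"   # iptables command; overridable so the logic can be tested without root

# vpn_server_proto PROTO: map OpenVPN's "tcp-server" to the name iptables expects
vpn_server_proto() {
  printf '%s\n' "${1%-server}"
}

# drop_nat_accept PROTO PORT: remove every copy of the firmware rule and print
# how many were removed. A server restart re-inserts the rule, so there may be
# more than one copy; loop until "-C" no longer finds a match.
drop_nat_accept() {
  local proto="$1" port="$2" removed=0
  while "$IPT" -t nat -C PREROUTING -p "$proto" --dport "$port" -j ACCEPT 2>/dev/null; do
    "$IPT" -t nat -D PREROUTING -p "$proto" --dport "$port" -j ACCEPT || break
    removed=$((removed + 1))
  done
  logger -t openvpn-event "removed $removed nat PREROUTING ACCEPT rule(s) for $proto/$port" 2>/dev/null || true
  echo "$removed"
}

# Entry point: act only on the "up" event of server 1 (server 2 would be
# tun22 with proto_2 / local_port_2). The filter-table INPUT ACCEPT for the
# port is left alone; that is the rule that actually lets VPN clients in.
case "$1:$script_type" in
  tun21:up) drop_nat_accept "$(vpn_server_proto "$proto_1")" "$local_port_1" >/dev/null ;;
esac
```

Make the file executable, restart the server, and confirm with `iptables -t nat -nL PREROUTING --line-numbers` that the ACCEPT for the server port is gone while the REDIRECT for the transparent proxy is still listed; the server's own reachability only depends on the filter-table INPUT rule, which the script does not touch.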
 
