Need to Block DHCP from traveling across site-to-site TAP VPN Tunnel.


cfm56

Occasional Visitor
All,

I had this working at some time in the past where I had put in some commands into DD-WRT routers to block DHCP from traveling across our VPN tunnel (Open VPN\TAP).

Yes I realize that TAP is unpopular, and thus the reason I can't find this info. We basically need to function as 1 network across the tunnel... but I can't find how to block DHCP on the Asus Merlin firmware. Does anyone have that figured out?
 

cfm56

Occasional Visitor

It used to be something like this in IPtables

ebtables -I INPUT -i tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP &
ebtables -I OUTPUT -o tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP &

I'm just unsure of if it's tap0 or not.
 

netware5

Very Senior Member
I have been using TAP since 2013. What exactly do you want to do?
 

cfm56

Occasional Visitor
Thanks netware...
Basically trying to keep DHCP from traversing the TAP OpenVPN tunnel to the other side. Both offices have their own DHCP server and I'm trying to block it from entering the tunnel. Thought I had this working at one point on DDWRT, but can't remember if I ever found a solution on Asus-Merlin. BTW, I do have the JFFS partition and am running some iptables scripts on there to support multiple IPs. Hope that helps... thanks for answering.
 

netware5

Very Senior Member
I think in your iptables command you should not use "tap0", try to use "tap21".
 

cfm56

Occasional Visitor
trying:

#Drop DHCP across VPN

ebtables -I INPUT -i tap21 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP &
ebtables -I OUTPUT -o tap21 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP &
 

cfm56

Occasional Visitor
Looks like that didn't work... still getting DHCP ACK responses from both DHCP servers. Should I try TAP0? (See attached)
 


netware5

Very Senior Member
Look at syslog for entries logging OpenVPN start. On my router I see the following:
Code:
Apr 30 23:53:05 rc_service: service 2147:notify_rc restart_vpnserver1
Apr 30 23:53:05 custom_script: Running /jffs/scripts/service-event (args: restart vpnserver1)
Apr 30 23:53:05 ovpn-server1[2060]: Closing TUN/TAP interface
Apr 30 23:53:05 ovpn-server1[2060]: updown.sh tap21 1500 1655   init
Apr 30 23:53:05 ovpn-server1[2060]: SIGTERM[hard,] received, process exiting
Apr 30 23:53:05 ovpn-server1[2226]: OpenVPN 2.4.9 arm-buildroot-linux-gnueabi [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 26 2020
Apr 30 23:53:05 ovpn-server1[2226]: library versions: OpenSSL 1.1.1g  21 Apr 2020, LZO 2.08
Apr 30 23:53:05 ovpn-server1[2227]: NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
Apr 30 23:53:05 ovpn-server1[2227]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Apr 30 23:53:05 ovpn-server1[2227]: Diffie-Hellman initialized with 4096 bit key
Apr 30 23:53:05 ovpn-server1[2227]: Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Apr 30 23:53:05 ovpn-server1[2227]: Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Apr 30 23:53:05 ovpn-server1[2227]: Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Apr 30 23:53:05 ovpn-server1[2227]: Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Apr 30 23:53:05 ovpn-server1[2227]: TUN/TAP device tap21 opened
Apr 30 23:53:05 ovpn-server1[2227]: TUN/TAP TX queue length set to 1000
Apr 30 23:53:05 ovpn-server1[2227]: updown.sh tap21 1500 1655   init
Apr 30 23:53:05 ovpn-server1[2227]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Apr 30 23:53:05 ovpn-server1[2227]: Socket Buffers: R=[87380->524288] S=[16384->524288]
Apr 30 23:53:05 ovpn-server1[2227]: Listening for incoming TCP connection on [AF_INET][undef]:443
Apr 30 23:53:05 ovpn-server1[2227]: TCPv4_SERVER link local (bound): [AF_INET][undef]:443
Apr 30 23:53:05 ovpn-server1[2227]: TCPv4_SERVER link remote: [AF_UNSPEC]
Apr 30 23:53:05 ovpn-server1[2227]: MULTI: multi_init called, r=256 v=256
Apr 30 23:53:05 ovpn-server1[2227]: MULTI: TCP INIT maxclients=1024 maxevents=1028
Apr 30 23:53:05 ovpn-server1[2227]: Initialization Sequence Completed

So you see in my case it is tap21.
 

cfm56

Occasional Visitor
OK, so... even after setting tap22:

The following is not working; still seeing DHCP signal from both sides.


NOT WORKING:
ebtables -I INPUT -i tap22 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP &
ebtables -I OUTPUT -o tap22 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP &

Going to have a look at this other link as they have a different method. I'm putting this currently in my nat-start file.
 

cfm56

Occasional Visitor
@DocUmibozu you can really call it anything I think... as long as it's an executable script within your scripts directory. Mine is inside of my nat-start scripts.
 

cfm56

Occasional Visitor
OK this worked:

Thanks @Odkrys for the ultimate solution, and netware5 for your responsiveness!

#!/bin/sh
# Drop IPv4 UDP frames with a DHCP port (67 server / 68 client) as destination or source.
# INPUT: frames arriving from any tap interface that are addressed to the router itself.
ebtables -A INPUT --in-interface tap+ --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A INPUT --in-interface tap+ --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP
# FORWARD: frames being bridged out to any tap interface, i.e. about to enter the tunnel.
ebtables -A FORWARD --out-interface tap+ --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A FORWARD --out-interface tap+ --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP

Seems the tap number didn't really matter with the above code.

@DocUmibozu let me know if you need help, I'll try to help
 

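One way to install the rule set above so that it can be re-run safely from nat-start (which the firmware invokes on several events, so plain `-A` appends would pile up duplicates), as an added example that is not cfm56's script or Asus-Merlin firmware code. It assumes ebtables is on PATH, that the OpenVPN TAP interfaces match `tap+`, and a hypothetical user chain name `DHCP_BLOCK`; it also matches FORWARD in both directions, which goes beyond the thread's rule set (explained in the comments).

```shell
#!/bin/sh
# Added example (not cfm56's script, not Asus-Merlin firmware code): installs the
# thread's DHCP-blocking ebtables rules idempotently, so re-running it from
# /jffs/scripts/nat-start (which the firmware invokes on several events) does not
# keep appending duplicate rules.  Assumes ebtables is on PATH, the OpenVPN TAP
# interfaces match "tap+", and the hypothetical chain name DHCP_BLOCK is unused.
CHAIN="${CHAIN:-DHCP_BLOCK}"   # hypothetical user-defined chain name (assumption)
TAPIF="${TAPIF:-tap+}"         # "tap+" matches tap21, tap22, ... as in the thread

# Run an ebtables command, or only print it when DRY_RUN=1 (used by the self-test).
ebt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "ebtables $*"; else ebtables "$@"; fi
}

# The two rule bodies: IPv4 UDP with the DHCP ports 67:68 as destination or as source.
dhcp_rule_bodies() {
    for portopt in --ip-destination-port --ip-source-port; do
        echo "--protocol ipv4 --ip-protocol udp $portopt 67:68 -j DROP"
    done
}

# True if a jump to $CHAIN is already listed in built-in chain $1 (ebtables -L prints
# rules in command syntax, so "-j DHCP_BLOCK" appears verbatim in the listing).
jump_present() { ebt -L "$1" 2>/dev/null | grep -q -- "-j $CHAIN"; }

install_dhcp_block() {
    # Create the chain, or flush it if it already exists; either way it is now empty.
    ebt -N "$CHAIN" 2>/dev/null || ebt -F "$CHAIN"
    dhcp_rule_bodies | while read -r body; do
        # shellcheck disable=SC2086  # splitting $body into separate arguments is intended
        ebt -A "$CHAIN" $body
    done
    # Where DHCP frames cross the bridge: INPUT for frames addressed to the router itself
    # (its own dnsmasq server), FORWARD for frames bridged between LAN ports and the
    # tunnel.  FORWARD is matched in both directions, which goes beyond the thread's
    # rule set (it only used --out-interface), so DHCP arriving from the tunnel is not
    # bridged to a DHCP server sitting on the local LAN either.
    jump_present INPUT   || ebt -I INPUT   -i "$TAPIF" -j "$CHAIN"
    jump_present FORWARD || { ebt -I FORWARD -i "$TAPIF" -j "$CHAIN"
                              ebt -I FORWARD -o "$TAPIF" -j "$CHAIN"; }
}

case "${1:-}" in
    --install) install_dhcp_block && ebt -L "$CHAIN" --Lc ;;  # apply, then show hit counters
esac
```

Run it as root with `--install`; the `--Lc` listing afterwards shows per-rule hit counters, which is the quickest way to confirm the rules are actually catching the DHCP frames seen in the screenshots.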
