Need to Block DHCP from traveling across site-to-site TAP VPN Tunnel.


cfm56

Occasional Visitor
All,

I had this working at some time in the past where I had put in some commands into DD-WRT routers to block DHCP from traveling across our VPN tunnel (OpenVPN/TAP).

Yes I realize that TAP is unpopular, and thus the reason I can't find this info. We basically need to function as 1 network across the tunnel... but I can't find how to block DHCP on the Asus Merlin firmware. Does anyone have that figured out?
 

It used to be something like this in iptables:

ebtables -I INPUT -i tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP &
ebtables -I OUTPUT -o tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP &

I'm just unsure of if it's tap0 or not.
 

I have been using TAP since 2013. What exactly do you want to do?
 
Thanks netware...
Basically trying to keep DHCP from traversing the TAP OpenVPN tunnel to the other side. Both offices have their own DHCP server and I'm trying to block it from entering the tunnel. Thought I had this working at one point on DD-WRT, but can't remember if I ever found a solution on Asus-Merlin. BTW, I do have the JFFS partition and am running some iptables scripts on there to support multiple IPs. Hope that helps... thanks for answering.
 

I think in your iptables command you should not use "tap0", try to use "tap21".
 
Trying:

#Drop DHCP across VPN

ebtables -I INPUT -i tap21 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP &
ebtables -I OUTPUT -o tap21 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP &
 
Looks like that didn't work... still getting DHCP ACK responses from both DHCP servers. Should I try tap0? (See attached)
 

Attachments: dhcp.JPG
Look at syslog for entries logging OpenVPN start. On my router I see the following:
Code:
Apr 30 23:53:05 rc_service: service 2147:notify_rc restart_vpnserver1
Apr 30 23:53:05 custom_script: Running /jffs/scripts/service-event (args: restart vpnserver1)
Apr 30 23:53:05 ovpn-server1[2060]: Closing TUN/TAP interface
Apr 30 23:53:05 ovpn-server1[2060]: updown.sh tap21 1500 1655   init
Apr 30 23:53:05 ovpn-server1[2060]: SIGTERM[hard,] received, process exiting
Apr 30 23:53:05 ovpn-server1[2226]: OpenVPN 2.4.9 arm-buildroot-linux-gnueabi [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 26 2020
Apr 30 23:53:05 ovpn-server1[2226]: library versions: OpenSSL 1.1.1g  21 Apr 2020, LZO 2.08
Apr 30 23:53:05 ovpn-server1[2227]: NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
Apr 30 23:53:05 ovpn-server1[2227]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Apr 30 23:53:05 ovpn-server1[2227]: Diffie-Hellman initialized with 4096 bit key
Apr 30 23:53:05 ovpn-server1[2227]: Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Apr 30 23:53:05 ovpn-server1[2227]: Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Apr 30 23:53:05 ovpn-server1[2227]: Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Apr 30 23:53:05 ovpn-server1[2227]: Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Apr 30 23:53:05 ovpn-server1[2227]: TUN/TAP device tap21 opened
Apr 30 23:53:05 ovpn-server1[2227]: TUN/TAP TX queue length set to 1000
Apr 30 23:53:05 ovpn-server1[2227]: updown.sh tap21 1500 1655   init
Apr 30 23:53:05 ovpn-server1[2227]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Apr 30 23:53:05 ovpn-server1[2227]: Socket Buffers: R=[87380->524288] S=[16384->524288]
Apr 30 23:53:05 ovpn-server1[2227]: Listening for incoming TCP connection on [AF_INET][undef]:443
Apr 30 23:53:05 ovpn-server1[2227]: TCPv4_SERVER link local (bound): [AF_INET][undef]:443
Apr 30 23:53:05 ovpn-server1[2227]: TCPv4_SERVER link remote: [AF_UNSPEC]
Apr 30 23:53:05 ovpn-server1[2227]: MULTI: multi_init called, r=256 v=256
Apr 30 23:53:05 ovpn-server1[2227]: MULTI: TCP INIT maxclients=1024 maxevents=1028
Apr 30 23:53:05 ovpn-server1[2227]: Initialization Sequence Completed

So you see in my case it is tap21.
 
ok, so... even after setting TAP22:

The following is not working, still seeing DHCP signal from both sides.

NOT WORKING:
ebtables -I INPUT -i tap22 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP &
ebtables -I OUTPUT -o tap22 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP &

Going to have a look at this other link as they have a different method. I'm putting this currently in my nat-start file.
 
@DocUmibozu you can really call it anything, I think... as long as it's an executable script within your scripts directory. Mine is inside of my nat-start scripts.
 
OK this worked:

Thanks @Odkrys for the ultimate solution, and netware5 for your responsiveness!

#!/bin/sh
ebtables -A INPUT --in-interface tap+ --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A INPUT --in-interface tap+ --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP
ebtables -A FORWARD --out-interface tap+ --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A FORWARD --out-interface tap+ --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP

Seems the tap number didn't really matter with the above code.

@DocUmibozu let me know if you need help, I'll try to help
 

Attachments: dhcp solved.JPG, dhcp passing dhcp.JPG

I have two ASUS routers running Merlin with a TAP VPN tunnel. Where do I place these commands to block DHCP?
Clearly I am a rookie!

Thanks,

Peter
 
Well,
I created a file called nat-start under /jffs/scripts.
However every time my openvpn restarted the setting was lost.
So I added the line "sh /jffs/scripts/nat-start" in /jffs/scripts/firewall.
This file seems to be executed every time openvpn restarts, so the dhcp lock is always in use.
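The ebtables rules from the "OK this worked" post, packaged as an added example (not code from the thread or from Asus-Merlin) into a helper script that the firewall hook can call on every restart without stacking duplicate rules, which is the problem the previous post works around. Assumed names: the script path /jffs/scripts/dhcp-block, the EBTABLES variable and the function names; the ebtables options, chains and the tap+ wildcard are the thread's own.

```shell
#!/bin/sh
# Idempotent DHCP block for an OpenVPN TAP bridge on Asus-Merlin (added example,
# not from the thread). Save as /jffs/scripts/dhcp-block and call it from the
# firewall hook as "sh /jffs/scripts/dhcp-block apply". The hook runs on every
# firewall/VPN restart, so a plain "ebtables -A" would stack a duplicate copy of
# each rule per restart; here each rule is deleted first and then re-added.
EBTABLES="${EBTABLES:-ebtables}"   # set EBTABLES=echo for a dry run

# The four rules from the thread, one per line: chain, then the match.
#   tap+     matches every OpenVPN TAP interface (tap21, tap22, ...), so the
#            instance number no longer matters.
#   INPUT    frames arriving from the tunnel for the router itself (its own
#            DHCP server on the bridge).
#   FORWARD  frames the bridge relays between the LAN side and the TAP side.
#            Bridged LAN-to-LAN traffic passes through this chain, not through
#            INPUT/OUTPUT, which is why the earlier INPUT/OUTPUT-only rules did
#            not stop DHCP between clients on the two sides of the tunnel.
#   67:68    DHCP server/client ports, matched as destination and as source so
#            DISCOVER/REQUEST and OFFER/ACK are dropped in both directions.
dhcp_block_rules() {
    cat <<'EOF'
INPUT --in-interface tap+ --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68
INPUT --in-interface tap+ --protocol ipv4 --ip-protocol udp --ip-source-port 67:68
FORWARD --out-interface tap+ --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68
FORWARD --out-interface tap+ --protocol ipv4 --ip-protocol udp --ip-source-port 67:68
EOF
}

# Delete any existing copy of each rule (the error when it is absent is
# discarded), then append exactly one. $match is deliberately unquoted so the
# shell splits it back into separate ebtables arguments.
apply_dhcp_block() {
    dhcp_block_rules | while read -r chain match; do
        "$EBTABLES" -D "$chain" $match -j DROP 2>/dev/null
        "$EBTABLES" -A "$chain" $match -j DROP || exit 1
    done
}

# List the installed tap rules, to confirm they survived a restart.
show_dhcp_block() {
    for chain in INPUT FORWARD; do
        "$EBTABLES" -L "$chain" 2>/dev/null | grep -- 'tap+'
    done
}

if [ "${1:-}" = "apply" ]; then
    apply_dhcp_block
fi
```

The trailing & on the earlier attempts in this thread only backgrounds each ebtables command and is not needed. Run "sh /jffs/scripts/dhcp-block; show_dhcp_block" from an interactive shell (after sourcing the file) to see what is installed.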
 
Thanks, but I was hoping that I simply had to add a line to the "Custom Configuration" section of the VPN Client. I am using Merlin software for its richer VPN functionality, but I have only configured through the GUI. I don't even know where to begin to find the script area let alone add/edit. I cannot seem to find it on my ASUS router. I am running 384.14_2 code
 
