What's new

OpenVPN, firewall-start & DNS woes

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

mrDavid

New Around Here
hi all,
I'm trying to implement the scripts in How-to-Direct-Traffic-over-VPN-and-Drop-connections-if-VPN-goes-down. RT-AC87u + Merlin 378.55_0 + Express VPN

openvpn-event is working fine. The client included is routed through the VPN successfully. Other clients are not (yay)

firewall-start causes DNS forwarding to stop working on *all* machines. As best I can tell other traffic is unaffected - i can ping external IPs and cached names and even use FTP.

So.
NSlookups to 8.8.8.8 work fine on all clients
NSlookups to my router resolves internal names but time-out on external names
Results are consistent if I configure DHCP/static DNS on the clients
Including both 8.8.8.8 and the router as client DNS have the same results depending on which server is first in the listed

help.. :)

Code:
admin@router:/jffs/scripts# cat openvpn-event
#!/bin/sh
touch /jffs/scripts/openvpn-event-has-run
sleep 2

for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
echo 0 > $i
done

ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING

ip route show table main | grep -Ev ^default | grep -Ev tun11\
| while read ROUTE ; do
  ip route add table 100 $ROUTE
done

ip route add default table 100 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 100
ip route flush cache

iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.0.72 -j MARK --set-mark 0
exit 1

Code:
admin@router:/jffs/scripts# cat firewall-start
#!/bin/sh
touch /jffs/scripts/firewall-start-has-run

sleep 4

iptables -I FORWARD -i br0 -o tun11 -j ACCEPT
iptables -I FORWARD -i tun11 -o br0 -j ACCEPT
iptables -I FORWARD ! -o tun11 -s 192.168.0.72 -j DROP
iptables -I INPUT -i tun11 -j REJECT
iptables -t nat -A POSTROUTING -o tun11 -j MASQUERADE

chmod a+rx /jffs/scripts/firewall-start
(that last line looks like it was included in the template by mistake...but keeping it verbose until it works!)

Code:
admin@router:/jffs/scripts# ls -l
-rwxrwxrwx    1 admin  root           344 Aug 29 22:13 firewall-start-disabled
-rw-rw-rw-    1 admin  root             0 Aug 29 23:59 firewall-start-has-run
-rwxrwxrwx    1 admin  root            57 Aug 28 12:24 init-start
-rwxrwxrwx    1 admin  root           768 Aug 28 15:28 openvpn-event
-rw-rw-rw-    1 admin  root             0 Aug 30 00:08 openvpn-event-has-run
 
No need for any script. Enable Policy-based routing, add a rule for your entire subnet through the VPN tunnel, add another rule for the router's IP to go through the WAN, and enable "Block routed clients if tunnel goes down".

Anything based on packet marking will interfere with the TrendMicro DPI engine and QoS.
 
@RMerlin what did you mean by packet marking interferes with Trendmicro DPI?

If you use any feature based on the Trend Micro DPI engine, your firewall rules might end up being removed as the engine reconfigures iptables. Marks can also be modified by the QoS subsystem, which also uses packet marking to classify traffic.
 

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top