Restricting access to OpenVPN server via iptables


New Around Here
Hi! I’m allowing access to my OpenVPN server only for a predefined ipset, by rewriting the existing iptables rules in the openvpn-event user script.

What I’m currently doing: in openvpn-event I rewrite the standard OpenVPN rule like this:

# Replace the firmware's wide-open ACCEPT with one restricted to the allow_ip ipset
if iptables -C INPUT -p $proto -m $proto --dport $server_port -j ACCEPT; then
    iptables -D INPUT -p $proto -m $proto --dport $server_port -j ACCEPT
    iptables -I INPUT -p $proto -m set --match-set allow_ip src --dport $server_port -j ACCEPT
    logger -t "$scr_name" "Completed"
else
    # TBD...
    logger -t "$scr_name" "Failure: iptables rule not found to replace in the INPUT chain!"
fi

I rewrite the NAT rules the same way. This works fine and is persistent across router reboots, until I change something via the GUI, which causes an iptables reload, and my rule “iptables -I INPUT -p $proto -m set --match-set allow_ip src --dport $server_port -j ACCEPT” is overwritten by the original rule “iptables -C INPUT -p $proto -m $proto --dport $server_port -j ACCEPT” set by /etc/openvpnX/server/

What is the proper way to rewrite the standard OpenVPN server rules set by so that the changes persist across configuration changes that affect iptables?

And where is /etc/openvpnX/server/ called during changes in the GUI that affect iptables?

386.4, RT-AC88U


Asuswrt-Merlin dev
The openvpn-event script is the correct location. Look at the specific event type, however, before determining what to do (through the $script_type variable value).

And where is /etc/openvpnX/server/ called during changes in the GUI that affect iptables?
The script should be called whenever the firewall gets restarted.
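An added example of what such an openvpn-event hook can look like, following RMerlin's advice above to branch on $script_type. This is not the thread author's script and not firmware code. The replacement is idempotent, so a firewall restart that reinstalls the default rule is undone the next time the hook fires, and an already-restricted chain is left alone instead of getting a duplicate rule. Assumptions not stated in the thread: the firmware exports $script_type and $dev to the hook; the server's protocol and port are in nvram as vpn_server1_proto and vpn_server1_port; the ipset allow_ip already exists (created elsewhere, e.g. in firewall-start); the $IPT, OVPN_PROTO and OVPN_PORT variables are overrides introduced here so the rule logic can be exercised without root. The exact $script_type value the firmware passes on a firewall restart is not shown in the thread, so the hook logs it; tighten the case statement once it is known.

```sh
#!/bin/sh
# Added example for /jffs/scripts/openvpn-event (not the thread's script, not firmware code).
# Assumed, not stated in the thread: $script_type/$dev are exported by the firmware,
# vpn_server1_proto / vpn_server1_port are the nvram names, ipset "allow_ip" exists.
IPT="${IPT:-iptables}"            # override (e.g. a stub) to exercise the logic without root
SET_NAME="${SET_NAME:-allow_ip}"
TAG="openvpn-event"

log() {
    logger -t "$TAG" "$*" 2>/dev/null || printf '%s: %s\n' "$TAG" "$*" >&2
}

# Does the chain hold the wide-open ACCEPT rule the firmware installs for the server?
has_default_rule() { # chain proto port
    "$IPT" -C "$1" -p "$2" -m "$2" --dport "$3" -j ACCEPT 2>/dev/null
}

# Is the ipset-restricted replacement already in place?
has_ipset_rule() { # chain proto port
    "$IPT" -C "$1" -p "$2" -m set --match-set "$SET_NAME" src --dport "$3" -j ACCEPT 2>/dev/null
}

# Swap the default rule for one that only accepts sources listed in the ipset.
# Returns 0 when the chain ends up restricted, 1 when there was nothing to replace.
replace_accept_rule() { # chain proto port
    chain=$1; proto=$2; port=$3
    found=1
    if has_default_rule "$chain" "$proto" "$port"; then
        "$IPT" -D "$chain" -p "$proto" -m "$proto" --dport "$port" -j ACCEPT
        log "Removed default $proto/$port ACCEPT from $chain"
        found=0
    fi
    if has_ipset_rule "$chain" "$proto" "$port"; then
        log "$chain $proto/$port already restricted to ipset $SET_NAME"
        return 0
    fi
    if [ "$found" -ne 0 ]; then
        log "Failure: no $proto/$port ACCEPT rule found in $chain"
        return 1
    fi
    # -I puts the restricted rule ahead of anything the firmware appended later.
    "$IPT" -I "$chain" -p "$proto" -m set --match-set "$SET_NAME" src --dport "$port" -j ACCEPT
    log "Inserted $chain $proto/$port ACCEPT limited to ipset $SET_NAME"
}

main() {
    # Record the event so the firewall-restart value can be identified in syslog.
    log "event=${script_type:-unset} dev=${dev:-unset}"
    case "${script_type:-}" in
        down|route-pre-down)      # server going away: leave the chain alone
            log "skipping $script_type"; return 0 ;;
    esac
    proto=${OVPN_PROTO:-$(nvram get vpn_server1_proto)}   # assumed nvram name
    proto=${proto%%-*}                                    # e.g. "tcp-server" -> "tcp"
    port=${OVPN_PORT:-$(nvram get vpn_server1_port)}      # assumed nvram name
    replace_accept_rule INPUT "$proto" "$port"
}

# Only act when invoked by the firmware (or when an event is simulated in $script_type).
if [ -n "${script_type:-}" ]; then
    main
fi
```

The NAT-side rules the original post mentions follow the same pattern with `-t nat` added to each call; they are left out here because the thread does not show them.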


New Around Here
Many thanks @RMerlin. I added the rewriting of the default rules to my openvpn-event script, and now my custom iptables rules persist across firewall restarts too.
