Skynet - Router Firewall & Security Enhancements

Give the latest version a crack, let me know if it makes any difference. You will need to re-run the installer to get the implemented changes. Will continue working on a better solution this week.

Up and running, so far so good! Will be reporting any possible issues. Thanks again for your efforts.
 
I think I remember there is an nvram setting that contains an OpenVPN client's local IP, can't remember it off hand tho. Check the code in the ajax_openvpn_something.asp file (can't check at the moment).
 
Yeah I found most of the relevant values, I think the issue in the case above was that the IP changed and because I'm only updating it on the firewall restart event I didn't catch it. I white-list the following:

Code:
        ipset -q -A Whitelist "$(nvram get vpn_server1_sn)"/24 comment "nvram: vpn_server1_sn"
        ipset -q -A Whitelist "$(nvram get vpn_server2_sn)"/24 comment "nvram: vpn_server2_sn"
        ipset -q -A Whitelist "$(nvram get vpn_server_sn)"/24 comment "nvram: vpn_server_sn"
        ipset -q -A Whitelist "$(nvram get vpn_client1_addr)"/24 comment "nvram: vpn_client1_addr"
        ipset -q -A Whitelist "$(nvram get vpn_client2_addr)"/24 comment "nvram: vpn_client2_addr"
        ipset -q -A Whitelist "$(nvram get vpn_client3_addr)"/24 comment "nvram: vpn_client3_addr"
        ipset -q -A Whitelist "$(nvram get vpn_client4_addr)"/24 comment "nvram: vpn_client4_addr"
        ipset -q -A Whitelist "$(nvram get vpn_client5_addr)"/24 comment "nvram: vpn_client5_addr"
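
An added example, not part of the thread and not Skynet's code: the same eight nvram keys turned into whitelist commands, but with each value validated first, since an unset key turns the argument into a bare "/24" and a client address with /24 covers the whole surrounding 256-address block. The helper names (get_value, is_ipv4, whitelist_cmds) and the sample values are assumptions made for the example; it prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not Skynet's code. Prints the whitelist commands (dry run)
# so the result can be reviewed before anything touches ipset.

# nvram keys listed in the post above
VPN_KEYS="vpn_server1_sn vpn_server2_sn vpn_server_sn vpn_client1_addr
vpn_client2_addr vpn_client3_addr vpn_client4_addr vpn_client5_addr"

# get_value KEY (hypothetical helper): nvram on the router, otherwise
# constructed sample values so the script also runs off-router.
get_value() {
    if command -v nvram >/dev/null 2>&1; then nvram get "$1"; return; fi
    case "$1" in
        vpn_server1_sn)   echo "10.8.0.0" ;;      # constructed
        vpn_client1_addr) echo "203.0.113.57" ;;  # constructed
        vpn_client2_addr) echo "999.1.2.3" ;;     # constructed, malformed
        *)                echo "" ;;              # unset key
    esac
}

# is_ipv4 ADDR: succeed only for four dot-separated octets in 0..255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; input holds only digits and dots
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# whitelist_cmds: one ipset command per valid value, normalised to its /24.
whitelist_cmds() {
    for key in $VPN_KEYS; do
        value=$(get_value "$key")
        if is_ipv4 "$value"; then
            echo "ipset -q -A Whitelist ${value%.*}.0/24 comment \"nvram: $key\""
        elif [ -n "$value" ]; then
            echo "# skipped $key: value is not an IPv4 address"
        fi
    done
}

whitelist_cmds
```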
 
I may be mistaken, but IIRC you only called that ajax asp when visiting the VPN Status page. It may need to be moved if it's going to be generally available.
 
It's also used on the OpenVPN Client page to determine the connection status (and now I also report both remote and public tunnel IPs on that page).

It only polls nvram values tho, I'm not sure I understand what you mean by moving it.
 
Working from memory, so may be wrong...but I remember thinking the nvram wouldn't be set unless you actually opened the status page where you report the IPs.
 
Nah, ajax pages only do a bunch of nvram_get() calls to refresh the local JS variables, they don't affect stored values.
 
I must say that I am not using the OpenVPN client from Merlin's firmware as you may think. I am using the PIA app on my iMac (High Sierra).

Well that makes a lot more sense, Skynet has no way to get this information. The two choices you have here are:

  1. Whitelist the IP Ranges you commonly connect to if you are having frequent issues of VPN servers getting blocked.
  2. Disable autobanning in Skynet
 
How come this last update made it a lot better then??? I am just asking, don't mean to be rude!
 
I would say partially a placebo effect. Also I personally don't have any issues using my VPN provider's Windows client so it may have just been a one-off blocking incident.
 
I got a VPN failure after a TLS handshake timeout, that I get once a week or so, and then a complete VPN restart with a new server. All went well, with this in the log. This seems to show that the Skynet whitelist VPN IP is working. Running
sh /jffs/scripts/firewall whitelist list
shows it updated. :cool:

Code:
Oct 13 22:33:03 openvpn-routing: Configuring policy rules for client 1
Oct 13 22:33:04 openvpn-routing: Tunnel re-established, restoring WAN access to clients
Oct 13 22:33:04 custom_script: Running /jffs/scripts/openvpn-event (args: tun11 1500 1558 xxx.21.56.235 )
Oct 13 22:33:04 Samba_Server: daemon is started
Oct 13 22:33:05 Skynet: [INFO] Updating VPN Whitelist...
Oct 13 22:33:05 openvpn[1555]: Initialization Sequence Completed
 
Is it possible to exclude a client from the firewall?

Possible? Probably. But not in its current state. I'll keep it in mind for the future as it would require some significant design changes.

I got a VPN failure after a TLS handshake timeout, that I get once a week or so, and then a complete VPN restart with a new server. All went well, with this in the log. This seems to show that the Skynet whitelist VPN IP is working. Running
sh /jffs/scripts/firewall whitelist list
shows it updated. :cool:

Code:
Oct 13 22:33:03 openvpn-routing: Configuring policy rules for client 1
Oct 13 22:33:04 openvpn-routing: Tunnel re-established, restoring WAN access to clients
Oct 13 22:33:04 custom_script: Running /jffs/scripts/openvpn-event (args: tun11 1500 1558 xxx.21.56.235 )
Oct 13 22:33:04 Samba_Server: daemon is started
Oct 13 22:33:05 Skynet: [INFO] Updating VPN Whitelist...
Oct 13 22:33:05 openvpn[1555]: Initialization Sequence Completed

Great to hear.
 
So back to my previous post...probably some changes required...

I know it's probably low on the priority list for 382.1, but I was just curious as to the nature of the situation with IPSec and Skynet on the RT-AC86U and the following installation error? Forgive my ignorance... just curious. No need to respond if it requires a lengthy time-consuming response, either. I'm happy to wait :)

Skynet: [ERROR] IPSet Extensions Not Enabled - Please Update To 380.68 / V26E3 Or Newer Firmware
 
Trying very hard on my end to get in contact with Asus's marketing department about device availability, but unfortunately I can't find a reliable contact channel they actually respond to.

Beyond that there is another issue with the actual IPSet implementation from my understanding, that will be up to @john9527 and @RMerlin to eventually fix, but as this firmware is still in a very early Beta and they have a lot on their plate all we can do is patiently wait.
 
@Adamm would you please help me?
RT-n66u with AsusMerlin v380.68_4 and ab-solution 3.9.1 with pixelserv-tls v3.9.2
I ran the script at the top of this thread. I ran the script to update, and currently have Skynet v5.(whatever came out yesterday, 2017-10-15).

SkyNet seems to run, but I get an error that tells me that my version of IPSet isn't supported. My Linux-fu isn't strong, yet I've scrolled through 15 or so pages of this thread and people say they have or have had this running on the n66u. What am I missing? What must I do?
 
Unfortunately Skynet doesn't and can't support the N66U and other MIPS routers due to their ancient Kernel and IPSet version. Sorry!
 
