Skynet When connecting to my openvpn server on router, no outbound blocks being logged anymore


belleDESiRE

New Around Here
I have my own OpenVPN server running on the router, including Diversion and Skynet.
When connecting to the VPN with my devices, traffic is tunneled (tun/udp), the outside IP of the VPN client is my router, DNS is resolved by the router, and I can access my router's admin page through the tunnel. So the tunnel is being used.

Now the issue: I have Skynet installed with country blocking enabled (China / Russia, for instance). If a device is connected to the router directly (no VPN), I see outbound blocks, and also blocks related to these countries, being logged.
When connected via OpenVPN, I see no outbound blocking being logged for these devices at all anymore.

Am I missing something, or is the OpenVPN server bypassing the local firewall expected behavior?
 
What is the output of iptables-save from the SSH command line?
 
Sure, I redacted some of it.

Code:
# Generated by iptables-save v1.4.15 on Fri Sep 22 18:04:53 2023
*raw
:PREROUTING ACCEPT [4313:2891483]
:OUTPUT ACCEPT [3641:3731978]
-A PREROUTING -i br+ -m set ! --match-set Skynet-MasterWL dst -m set --match-set Skynet-Master dst -j LOG --log-prefix "[BLOCKED - OUTBOUND] " --ls
-A PREROUTING -i br+ -m set ! --match-set Skynet-MasterWL dst -m set --match-set Skynet-Master dst -j DROP
-A PREROUTING -i eth0 -m set ! --match-set Skynet-MasterWL src -m set --match-set Skynet-Master src -j LOG --log-prefix "[BLOCKED - INBOUND] " --ls
-A PREROUTING -i eth0 -m set ! --match-set Skynet-MasterWL src -m set --match-set Skynet-Master src -j DROP
-A OUTPUT -m set ! --match-set Skynet-MasterWL dst -m set --match-set Skynet-Master dst -j LOG --log-prefix "[BLOCKED - OUTBOUND] " --log-tcp-sequs
-A OUTPUT -m set ! --match-set Skynet-MasterWL dst -m set --match-set Skynet-Master dst -j DROP
COMMIT
# Completed on Fri Sep 22 18:04:53 2023
# Generated by iptables-save v1.4.15 on Fri Sep 22 18:04:53 2023
*nat
:PREROUTING ACCEPT [52:9871]
:INPUT ACCEPT [30:1635]
:OUTPUT ACCEPT [305:21584]
:POSTROUTING ACCEPT [305:21584]
:DNSFILTER - [0:0]
:GAME_VSERVER - [0:0]
:LOCALSRV - [0:0]
:MAPE - [0:0]
:PCREDIRECT - [0:0]
:PUPNP - [0:0]
:VSERVER - [0:0]
:VUPNP - [0:0]
-A PREROUTING -p udp -m udp --dport XXXXX -j ACCEPT
-A PREROUTING -d aaa.aaa.aaa.aaa/32 -j GAME_VSERVER
-A PREROUTING -d aaa.aaa.aaa.aaa/32 -j VSERVER
-A PREROUTING -i br+ -p udp -m udp --dport 53 -j DNSFILTER
-A PREROUTING -i br+ -p tcp -m tcp --dport 53 -j DNSFILTER
-A POSTROUTING -o eth0 -j PUPNP
-A POSTROUTING ! -s aaa.aaa.aaa.aaa/32 -o eth0 -j MASQUERADE
-A POSTROUTING -s xxx.xxx.xxx.0/24 -d xxx.xxx.xxx.0/24 -o br0 -j MASQUERADE
-A DNSFILTER -j DNAT --to-destination xxx.xxx.xxx.1
-A VSERVER -p tcp -m tcp --dport ___ -j DNAT --to-destination xxx.xxx.xxx.34
-A VSERVER -p udp -m udp --dport ___ -j DNAT --to-destination xxx.xxx.xxx.34
-A VSERVER -p udp -m udp --dport ___ -j DNAT --to-destination xxx.xxx.xxx.34
-A VSERVER -p udp -m udp --dport ___ -j DNAT --to-destination xxx.xxx.xxx.34
-A VSERVER -p udp -m udp --dport ___ -j DNAT --to-destination xxx.xxx.xxx.34
-A VSERVER -p udp -m udp --dport ___ -j DNAT --to-destination xxx.xxx.xxx.34
-A VSERVER -p tcp -m tcp --dport ___ -j DNAT --to-destination xxx.xxx.xxx.34
-A VSERVER -j VUPNP
COMMIT
# Completed on Fri Sep 22 18:04:53 2023
# Generated by iptables-save v1.4.15 on Fri Sep 22 18:04:53 2023
*mangle
:PREROUTING ACCEPT [6028:3141865]
:INPUT ACCEPT [3434:573303]
:FORWARD ACCEPT [2588:2566546]
:OUTPUT ACCEPT [6636:6336247]
:POSTROUTING ACCEPT [9224:8902793]
COMMIT
# Completed on Fri Sep 22 18:04:53 2023
# Generated by iptables-save v1.4.15 on Fri Sep 22 18:04:53 2023
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3666:3737524]
:ACCESS_RESTRICTION - [0:0]
:DNSFILTER_DOT - [0:0]
:FUPNP - [0:0]
:IControls - [0:0]
:INPUT_ICMP - [0:0]
:INPUT_PING - [0:0]
:IPSEC_DROP_SUBNET_ICMP - [0:0]
:IPSEC_STRONGSWAN - [0:0]
:OUTPUT_DNS - [0:0]
:OUTPUT_IP - [0:0]
:OVPNCF - [0:0]
:OVPNCI - [0:0]
:OVPNSF - [0:0]
:OVPNSI - [0:0]
:PControls - [0:0]
:PTCSRVLAN - [0:0]
:PTCSRVWAN - [0:0]
:SECURITY - [0:0]
:VPNCF - [0:0]
:VPNCI - [0:0]
:WGCF - [0:0]
:WGCI - [0:0]
:WGNPControls - [0:0]
:WGSF - [0:0]
:WGSI - [0:0]
:default_block - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
:logdrop_dns - [0:0]
:logdrop_ip - [0:0]
-A INPUT -p udp -m udp --dport 53 -m string --hex-string ... --algo bm --to 65535 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p icmp -m icmp --icmp-type 8 -j INPUT_PING
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j logdrop
-A INPUT ! -i br0 -j PTCSRVWAN
-A INPUT -i br0 -j PTCSRVLAN
-A INPUT ! -i lo -p tcp -m tcp --dport 5152 -j logdrop
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -p icmp -j INPUT_ICMP
-A INPUT -p gre -j ACCEPT
-A INPUT -i br1 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i br1 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i br1 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i br1 -p udp -m udp --dport 68 -j ACCEPT
-A INPUT -i br1 -j DROP
-A INPUT -i br2 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i br2 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i br2 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i br2 -p udp -m udp --dport 68 -j ACCEPT
-A INPUT -i br2 -j DROP
-A INPUT -j WGSI
-A INPUT -j WGCI
-A INPUT -j OVPNSI
-A INPUT -j OVPNCI
-A INPUT -j logdrop
-A FORWARD -j IPSEC_DROP_SUBNET_ICMP
-A FORWARD -j IPSEC_STRONGSWAN
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j WGSF
-A FORWARD -j OVPNSF
-A FORWARD -i br1 -j WGNPControls
-A FORWARD -i br1 -o eth0 -j ACCEPT
-A FORWARD -i br2 -j WGNPControls
-A FORWARD -i br2 -o eth0 -j ACCEPT
-A FORWARD ! -i br0 -o eth0 -j logdrop
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -m state --state INVALID -j logdrop
-A FORWARD -i br0 -o eth0 -p tcp -m tcp --dport 853 -j logdrop
-A FORWARD -i br0 -o eth0 -p udp -m udp --dport 853 -j logdrop
-A FORWARD -i br0 -o eth0 -j ACCEPT
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -i br+ -p tcp -m tcp --dport 853 -j DNSFILTER_DOT
-A FORWARD -j WGCF
-A FORWARD -j OVPNCF
-A FORWARD -j VPNCF
-A FORWARD -i br0 -j ACCEPT
-A FORWARD -j logdrop
-A OUTPUT -p udp -m udp --dport 53 -m u32 --u32 ... -j OUTPUT_DNS
-A OUTPUT -p tcp -m tcp --dport 53 -m u32 --u32 ... -j OUTPUT_DNS
-A OUTPUT -j OUTPUT_IP
-A DNSFILTER_DOT ! -d xxx.xxx.xxx.1/32 -j REJECT --reject-with icmp-port-unreachable
-A INPUT_ICMP -p icmp -m icmp --icmp-type 8 -j RETURN
-A INPUT_ICMP -p icmp -m icmp --icmp-type 13 -j RETURN
-A INPUT_ICMP -p icmp -j ACCEPT
-A INPUT_PING -i eth0 -p icmp -j logdrop
-A OUTPUT_DNS -m string --hex-string ... --algo bm --to 65535 --icase -j logdrop_dns
-A OUTPUT_DNS -m string --hex-string ... --algo bm --to 65535 --icase -j logdrop_dns
-A OUTPUT_DNS -m string --hex-string ... --algo bm --to 65535 --icase -j logdrop_dns
-A OUTPUT_DNS -m string --hex-string ... --algo bm --to 65535 --icase -j logdrop_dns
-A OUTPUT_DNS -m string --hex-string ... --algo bm --to 65535 --icase -j logdrop_dns
-A OUTPUT_DNS -m string --hex-string ... --algo bm --to 65535 --icase -j logdrop_dns
-A OUTPUT_DNS -m string --hex-string ... --algo bm --to 65535 --icase -j logdrop_dns
-A OUTPUT_DNS -m string --hex-string ... --algo bm --to 65535 --icase -j logdrop_dns
-A OUTPUT_DNS -m string --hex-string ... --algo bm --to 65535 --icase -j logdrop_dns
-A OUTPUT_DNS -m string --hex-string ... --algo bm --to 65535 --icase -j logdrop_dns
-A OUTPUT_DNS -m string --hex-string ... --algo bm --to 65535 --icase -j logdrop_dns
-A OUTPUT_DNS -m string --hex-string ... --algo bm --to 65535 --icase -j logdrop_dns
-A OUTPUT_DNS -m string --hex-string ... --algo bm --to 65535 --icase -j logdrop_dns
-A OUTPUT_DNS -m string --hex-string ... --algo bm --to 65535 --icase -j logdrop_dns
-A OUTPUT_DNS -m string --hex-string ... --algo bm --to 65535 --icase -j logdrop_dns
-A OUTPUT_DNS -m string --hex-string ... --algo bm --to 65535 --icase -j logdrop_dns
-A OUTPUT_DNS -m string --hex-string ... --algo bm --to 65535 --icase -j logdrop_dns
-A OUTPUT_DNS -m string --hex-string ... --algo bm --to 65535 --icase -j logdrop_dns
-A OUTPUT_DNS -m string --hex-string ... --algo bm --to 65535 --icase -j logdrop_dns
-A OUTPUT_DNS -m string --hex-string ... --algo bm --to 65535 --icase -j logdrop_dns
-A OUTPUT_DNS -m string --hex-string ... --algo bm --to 65535 --icase -j logdrop_dns
-A OUTPUT_IP -d 193.xxx.xxx.0/24 -j logdrop_ip
-A OUTPUT_IP -d 51.xxx.xxx.xxx/32 -j logdrop_ip
-A OUTPUT_IP -d 45.xxx.xxx.xxx/32 -j logdrop_ip
-A OUTPUT_IP -d 190.xxx.xxx.xxx/32 -j logdrop_ip
-A OUTPUT_IP -d 51.xxx.xxx.xxx/32 -j logdrop_ip
-A OUTPUT_IP -d 190.xxx.xxx.xxx/32 -j logdrop_ip
-A OVPNSF -o tun21 -j ACCEPT
-A OVPNSF -i tun21 -j ACCEPT
-A OVPNSI -i tun21 -j ACCEPT
-A OVPNSI -p udp -m udp --dport XXXXX -j ACCEPT
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j logdrop
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j logdrop
-A SECURITY -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j RETURN
-A SECURITY -p icmp -m icmp --icmp-type 8 -j logdrop
-A SECURITY -j RETURN
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -j DROP
-A logdrop_dns -j LOG --log-prefix "DROP_DNS " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop_dns -j DROP
-A logdrop_ip -j LOG --log-prefix "DROP_IP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop_ip -j DROP
COMMIT
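One way to confirm from the dump itself why VPN-client traffic is not logged, as an added example that is not part of this thread or of Skynet: in the raw table above, Skynet's PREROUTING rules only match packets arriving on -i br+ (the LAN bridges) or -i eth0 (the WAN), and the raw OUTPUT rules only see traffic the router itself originates. Packets from OpenVPN clients enter on tun21, which matches neither pattern, so they are forwarded (via OVPNSF) without ever reaching Skynet's LOG/DROP rules. The POSIX shell script below parses an iptables-save raw table and reports whether a given ingress interface is covered. The embedded sample is constructed from the rules quoted in this thread (with the truncated LOG options left out), and the interface names are the ones in the dump.

```shell
#!/bin/sh
# Added example (not Skynet's code): report which ingress interfaces the
# Skynet PREROUTING rules in an iptables-save dump cover, and whether a
# given interface (here the OpenVPN server's tun21) is among them.

# Constructed sample: the raw table quoted in this thread, minus the
# truncated LOG options. On a router, feed the live table instead:
#   iptables-save -t raw | skynet_covers_iface tun21
SAMPLE_RAW_TABLE='*raw
:PREROUTING ACCEPT [4313:2891483]
:OUTPUT ACCEPT [3641:3731978]
-A PREROUTING -i br+ -m set ! --match-set Skynet-MasterWL dst -m set --match-set Skynet-Master dst -j LOG --log-prefix "[BLOCKED - OUTBOUND] "
-A PREROUTING -i br+ -m set ! --match-set Skynet-MasterWL dst -m set --match-set Skynet-Master dst -j DROP
-A PREROUTING -i eth0 -m set ! --match-set Skynet-MasterWL src -m set --match-set Skynet-Master src -j LOG --log-prefix "[BLOCKED - INBOUND] "
-A PREROUTING -i eth0 -m set ! --match-set Skynet-MasterWL src -m set --match-set Skynet-Master src -j DROP
-A OUTPUT -m set ! --match-set Skynet-MasterWL dst -m set --match-set Skynet-Master dst -j DROP
COMMIT'

# Print the distinct "-i" patterns of PREROUTING rules that reference the
# Skynet-Master ipset, one per line, in first-seen order. Reads stdin.
skynet_prerouting_ifaces() {
    awk '/^-A PREROUTING / && /Skynet-Master/ {
            for (i = 1; i < NF; i++)
                if ($i == "-i" && !seen[$(i + 1)]++) print $(i + 1)
         }'
}

# iptables interface semantics: a trailing "+" is a prefix wildcard,
# anything else must match the name exactly. Returns 0 on a match.
iface_matches() {
    _name=$1
    _pat=$2
    case "$_pat" in
        *+) case "$_name" in "${_pat%+}"*) return 0 ;; esac ;;
        *)  [ "$_name" = "$_pat" ] && return 0 ;;
    esac
    return 1
}

# Print "covered" if packets arriving on $1 would be evaluated by at least
# one Skynet PREROUTING rule of the dump on stdin, otherwise "not covered".
skynet_covers_iface() {
    for _p in $(skynet_prerouting_ifaces); do
        if iface_matches "$1" "$_p"; then
            echo "covered"
            return 0
        fi
    done
    echo "not covered"
}

# Stand-alone run: verdict for a LAN bridge, the WAN and the VPN server
# interface against the constructed sample.
for _i in br0 eth0 tun21; do
    printf '%-6s %s\n' "$_i" \
        "$(printf '%s\n' "$SAMPLE_RAW_TABLE" | skynet_covers_iface "$_i")"
done
```

Against the sample this prints "covered" for br0 and eth0 and "not covered" for tun21, which is exactly the symptom described in the first post. The check only inspects the raw PREROUTING hook, because that is where the dump places Skynet's rules; if Skynet ever filters from another chain, extend the awk pattern to match it.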
 
I was hoping I would see something that would indicate why, but no luck. Maybe someone else who uses a VPN might have some advice. @Viktor Jaep, do you maybe know what's going on here?
 
What's the output of ipset list | grep nvram? Does your VPN IP show up here? I suspect the VPN bypasses Skynet. I don't know if this is the intended behavior.
 

It does not, indeed.
So it looks like Skynet does not support the OpenVPN interface currently?

Code:
ipset list | grep nvram

149.112.112.112 comment "nvram: dnspriv_rulelist"
1.0.0.2 comment "nvram: dnspriv_rulelist"
1.1.1.2 comment "nvram: dnspriv_rulelist"
9.9.9.9 comment "nvram: dnspriv_rulelist"
xxx.xxx.xxx.xxx comment "nvram: wan0_ipaddr"
 
Well, from looking at the Skynet script, I see brief sections that give lip service to the tun+ interfaces in skynet_IoT. Hence why I was asking for little bits of information for comparison. I have not seen any Skynet rules in your iptables relating to the tun+ interfaces, so it appears what you are asking is not supported. If you are clever enough, you might be able to make your own rules to achieve your desired results using the existing Skynet ipsets. You would definitely need to be confident and knowledgeable in such matters, as you would need to appropriately test whatever rules you come up with.
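If you do decide to write your own rules as suggested above, the following is one way to do it; it is an added example, not Skynet's code and not from any post in this thread. It appends LOG and DROP rules to the raw PREROUTING chain for the OpenVPN server interface that mirror the existing -i br+ rules, using the ipset names from the dump (Skynet-Master and Skynet-MasterWL) and the server interface shown there (tun21); all three are parameters. It assumes an iptables with the -C rule-check option (present in the 1.4.15 shown in the dump) and is written to be re-run safely, because Skynet rebuilds the firewall rules and anything you add has to be re-applied from a hook such as /jffs/scripts/firewall-start on Asuswrt-Merlin.

```shell
#!/bin/sh
# Added example, not part of Skynet or of any post above: extend Skynet's
# outbound block/log rules to an OpenVPN server interface so VPN clients are
# checked against the same ipsets as LAN clients. Ipset names and the
# interface are taken from the thread's dump and can be overridden.

VPN_IFACE="${VPN_IFACE:-tun21}"            # OpenVPN server interface in the dump
BLOCKLIST="${BLOCKLIST:-Skynet-Master}"    # ipset of blocked networks
WHITELIST="${WHITELIST:-Skynet-MasterWL}"  # ipset of whitelisted networks

# Append "iptables -t raw -A $*" unless an identical rule already exists
# (-C), so re-running the script from a firewall-start hook does not stack
# duplicates. With DRY_RUN=1 the command is printed instead of executed.
raw_rule_once() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'iptables -t raw -A'
        for _a in "$@"; do
            case "$_a" in
                *' '*) printf ' "%s"' "$_a" ;;   # keep the log prefix quoted
                *)     printf ' %s' "$_a" ;;
            esac
        done
        printf '\n'
        return 0
    fi
    if ! iptables -t raw -C "$@" 2>/dev/null; then
        iptables -t raw -A "$@"
    fi
}

# Mirror the "-i br+" LAN rules for one interface: LOG first, then DROP,
# both only for destinations in the blocklist and not in the whitelist.
apply_skynet_vpn_rules() {
    set -- "$1" -m set ! --match-set "$WHITELIST" dst -m set --match-set "$BLOCKLIST" dst
    raw_rule_once PREROUTING -i "$@" -j LOG --log-prefix "[BLOCKED - OUTBOUND] " \
        --log-tcp-sequence --log-tcp-options --log-ip-options
    raw_rule_once PREROUTING -i "$@" -j DROP
}

# Usage on the router as root:         sh skynet-vpn-rules.sh apply
# Preview without changing anything:   DRY_RUN=1 sh skynet-vpn-rules.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_skynet_vpn_rules "$VPN_IFACE"
fi
```

Run it with DRY_RUN=1 first and compare the two printed commands against the br+ rules in the dump before applying; then connect through the VPN and look for [BLOCKED - OUTBOUND] entries with IN=tun21 in the log. This covers only the outbound (dst) direction for VPN clients, which is the case the thread is about, and whatever Skynet keeps in these ipsets, whitelist entries included, now applies to the tunnel as well.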
 
I guess this is not only me seeing this, but probably all Merlin users running an OpenVPN (and probably also WireGuard) server on their router together with Skynet?

A bit too much for my current knowledge and understanding to script this out, as you mention.
Anyway, I could create an issue on GitHub and see if somebody is kind/willing to add this to Skynet. What do you think?

Anyway, thanks for the checking and assistance above, appreciated!
 