Client VPN Inbound Firewall = Allowed!?

[Dogzdongliz]

Hi everyone, my first post so a little nervous.

I'm after some advice on the way I've set up my home network.

A little background...

My current setup is a basic AC87U running Merlin, I use DDNS & VPN into my network when away.

The only port I every have open is 34200 for plex for remote access for friends, everything else
I access via the AC87U VPN server.

My home network consists of the usual stuff Xbox's, smartphones, wireless speakers etc. I run an unraid server, have the basic dockers, plex, sab, radarr, sonarr, transmission & pihole.

Transmission & Sab go through a VPN client configured on the AC87U.

This setup has served me well for years, but something has come along that's very tempting.

"Vodafone Unlimited data plans".

On my home broadband connection, my speeds are 27Mbps down & 8Mbps up, this is not to bad, but Vodafone gives me 180Mbps down & 40 up!

Now after some testing with a Vodafone sim & a 4G router in modem mode, I.ve come across a pitfall.

It seems that Vodafone uses carrier-grade nat & it's causing me havoc with my VPN server & plex remote access, due to the double natting.

The first thing I concentrated on was Plex remote access & I now have a working but I'm not entirely sure if it's safe & what consequences this setup has.

I use Torguard for my VPN provider & they allow port forwarding, so I setup a port forward (33445) & made the vpn client on my AC87U connect to the same IP every time.

The setup is as follows;
Plex (192.168.1.15) routed via AU87u built-in VPN client to torguard.
iptables set on the AC87U are set as follows;

iptables -I FORWARD -i tun15 -p udp -d 192.168.1.15 --dport 33445 -j ACCEPT
iptables -t nat -I PREROUTING -i tun15 -p udp --dport 33445 -j DNAT --to-destination 192.168.1.15

Now, this is the bit that concerns me, for this to work, I need to change the "Inbound Firewall" to "allow" on the client VPN settings page.

I'm now sure what else this is allowing in from the VPN, I'm hoping someone will be able to educate me a little.

If the above is ok, my next plan is to run a OpenVPN server on the network and apply the same methodology as the plex server.

Look forward to some replies, & hopefully not "SHUT IT DOWN NOW" lol

Cheers
Dogz

 

[ColinTaylor]

Now, this is the bit that concerns me, for this to work, I need to change the "Inbound Firewall" to "allow" on the client VPN settings page.

Until the most recent release of Merlin this option never existed. So in effect it was always set to "allow". This is not an issue with regards to general access to your network from the public internet because your connection is NATed through the VPN providers network which would block unsolicited incoming connection attempts. The exception of course is the single port that you have deliberately asked the provider to forward for you.

The firewall option is there to stop your VPN provider (or someone who has direct access to their internal network - think government agency) acting maliciously and trying to remotely access your network through the tunnel. Of course this would still require a lot of dedicated effort and devices on your LAN like Windows PC's would still have their own firewalls to stop intrusion, but it's theoretically possible. Unless you're an exceptionally high-value target I can't see this being a realistic scenario.

 

[eibgrad]

You do NOT need to change the "Inbound Firewall" option to Allowed. Leave it as Blocked. Just as the GUI blocks all connections initiated inbound from the internet into the WAN by default, but allows you to define exceptions via port forwarding, the same is true of the Inbound Firewall option on the OpenVPN client. All traffic initiated inbound from the internet on the VPN tunnel is blocked by default, unless you similarly define exceptions, which is just what you did.

You would typically only change the "Inbound Firewall" option to Allowed for a bidirectional (aka, site-to-site) tunnel, where you completely trust the server side of the tunnel to initiate *any* connections inbound.

 

[Dogzdongliz]

Thanks everyone.
Just turned on blocking and it’s working, despite plex saying the contrary.

 

[Dogzdongliz]

Looking at VPN server options.

Does anyone know if it’s possible to get the AC87’s vpn server to actually tunnel through the vpn client ?

 

[Val D.]

You do NOT need to change the "Inbound Firewall" option to Allowed. Leave it as Blocked.

I use NordVPN and for some reason it doesn't work if Inbound Firewall is set to Blocked. Could be something VPN server specific, never bothered to investigate. Don't want to change the server though because it's very fast and very reliable. I'm getting constantly >200Mbps every time I check the speed and it disconnects only when I unplug the router.

 

[eibgrad]

Looking at VPN server options.

Does anyone know if it’s possible to get the AC87’s vpn server to actually tunnel through the vpn client ?

You'll need to use the Manage Client-Specific Options section on the OpenVPN server config to define the local network behind the OpenVPN client (and reference that OpenVPN client based on its common name on the cert). And, of course, change Inbound Firewall to Allow.

 

[eibgrad]

I use NordVPN and for some reason it doesn't work if Inbound Firewall is set to Blocked. Could be something VPN server specific, never bothered to investigate. Don't want to change the server though because it's very fast and very reliable. I'm getting constantly >200Mbps every time I check the speed and it disconnects only when I unplug the router.

Doesn't work for what? Just in general, or specifically for VPN port forwarding purposes?

 

[Val D.]

Doesn't work for what?

Does not connect at all or works for a while, then disconnects and doesn't auto re-connect. The moment I change Inbound Firewall to Allowed, the problem disappears. Again, could be something specific to NordVPN server settings, the one I connect to. Asuswrt-Merlin before 384.12 did not have this option.

 

[Marin]

Does not connect at all or works for a while, then disconnects and doesn't auto re-connect. The moment I change Inbound Firewall to Allowed, the problem disappears. Again, could be something specific to NordVPN server settings, the one I connect to. Asuswrt-Merlin before 384.12 did not have this option.

I have had NordVPN for a few years now and so far have not experienced any issues with the Firewall setting in terms of speed or disconnects. I have had some occasional disconnects but cannot pinpoint them to this particular setting.

However, I do find the wording used for this setting somewhat confusing considering what it is supposed to do but maybe it is just me:

“Block Firewall or Allow Firewall”? So, is allowing firewall same as turning/leaving it on? My simple view of a firewall is to block something malicious. So when you block something that “blocks” something else then that must mean that you are turning it off?[emoji36]

It would be easier to have it shown as:

Firewall: On or Off

My 2 cents.


Sent from my iPhone using Tapatalk

 

[eibgrad]

No obvious reason the OpenVPN server would need to be initiating connections inbound over the tunnel, which is what that option is blocking by default. Did you happen to notice if the blocking rules were getting any hits while the option was set to Blocked?

iptables -vnL OVPN

If not, then most likely it's just a coincidence and something else is at play.

If you keep it set to Allowed, you could add the following firewall rules and monitor them to determine if there are still attempts to initiate inbound connections.

iptables -I INPUT -i tun11 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i tun11 -m state --state NEW -j ACCEPT

I'm assuming OpenVPN client #1 (tun11), so change the network interface accordingly if it's client #2 (tun12), etc.

Again, if the packet counts on either rule are > 0, then perhaps there's some relevance (although I would need more information to determine what that was, e.g., tcpdump).

 

[Val D.]

If not, then most likely it's just a coincidence and something else is at play.

It is working now, same server. I'm going to leave it as Blocked and monitor the connection.

 

[Chuckles67]

Using NordVPN as a VPN Client on AC68U with 384.15 I experience problems with Inbound Firewall > Block, such as:
- AT&T WiFi calling with iPhone8+ does not connect
- Mac OS Terminal internet queries fail, such as ping <>, and nslookup <>
Setting Inbound Firewall > Allow fixed the above problems. However, reading this post made me uneasy to keep Inbound Firewall > Allow.

I'm not sure how this helps, but I replaced the custom configuration with the following:

resolv-retry infinite
remote-random
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ping 15
ping-restart 0
ping-timer-rem
remote-cert-tls server
pull
fast-io

With this and Inbound Firewall > Block, the above problems do not happen

I'm using: us4353.nordvpn.com.udp1194.ovpn

The earlier replaced custom configuration was (copied from https://support.nordvpn.com/Connectivity/Router/1047410642/AsusWRT-Merlin-setup-with-NordVPN.htm):
remote-cert-tls server
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping-timer-rem
reneg-sec 0

#log /tmp/vpn.log