Openvpn pre-configured?

rodak

Occasional Visitor
When I last flashed my router I noticed that openvpn server certs and other stuff was already filled in.
I have generated all that with easyrsa and that is what I'm using.
But my mother lives in Norway and wants to set up openvpn server.
If she flashes the latest Merlin firmware, are the pre-filled certs safe to use and randomly generated? Or does she have to go through the whole easyrsa stuff?
It's kinda hard to explain to her over phone and I'm almost never in Norway.
Regards rodak


Sent from my LG-D802 using Tapatalk
 
The automated cert/key generation was added by Asus a few months ago. The first time you enable an OpenVPN server, it will automatically generate these. They might not be as secure (I don't remember what bit strength they used for the key), but for a home user it should be more than enough.
 
Ok, thank you, so all that she needs to do is change the advanced settings in "VPN details" to her needs and export the configuration file?
Any recommended settings? I simply followed a guide some time ago to get it running on my router.

Security should be better than open ports to her equipment and password protection ;-)

Sent from my LG-D802 using Tapatalk
 
Most default settings should be fine (it's been a while since I've looked at what they were tho). For crypto, I recommend AES-128-CBC.
 
Thank you, one more question since I already started this thread.
Can I setup a second server at my router so my mother can connect to my router when she wants to watch Netflix in Swedish?
But I don't want her to be able to access my LAN, just to redirect her traffic through my Swedish IP.
Is this possible? And how should I config the server?
The current configuration allows me to access my LAN, and that's the purpose. But the second server should only allow her to appear as if she "is" in Sweden.

Sent from my LG-D802 using Tapatalk
 
In the second server, if you set (Push LAN to clients) to no then you should achieve what you want, I believe.
 
I just tried that, but it's not working.
As soon as I check "Direct clients to redirect Internet traffic" I can access my LAN.
"Push LAN to clients" is unchecked.

If I don't redirect Internet traffic, then the regular IP is shown, not the one from the VPN server.

Sent from my LG-D802 using Tapatalk
 
I don't think you'll be able to give her access to the Internet without as well getting LAN access, since the router itself sits in the same subnet as the rest of the LAN.
 
Is it possible some other way? Proxy? PPTP? L2TP? I just want to route her traffic so it appears that she is in Sweden, nothing more.
I'm not so good with all this, I'm not totally new but definitely far from expert.
Maybe some firewall rule to drop all lan traffic for "Server 2"?

Sent from my LG-D802 using Tapatalk
 
Ok, so I found a solution and it's kinda working:
Code:
iptables -I FORWARD -s 10.16.0.0/24 -d 192.168.1.0/24 -j DROP
Is this the correct way to do this?
Now the "Server 2" that is on the 10.16.0.0 subnet can't access my LAN, but the router is still accessible.
I understand that I can't block the router this way since it's needed to redirect the traffic.
I did some research and understand that I can block specific ports at the router to prevent access. But I can't figure out how.
If I want to block the web UI, ssh, samba etc., is there some firewall rule I can apply? Or will this block the traffic redirect?
And lastly, how can I see all the ports that are open at the router so I can block them all?

Kind regards
rodak
 
Can anyone help me create these iptables rules? At least for the web GUI, samba, transmission web GUI?
Regards

Sent from my LG-D802 using Tapatalk
 
Code:
iptables -I INPUT -s 10.16.0.0/16 -d 192.168.1.1/32 -p udp -m multiport ! --dports 53,67 -j DROP
iptables -I INPUT -s 10.16.0.0/16 -d 192.168.1.1/32 -p tcp -j DROP
iptables -I INPUT -s 10.16.0.0/16 -d 10.16.0.1/32 -p udp -m multiport ! --dports 53,67 -j DROP
iptables -I INPUT -s 10.16.0.0/16 -d 10.16.0.1/32 -p tcp -j DROP

or something like (doublecheck the name of the tun interface)

Code:
iptables -I INPUT -i tun22 -p udp -m multiport ! --dports 53,67 -j DROP
iptables -I INPUT -i tun22 -p tcp -j DROP
 
Thank you. Will try, but won't this drop all TCP traffic?

Sent from my LG-D802 using Tapatalk
 
Ok, thanks, but why only port 53 and 67 for udp? Sorry, but I'm just learning.

Sent from my LG-D802 using Tapatalk
 
53 is DNS (name resolution) and 67 is DHCP, for obtaining an IP address. Although I'm pretty sure OpenVPN handles that, I figured just in case.

[edit/]

Feel free to change that line to:
Code:
iptables -I INPUT -i tun22 -p udp ! --dport 53 -j DROP

sorry, haven't slept :p
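As an added example (not from any poster in this thread and not Merlin's own code), here is a hypothetical script that gathers the two kinds of rules discussed above: the FORWARD rule that keeps "Server 2" clients off the LAN, and the INPUT rules that keep them off the router's own services (web GUI, ssh, samba on tcp 139/445 and udp 137/138, transmission) while still allowing DNS. It matches on the tun interface rather than on source addresses, so a client cannot get around it by picking a different VPN address; the interface name tun22 and the LAN subnet 192.168.1.0/24 are assumed from the thread.

```shell
#!/bin/sh
# Hypothetical helper: isolate clients of a second OpenVPN server so that
# they only get Internet egress through the router, nothing on the LAN and
# nothing on the router itself except DNS. Interface name and LAN subnet are
# assumed; check yours with `ifconfig` before applying.

# gen_rules TUN LAN_NET
# Prints one iptables command per line. Nothing is executed here, so the
# output can be reviewed (or tested) before anything touches the firewall.
gen_rules() {
    tun="$1"; lan_net="$2"
    # FORWARD chain: traffic that passes through the router to LAN hosts.
    # Matching on the tun interface covers every address the server hands out.
    echo "iptables -I FORWARD -i $tun -d $lan_net -j DROP"
    # INPUT chain: traffic addressed to the router itself. Because -I inserts
    # at the top of the chain, the rules are emitted last-to-first so the
    # final order is: tcp/53 ACCEPT, udp/53 ACCEPT, then DROP everything else
    # (which also covers NetBIOS/SMB on udp 137/138 and tcp 139/445).
    echo "iptables -I INPUT -i $tun -j DROP"
    echo "iptables -I INPUT -i $tun -p udp --dport 53 -j ACCEPT"
    echo "iptables -I INPUT -i $tun -p tcp --dport 53 -j ACCEPT"
}

# apply_rules TUN LAN_NET : run the generated commands (needs root).
apply_rules() {
    gen_rules "$@" | while IFS= read -r cmd; do
        eval "$cmd" || { echo "failed: $cmd" >&2; exit 1; }
    done
}

# show_rules TUN : print what the kernel actually holds for the interface,
# so you can confirm the rules landed at the top of each chain.
show_rules() {
    iptables -S INPUT | grep -- "-i $1"
    iptables -S FORWARD | grep -- "-i $1"
}

# Usage (as root on the router):
#   apply_rules tun22 192.168.1.0/24 && show_rules tun22
```

On Asus Merlin firmware, rules applied by hand are lost at reboot; putting the apply_rules call in /jffs/scripts/firewall-start makes them persistent.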
 
I used the first solution:
Code:
iptables -I INPUT -s 10.16.0.0/16 -d 192.168.1.1/32 -p udp -m multiport ! --dports 53,67 -j DROP
iptables -I INPUT -s 10.16.0.0/16 -d 192.168.1.1/32 -p tcp -j DROP
iptables -I INPUT -s 10.16.0.0/16 -d 10.16.0.1/32 -p udp -m multiport ! --dports 53,67 -j DROP
iptables -I INPUT -s 10.16.0.0/16 -d 10.16.0.1/32 -p tcp -j DROP

It kinda works, I can't access the web GUI and transmission, but I still can access my network drive attached to the router (samba?)
 
Is smb accessible from 10.16.0.1 or only 192.168.1.1?

Also, try the second option.
 
From my VPN client 10.16.0.6.
I tried the second option and I still can access smb at the VPN server from my VPN client.
 
Would you mind dumping the contents of /etc/smb.conf here?
 