Restricting access to OpenVPN server via iptables

[wrtuser]

Hi! I’m allowing access to my OpenVPN server only for predefined ipset via rewriting existing iptables rules using openvpn-event user script.

What I’m currently doing: in openvpn-event I’m rewriting standard openvpn rule like:

if iptables -C INPUT -p $proto -m $proto --dport $server_port -j ACCEPT; then
    iptables -D INPUT -p $proto -m $proto --dport $server_port -j ACCEPT
    iptables -I INPUT -p $proto -m set --match-set allow_ip src --dport $server_port -j ACCEPT
    logger -t "$scr_name" "Completed"
else
    # TBD...
    logger -t "$scr_name" "Failure: iptables rule not found to replace in the INPUT chain!"
fi

The same way I rewrite NAT rules. This works fine and is persistent between router reboots until I change something via GUI which causes iptables reload and my rule “iptables -I INPUT -p $proto -m set --match-set allow_ip src --dport $server_port -j ACCEPT” is rewritten back by original rule “iptables -C INPUT -p $proto -m $proto --dport $server_port -j ACCEPT” set by /etc/openvpnX/server/fw.sh.



What is the proper way to rewrite standard openvpn server rules set by fw.sh to make changes persistent between configuration changes which affects iptables?

And where /etc/openvpnX/server/fw.sh can be called during the changes within GUI which affects iptables?

386.4, RT-AC88U

 

[RMerlin]

The openvpn-event script is the correct location. Look at the specific event type however before determining what to do (through the $script_type variable value).

User scripts

Third party firmware for Asus routers (newer codebase) - RMerl/asuswrt-merlin.ng

github.com

And where /etc/openvpnX/server/fw.sh can be called during the changes within GUI which affects iptables?

The script should be called whenever the firewall gets restarted.

 

[wrtuser]

Many thanks @RMerlin, I added rewriting of fw.sh default rules in my openvpn-event script, and now my custom iptables rules are persistent between firewall restarts too.