SSH & Web Access is accessible over WAN even though this option is disabled!

[armedmetallica]

Did you try scan/try the IP address of the Open VPN connection? Or the normal WAN IP address?

I can reproduce it on my router with those steps:

- Router is switched on. No Open VPN running. I get the WAN IP address AAA.AAA.AAA.AAA from my provider. I do a portscan on this AAA.AAA.AAA.AAA address --> all ports closed (as it should be)

- I start the OpenVPN connection. All my outgoing traffic is now sent over the VPN. I get a VPN address BBB.BBB.BBB.BBB. Thus the router has now two external IP addresses AAA.... and BBB...

- I do a portscan on AAA.AAA.AAA.AAA --> still all ports closed.

- I do a portscan on BBB.BBB.BBB.BBB --> port 80 (router web interface) and port 22 (ssh) is open and accessible from outside.


My issue is: if you do not know this behaviour and you use OpenVPN for your outgoing traffic e.g. due to privacy or censorship reasons, you are always opening access to ssh and webinterface to the outside as well. Basically I was exposing those access to the outside for months without knowing (thank god I have a strong admin password), and only stumbled upon it by accident due to the strange entries in the logfile.

I preface by saying i don't know much about this setup...

BUT - if you were to use a 3rd party connection (say a cell phone that is not connected to your home lan, or a neighbor's connection) and you browse your IP's SSH port or Port 80, do you get to your router's SSH/Port 80 page?

I'm wondering if the bbb ip is a shared IP - and they the ISP has these ports on, but forwarding to a server/services on their local LAN?

EDIT:
IGNORE THIS - i didn't realize all of page two existed and covers pretty much this exact question. I will exit stage, right.

 

[Builder71]

I tried the iptables command (with my corresponding VPN tun interface number) and it definitely does something, i.e. blocks the ports. However at the same time the router gets completely unresponsive until all traffic stops. I can then only reboot the router to fix it. I guess it creates a loop somewhere or filters too much... I am not really familiar with iptables #newb

But the general direction is right I guess. I just have to find the right iptables setting to block the ports and add that then to the right trigger script. Or maybe I should just let it be and simply use a super complex password instead...

Don't quit here!

First, did you asked your VPN provider what the f... they are doing?
Sounds weird they don't offer some kind of NAT firewall service for your VPN.

Can you try:

iptables -I INPUT -i tun21 -p tcp --dport 80 -j DROP

or

iptables -I PREROUTING -i tun21 -p tcp --dport 80 -j DROP

to see if that makes your router web page unreachable?

(Make sure to use the correct VPN tun interface number.)

 

[sinshiva]

ok, the firewall does this for the normal wan side;

iptables -A PREROUTING -d WANIP -j VSERVER

so, i think it might be better to try something like

iptables -A PREROUTING -d INTERNAL_VPN_IP -j DROP

rather than using the interface. perhaps there's an nvram variable that would accommodate the script.

if so, it would become something like;

iptables -A PREROUTING -d `nvram get INTERNAL_VPN_IP` -j DROP

to look look through the nvram variables, use 'nvram show' or 'nvram show > /mnt/sda1/nvram_vars.txt' and view it as a text file

 

[RMerlin]

I would try only dropping packets with a connstate state of NEW.

 

[sinshiva]

I would try only dropping packets with a connstate state of NEW.

iptables -A PREROUTING -d INTERNAL_VPN_IP -m state --state NEW -j DROP

to elaborate on RMerlin's suggestion

 

[d0m]

First of all: Thanks a lot to you all for the help and great support so far! A lot of learning for me, coming from a relatively "dumb" router before.

A quick explanation why my VPN provider does not NAT me: this is actually a feature and not a bug. They provide on request a private and unique IP different from their usual IP range. This helps especially if you are like me in China, and the Chinese government blocking / jamming VPN provider IP ranges again and again. The "own" IP makes my VPN connection much more stable here, however with the downside that it directly leads to my router.

I played around a bit with the proposed iptables commands. It seems that

iptables -I INPUT -i tun0 -p tcp --dport 80 -m state --state NEW -j DROP
iptables -I INPUT -i tun0 -p tcp --dport 22 -m state --state NEW -j DROP

works so far without side effects. The ports are not open anymore if I do a portscan. Yay!
As I mentioned, I am pretty clueless about iptables, and not sure whether it would be better to use the PREROUTING instead of INPUT. So I will just observe the situation now and try the PREROUTING option as well for test.

 

[RMerlin]

First of all: Thanks a lot to you all for the help and great support so far! A lot of learning for me, coming from a relatively "dumb" router before.

A quick explanation why my VPN provider does not NAT me: this is actually a feature and not a bug. They provide on request a private and unique IP different from their usual IP range. This helps especially if you are like me in China, and the Chinese government blocking / jamming VPN provider IP ranges again and again. The "own" IP makes my VPN connection much more stable here, however with the downside that it directly leads to my router.

I played around a bit with the proposed iptables commands. It seems that

iptables -I INPUT -i tun0 -p tcp --dport 80 -m state --state NEW -j DROP
iptables -I INPUT -i tun0 -p tcp --dport 22 -m state --state NEW -j DROP

works so far without side effects. The ports are not open anymore if I do a portscan. Yay!
As I mentioned, I am pretty clueless about iptables, and not sure whether it would be better to use the PREROUTING instead of INPUT. So I will just observe the situation now and try the PREROUTING option as well for test.

The INPUT chain is more efficient if the goal is to prevent connections to your router, as it won't need to be processed for all traffic that goes between your computer and remote servers (which would be the case with PREROUTING).

 

[Builder71]

Well done!

I would combine the two rules and make one that protects all your service ports.

iptables -I INPUT -i tun0 -p tcp --dport 0:1023 -m state --state NEW -j DROP

Make sure it survives a reboot.
Use a script like wan-start or something.

 

[d0m]

Well done!

I would combine the two rules and make one that protects all your service ports.

iptables -I INPUT -i tun0 -p tcp --dport 0:1023 -m state --state NEW -j DROP

Make sure it survives a reboot.
Use a script like wan-start or something.

Great! Thanks! That is even easier. I will try to put it in the openvpn-event.

 

[arnold88]

Well done!

I would combine the two rules and make one that protects all your service ports.

iptables -I INPUT -i tun0 -p tcp --dport 0:1023 -m state --state NEW -j DROP

Make sure it survives a reboot.
Use a script like wan-start or something.

Sorry, I'm a noob in doing scripts but have the same problem with my privateinternetaccess VPN as a client - many ports are open since it bypasses the router's firewall. If I understand correctly, I edit a txt file titled wan-start and put it in the /JFFS/scripts with your above code. Can use WinSCP for easy transfer of the file. Would this be correct? Thanks for your help.

 

[xargs]

I ran into the same or a similar issue a few days ago. I'm using the ASUS as an OpenVPN client, connecting to an OpenVPN server that I'm in control of. I discovered that I could access the router's web interface from the server by using the router's private VPN IP address (10.x.x.x). WAN access to the web interface is disabled.

Since I'm controlling both ends of the link, this isn't too concerning, but if the router were connected to a commercial VPN service, the provider would have access to the router's web interface.

 

[RMerlin]

Have you guys tried setting the Firewall to "External Only" on the OpenVPN client configuration page? Based on the code, it should prevent remote access to your LAN.

 

[halex4u]

Have you guys tried setting the Firewall to "External Only" on the OpenVPN client configuration page? Based on the code, it should prevent remote access to your LAN.

Tested: doesn't work! Asus RT-N66U fw: 374.42

Sent from my Galaxy Nexus using Tapatalk