Using iptables with static IP OpenVPN clients.

[GoldenEye]

I have setup an OpenVPN server on my RT-AC66U_B1 running Asuswrt-Merlin v380.69.

Thanks in part to the script found here https://www.snbforums.com/threads/how-to-set-a-static-ip-to-openvpn-tun-clients.37983/#post-315194 I have the clients working with static IP's when they connect.

My next step is to put some filtering on what aspects of the network they can access, for example on one client I would like to block access to the routers control interface, in another I want to block off everything except a single port on one IP.

I have been having difficulty finding information on how to properly configure these IP table rules in Asuswrt-Merlin.

I'm aware of the firewall-start and nat-start scripts, but am not completely certain how to chain up all the rules as several prior attempt have failed.

If anyone could give me some insight or better yet some example rules it would be greatly appreciated.

 

[Martineau]

My next step is to put some filtering on what aspects of the network they can access, for example on one client I would like to block access to the routers control interface, in another I want to block off everything except a single port on one IP.

Does this help? (Can be inserted where you set the static IP or even in the appropriate openvpn-event vpnclientX-* trigger)

# Block default 'allow any from tun2x to any'
logger -st "($(basename $0))" $$ "Block ALL ports inbound from Openvpn" $INSTANCE "to local LAN"
iptables -D FORWARD -i $dev  -j ACCEPT
iptables -D INPUT   -i $dev  -j ACCEPT

# Allow tcp 445 inbound to NAS
logger -st "($(basename $0))" $$ "Allow port 455 inbound from Openvpn" $INSTANCE "to NAS (192.168.1.xxx)"
iptables -I FORWARD -i $dev -o br0 -m conntrack --ctstate NEW -p tcp --syn --dport 445 -d 192.168.1.xxx -j ACCEPT

 

[GoldenEye]

Does this help? (Can be inserted where you set the static IP or even in the appropriate openvpn-event vpnclinetX-* trigger)

# Block default 'allow any from tun2x to any'
logger -st "($(basename $0))" $$ "Block ALL ports inbound from Openvpn" $INSTANCE "to local LAN"
iptables -D FORWARD -i $dev  -j ACCEPT
iptables -D INPUT   -i $dev  -j ACCEPT

# Allow tcp 445 inbound to NAS
logger -st "($(basename $0))" $$ "Allow port 455 inbound from Openvpn" $INSTANCE "to NAS (192.168.1.xxx)"
iptables -I FORWARD -i $dev -o br0 -m conntrack --ctstate NEW -p tcp --syn --dport 445 -d 192.168.1.xxx -j ACCEPT

Thanks for the quick reply, the openvpn-eventvpnclinetX-* trigger that you mention, is this simply the openvpn-event script or something more.

 

[Martineau]

Thanks for the quick reply, the openvpn-event vpnclientX-* trigger that you mention, is this simply the openvpn-event script or something more.

The RMerlin Wiki describes script openvpn-event but @john9527 provides a template (highly recommended as an unofficial script standard) [Fork] Asuswrt-Merlin 374.43 LTS releases (V29E2) which should be used as-is; simply copy'n'paste to /jffs/scripts/openvpn-event.

This template now allows individual scripts (easier to identify by their descriptive name) to be created for any of the openvpn-event triggers

e.g. vpnclient1-up or vpnserver2-down etc.

rather than having to keep adding code direct into script openvpn-event which can then become difficult to maintain.