Nested VPN Tunnel / How to Strictly Lockdown the Firewall?

Inscribe · August 22, 2021, 4:07am

Hey masters and novices.

I need advice to add these firewall rules.
Please give instructions on how to add them with LUCI interface for ease of use because I will probably enable/disable or tweak the rules later on.

RULES

PC (IP: 1.1.1.1:8) can only connect to PC'S VPN SERVER (IP: 20.20.20.20:9) UDP
ROUTER (IP: 10.10.10.10:8) can only connect to ROUTER'S VPN SERVER (IP:2.2.2.2:9) UDP
ROUTER can also connect to ISP to get it's IP as usual. (default port 68 allow rule enough?)

EVERYTHING ELSE including NTP, ping, trace etc will be blocked.
Unless you think there's something absolutely required that I'm missing.

Inscribe · August 27, 2021, 7:57pm

Bump. Please help!

Inscribe · August 28, 2021, 10:29pm

Bumptyy !!!

vgaetera · August 29, 2021, 3:06am

VPN typically depends on NTP which expects working DNS.
So, we do not restrict the router's own traffic, but only its clients.
You can create a separate firewall zone for the VPN interface.
Replace the LAN to WAN forwarding with LAN to VPN.
Also implement split-DNS to avoid DNS leak.

Inscribe · August 30, 2021, 7:45am

Do you mean it shouldn't work without NTP client? Because it has been working for me. I don't know if it can cause any harm to use it without ntp. But I can still enable it and open port 123 for NTP on WAN if that's necessary.

I already have a seperate firewall zone for VPN and already replaced LAN-WAN with LAN-VPN forwarding.
But I still need a way to configure the firewall for them.

vgaetera · August 30, 2021, 10:02am

Without NTP, the time sooner or later becomes out of sync leading to a deadlock.
This often happens at startup on embedded systems which have no RTC.

mk24 · August 30, 2021, 9:08pm

OpenWrt has an NTP server built in (but disabled by default). You could allow the PC to the local router NTP but not general NTP on the Internet.