When I follow the OpenVPN comprehensive tutorial, I see that the iptables rules provided under the following section end up just eating all of my traffic and dropping it silently on the floor, as the last rule in the Port-Log chain defaults to dropping the traffic:
I'm assuming SSH traffic? If you were using the basic version of /etc/firewall.user (under the drop-down of the same name), I forgot to remove orphaned rules when I split /etc/firewall.user into a basic and an advanced version, which has been corrected.
/etc/firewall.user
#::: Traffic Rules :::#
# LuCI: Network - Firewall - Custom Rules
# These rules make the assumption the default port of 1194 is not used for the VPN
# Port 5000 is being used arbitrarily for the VPN port
# Establish Custom Zones #
#---------------------------------------------------
# Log:
iptables -N LOG-VPN
# Limit:
iptables -N Port-Log
# Establish Ports to Log #
#---------------------------------------------------
# VPN:
iptables -A Port-Log -p tcp --dport 5000 -m limit --limit 3/min --limit-burst 3 -j LOG-VPN
iptables -A Port-Log -p udp --dport 5000 -m limit --limit 3/min --limit-burst 3 -j LOG-VPN
# Default:
iptables -A Port-Log -j DROP
# Apply Port Logging #
#---------------------------------------------------
# VPN:
iptables -I INPUT -p tcp --dport 5000 -m conntrack --ctstate NEW -j Port-Log
iptables -I INPUT -p udp --dport 5000 -m conntrack --ctstate NEW -j Port-Log
# Log VPN Traffic #
#---------------------------------------------------
# VPN:
iptables -A LOG-VPN -j LOG --log-prefix "<[[--- VPN Traffic ---]]> : " --log-level 4
iptables -A LOG-VPN -j ACCEPT
All chains must have a default rule, and the default rule for the Port-Log chain is to drop all traffic that doesn't have a specific rule, as the sole purpose of the Port-Log chain is to log VPN or VPN + SSH traffic.
I'm using the Port-Log chain for a dual purpose of rate-limiting the VPN port and logging the traffic that successfully goes through it.
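As an added illustration (not code from the thread or the tutorial), here is a simplified Python model of what the Port-Log chain above does to NEW connections on the VPN port: the `-m limit --limit 3/min --limit-burst 3` match behaves like a token bucket, and anything it does not match falls through to the chain's terminating DROP. The rate, burst and connection timestamps are constructed values.

```python
# Constructed model of the iptables "limit" match feeding the Port-Log chain.
# Not the kernel implementation; it reproduces the documented semantics:
# 'burst' matches are available up front, then one more every 60/rate seconds.
from dataclasses import dataclass, field


@dataclass
class LimitMatch:
    """Token bucket standing in for '-m limit --limit <rate>/min --limit-burst <burst>'."""
    rate_per_min: float = 3.0   # --limit 3/min  (value used in the thread's rules)
    burst: int = 3              # --limit-burst 3
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst)  # bucket starts full

    def matches(self, now: float) -> bool:
        # Refill in proportion to elapsed time, never above the burst ceiling.
        refill = (now - self.last) * self.rate_per_min / 60.0
        self.tokens = min(float(self.burst), self.tokens + refill)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0   # this packet is matched and consumes a token
            return True
        return False            # over the limit: rule does not match


def port_log_chain(new_conn_times: list[float],
                   rate_per_min: float = 3.0, burst: int = 3) -> list[str]:
    """Walk NEW connections to the VPN port (seconds since start) through Port-Log.

    Within the limit the packet jumps to LOG-VPN (LOG, then ACCEPT); everything
    else reaches the chain's final rule, 'iptables -A Port-Log -j DROP'.
    """
    limiter = LimitMatch(rate_per_min, burst)
    return ["LOG+ACCEPT" if limiter.matches(t) else "DROP" for t in new_conn_times]


if __name__ == "__main__":
    # Constructed burst: five attempts in five seconds, then two spaced out.
    attempts = [0, 1, 2, 3, 4, 25, 45]
    for t, verdict in zip(attempts, port_log_chain(attempts)):
        print(f"t={t:>3}s  {verdict}")
```

Note that `-m limit` counts matches for the rule as a whole, not per source address, so the fourth and fifth attempts are dropped silently regardless of which client made them; `-m hashlimit` is the match that keeps a separate bucket per source.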