Openvpn comprehensive guide error in #logging section


#1

When I follow the tutorial for openvpn comprehensive I see that the iptables rules provided under the following section end up just eating all of my traffic and dropping it silently on the floor, as the last rule in the Port-Log chain defaults to dropping the traffic:

https://openwrt.org/docs/guide-user/services/vpn/openvpn/comprehensive#logging

Removing the firewall rules in that section (in firewall.user) allows traffic to flow normally.

@jw0914 I don't know if I need permission to edit this page, but I think we should put a warning up or take that section out.

Running OpenWrt 18.06.1 r7258-5eb055306f / LuCI openwrt-18.06 branch (git-18.228.31946-f64b152).


#2

I'm assuming SSH traffic? If you were using the basic version of /etc/firewall.user (under the drop-down of the same name), I forgot to remove orphaned rules when I split /etc/firewall.user into a basic and an advanced version, which has been corrected.

/etc/firewall.user

#::: Traffic Rules :::#
# LuCI: Network - Firewall - Custom Rules

# These rules assume the default port of 1194 is NOT used for the VPN;
# port 5000 is used arbitrarily as the VPN port.


    # Establish Custom Chains #
#---------------------------------------------------

# Log: logs a packet, then accepts it
  iptables  -N  LOG-VPN

# Limit: rate-limits new VPN connections; anything over the limit is dropped
  iptables  -N  Port-Log


    # Establish Ports to Log #
#---------------------------------------------------

# VPN: at most 3 new connections per minute (burst 3), per protocol, are passed on to LOG-VPN
  iptables  -A  Port-Log  -p  tcp   --dport   5000  -m  limit       --limit   3/min   --limit-burst   3   -j  LOG-VPN
  iptables  -A  Port-Log  -p  udp   --dport   5000  -m  limit       --limit   3/min   --limit-burst   3   -j  LOG-VPN

# Default: everything still in this chain at this point (over-limit VPN packets) is dropped
  iptables  -A  Port-Log                                                                                  -j  DROP


    # Apply Port Logging #
#---------------------------------------------------

# VPN: only NEW connections to the VPN port are sent into Port-Log;
#      no other traffic enters that chain, so its trailing DROP never sees it
  iptables  -I  INPUT     -p  tcp   --dport   5000  -m  conntrack   --ctstate NEW                         -j  Port-Log
  iptables  -I  INPUT     -p  udp   --dport   5000  -m  conntrack   --ctstate NEW                         -j  Port-Log


  # Log VPN Traffic #
#---------------------------------------------------

# VPN: LOG is non-terminating, so the ACCEPT that follows it is what lets the packet through
  iptables  -A  LOG-VPN                                                                                   -j  LOG       --log-prefix  "<[[---  VPN Traffic ---]]> : "         --log-level 4
  iptables  -A  LOG-VPN                                                                                   -j  ACCEPT
# LuCI: Network - Firewall - Custom Rules

  # These rules make the assumption the default port of 1194 is not used for the VPN
    # Port 5000 is being used arbitrarily for the VPN port


    # Establish Custom Zones #
#---------------------------------------------------

# Log:
  iptables  -N  LOG-VPN

# Limit:
  iptables  -N  Port-Log


    # Establish Ports to Log #
#---------------------------------------------------

# VPN:
  iptables  -A  Port-Log  -p  tcp   --dport   5000  -m  limit       --limit   3/min   --limit-burst   3   -j  LOG-VPN
  iptables  -A  Port-Log  -p  udp   --dport   5000  -m  limit       --limit   3/min   --limit-burst   3   -j  LOG-VPN

# Default:
  iptables  -A  Port-Log                                                                                  -j  DROP


    # Apply Port Logging #
#---------------------------------------------------

# VPN:
  iptables  -I  INPUT     -p  tcp   --dport   5000  -m  conntrack   --ctstate NEW                         -j  Port-Log
  iptables  -I  INPUT     -p  udp   --dport   5000  -m  conntrack   --ctstate NEW                         -j  Port-Log


  # Log VPN Traffic #
#---------------------------------------------------

# VPN:
  iptables  -A  LOG-VPN                                                                                   -j  LOG       --log-prefix  "<[[---  VPN Traffic ---]]> : "         --log-level 4
  iptables  -A  LOG-VPN                                                                                   -j  ACCEPT

All chains must have a default rule, and the default rule for the Port-Log chain is to drop all traffic that doesn't match a specific rule, as the sole purpose of the Port-Log chain is to log VPN or VPN + SSH traffic.

  • I'm using the Port-Log chain for the dual purpose of rate-limiting the VPN port and logging the traffic that successfully goes through it.
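The rate-limit and default-drop behaviour described in the post above, as an added example that is not part of the original thread or of the wiki page: a small Python model of netfilter chain traversal plus the `-m limit` token bucket. It is not iptables; it reproduces only the semantics needed to show which packets ever reach Port-Log's trailing DROP and how `--limit 3/min --limit-burst 3` behaves over time. The INPUT policy of ACCEPT is an assumption of the model, and the rule added by `with_catchall_jump` is a constructed illustration of the kind of leftover rule that would produce the symptom in post #1, not a rule quoted from the page.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Packet:
    proto: str    # "tcp" or "udp"
    dport: int    # destination port
    state: str    # conntrack state: "NEW" or "ESTABLISHED"
    t: float      # arrival time in seconds, used by the rate limiter


class Limit:
    """Token bucket approximating '-m limit --limit N/min --limit-burst B'.
    Starts full (B tokens), refills at N per minute, never exceeds B; a packet
    matches only when a whole token is available.  One instance per rule,
    because iptables keeps limit state per rule."""

    def __init__(self, per_minute: int, burst: int) -> None:
        self.rate, self.burst = per_minute / 60.0, float(burst)
        self.tokens, self.last = float(burst), 0.0

    def match(self, pkt: Packet) -> bool:
        self.tokens = min(self.burst, self.tokens + (pkt.t - self.last) * self.rate)
        self.last = pkt.t
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


@dataclass
class Rule:
    match: Callable[[Packet], bool]
    target: str   # "ACCEPT", "DROP", "LOG", "RETURN" or a user-chain name


@dataclass
class Firewall:
    policy: Dict[str, str]                              # base-chain policies only
    chains: Dict[str, List[Rule]] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)        # what LOG would hand to syslog

    def new_chain(self, name: str) -> None:             # iptables -N
        self.chains[name] = []

    def append(self, chain: str, rule: Rule) -> None:   # iptables -A
        self.chains.setdefault(chain, []).append(rule)

    def insert(self, chain: str, rule: Rule) -> None:   # iptables -I (rule goes to the top)
        self.chains.setdefault(chain, []).insert(0, rule)

    def walk(self, chain: str, pkt: Packet) -> Optional[str]:
        for rule in self.chains.get(chain, []):
            if not rule.match(pkt):
                continue
            if rule.target == "LOG":                    # non-terminating: record it, keep going
                self.log.append(f"{chain}: {pkt.proto}/{pkt.dport} {pkt.state}")
                continue
            if rule.target == "RETURN":
                return None
            if rule.target in ("ACCEPT", "DROP"):
                return rule.target
            verdict = self.walk(rule.target, pkt)       # jump into a user chain
            if verdict is not None:
                return verdict
        # End of a user chain returns to the caller; end of a base chain applies its policy.
        return self.policy.get(chain)

    def verdict(self, pkt: Packet) -> str:
        return self.walk("INPUT", pkt) or self.policy["INPUT"]


def port(proto: str, dport: int) -> Callable[[Packet], bool]:
    """'-p <proto> --dport <dport>'"""
    return lambda p: p.proto == proto and p.dport == dport


def new_to_port(proto: str, dport: int) -> Callable[[Packet], bool]:
    """'-p <proto> --dport <dport> -m conntrack --ctstate NEW'"""
    return lambda p: p.proto == proto and p.dport == dport and p.state == "NEW"


def thread_ruleset(vpn_port: int = 5000) -> Firewall:
    """The corrected /etc/firewall.user from the post above, rule for rule.
    INPUT policy ACCEPT is an assumption of this model, not taken from the page."""
    fw = Firewall(policy={"INPUT": "ACCEPT"})
    fw.new_chain("LOG-VPN")
    fw.new_chain("Port-Log")
    for proto in ("tcp", "udp"):                        # Port-Log: limited pass-through to LOG-VPN
        m, lim = port(proto, vpn_port), Limit(3, 3)
        fw.append("Port-Log", Rule(lambda p, m=m, lim=lim: m(p) and lim.match(p), "LOG-VPN"))
    fw.append("Port-Log", Rule(lambda p: True, "DROP"))  # Port-Log default: over-limit -> DROP
    for proto in ("tcp", "udp"):                        # only NEW VPN connections enter Port-Log
        fw.insert("INPUT", Rule(new_to_port(proto, vpn_port), "Port-Log"))
    fw.append("LOG-VPN", Rule(lambda p: True, "LOG"))
    fw.append("LOG-VPN", Rule(lambda p: True, "ACCEPT"))
    return fw


def with_catchall_jump(fw: Firewall) -> Firewall:
    """Constructed illustration (an assumption, not a rule quoted from the page) of the
    kind of leftover rule behind post #1: every NEW connection is sent into Port-Log,
    so anything not on the VPN port falls through to that chain's DROP."""
    fw.insert("INPUT", Rule(lambda p: p.state == "NEW", "Port-Log"))
    return fw


def verdicts(fw: Firewall, packets: List[Packet]) -> List[str]:
    return [fw.verdict(p) for p in packets]


if __name__ == "__main__":
    vpn = [Packet("udp", 5000, "NEW", t) for t in (0, 1, 2, 3, 60)]
    print(verdicts(thread_ruleset(), vpn))              # 4th new connection in the minute is dropped
    other = [Packet("tcp", 22, "NEW", 0), Packet("udp", 5000, "ESTABLISHED", 4)]
    print(verdicts(thread_ruleset(), other))            # never enter Port-Log, so untouched
    print(verdicts(with_catchall_jump(thread_ruleset()), other))  # SSH now dies in Port-Log
```

The useful check is the third line of the `__main__` block: with the corrected rule set, SSH and established VPN packets never enter Port-Log, so its DROP cannot touch them; add one broader jump into Port-Log and everything that is not the VPN port is silently dropped, which is exactly the symptom post #1 reports. On a live router the equivalent audit is to look at every `-j Port-Log` line in `iptables-save` and confirm each one carries a `--dport` for a port that Port-Log itself passes on.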