SCRIPT that forces all traffic through one port + MAC randomizer

3rd post from a total NOOB.

Is there any way to force all the traffic that goes through the router to only use my OpenVPN port?

Also, is there any way to hide or randomize the MAC addresses of the users that connect to my router? This is to ensure better security and to randomize the internet traffic.

Yes, that is a typical configuration for a VPN. There are several tutorials/guides on OpenWrt.org:

https://openwrt.org/docs/guide-user/services/vpn/start

MAC addresses are link-local, so they aren’t present once forwarded (namely they aren't there once on the way to your ISP's router or over a typical VPN link).

1 Like

@Jeff. Thanks again. Regarding the MAC addresses. Is that how all routers work or is this feature built into OpenWRT?

It's more how Ethernet / 802.11 works. The MAC address is the address on the media itself. Here's an example:

Client A wants to send a packet to 1.2.3.4. 1.2.3.4 isn't in its routing table, so it uses the default route of 192.168.1.1. It sends an ARP packet, "Who has 192.168.1.1?" and your router responds "192.168.1.1 is at 11:11:11:11:11:11".

Client A crafts an Ethernet packet containing an IP packet with

  • Source MAC 22:22:22:22:22:22
  • Dest MAC 11:11:11:11:11:11
  • Source IP 192.168.1.2
  • Dest IP 1.2.3.4

and puts it on the wire.

Your router's Ethernet card recognizes 11:11:11:11:11:11 as it flies past on the wire and grabs it. It discards the Ethernet header and looks at the IP header. It's to 1.2.3.4, which the routing table says goes by the WAN to the ISP (or over the VPN, or...). The router already knows that the ISP's router is at MAC address 44:44:44:44:44:44, so it sends a packet with its WAN MAC (33:33:33:33:33:33) as the source in that direction:

  • Source MAC 33:33:33:33:33:33
  • Dest MAC 44:44:44:44:44:44
  • Source IP 123.123.123.123 (NAT-ed by the router)
  • Dest IP 1.2.3.4

Each router in the chain does the same, using its MAC address as the source and the next-hop router's as the destination MAC.

1 Like
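To make the hop-by-hop rewrite above concrete, here is a small added simulation (not from the post or from OpenWrt) that models each router discarding the Ethernet header, optionally NAT-ing the source IP, and emitting a fresh frame with its own WAN MAC and the next hop's MAC. The MACs and IPs are the post's constructed values plus two constructed ones (55:55... and 66:66...) for the ISP's upstream side.

```python
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class Frame:
    """An Ethernet frame carrying an IP packet (only the header fields we care about)."""
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str


@dataclass
class Router:
    """One hop: LAN-side MAC, WAN-side MAC, the next hop's MAC, optional NAT address."""
    name: str
    lan_mac: str
    wan_mac: str
    next_hop_mac: str
    nat_ip: Optional[str] = None  # public IP the source is rewritten to, if this hop NATs

    def forward(self, frame: Frame) -> Frame:
        # The NIC only grabs frames addressed to its own MAC; anything else flies past.
        if frame.dst_mac != self.lan_mac:
            raise ValueError(f"{self.name}: frame for {frame.dst_mac} is not ours")
        # Ethernet header is discarded; only the IP header survives into routing.
        src_ip = self.nat_ip or frame.src_ip
        # New Ethernet header: our WAN MAC as source, next-hop router as destination.
        return Frame(self.wan_mac, self.next_hop_mac, src_ip, frame.dst_ip)


def send_through(frame: Frame, hops: List[Router]) -> List[Frame]:
    """Return the frame as seen on each wire segment, starting with the client's own."""
    seen = [frame]
    for hop in hops:
        frame = hop.forward(frame)
        seen.append(frame)
    return seen


def macs_on_wire(path: List[Frame]) -> Set[str]:
    """Every MAC address that appears in any frame on the given segments."""
    return {m for f in path for m in (f.src_mac, f.dst_mac)}


# Constructed topology, following the post's numbering.
CLIENT_FRAME = Frame("22:22:22:22:22:22", "11:11:11:11:11:11", "192.168.1.2", "1.2.3.4")
HOME_ROUTER = Router("home", "11:11:11:11:11:11", "33:33:33:33:33:33",
                     "44:44:44:44:44:44", nat_ip="123.123.123.123")
ISP_ROUTER = Router("isp", "44:44:44:44:44:44", "55:55:55:55:55:55", "66:66:66:66:66:66")

if __name__ == "__main__":
    for seg, f in enumerate(send_through(CLIENT_FRAME, [HOME_ROUTER, ISP_ROUTER])):
        print(f"segment {seg}: {f}")
```

Running it shows the client's MAC 22:22:22:22:22:22 only on the home LAN segment; beyond the router every frame carries the forwarding hop's MACs and, after NAT, the public source IP.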

@Jeff, wow, thanks for the explanation. I was asking about all the traffic going through my VPN because I read that some keyloggers send the keystrokes through an open port to a server IP somewhere. It is this kind of traffic that I want to disable.

This, past good virus protection, really needs an IDS -- Intrusion Detection System. You need to look at packet signatures or contents, not just hosts. There are a few open-source contenders out there; Snort has been around for a while, Suricata is newer. Either requires quite a bit of CPU to handle more than a trickle of traffic.

VPN protects your traffic from MITM attacks, it doesn't protect your local system from malware.

1 Like