[SOLVED] Openvpn - harden + auto disconnect

Hello!
First of all, thank you all for being a very supportive forum. I installed openvpn on my archer C50 and on my 50Mbit connection, I have ~10Mbit up when connected to the router on openvpn over Wi-Fi.

My current setup is as follows:

So far, everything works with any client connecting to the openwrt router being routed over the vpn. Now, I recently noticed that I can "see" other devices connected to my VPN provider. This is scary since some of them have open ssh ports and I can also view the configuration pages of some of their routers. I'm not evil so I didn't try to bruteforce myself in or try to login with default values of some routers I saw. I would like to protect my connected devices and/or openwrt router from any incoming traffic that's not from the web. So far, I have my archer c50 configured like this:

So to my question:

  • How can I block any clients connected to the VPN provider from "seeing" my devices?
  • How can I block DNS requests if the VPN is disconnected?
  • Is there a quick and dirty way of disconnecting the VPN once there are no clients connected? I have a maximum of 2 clients connected at any time.
```
/etc/config/dropbear
config dropbear
	option Port '22'
	option Interface 'lan'
	option PasswordAuth 'off'
	option RootPasswordAuth 'off'


/etc/config/firewall
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option name 'vpnclient'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'vpnclient'

config forwarding
	option dest 'vpnclient'
	option src 'lan'
```

```
/etc/firewall.user
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
# Note: OpenWrt's /bin/sh is BusyBox ash, which does not understand bash's "&>"
# (it backgrounds the command instead), so use ">/dev/null 2>&1".
# "ip link show tun0 up" prints nothing when the device exists but is down, so
# test for output rather than for the exit status.
if ! ip link show tun0 up 2>/dev/null | grep -q . \
   && ! iptables -C forwarding_rule -j REJECT >/dev/null 2>&1; then
        iptables -I forwarding_rule -j REJECT >/dev/null 2>&1
fi
```

  • Change your VPN interface firewall settings to INPUT-DROP or INPUT-REJECT.
  • If you assign the IPs directly to the clients, nothing needs to be done.

As a faster and simpler solution I'd suggest assigning the VPN interface to the WAN zone in the firewall. You are doing the same now anyway, but if you want to change something, you'd have to do it twice, for the WAN and VPNCLIENT zones.

I thought that is what I did there. I hope I'm not missing anything.

Yes, my clients get an IP from the archer c50 running openwrt. I thought that if I can see the other devices, maybe they too can see my devices. I'm not really good at iptables and routing.

Hey, won't that mean that when the VPN goes down I get clients using my private VDSL network which is at the WAN port? The way that is set up right now, if the openwrt device can't connect to the vpn then no clients have web access, except for dns name resolutions, which I want to also block if VPN goes down or is disconnected manually.

I didn't suggest that; it is not clear from the configuration snippets you posted. What I noticed is that the VPNCLIENT and WAN zones have exactly the same policies (and both connect you to the internet), so you could merge them into one.

No, the default configuration is pretty much fine.

I presume you mean that you have an IP 10.0.0.10 from your VPN provider and you tried to ping or browse e.g. 10.0.0.11 and you got a reply or a webpage.
This shouldn't be allowed by the VPN.

Yes, I get an IP from that range and can ping others connected to the VPN provider. So there is no configuration I can do that will prevent them from "seeing" me?

Ah yes, what about DNS queries? Any possibility of blocking them from being resolved by the router's default DNS (I guess this has to be set, otherwise the router cannot connect to my VPN provider) as long as the tunnel isn't up?

Regards

ntran

First of all, the VPN provider shouldn't allow that.
Other than that, your configuration is quite fine and does not allow others to probe your router. Just be as careful as you would be on the internet.

You can use the NS of your ISP. As soon as you connect to the VPN you won't be able to use them, since the default gateway will be via the VPN. Otherwise you can add hosts entries for the VPN endpoints, so that you can connect to the VPN without NS. Or you can connect with IPs only.
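A complementary hook for the tunnel-down case, added here as an example and not taken from the thread: a hotplug script that, on ifdown/ifup of the vpnclient interface, inserts or removes the forwarding REJECT together with rules rejecting LAN clients' DNS queries to the router, while leaving the router's own resolver usable so OpenVPN can still look up its endpoint as described above. The script path and the IPT/VPN_IFACE variables are assumptions.

```shell
#!/bin/sh
# Hypothetical /etc/hotplug.d/iface/99-vpn-killswitch (added example, not from the thread).
# Assumes the OpenVPN logical interface is named "vpnclient", as in the poster's
# firewall config, and that LAN clients resolve DNS through the router's dnsmasq.
# The router's own resolver is deliberately left alone so the tunnel can reconnect.

IPT="${IPT:-iptables}"              # overridable so the logic can be dry-run
VPN_IFACE="${VPN_IFACE:-vpnclient}" # logical interface name from /etc/config/firewall

# Decide what the kill switch should do for a hotplug event.
# Prints "present" (rules must exist) or "absent"; prints nothing and fails
# for other interfaces or actions (e.g. ifupdate).
killswitch_state() {   # killswitch_state <ACTION> <INTERFACE>
    [ "$2" = "$VPN_IFACE" ] || return 1
    case $1 in
        ifdown) echo present ;;
        ifup)   echo absent ;;
        *)      return 1 ;;
    esac
}

# Insert or delete one rule in a chain without creating duplicates
# (iptables -C reports whether an identical rule already exists).
ensure_rule() {   # ensure_rule <present|absent> <chain> <rule-spec...>
    want=$1; chain=$2; shift 2
    if "$IPT" -C "$chain" "$@" >/dev/null 2>&1; then
        [ "$want" = absent ] && "$IPT" -D "$chain" "$@"
    else
        [ "$want" = present ] && "$IPT" -I "$chain" "$@"
    fi
    return 0
}

# fw3 user chains: forwarding_rule sees all forwarded traffic, input_lan_rule
# sees traffic from the lan zone to the router itself (dnsmasq on port 53).
apply_killswitch() {   # apply_killswitch <present|absent>
    ensure_rule "$1" forwarding_rule -j REJECT
    ensure_rule "$1" input_lan_rule -p udp --dport 53 -j REJECT
    ensure_rule "$1" input_lan_rule -p tcp --dport 53 -j REJECT
}

# Only act when invoked by hotplug (netifd sets ACTION and INTERFACE).
if [ -n "$ACTION" ] && [ -n "$INTERFACE" ]; then
    state=$(killswitch_state "$ACTION" "$INTERFACE") && apply_killswitch "$state"
fi
```

Because a firewall reload flushes the user chains, keep the firewall.user check from above as well; this script only covers the interface going up or down between reloads.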

Thank you. I solved it by switching providers. I wrote my old one an email but they didn't respond. I am thinking it's time to roll my own server >D

