VPN Firewall help needed

Hi All,

Apologies in advance for my lack of knowledge about setting up OpenVPN on OpenWrt, but I'm here to listen and learn.

I've setup a VPN client on my WRT1200ac (OpenWrt 18.06.1 r7258-5eb055306f / LuCI openwrt-18.06 branch (git-18.228.31946-f64b152) which appears to correctly start as I followed this guide from the VPN provider.

However the issue I need assistance with is setting up the firewall to direct all traffic (both LAN & Guest Interfaces) through the VPN and for all traffic to drop if/when the VPN disconnects.

//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

Here is my interface setup:


# /etc/config/network as posted. Only the parts that matter for routing LAN and
# guest traffic through the VPN are annotated; nothing here is changed.
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'

config globals 'globals'
option ula_prefix 'fd40:6bbe:b095::/48'

# Wired LAN (192.168.1.0/24): the first of the two networks that must only reach
# the internet through tun0.
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'

# Upstream link. peerdns '0' makes dnsmasq ignore the ISP-supplied resolvers and
# use the two addresses listed here instead. Once OpenVPN has installed its
# 0.0.0.0/1 and 128.0.0.0/1 routes (see the log), the router's own queries to
# these servers leave through tun0 rather than eth1.2.
config interface 'wan'
option ifname 'eth1.2'
option proto 'dhcp'
option peerdns '0'
option dns '168.1.79.238 54.66.128.66'

# IPv6 upstream on the same VLAN. The log shows OpenVPN set up no IPv6 on tun0
# (did_ifconfig_ipv6_setup=0), so any IPv6 forwarding towards this interface
# would go around the tunnel; the firewall must never forward lan/guest here.
config interface 'wan6'
option ifname 'eth1.2'
option proto 'dhcpv6'

config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'

# VLAN 1 = LAN ports 0-3, VLAN 2 = WAN port 4; 5t/6t are the CPU trunk ports.
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0 1 2 3 5t'

config switch_vlan
option device 'switch0'
option vlan '2'
option ports '4 6t'

# Guest network (192.168.3.0/24): the second network that must be confined to
# tun0. It has no switch port of its own (presumably a wireless SSID is attached
# to the 'guest' bridge — confirm in /etc/config/wireless), so only the firewall
# decides where its traffic may go.
config interface 'guest'
option ifname 'guest'
option proto 'static'
option ipaddr '192.168.3.1'
option netmask '255.255.255.0'
option ip6assign '60'
option type 'bridge'

# The tunnel. proto 'none' because OpenVPN configures tun0 itself (the
# /sbin/ifconfig line in the log); this entry only gives the firewall a network
# name it can put into a zone.
config interface 'VPN_NET'
option ifname 'tun0'
option proto 'none'

Here is my current Firewall setup:


# /etc/config/firewall as currently installed. With these zones and forwardings
# LAN and guest traffic goes straight to the ISP, and tun0 belongs to no zone,
# so nothing is ever forwarded into the VPN: once OpenVPN's default routes are
# in place, client traffic is routed to tun0 and then hits the REJECT forward
# default below. A kill-switch setup needs a zone for VPN_NET and must forward
# lan/guest only into that zone.
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'

config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'

config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'

# This forwarding is the path that bypasses the VPN: whenever the tunnel is
# down (or before it has come up) LAN traffic is forwarded and masqueraded
# directly to the ISP. The kill switch is precisely the removal of this entry
# in favour of a lan -> <tun0 zone> forwarding.
config forwarding
option src 'lan'
option dest 'wan'

config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

# OpenWrt default rules: they forward ESP and UDP/500 arriving on WAN into the
# LAN zone. Nothing here terminates IPsec and an OpenVPN client does not need
# them; they can be dropped.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'

config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'

config include
option path '/etc/firewall.user'

# Guest network: cannot talk to the router except for DHCP and DNS (rules
# below), and — like lan above — is currently forwarded straight to wan.
config zone 'guestzone'
option name 'guestzone'
option network 'guest'
option forward 'REJECT'
option output 'ACCEPT'
option input 'REJECT'

# Same VPN bypass as the lan -> wan forwarding; must become guestzone -> <tun0 zone>.
config forwarding 'guestzone_fwd'
option src 'guestzone'
option dest 'wan'

config rule 'guestzone_dhcp'
option name 'guestzone_DHCP'
option src 'guestzone'
option target 'ACCEPT'
option proto 'udp'
option dest_port '67-68'

config rule 'guestzone_dns'
option name 'guestzone_DNS'
option src 'guestzone'
option target 'ACCEPT'
option proto 'tcp udp'
option dest_port '53'

And here is the firewall suggested by the VPN provider (note that it replaces the whole file, so the guest zone above is lost unless it is added back):


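# Install a VPN-only ruleset. The only forwardings defined are lan -> VPN_FW and
# guestzone -> VPN_FW, so LAN and guest clients reach the internet exclusively
# through tun0 and are forwarded nowhere while the tunnel is down: the absence
# of any lan/guest -> wan forwarding is the kill switch. Run as root on the
# router, then apply with `/etc/init.d/firewall restart`.
mv /etc/config/firewall /etc/config/firewall.orig
# Quoted delimiter so the shell expands nothing inside the ruleset; '>' rather
# than '>>' because the previous file has just been moved aside.
cat > /etc/config/firewall << 'EOF'
# Defaults apply only to traffic on devices that belong to no zone.
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# LAN clients (192.168.1.0/24). Intra-zone forward stays REJECT as in the
# provider's template; with a single network in the zone it changes nothing.
config zone
	option name 'lan'
	option network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Upstream link. input is REJECT here, not ACCEPT as in the provider's template:
# ACCEPT would expose every listening service on the router (LuCI, ssh, dnsmasq)
# to the internet. No masquerading is configured because nothing is forwarded
# into this zone; only the router's own OpenVPN session leaves here directly.
# wan6 is listed together with wan, as in the current config, so the IPv6 side
# of eth1.2 is unambiguously covered by the same zone.
config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# The tunnel. Forwarded traffic is masqueraded behind the tun0 address
# (10.2.0.25 in the log); mtu_fix clamps TCP MSS to the tunnel MTU.
config zone
	option name 'VPN_FW'
	option network 'VPN_NET'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# Host rules on the WAN side, as in the OpenWrt defaults: DHCP/DHCPv6 renewals,
# ping, and the ICMPv6 types IPv6 cannot function without.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fe80::/10'
	option src_port '547'
	option dest_ip 'fe80::/10'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

# The only way out for LAN: into the tunnel.
config forwarding
	option src 'lan'
	option dest 'VPN_FW'

# Guest network, carried over from the current config (the provider's template
# dropped it). Isolated from the router except for DHCP and DNS, and forwarded
# only into the tunnel, never to wan.
config zone 'guestzone'
	option name 'guestzone'
	option network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding 'guestzone_fwd'
	option src 'guestzone'
	option dest 'VPN_FW'

config rule 'guestzone_dhcp'
	option name 'guestzone_DHCP'
	option src 'guestzone'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'

config rule 'guestzone_dns'
	option name 'guestzone_DNS'
	option src 'guestzone'
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'

# IPv6 caveat: the log shows tun0 received no IPv6 address, and nothing above
# forwards IPv6 to wan6, so clients with a global IPv6 address have no v6 path
# out at all (the safe side of the kill switch). They may see delays on
# IPv6-first connections until they fall back to IPv4.
EOF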

Here is my VPN log for good measure; there are a couple of warnings in it which may need to be resolved. The ones that matter for security are: "No server certificate verification method has been enabled" (without `remote-cert-tls server` in the client config, any certificate issued by the provider's CA — including another client's — is accepted as the server, i.e. a MITM is not detected), the control channel negotiating only TLSv1, and the data channel using BF-CBC, whose 64-bit block size OpenVPN itself flags as SWEET32-vulnerable:


Wed Nov 7 18:15:55 2018 OpenVPN 2.4.5 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Wed Nov 7 18:15:55 2018 library versions: OpenSSL 1.0.2p 14 Aug 2018, LZO 2.10
Wed Nov 7 18:15:55 2018 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Wed Nov 7 18:15:55 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]46.36.203.7:1194
Wed Nov 7 18:15:55 2018 Socket Buffers: R=[163840->163840] S=[163840->163840]
Wed Nov 7 18:15:55 2018 UDP link local: (not bound)
Wed Nov 7 18:15:55 2018 UDP link remote: [AF_INET]46.36.203.7:1194
Wed Nov 7 18:15:55 2018 TLS: Initial packet from [AF_INET]46.36.203.7:1194, sid=e2bbb398 0ba7734c
Wed Nov 7 18:15:58 2018 VERIFY OK: depth=1, C=SC, ST=Mahe, L=Victoria, O=Global Stealth, Inc., OU=VPN, CN=Global Stealth, Inc. CA, name=serverlocation-key, emailAddress=admin@serverlocation.co
Wed Nov 7 18:15:58 2018 VERIFY OK: depth=0, C=SC, ST=Mahe, L=Victoria, O=Global Stealth, Inc., OU=VPN, CN=*.serverlocation.co, name=serverlocation-key, emailAddress=admin@serverlocation.co
Wed Nov 7 18:16:00 2018 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1541', remote='link-mtu 1542'
Wed Nov 7 18:16:00 2018 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Wed Nov 7 18:16:00 2018 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Wed Nov 7 18:16:00 2018 [*.serverlocation.co] Peer Connection Initiated with [AF_INET]46.36.203.7:1194
Wed Nov 7 18:16:01 2018 SENT CONTROL [*.serverlocation.co]: 'PUSH_REQUEST' (status=1)
Wed Nov 7 18:16:01 2018 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 54.93.169.181,dhcp-option DNS 212.71.249.225,route-gateway 10.2.0.1,topology subnet,ping 10,ping-restart 30,ifconfig 10.2.0.25 255.255.255.0'
Wed Nov 7 18:16:01 2018 OPTIONS IMPORT: timers and/or timeouts modified
Wed Nov 7 18:16:01 2018 OPTIONS IMPORT: --ifconfig/up options modified
Wed Nov 7 18:16:01 2018 OPTIONS IMPORT: route options modified
Wed Nov 7 18:16:01 2018 OPTIONS IMPORT: route-related options modified
Wed Nov 7 18:16:01 2018 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed Nov 7 18:16:01 2018 Outgoing Data Channel: Cipher 'BF-CBC' initialized with 128 bit key
Wed Nov 7 18:16:01 2018 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Wed Nov 7 18:16:01 2018 Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Nov 7 18:16:01 2018 Incoming Data Channel: Cipher 'BF-CBC' initialized with 128 bit key
Wed Nov 7 18:16:01 2018 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Wed Nov 7 18:16:01 2018 Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Nov 7 18:16:01 2018 WARNING: cipher with small block size in use, reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.
Wed Nov 7 18:16:01 2018 TUN/TAP device tun0 opened
Wed Nov 7 18:16:01 2018 TUN/TAP TX queue length set to 100
Wed Nov 7 18:16:01 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Wed Nov 7 18:16:01 2018 /sbin/ifconfig tun0 10.2.0.25 netmask 255.255.255.0 mtu 1500 broadcast 10.2.0.255
Wed Nov 7 18:16:01 2018 /sbin/route add -net 46.36.203.7 netmask 255.255.255.255 gw 202.142.132.1
Wed Nov 7 18:16:01 2018 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.2.0.1
Wed Nov 7 18:16:01 2018 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.2.0.1
Wed Nov 7 18:16:01 2018 Initialization Sequence Completed

//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

The issue I have with the suggested firewall is that I get a DNS resolution error in Chrome and it cuts all traffic from LAN to WAN. (The second part is actually the intended kill-switch behaviour: the only forwarding it defines is lan → VPN_FW, so the LAN can reach the internet only while tun0 is up. The DNS part is worth checking separately: dnsmasq on the router still uses the two servers from `option dns` on the wan interface, and with `redirect-gateway` those queries leave through the tunnel, where an ISP resolver may refuse them — `nslookup openwrt.org 127.0.0.1` on the router would show whether the router itself can resolve.)

If anyone could offer suggestions on how to correctly set up a firewall for the above requirements, and point out any issues with the VPN itself that need to be resolved, I would appreciate it.

Thank you all

You keep mentioning firewall...but have you made the routes for the traffic to use the VPN interface?

Wed Nov 7 18:16:01 2018 OPTIONS IMPORT: route options modified
Wed Nov 7 18:16:01 2018 OPTIONS IMPORT: route-related options modified

VPN provider pushes the routes.

First of all:
Did you check out your VPN-provider at https://thatoneprivacysite.net ?
Compare it with the providers that are mostly in the green. If you can still cancel your subscription, tell them you can't get it to work.

Secondly:
The setup guide is outdated and, as far as I can see, not the way to set up a proper VPN connection — your own log already shows it: no server certificate verification, a TLSv1 control channel and the BF-CBC data cipher. I thought about helping you out, but since I checked them out on the site above I'd rather everyone stayed away from them.

Thank you Sir. Found a (lot) better provider with up-to-date guides
VPN works a treat.

Happy to hear that, thanks for reporting back.