VPN PPTP Passthrough on OpenWrt router

OpenVPN has a complex init process, and it absolutely responds when any system probes or attempts a connection. It's quite chatty and is easily identified as an OpenVPN endpoint. You can certainly use non-standard ports, but many bots/port-scanners will find it simply by probing all of your ports. So if you're worried about hacking/DoS type attacks (even if they aren't successful) as it might impact your connection, you probably are best not using OpenVPN.

It sounds like trying to switch to OpenVPN is a waste of time.

It's about 4 am here, and the 3 Mb internet connection there has been reduced to about a tenth of that, and at times down to zero.

I'm going to actually be there later this morning so I will simply turn off the PPTP server while I am there. It was necessary to expose two of the cameras directly to the web. They have the IP filter that I talked about earlier. It's not a true filter, but it does lock them out at login.

What's needed right now is a way to remotely switch on the ports so I can leave them disconnected when not in use.

I tried to get OpenVPN working, but it wouldn't connect. The router generated the keys and a setup script, which I copied to the cell phone. But the cell phone could not connect using either of the two programs I tried. So I'm giving up on OpenVPN since it's no better than pptp when it comes to exposing ports.

I did go to Amazon and order an Archer A7 which is compatible with both DD-WRT and OpenWrt. It will take a few days, but I will be setting it up with WireGuard as soon as I get it.

I may try DD-WRT this time because it has a parental control section as well as a guest access section. I'm not sure why that was left out of OpenWrt.

Ok... in that case, be sure to ask your questions on the DD-WRT forums. If you stick with OpenWrt, we're here to help.

DD-WRT has a different operating model -- it is a 'monolithic' firmware in that it has everything it offers (or certain subsets for devices with less storage) pre-built and you can't install new packages. OpenWrt has a relatively small base system and then a very large repo of packages you can install, as well as a firewall that has a lot of flexibility.

"Parental controls" is a very broad term and can mean different things to different people.

For OpenWrt, see this as a starting point for parental controls. There are other things you can do, too -- such as the features that adguard home offers among others.

I got the new router when I came home. Unfortunately, it's version 5.8, not version 5.0. There are several reports about 5.8 not being easy to flash. Lots of them getting locked up, but recoverable. I'm going to try it anyway.

I use parental controls to block Windows 10 updates. For about 1 out of 10 updates that get through, the system gets corrupted and I have to spend hours fixing what the update broke. The last time the only fix was to format and reinstall. Windows mandates updates which means they have commandeered root access to my computer without my permission.

I've used DD-WRT before and wasn't super happy with it. I might be setting this unit up as an OpenWrt node for the main AX router so that it can support WireGuard.

I don't know that much about DD-WRT but I do know that Tomato can install programs to external flash and run them without any problem.

You don't really need parental controls for this... simply create DNS entries for the windows update servers so that it won't resolve to the real thing and therefore will just die. You can resolve localhost (127.0.0.1) and that will stop Windows updates from happening. Or, if that doesn't do it (like if they use DoH or DoT, or pre-defined DNS servers in general), you can create firewall rules to specifically block access to those servers.

Use whatever firmware makes sense for you, but try to make a choice and go with it -- the more time you spend waffling, the more time and energy you will waste on this task.

If I had a choice, I would go with Tomato and stay there, but unfortunately, the Tomato developers are not supporting a lot of modern routers. You have to go with what runs on the router.

I had previously used the hostnames feature of OpenWrt to list all the update servers there and that stopped my testing attempts at accessing those servers. However, M$ update was not even slowed down. They must be using an external DNS of some kind. I would have no way of knowing what the address is in order to block it.

I think the way that others are blocking it is by examining all DNS requests and stopping the ones requesting the update URLs. What might work is some kind of forwarding rule that forwards all DNS requests back to the router where the hostnames entry would take precedence.

Ideally, something that simply monitors DNS requests to any server and examines them for the unauthorized URLs. Then returns 127.0.0.1 if one is found. That might be possible with an iptables string search, but I don't know for sure. There would likely have to be a string search entry for each update URL. Too many string searches can slow down a router a lot.

I'll be working on flashing the A7 today. My options are OpenWrt, DD-WRT, or OpenWrt with WireGuard as a node under the main TP-Link. But getting it to flash is the first order of business.

I went ahead and installed OpenWrt on the new TP-Link Archer A7 router. The DD-WRT page says that theirs is a work in progress so not everything works. So I think I'll be better off with OpenWrt since I am more familiar with it.

Would you happen to know if the OpenWrt Backups for the Netgear are compatible with the OpenWrt on the TP-Link? It would save me a lot of configuration time if it is.

Backup tarballs are not transferable between different models (different hardware necessitates different means to set up the network hardware, the wireless cards, the LEDs/ GPIOs), not even necessarily between devices of the same model (as they, depending on the device, may contain MAC addresses and similar).


+1 to what @slh said. However, some files may be compatible -- such as the firewall and DHCP files. Other files can be selectively copy/pasted (for example, the wireguard section of /etc/config/network could be copied into another system). But don't copy the whole file, and don't attempt to use the backup/restore feature to move a configuration from one device to a different device.


I may need to start another thread regarding the windows update blocking, but I found this on another site, would it work?

# drop UDP DNS queries for www.example.com that arrive at the router's own resolver
/sbin/iptables -I INPUT -p udp --dport 53 -m string --hex-string "|03|www|07|example|03|com|" --algo bm -j DROP

This assumes that IPv6 is blocked system wide by the router so it can't sneak out that way.

I was looking at the section about ipsets, but it sort of looks like it's just resolving the domain names and adding just the IP addresses. That's probably not going to work right.
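The two approaches discussed above (the dnsmasq override from the earlier reply, and the iptables string-match rule just posted) combined in one script, as an added example that is not code from this thread or from the OpenWrt project. It generates the configuration rather than applying it, so it can be reviewed before being pasted on the router. It assumes an iptables-based OpenWrt (fw3) with the `iptables-mod-filter` package installed for `-m string`, and that dnsmasq reads extra config from `/tmp/dnsmasq.d`; the host names in `BLOCKLIST` are constructed placeholders, not real Windows update servers.

```shell
#!/bin/sh
# Added example, not code from the thread. Two layers of DNS blocking on an
# OpenWrt router running iptables (fw3):
#   1. a dnsmasq override so clients that use the router's resolver get 127.0.0.1
#   2. iptables string-match rules, in the wire-format pattern the posted rule
#      uses, that drop matching queries whether they hit the router (INPUT) or
#      pass through it to an outside resolver (FORWARD), over UDP and TCP 53.
# The script only prints the lines and rules; it does not apply them.
# Host names below are constructed placeholders (assumption), not real servers.

# dns_hexstring NAME: print the --hex-string pattern for NAME and all of its
# subdomains. Each label becomes a length byte plus the label text; the
# trailing |00| is the root label, so the pattern can only match at the end
# of a query name (the posted pattern omits it and would also match
# www.example.com.anything).
#   dns_hexstring www.example.com  ->  |03|www|07|example|03|com|00|
dns_hexstring() {
    name=${1%.}                # tolerate a trailing dot
    out='|'
    oldifs=$IFS
    IFS='.'
    for label in $name; do
        len=${#label}
        if [ "$len" -lt 1 ] || [ "$len" -gt 63 ]; then   # DNS label limits
            IFS=$oldifs
            echo "dns_hexstring: bad label '$label' in '$name'" >&2
            return 1
        fi
        out="${out}$(printf '%02x' "$len")|${label}|"
    done
    IFS=$oldifs
    printf '%s00|' "$out"
}

# dnsmasq_override NAME: print a dnsmasq "address" line that answers NAME and
# its subdomains with 127.0.0.1. Put it in a file under /tmp/dnsmasq.d/ and
# restart dnsmasq. Only clients that actually use the router's resolver see it.
dnsmasq_override() {
    printf 'address=/%s/127.0.0.1\n' "${1%.}"
}

# dns_block_rules NAME: print one DROP rule per chain and transport.
# INPUT catches queries sent to the router's own resolver; FORWARD catches
# queries a client sends straight to an outside resolver (the "external DNS"
# case). TCP is included because resolvers retry large answers over TCP.
dns_block_rules() {
    pat=$(dns_hexstring "$1") || return 1
    for chain in INPUT FORWARD; do
        for proto in udp tcp; do
            printf "iptables -I %s -p %s --dport 53 -m string --algo bm --hex-string '%s' -j DROP\n" \
                "$chain" "$proto" "$pat"
        done
    done
}

# Constructed sample block list (placeholders).
BLOCKLIST='update.example.com telemetry.example.net'

for n in $BLOCKLIST; do
    dnsmasq_override "$n"
    dns_block_rules "$n"
done
```

Caveats a practitioner would want: the string match only inspects plain DNS on port 53, so a client using DoT (tcp/853) or DoH (https to a resolver IP) still gets through and those need their own firewall rules; if IPv6 is not blocked as the poster assumes, the same rules are needed in ip6tables; and on OpenWrt 22.03 and later, which use fw4/nftables, iptables rules in `/etc/firewall.user` are no longer applied and would have to be translated to nft. Each `-m string` rule scans only packets to port 53, so the per-packet cost is limited to DNS traffic rather than all forwarded traffic.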
