Router: Netgear WNDR3700v2
Firmware: OpenWrt Barrier Breaker r40521 / LuCI Trunk (svn-r9964)
I'm currently signed up with an OpenVPN account from StrongVPN and have some challenges setting up the router so the devices can only access the Internet, services, etc. through the VPN tunnel (tun0) IF it is up. The issue now is that when the router boots, it shows the REAL IP before the VPN client starts.
The following is done (taken from another guide in this forum):
Part 1: Creating our "VPN" interface/unmanaged switch
Go to Network -> Interfaces.
Create new Interface called VPN.
Protocol: "Unmanaged"/none
Interface: tun0
Part 2: Create VPN Firewall Zone
Go to Network -> Firewall
Create a new zone called "VPN".
Incoming and Outgoing Accepted. Forwarding rejected
Covered Networks: VPN
Part 3: Create Traffic Forward Rules to allow ALL communication between LAN and VPN zones and vice versa.
Go to Network -> Firewall -> Traffic Rules
Rule 1 Name: LAN->VPN
Source Zone: LAN
Destination Zone: VPN
Rule 2 Name: VPN->LAN
Source Zone: VPN
Destination Zone: LAN
Rule 3 Name: OpenVPN
Protocol: UDP
Source: WAN
Destination Port: 4672
Destination Zone: Device
(Added 3 times, for ports 4672, 123 and 53, according to my VPN config)
In addition, I have done the following for the LAN firewall:
Network - Interfaces - Firewall - Zones - "lan" Inter-Zone Forwarding is set to VPN.
When the "LAN Zone" above is changed from WAN to VPN, all my Internet access is lost, of course.
Then, I start my VPN Client by the following command: openvpn --cd /etc/openvpn --config ovpn160.ovpn &
The VPN tunnel starts up without errors, and I can see some small packets passing through the tun0 interface.
But I can't get out to the big world (Internet), and I'm wondering what I'm missing...
My VPN config:
remote 108.171.16.59 4672 udp
remote 108.171.16.59 123 udp
remote 108.171.16.59 53 udp
key-direction 1
cipher AES-128-CBC
client
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
;http-proxy-retry
;http-proxy 108.171.16.59 80
verb 4
reneg-sec 86400
echo vpn32 ovpn178
tun-mtu 1500
route-method exe
route-delay 2
redirect-gateway def1
comp-lzo no
fragment 1390
mssfix 1390
hand-window 30
Without all the steps above, but with port forwarding done in the GUI, I can get the VPN to work with the firewall settings below.
I got this from a friend, but I'm not sure if I need all of it and what everything does.
firewall.user:
#
#Location: /etc/firewall.user
#
#Drop all connections for Remote Access to the router on VPN Interface
#
iptables -I INPUT -i tun+ -p tcp --dport telnet -j DROP
iptables -I INPUT -i tun+ -p tcp --dport ssh -j DROP
iptables -I INPUT -i tun+ -p tcp --dport www -j DROP
iptables -I INPUT -i tun+ -p tcp --dport https -j DROP
iptables -I INPUT -i tun+ -p icmp --icmp-type 8 -j DROP #Echo Request
#
## Set tun device to act as default connection to the Internet.
## Notice the -o tun+. This indicates that it is looking for outbound packets on tun+
iptables -t nat -I POSTROUTING -o tun+ -j MASQUERADE
#
## Accept all outgoing traffic to the Internet via the tun device
iptables -I OUTPUT -o tun+ -j ACCEPT
#
## Allow all outgoing forwarding connections
iptables -I FORWARD -o tun+ -j ACCEPT
#
## Allow only ESTABLISHED incoming packets.
## I guess this is for normal web browsing as you establish a connection first via a HTTP request
iptables -I INPUT -i tun+ -m state --state ESTABLISHED,RELATED -j ACCEPT
#
## Allow all incoming forwarded connections through the tun interface
iptables -I FORWARD -i tun+ -j ACCEPT
#
## Defining specific routes
#
iptables -t nat -I PREROUTING -i tun+ -p tcp --dport 23678 -j DNAT --to-destination 192.168.1.140
iptables -t nat -I PREROUTING -i tun+ -p tcp --dport 22875 -j DNAT --to-destination 192.168.1.140
#
#Block Port Scanning, Block all the standard stealth scans, not nmap.
#
# Anyone who tried to portscan us is locked out
iptables -A INPUT -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
#
I would really appreciate it if someone could please review my post and give me some hints.
Also, I'm not sure about the custom firewall rules and what is good or not.
Thanks!
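An added example, not from the post above or from the guides it follows, of one way to enforce the "only through tun0" requirement from /etc/firewall.user: LAN clients are only forwarded out via tun+, and forwarding from LAN to the physical WAN device is rejected, so nothing leaves with the real IP while the tunnel is down or before openvpn has started. The interface names br-lan and eth0.2 are assumptions (check `uci show network.lan` / `uci show network.wan`), and the chain name vpn_leak_guard is made up for this example.

```shell
#!/bin/sh
# Added example: kill-switch fragment for OpenWrt Barrier Breaker, meant to be
# called from /etc/firewall.user as:  sh /etc/vpn_killswitch.sh --apply
# Interface names are assumptions for a WNDR3700v2; adjust to your setup.
LAN_IF="${LAN_IF:-br-lan}"
WAN_IF="${WAN_IF:-eth0.2}"
VPN_IF="${VPN_IF:-tun+}"
GUARD="vpn_leak_guard"   # hypothetical chain name used by this example

# With DRY_RUN=1 the rules are printed instead of applied, so the result can
# be reviewed (or tested) without touching the running firewall.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Build a dedicated chain and hook it at the very top of FORWARD for LAN
# traffic. The order inside the chain is what makes it a kill switch:
#   1. replies to existing flows pass,
#   2. new LAN -> tun+ flows pass (and are masqueraded behind the tunnel),
#   3. anything LAN -> WAN is rejected, whether or not tun0 exists yet.
vpn_killswitch_rules() {
    ipt -N "$GUARD"
    ipt -F "$GUARD"
    ipt -A "$GUARD" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A "$GUARD" -o "$VPN_IF" -j ACCEPT
    ipt -A "$GUARD" -o "$WAN_IF" -j REJECT --reject-with icmp-net-unreachable
    # Delete a stale hook first so the script is safe to re-run on every
    # /etc/init.d/firewall restart, then insert it at position 1.
    ipt -D FORWARD -i "$LAN_IF" -j "$GUARD" 2>/dev/null
    ipt -I FORWARD 1 -i "$LAN_IF" -j "$GUARD"
    # Masquerade behind the tunnel address (same as the friend's rule).
    ipt -t nat -D POSTROUTING -o "$VPN_IF" -j MASQUERADE 2>/dev/null
    ipt -t nat -I POSTROUTING -o "$VPN_IF" -j MASQUERADE
}

# Sanity check: returns 0 only if the generated rule set really contains the
# LAN -> WAN reject rule (the part that stops the leak), 1 otherwise.
killswitch_has_reject() {
    DRY_RUN=1 vpn_killswitch_rules | grep -q -- "-o $WAN_IF -j REJECT"
}

case "${1:-}" in
    --apply) vpn_killswitch_rules ;;
    --show)  DRY_RUN=1 vpn_killswitch_rules ;;
esac
```

Run it with `--show` first and compare the output with `iptables -L FORWARD -nv --line-numbers` after applying; the guard chain must sit at rule 1 of FORWARD, above the zone_lan_forward jump that fw3 creates.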