Bridged VPN, using iptables to fix DHCP issue?

DD-WRT Forum Index -> Broadcom SoC based Hardware
JN
DD-WRT Guru
Joined: 29 Mar 2007
Posts: 771

Posted: Mon Nov 17, 2008 15:06    Post subject: Bridged VPN, using iptables to fix DHCP issue?
I followed the tutorial at

http://www.dd-wrt.com/wiki/index.php/OpenVPN_-_Site-to-Site_Bridged_VPN_Between_Two_Routers

to create a working VPN bridge between 2 Buffalo routers, which I tested between two different ISPs and found it working. (Of the two client router startup scripts provided, I had to use the first one, not the edit, to get it to work.) However, I find that a laptop connecting to the VPN client router by DHCP (Computer D in my drawing) sometimes receives an IP from the DHCP server on the local router, and sometimes from the DHCP on the VPN server router. While accessing my LAN resources on the server side works with either, I find that Internet requests are routed through the VPN tunnel when the DHCP on the VPN server router provides the IP address and not through the tunnel when the DHCP on the client router provides the address.

When I connect a laptop to the client router via DHCP, how can I get it to consistently use the client router's DHCP?

Thanks in advance.



[Attachment: MyOPENVPNSituation.gif, 34.09 KB]

Last edited by JN on Thu Nov 20, 2008 14:53; edited 1 time in total
JN posted Mon Nov 17, 2008 15:08:
I would like to add that I tried to do this with iptables four different ways, but could not get any of them to do the trick.

I modified the client and server routers by adding each of the following code snippets to my firewall in turn, each time replacing the code snippet added in the prior trial. The first three continue to show my original glitch (doing nothing visible) and the fourth prevents a computer from connecting to the client router by DHCP altogether.

Server Router

Try 1
iptables -I INPUT 1 -i tap0 -d 192.168.0.1 -p UDP --dport 67 -j DROP

Try 2
iptables -I INPUT 1 -i br0 -d 192.168.0.1 -p UDP --dport 67 -j DROP

Try 3
iptables -I INPUT 1 -i tap0 -d 192.168.0.1 -p UDP --dport 67 -j DROP
iptables -I OUTPUT 1 -o tap0 -s 192.168.0.1 -p UDP --dport 68 -j DROP

Try 4
iptables -I INPUT 1 -i br0 -d 192.168.0.1 -p UDP --dport 67 -j DROP
iptables -I OUTPUT 1 -o br0 -s 192.168.0.1 -p UDP --dport 68 -j DROP

Client Router

Try 1
iptables -I INPUT 1 -i tap0 -d 192.168.0.254 -p UDP --dport 67 -j DROP

Try 2
iptables -I INPUT 1 -i br0 -d 192.168.0.254 -p UDP --dport 67 -j DROP

Try 3
iptables -I INPUT 1 -i tap0 -d 192.168.0.254 -p UDP --dport 67 -j DROP
iptables -I OUTPUT 1 -o tap0 -s 192.168.0.254 -p UDP --dport 68 -j DROP

Try 4
iptables -I INPUT 1 -i br0 -d 192.168.0.254 -p UDP --dport 67 -j DROP
iptables -I OUTPUT 1 -o br0 -s 192.168.0.254 -p UDP --dport 68 -j DROP


What am I doing wrong? I had the following in the routers from the tutorial beforehand

Server router



Startup was

cd /tmp
openvpn --mktun --dev tap0
brctl addif br0 tap0
ifconfig tap0 0.0.0.0 promisc up
echo "
# Tunnel options
mode server # Set OpenVPN major mode
proto udp # Setup the protocol (server)
port 1194 # TCP/UDP port number
dev tap0 # TUN/TAP virtual network device
keepalive 15 60 # Simplify the expression of --ping
daemon # Become a daemon after all initialization
verb 3 # Set output verbosity to n
comp-lzo # Use fast LZO compression
# OpenVPN server mode options
client-to-client # tells OpenVPN to internally route client-to-client traffic
duplicate-cn # Allow multiple clients with the same common name
# TLS Mode Options
tls-server # Enable TLS and assume server role during TLS handshake
ca ca.crt # Certificate authority (CA) file
dh dh1024.pem # File containing Diffie Hellman parameters
cert server.crt # Local peer's signed certificate
key server.key # Local peer's private key
" > openvpn.conf
echo "
-----BEGIN CERTIFICATE-----
[crypto codes removed for privacy]
-----END CERTIFICATE-----
" > ca.crt
echo "
-----BEGIN RSA PRIVATE KEY-----
[crypto codes removed for privacy]
-----END RSA PRIVATE KEY-----
" > server.key
chmod 600 server.key
echo "
-----BEGIN CERTIFICATE-----
[crypto codes removed for privacy]
-----END CERTIFICATE-----
" > server.crt
echo "
-----BEGIN DH PARAMETERS-----
[crypto codes removed for privacy]
-----END DH PARAMETERS-----
" > dh1024.pem
sleep 5
ln -s /usr/sbin/openvpn /tmp/myvpn
/tmp/myvpn --config openvpn.conf
route add -net 192.168.0.0/24 dev br0


# Set some important values:
nvram set wl0.1_ipaddr=192.168.2.1
nvram set wl0.1_netmask=255.255.255.0

# Create bridge br1, move the virtual wireless interface to it,
# and setup the interface's IP address:
brctl addbr br1
brctl delif br0 wl0.1
brctl addif br1 wl0.1
ifconfig br1 192.168.2.1 netmask 255.255.255.0
ifconfig br1 up

# Properly setup NAS
killall nas

# Main:
# WEP does not need NAS

# Virtual:
# WEP does not need NAS
# Uncomment next line if open.
# nas -P /tmp/nas.wl0.1lan.pid -l br1 -H 34954


Firewall was

/usr/sbin/iptables -I INPUT -p udp --dport 1194 -j ACCEPT

<<< test commands entered here on each of the four tests >>>

##BRI1
iptables -I INPUT -i br1 -m state --state NEW -j logaccept
iptables -I FORWARD -i br1 -o vlan1 -m state --state NEW -j ACCEPT

#below keeps the two networks from talking
iptables -I FORWARD -i br0 -o br1 -j logdrop



Client Router



Startup was

cd /tmp
ln -s /usr/sbin/openvpn /tmp/myvpn
./myvpn --mktun --dev tap0
brctl addif br0 tap0
ifconfig tap0 0.0.0.0 promisc up
sleep 5
echo "
client
daemon
dev tap0
proto udp
remote [my_dyndsn_id].dyndns.org 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
comp-lzo
verb 3
" > /tmp/client.conf
echo "
-----BEGIN CERTIFICATE-----
[crypto codes removed for privacy]
-----END CERTIFICATE-----
" > /tmp/ca.crt
echo "
-----BEGIN RSA PRIVATE KEY-----
[crypto codes removed for privacy]
-----END RSA PRIVATE KEY-----
" > /tmp/client.key
chmod 600 /tmp/client.key
echo "
-----BEGIN CERTIFICATE-----
[crypto codes removed for privacy]
-----END CERTIFICATE-----
" > /tmp/client.crt
./myvpn --config client.conf
route add -net 192.168.0.0/24 dev br0


Firewall was empty before trying to fix the DHCP glitch

<<< test commands entered alone in firewall on each of the four tests >>>
JN posted Thu Nov 20, 2008 14:54:
Can someone please advise on how to make the iptables rules work to ensure the nearest DHCP server is used when a computer connects to either router?

Thanks in advance
JN posted Sat Nov 22, 2008 0:31:
bump
mixmasta posted Sat Nov 22, 2008 1:18:
I think your mistake might be trying to specify a destination for the DHCP discover packet, because this should be a subnet broadcast, i.e. your machine looking for a DHCP server doesn't even know what machine the DHCP server is on.

Try something like this:

iptables -A INPUT -p UDP -i tap0 --dport 67 --sport 68 -j DROP
olmari posted Sat Nov 22, 2008 1:27:
One needs ebtables in order to filter traffic in "inside" bridge-device.

ADD: There is a thread about this, use search :)
JN posted Sat Nov 22, 2008 19:33:
olmari wrote:
One needs ebtables in order to filter traffic in "inside" bridge-device.

ADD: There is a thread about this, use search :)
I am seeing a lot of spurious results in the search. Can you please link here to the specific thread you were thinking of? Or more specifically, how might I use ebtables to accomplish my goal here?

Thanks
JN posted Fri Nov 28, 2008 6:54:
bump
Sp1derman posted Fri Nov 28, 2008 16:26:
when I'm back home I will give you the iptables rules.
olmari posted Fri Nov 28, 2008 18:34:
Sp1derman wrote:
when I'm back home I will give you the iptables rules.


But iptables won't work, as in this case the VPN and the LAN are on the same bridge, and the bridge device is effectively the only LAN "device" there. iptables can block traffic between "devices"; ebtables can then block/alter traffic specifically inside the bridge device...

ebtables rules are somewhat similar to iptables, but I'm not totally sure what, but here is an older thread about this very same issue http://www.dd-wrt.com/phpBB2/viewtopic.php?t=36273&highlight=ebtables
slgta posted Sat Nov 29, 2008 3:59    Post subject: ebtables is part of dd-wrt build
According to BS, ebtables is part of all dd-wrt builds.
We just need to load it. (it is not loaded by default)
(see http://svn.dd-wrt.com:8000/dd-wrt/ticket/748#comment:2)

Can someone please post the necessary commands to load ebtables, and the ebtables commands to reject DHCP traffic across the OpenVPN bridge?


olmari wrote:

But iptables won't work, as in this case the VPN and the LAN are on the same bridge, and the bridge device is effectively the only LAN "device" there. iptables can block traffic between "devices"; ebtables can then block/alter traffic specifically inside the bridge device...

ebtables rules are somewhat similar to iptables, but I'm not totally sure what, but here is an older thread about this very same issue http://www.dd-wrt.com/phpBB2/viewtopic.php?t=36273&highlight=ebtables
JN posted Sun Nov 30, 2008 4:39    Post subject: Re: ebtables is part of dd-wrt build
slgta wrote:
Can someone please post the necessary commands to load ebtables, and the ebtables commands to reject DHCP traffic across the OpenVPN bridge?
I was going to ask a similar question after that link to an old, half-solved, confusing thread. Hopefully someone will come in and tell us what to do to solve this problem on current v24 releases.
olmari posted Sun Nov 30, 2008 14:48:
Well, I did link to a thread that has these commands already... And also brainslayer added the correct module into the source, so now it is just as easy as starting to use ebtables: http://svn.dd-wrt.com:8000/dd-wrt/changeset/11026
JN posted Sun Nov 30, 2008 21:45:
olmari wrote:
Well, I did link to a thread that has these commands already... And also brainslayer added the correct module into the source, so now it is just as easy as starting to use ebtables: http://svn.dd-wrt.com:8000/dd-wrt/changeset/11026
Are you saying, that with v24, all slgta and I need to do is to add the following code into our firewall script in both the VPN server and VPN client routers, and that there is no longer anything else to do to enable ebtables? (I pulled this code out of the thread linked to here and changed the interface to tap0.)

ebtables -I INPUT -i tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -I OUTPUT -o tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
olmari posted Sun Nov 30, 2008 21:48:
You do need to run these first:

Code:
insmod ebtables
insmod ebtable_filter
insmod ebt_ip.o


Then add your rules.

Basically that should be it... Remember that at the moment I have no way of confirming these ebtables commands are totally correct, but nevertheless now it is only a matter of fine-tuning it ;)

ADD: You do need to have very latest unofficial build from BS or EKO, available here: http://www.dd-wrt.com/dd-wrtv2/down.php?path=downloads%2Fothers%2Feko%2FV24_TNG%2Fsvn11028/
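The following Python model is an added illustration, not code from this thread, from DD-WRT or from OpenVPN. It evaluates, in plain Python and without touching any kernel, how the four iptables tries from the second post, mixmasta's port-only rule, and the ebtables pair quoted above match the DHCP packets that actually flow on a router where tap0 and the LAN ports share br0. Assumptions, stated in the thread's own terms: the DHCP server listens on br0 at 192.168.0.1 (the server router; the client router at 192.168.0.254 is symmetric), the local LAN client hangs off a bridge port called eth1 here (hypothetical name), bridge-netfilter "physdev" matching is not in use, so iptables sees every bridged packet with interface br0 and never the bridge port the frame used, and a broadcast DHCPOFFER is modelled as one copy per egress bridge port, which is what the ebtables OUTPUT rule with -o tap0 gets to act on. All packets are constructed.

```python
"""Which DHCP-blocking rules from this thread match real DHCP traffic on a router
whose LAN ports and tap0 share the bridge br0. Added model; not from the thread."""
from dataclasses import dataclass
from typing import Dict, List, Optional

BROADCAST = "255.255.255.255"
SERVER_IP = "192.168.0.1"   # DHCP server address on the VPN server router (thread)
BRIDGE = "br0"              # logical bridge that iptables sees (assumption: no physdev)


@dataclass(frozen=True)
class Packet:
    port: str        # bridge port the frame enters or leaves on (tap0, eth1, ...)
    src: str
    dst: str
    sport: int
    dport: int
    direction: str   # "in": delivered to the router; "out": sent by the router


@dataclass(frozen=True)
class Rule:
    layer: str                      # "iptables" or "ebtables"
    chain: str                      # "INPUT" or "OUTPUT"
    iface: Optional[str] = None     # -i on INPUT, -o on OUTPUT
    src: Optional[str] = None       # -s
    dst: Optional[str] = None       # -d
    sport: Optional[int] = None     # --sport
    dports: Optional[range] = None  # --dport; a range models 67:68


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every match in the rule fits the packet (all rules here are DROP)."""
    if rule.chain != ("INPUT" if pkt.direction == "in" else "OUTPUT"):
        return False
    # The decisive difference: iptables is handed the logical bridge device,
    # ebtables is handed the bridge port the frame arrived on or leaves by.
    seen_iface = BRIDGE if rule.layer == "iptables" else pkt.port
    if rule.iface is not None and rule.iface != seen_iface:
        return False
    if rule.src is not None and rule.src != pkt.src:
        return False
    if rule.dst is not None and rule.dst != pkt.dst:
        return False
    if rule.sport is not None and rule.sport != pkt.sport:
        return False
    if rule.dports is not None and pkt.dport not in rule.dports:
        return False
    return True


def verdict(rules: List[Rule], pkt: Packet) -> str:
    return "DROP" if any(matches(r, pkt) for r in rules) else "ACCEPT"


def ipt(chain: str, iface: str, **kw) -> Rule:
    return Rule("iptables", chain, iface, **kw)


RULESETS: Dict[str, List[Rule]] = {
    # JN's four tries on the server router, as posted in the thread
    "try1": [ipt("INPUT", "tap0", dst=SERVER_IP, dports=range(67, 68))],
    "try2": [ipt("INPUT", "br0", dst=SERVER_IP, dports=range(67, 68))],
    "try3": [ipt("INPUT", "tap0", dst=SERVER_IP, dports=range(67, 68)),
             ipt("OUTPUT", "tap0", src=SERVER_IP, dports=range(68, 69))],
    "try4": [ipt("INPUT", "br0", dst=SERVER_IP, dports=range(67, 68)),
             ipt("OUTPUT", "br0", src=SERVER_IP, dports=range(68, 69))],
    # mixmasta's suggestion: match on ports only, no destination address
    "mixmasta": [ipt("INPUT", "tap0", sport=68, dports=range(67, 68))],
    # the ebtables pair proposed later in the thread, keyed on the bridge port
    "ebtables": [Rule("ebtables", "INPUT", "tap0", dports=range(67, 69)),
                 Rule("ebtables", "OUTPUT", "tap0", dports=range(67, 69))],
}

# Constructed traffic. A DHCPDISCOVER comes from a host with no address yet:
# source 0.0.0.0, destination the limited broadcast, so a rule keyed on
# -d 192.168.0.1 never sees it. The DHCPOFFER is broadcast back and flooded
# out every bridge port; tunnel and LAN each receive a copy.
TUNNEL_DISCOVER = Packet("tap0", "0.0.0.0", BROADCAST, 68, 67, "in")
LOCAL_DISCOVER = Packet("eth1", "0.0.0.0", BROADCAST, 68, 67, "in")
OFFER_TO_TUNNEL = Packet("tap0", SERVER_IP, BROADCAST, 67, 68, "out")
OFFER_TO_LOCAL = Packet("eth1", SERVER_IP, BROADCAST, 67, 68, "out")


def assess(name: str) -> Dict[str, bool]:
    """Does the rule set keep leases off the tunnel, and does local DHCP survive?"""
    rules = RULESETS[name]
    tunnel_served = (verdict(rules, TUNNEL_DISCOVER) == "ACCEPT"
                     and verdict(rules, OFFER_TO_TUNNEL) == "ACCEPT")
    local_served = (verdict(rules, LOCAL_DISCOVER) == "ACCEPT"
                    and verdict(rules, OFFER_TO_LOCAL) == "ACCEPT")
    return {"tunnel_blocked": not tunnel_served, "local_dhcp_ok": local_served}


def summary() -> Dict[str, Dict[str, bool]]:
    return {name: assess(name) for name in RULESETS}


if __name__ == "__main__":
    for name, r in summary().items():
        print(f"{name:9s} tunnel_blocked={r['tunnel_blocked']!s:5s} "
              f"local_dhcp_ok={r['local_dhcp_ok']}")
```

Run stand-alone it prints one line per rule set. Tries 1 to 3 and the port-only iptables rule block nothing: the -i tap0 rules never match because iptables is shown br0, and the -d 192.168.0.1 rules never match because a DISCOVER is addressed to 255.255.255.255. Try 4 is the one that does match, and it matches the OFFER on br0 for every client, which is the "no DHCP at all" result reported in the thread. Only the rules that can name the bridge port (the ebtables pair) drop the tunnel copy while leaving the LAN copy alone, which is the point olmari makes about filtering inside the bridge.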