Solution: Blocking DHCP over bridged OpenVPN tunnel!

Aou (DD-WRT Novice; joined 03 Aug 2010; 15 posts)
Posted: Wed Aug 25, 2010 2:08
I'll try to keep this brief, but here it goes...

Problem:
Part 1:
Creating a bridged VPN tunnel using OpenVPN will allow DHCP traffic to pass to foreign sites. This can sometimes cause clients to receive DHCP packets coming from foreign sites, thus pointing them through the wrong internet gateway. This typically will cause rapid saturation of the VPN link, and all hell breaks loose. Great.
Part 2:
A few searches out there will tell you to use iptables firewall rules to block the traffic on the tunnel. No-can-do! IPTables can only use rules based on bridges, not interfaces (so it seems). "ebtables" works great for this, however. Searches will point you to people adding it into the startup script, and creating rules there for it. Bad news: ebtables is automatically unloaded sometime after ALL .startup scripts are run. Even if you make a new .startup script and put a SLEEP in it, the system will wait for the sleep, and then unload ebtables afterwards. Trust me on this one, in the latest versions of DD-WRT, it's just not possible to load ebtables on startup and keep it going. Sucks for us.

Solution:
Use a carefully crafted CRON job to load ebtables, and create the firewall rules for us!!

By carefully crafted, I mean a long-ass cron job that runs several commands after a single wait period. Here goes:
Code:
@reboot sleep 30;/sbin/insmod /lib/modules/2.4.37/ebtables.o;/sbin/insmod /lib/modules/2.4.37/ebt_ip.o;/sbin/insmod /lib/modules/2.4.37/ebtable_filter.o;ebtables -F;ebtables -I FORWARD -i tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP;ebtables -I FORWARD -o tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP;ebtables -I INPUT -i tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP;ebtables -I OUTPUT -o tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP

Please note a few things here:
- Some of these firewall rules might be unnecessary. This currently works for me, but you may want to tweak to suit your needs.
- You only need this on one of the two routers bridged. I put this on the host router, in my case.
- THIS SHOULD ALL BE ONE LINE WITH NO BREAKS. That's what the semicolons are for.
- Your version numbers might vary from mine. You should telnet into your box and verify the paths to the binaries and such.
- If you have an older version of dd-wrt, you may need to build/write the ebt_ip.o file. There are instructions on the forums here somewhere.
- The "ebtables -F" line will flush out any firewall rules that are already loaded in ebtables. Your iptables rules *should* remain unaffected.
- I take no responsibility if you break your router with this info. If you're not comfortable writing cron jobs or giving your router specific linux commands, you should probably move on.

So that's my solution, take it or leave it. Good luck, you die-hard VPN-bridge users. I know how frustrating, yet needed the bridged OpenVPN model can be in our rare cases.
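The script below is an added example written for this page; it is not Aou's code and not anything shipped by DD-WRT or OpenVPN. It puts the same ebtables approach into a small file that the same `@reboot sleep 30; ...` cron line can call, with two changes a practitioner would want: the modules are only loaded if they are not already in the kernel, and the DHCP drop rules live in their own chain (assumed name `DHCPBLOCK`), so re-running it, or removing it, never wipes other ebtables rules the way the bare `ebtables -F` in the post does. Assumptions: the file is saved as `/jffs/dhcp-block.sh`, the tunnel interface is `tap0`, and the module directory is `/lib/modules/$(uname -r)` (the post's `/lib/modules/2.4.37`). Setting `DRY_RUN=1` prints the ebtables commands instead of running them, which is how to check the generated rules on a desktop before touching the router.

```shell
#!/bin/sh
# Added example (not from the forum post): block DHCP crossing a bridged
# OpenVPN tap interface with ebtables, runnable from the same
# '@reboot sleep 30; ...' cron trick. Assumed: script saved as
# /jffs/dhcp-block.sh, tunnel interface tap0, chain name DHCPBLOCK.
#
# Cron line (one line in the DD-WRT cron box):
#   @reboot sleep 30; /jffs/dhcp-block.sh apply

TAP="${TAP:-tap0}"
CHAIN="${CHAIN:-DHCPBLOCK}"
MODDIR="${MODDIR:-/lib/modules/$(uname -r)}"   # e.g. /lib/modules/2.4.37
DRY_RUN="${DRY_RUN:-}"                          # non-empty: print commands instead of running

# Run a command, or just print it when DRY_RUN is set.
run() {
  if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi
}

# Load the three ebtables modules unless they are already in the kernel.
# 2.4 kernels ship .o modules, 2.6 kernels .ko; try both names.
load_modules() {
  for m in ebtables ebt_ip ebtable_filter; do
    grep -q "^$m " /proc/modules 2>/dev/null && continue
    for f in "$MODDIR/$m.o" "$MODDIR/$m.ko"; do
      if [ -f "$f" ]; then run insmod "$f"; break; fi
    done
  done
}

# Remove our jump rules and chain. Errors (nothing to delete) are ignored,
# so this is safe to call before (re)applying.
remove_rules() {
  tap="$1"
  run ebtables -D FORWARD -i "$tap" -j "$CHAIN" 2>/dev/null
  run ebtables -D FORWARD -o "$tap" -j "$CHAIN" 2>/dev/null
  run ebtables -D INPUT -i "$tap" -j "$CHAIN" 2>/dev/null
  run ebtables -D OUTPUT -o "$tap" -j "$CHAIN" 2>/dev/null
  run ebtables -F "$CHAIN" 2>/dev/null
  run ebtables -X "$CHAIN" 2>/dev/null
}

# Drop IPv4/UDP frames to port 67 (DHCP server) or 68 (DHCP client) that
# enter or leave the tap interface. A dedicated chain means re-running this
# touches only our rules, unlike a bare 'ebtables -F' on the whole table.
apply_rules() {
  tap="$1"
  match="-p IPv4 --ip-protocol udp --ip-destination-port 67:68"
  remove_rules "$tap"
  run ebtables -N "$CHAIN"
  run ebtables -P "$CHAIN" RETURN          # anything not matched continues as before
  run ebtables -A "$CHAIN" $match -j DROP  # $match unquoted on purpose: separate args
  # FORWARD sees bridged frames both ways; INPUT only has an input interface
  # and OUTPUT only an output interface, so each gets the option it supports.
  run ebtables -I FORWARD -i "$tap" -j "$CHAIN"
  run ebtables -I FORWARD -o "$tap" -j "$CHAIN"
  run ebtables -I INPUT -i "$tap" -j "$CHAIN"
  run ebtables -I OUTPUT -o "$tap" -j "$CHAIN"
}

main() {
  case "$1" in
    apply)  load_modules; apply_rules "$TAP" ;;
    remove) remove_rules "$TAP" ;;
    status) ebtables -L "$CHAIN" --Lc ;;   # counters show whether DHCP is being dropped
    *) echo "usage: $0 apply|remove|status" >&2; exit 2 ;;
  esac
}

# Only act when given a command, so the file can also be sourced for testing.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

`status` is the check worth running after a reboot: if the DROP rule's packet counter climbs while a client on the far side renews its lease, the foreign DHCP traffic is being stopped at the bridge as intended. The rules block DHCP in both directions on the tap only, so DHCP on the local LAN ports is untouched, and, as the post says, one router of the pair is enough.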