Aou DD-WRT Novice
Joined: 03 Aug 2010 Posts: 15
Posted: Wed Aug 25, 2010 2:08 Post subject: Solution: Blocking DHCP over bridged OpenVPN tunnel!
I'll try to keep this brief, but here it goes...
Problem:
Part 1:
Creating a bridged VPN tunnel using OpenVPN will allow DHCP traffic to pass to foreign sites. This can sometimes cause clients to receive DHCP packets coming from foreign sites, thus pointing them through the wrong internet gateway. This typically will cause rapid saturation of the VPN link, and all hell breaks loose. Great.
Part 2:
A few searches out there will tell you to use iptables firewall rules to block the traffic on the tunnel. No-can-do! IPTables can only use rules based on bridges, not interfaces (so it seems). "ebtables" works great for this, however. Searches will point you to people adding it into the startup script, and creating rules there for it. Bad news: ebtables is automatically unloaded sometime after ALL .startup scripts are run. Even if you make a new .startup script and put a SLEEP in it, the system will wait for the sleep, and then unload ebtables afterwards. Trust me on this one, in the latest versions of DD-WRT, it's just not possible to load ebtables on startup and keep it going. Sucks for us.
Solution:
Use a carefully crafted CRON job to load ebtables, and create the firewall rules for us!!
By carefully crafted, I mean a long-ass cron job that runs several commands after a single wait period. Here goes:
Code:
@reboot sleep 30;/sbin/insmod /lib/modules/2.4.37/ebtables.o;/sbin/insmod /lib/modules/2.4.37/ebt_ip.o;/sbin/insmod /lib/modules/2.4.37/ebtable_filter.o;ebtables -F;ebtables -I FORWARD -i tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP;ebtables -I FORWARD -o tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP;ebtables -I INPUT -i tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP;ebtables -I OUTPUT -o tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
Please note a few things here:
- Some of these firewall rules might be unnecessary. This currently works for me, but you may want to tweak to suit your needs.
- You only need this on one of the two routers bridged. I put this on the host router, in my case.
- THIS SHOULD ALL BE ONE LINE WITH NO BREAKS. That's what the semicolons are for.
- Your version numbers might vary from mine. You should telnet into your box and verify the paths to the binaries and such.
- If you have an older version of dd-wrt, you may need to build/write the ebt_ip.o file. There are instructions on the forums here somewhere.
- The "ebtables -F" line will flush out any firewall rules that are already loaded in ebtables. Your iptables rules *should* remain unaffected.
- I take no responsibility if you break your router with this info. If you're not comfortable writing cron jobs or giving your router specific linux commands, you should probably move on.
So that's my solution, take it or leave it. Good luck, you die-hard VPN-bridge users. I know how frustrating, yet needed the bridged OpenVPN model can be in our rare cases.
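As an added example, not part of Aou's post or of DD-WRT itself, the following POSIX shell script turns the one-line cron entry above into something you can generate, apply and verify. It keeps the post's interface name (tap0), module directory (/lib/modules/2.4.37, which you must still check against your own firmware) and ebtables rule set; the function names (dhcp_block_rules, dhcp_block_cron_line, dhcp_block_present, apply_dhcp_block) and the sample `ebtables -L` listing are constructed for this example. The verification function is the part the post does not cover: after the cron job has run, `ebtables -L | dhcp_block_present tap0` tells you whether the DROP rules actually survived the boot.

```shell
#!/bin/sh
# Added example (not from the original post). Generates, applies and verifies
# the ebtables rules that drop DHCP (UDP ports 67/68) on the OpenVPN tap port.
# Interface name and module path follow the post; MOD_DIR is a placeholder
# you must check on your own router (ls /lib/modules/$(uname -r)).

MOD_DIR="${MOD_DIR:-/lib/modules/2.4.37}"

# Print one ebtables command per line: drop DHCP frames entering (-i) or
# leaving (-o) the tap port in the FORWARD, INPUT and OUTPUT chains.
dhcp_block_rules() {
    tap="$1"
    for spec in "FORWARD -i" "FORWARD -o" "INPUT -i" "OUTPUT -o"; do
        set -- $spec   # $1 = chain, $2 = direction flag
        printf 'ebtables -I %s %s %s -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP\n' \
            "$1" "$2" "$tap"
    done
}

# Emit the single-line @reboot cron entry the post uses: a delay so the bridge
# and tunnel exist, the three module loads, a flush, then the rules, all
# joined by ';' because crond reads one command line per entry.
dhcp_block_cron_line() {
    tap="$1"
    line="@reboot sleep 30"
    for m in ebtables ebt_ip ebtable_filter; do
        line="$line;/sbin/insmod $MOD_DIR/$m.o"
    done
    rules=$(dhcp_block_rules "$tap" | tr '\n' ';')
    printf '%s;ebtables -F;%s\n' "$line" "${rules%;}"
}

# Read `ebtables -L` output on stdin and succeed only if a DROP rule for UDP
# 67:68 on the given bridge port is present (post-reboot or manual check).
dhcp_block_present() {
    tap="$1"
    awk -v tap="$tap" '
        $0 ~ ("-[io] " tap "( |$)") && /udp/ && /67:68/ && /-j DROP/ { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Load the modules and install the rules; only meaningful on the router itself.
apply_dhcp_block() {
    tap="$1"
    command -v ebtables >/dev/null 2>&1 || { echo "ebtables not installed" >&2; return 1; }
    for m in ebtables ebt_ip ebtable_filter; do
        /sbin/insmod "$MOD_DIR/$m.o" 2>/dev/null || true   # already loaded is fine
    done
    ebtables -F
    dhcp_block_rules "$tap" | while read -r cmd; do eval "$cmd"; done
    # Confirm the rules took effect before trusting the bridge again.
    ebtables -L | dhcp_block_present "$tap"
}

# Constructed sample of `ebtables -L` output with the FORWARD rules in place,
# used here only to exercise dhcp_block_present offline.
SAMPLE_EBTABLES_LIST='Bridge table: filter

Bridge chain: INPUT, entries: 0, policy: ACCEPT

Bridge chain: FORWARD, entries: 2, policy: ACCEPT
-p IPv4 -o tap0 --ip-proto udp --ip-dport 67:68 -j DROP
-p IPv4 -i tap0 --ip-proto udp --ip-dport 67:68 -j DROP

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT'

# Usage: ./dhcp_block.sh apply [tapN]   -> install on the router
#        ./dhcp_block.sh [cron] [tapN]  -> print the crontab line to paste
if [ "${1:-}" = apply ]; then
    apply_dhcp_block "${2:-tap0}"
else
    dhcp_block_cron_line "${2:-tap0}"
fi
```

Run it without arguments on a workstation to print the crontab line, compare the module paths against what is actually in /lib/modules on the router, and only then copy it across; on the router, `./dhcp_block.sh apply tap0` installs the rules and exits non-zero if the DROP entries are not visible in `ebtables -L` afterwards, which is the symptom the post describes when the modules get unloaded behind your back.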