*EZ GUIDE* OpenVPN PIA & Access Restrictions WAN + Cron

DD-WRT Forum Index -> Advanced Networking
mikimik
DD-WRT Novice


Joined: 12 Jan 2015
Posts: 13

PostPosted: Mon Jan 12, 2015 21:43    Post subject: *EZ GUIDE* OpenVPN PIA & Access Restrictions WAN + Cron
I have set up PIA on my Netgear R7000 using Kong's 25090M and it is working great; all my outgoing traffic is going through the VPN.

When I try to enable "Access Restrictions" so the kids cannot use WAN late at night, this has no effect whatsoever. However, if I disable the OpenVPN connection, then "Access Restrictions" works as expected.

I'm guessing there's a conflict with DDWRT and that OpenVPN and "Access Restrictions" don't play well.

Has anyone got a workaround, or the same fault on their router using DDWRT?


Last edited by mikimik on Tue Jan 13, 2015 13:59; edited 2 times in total
mikimik
DD-WRT Novice


Joined: 12 Jan 2015
Posts: 13

PostPosted: Tue Jan 13, 2015 12:18    Post subject:
UPDATED GUIDE
Big thanks and all credits to eibgrad for simplifying the process of getting OpenVPN and DDWRT's Access Restrictions working together.

Have you got OpenVPN on your DDWRT router and want to be able to restrict WAN access at certain times/days to make sure your kids aren't staying up late using the internet? If you have tried to get DDWRT's Access Restrictions working in the GUI you will know that it does not work when you have OpenVPN enabled on the router. eibgrad's script below will fix this issue.

Disclaimer: This setup was tested with a Netgear R7000 with Kong 25090M Build but should work in a number of similar scenarios, however make sure you backup, backup, and backup everything before following my guide.

    1. Log into your DDWRT router using the GUI.
    2. Go to 'Administration', then click on the 'Commands' tab.
    3. Paste the code below into the text field:

Code:
#!/bin/sh
# Writes a small watchdog to /tmp and starts it in the background at boot.
SCRIPT="/tmp/lan2wan.sh"
cat << "EOF" > $SCRIPT
#!/bin/sh
# Every 5 minutes, check which line of "iptables -vnL FORWARD" holds the
# lan2wan jump (Access Restrictions). Two header lines precede the rules,
# so line 3 is the first rule; if lan2wan is anywhere else, move it to the
# top so it is evaluated before the OpenVPN (tun1) ACCEPT rules.
while true; do
    if [ "$(iptables -vnL FORWARD | awk '/lan2wan/ {print FNR}')" != "3" ]; then
        iptables -D FORWARD -j lan2wan
        iptables -I FORWARD -j lan2wan
    fi
    sleep 300
done
EOF
chmod +x $SCRIPT
$SCRIPT &

    4. Select the 'Save Startup' option.
    5. Go to 'Access Restrictions' in DDWRT's GUI.
    6. Set your preferences for when you want WAN access and no-access by assigning your MAC addresses in the 'Edit List of clients' tab.
    7. Save, apply and reboot router.

The script should work; if not, you can always have a look at the original guide below. Remember that eibgrad's excellent script checks every 300 seconds (5 minutes), so there might be a slight delay between your start and end time in 'Access Restrictions', for example if the router has just been rebooted.

ORIGINAL GUIDE
I have managed to get the issue fixed. Big thanks to raph321 & bjornbai for their posts here which got me started on my EZ Guide below: http://www.dd-wrt.com/phpBB2/viewtopic.php?p=896286

Use Case: You have a VPN at the Router Level, such as PrivateInternetAccess (PIA) so that your entire household is protected, but you also want to limit Wan (internet) access to certain times so your kids aren't using the Internet late at night. The problem is OpenVPN and DDWRT's 'Access Restrictions' don't play well together, but my step by step guide below will show you how to manually do this.

Disclaimer: This setup was tested with a Netgear R7000 with Kong 25090M Build but should work in a number of similar scenarios, however make sure you backup, backup, and backup everything before following my guide.

If you want to know how to install PIA onto your R7000 you can follow the excellent guide here: http://www.instructables.com/id/Configure-VPN-Settings-on-a-DD-WRT-Router-for-Priv/?ALLSTEPS

As I am a complete noob, I am writing my guide for other noobs.

-***EZ GUIDE START***-

1. Access Restriction:
Completely ignore the Access Restriction option in DDWRT GUI as it will simply not work with OpenVPN, so disable it via the GUI.


2. WinSCP:
Download WinSCP from here: http://winscp.net/eng/index.php

3. Notepad++: Download Notepad++ from here: http://notepad-plus-plus.org/

4. WAN On & Off Scripts: In Notepad++ you are going to create two scripts. The first script will switch off (or disable) WAN access for a specific machine on your network by using its MAC address, and the second script will switch on (or enable) WAN access.

Copy and paste the below into Notepad++ and save it as "off.sh", changing the xx:xx:xx:xx:xx:xx to the MAC address of the machine you want to disable WAN access for on your network:

Code:
#!/bin/sh
# Drop forwarded (WAN-bound) traffic from this MAC; replace xx:xx:xx:xx:xx:xx with the device's MAC address.
iptables -I FORWARD -m mac --mac-source xx:xx:xx:xx:xx:xx -j DROP



Copy and paste the below into Notepad++ and save it as "on.sh", using the same MAC address as before, to enable WAN access:

Code:
#!/bin/sh
# Remove the DROP rule inserted by off.sh for the same MAC address.
iptables -D FORWARD -m mac --mac-source xx:xx:xx:xx:xx:xx -j DROP



5. JFFS: The scripts need to be saved onto the router, and the best way to ensure these scripts are not deleted every time the router reboots is to enable the JFFS option. To do this, use the DDWRT GUI, go to 'Administration' and scroll down to 'JFFS2 Support'. Click 'Enable' for JFFS2, scroll down, click 'Save', then click 'Apply', wait a few minutes and reboot the router. Once rebooted, go back there, select 'Clean JFFS2', scroll down and click 'Apply' (do not save). Wait a few minutes and reboot the router once again. You now have a JFFS partition where you can upload your two scripts; to do this you will need WinSCP.


6. WinSCP Access: Start WinSCP. In 'File Protocol' select 'SCP', in 'Host Name' enter the IP address of your router (usually something like 192.168.0.1 or similar), in 'Port Number' make sure it is '22', and in 'User name' enter 'root' (make sure you use root as the user name and not the user name of your router). In 'Password' enter the router's password. Select login and you should now be in your router.


If you get an error message, make sure you have enabled SCP access on the router. To do this, use the DDWRT GUI, go to 'Services', scroll down to 'Secure Shell' and enable 'SSHd', disable 'SSH TCP Forwarding', enable 'Password Login', make sure 'Port' is '22' and leave 'Authorized Keys' blank.


Then go to 'Administration' and scroll down to 'Remote Access' and enable 'SSH Management', make sure 'SSH Remote Port' is set to '22' and enable 'Allow Any Remote IP'. You should now be able to connect to your router with WinSCP.


7. WinSCP Uploading Files: In WinSCP you should see a 'jffs' folder. Create a new folder inside the jffs directory and name it 'wanaccess'. Make sure that the directory is 'rwxr-xr-x'; to do this, right click on 'wanaccess', select 'Properties' and enter '0755' in 'Octal'. Now upload the two scripts you created earlier (on.sh & off.sh) to the 'wanaccess' directory, again making sure both scripts are 'rwxr-xr-x'.


8. Manually Testing Scripts: Open the DDWRT GUI and go to 'Administration' and then 'Commands'. Now paste the following into the text field and click the 'Run Commands' option:
Code:
sh /jffs/wanaccess/off.sh



Whatever MAC address you specified in your script should now no longer be able to access the WAN, but can still access the internal LAN (shared drives etc.). Now simply test that restoring WAN access works by using the following code:
Code:
sh /jffs/wanaccess/on.sh


9. Cron Jobs: At this point everything should be fine; you are now able to enable or disable WAN access for specific MAC addresses on your network whilst still keeping your OpenVPN running. What you want to be able to do now is set a timer to run the script at specific times/days so that you can manage internet access for your kids, for example. One way to achieve this is with a cron job. Go to the DDWRT GUI, select 'Administration' and then scroll down to 'Cron'. Enter the following test line:
Code:
* * * * * root sh /jffs/wanaccess/off.sh

Click 'Save', and then 'Apply'. Reboot the router to be sure. The above should in theory kill WAN access by trying to run the 'off.sh' script every minute. If this works you can customise your cron job to suit your needs, having it run the 'on' script and the 'off' script at set times. For example, if you want your kids to be able to have WAN access from 17:30pm to 20:45pm every day for their homework, the code below is what you would use:

Code:
30 17 * * * root sh /jffs/wanaccess/on.sh
45 20 * * * root sh /jffs/wanaccess/off.sh



-***EZ GUIDE END***-

Hope this is useful to someone. A lot of what is listed above users will already know, but noobs like me have to find out the hard way. It might also be a good idea to disable WinSCP access when finished.


Last edited by mikimik on Tue Jan 13, 2015 20:12; edited 7 times in total
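The test cron line in the original guide runs off.sh every minute, and each run inserts another DROP rule while iptables -D removes only the first match, so a device can stay blocked until on.sh has been run as many times. As an added example (not the thread's off.sh/on.sh and not DD-WRT code), here is a single script that makes both operations idempotent and rejects the xx:xx placeholder; it assumes it is saved as /jffs/wanaccess/wanaccess.sh, that the build's iptables supports -S, and that cron calls it as `sh /jffs/wanaccess/wanaccess.sh off aa:bb:cc:dd:ee:ff` (MAC constructed). IPTABLES is overridable only so the logic can be exercised with a stub.

```shell
#!/bin/sh
# wanaccess.sh on|off MAC  -- idempotent per-MAC WAN block in the FORWARD chain.
# Added example, not the thread's off.sh/on.sh. IPTABLES is overridable so the
# logic can be exercised with a stub; on the router leave it at the default.
IPTABLES="${IPTABLES:-iptables}"

# Accept only a well-formed MAC, so the xx:xx:xx:xx:xx:xx placeholder from the
# guide is rejected instead of being handed to iptables.
valid_mac() {
    printf '%s\n' "$1" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# True when a DROP rule for this MAC already sits in FORWARD. Reads the -S
# listing (iptables prints the MAC upper-case, hence -i) rather than using -C,
# which older builds lack.
rule_present() {
    $IPTABLES -S FORWARD | grep -qi -- "--mac-source $1 .*-j DROP"
}

# off: insert the DROP once, however many times cron fires this.
wan_off() {
    valid_mac "$1" || { echo "wanaccess: bad MAC '$1'" >&2; return 2; }
    rule_present "$1" && return 0
    $IPTABLES -I FORWARD -m mac --mac-source "$1" -j DROP
}

# on: -D removes only the first matching rule, so loop until none is left;
# otherwise a stacked duplicate would keep the device blocked.
wan_on() {
    valid_mac "$1" || { echo "wanaccess: bad MAC '$1'" >&2; return 2; }
    while rule_present "$1"; do
        $IPTABLES -D FORWARD -m mac --mac-source "$1" -j DROP || return 1
    done
}

case "$1" in
    off) wan_off "$2" ;;
    on)  wan_on "$2" ;;
    "")  ;;  # run without arguments: only define the functions
    *)   echo "usage: $0 on|off MAC" >&2; exit 1 ;;
esac
```

The two cron lines from the guide then become `30 17 * * * root sh /jffs/wanaccess/wanaccess.sh on aa:bb:cc:dd:ee:ff` and `45 20 * * * root sh /jffs/wanaccess/wanaccess.sh off aa:bb:cc:dd:ee:ff`.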
mikimik
DD-WRT Novice


Joined: 12 Jan 2015
Posts: 13

PostPosted: Tue Jan 13, 2015 14:50    Post subject:
I agree, getting Access Restrictions to work with OpenVPN would be the ideal situation, but beyond my knowledge. The above workaround is the only way I have managed so far coming from a non-linux background.
mikimik
DD-WRT Novice


Joined: 12 Jan 2015
Posts: 13

PostPosted: Tue Jan 13, 2015 15:28    Post subject:
I tried adding to the firewall
Code:
iptables -D FORWARD -j lan2wan
iptables -I FORWARD -j lan2wan

But unfortunately it has no effect on getting Access Restrictions working with OpenVPN. The above workaround works, but has a limitation: when the router is rebooted, WAN access is re-enabled.
mikimik
DD-WRT Novice


Joined: 12 Jan 2015
Posts: 13

PostPosted: Tue Jan 13, 2015 16:17    Post subject:
Looking at my forward table:

Quote:
root@DD-WRT:~# iptables -vnL FORWARD
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2628 577K ACCEPT 0 -- * tun1 0.0.0.0/0 0.0.0.0/0
2893 1888K ACCEPT 0 -- tun1 * 0.0.0.0/0 0.0.0.0/0
0 0 DROP 0 -- br0 vlan2 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 0 -- tun1 br0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 0 -- br0 tun1 0.0.0.0/0 0.0.0.0/0
58292 55M ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT 47 -- * ppp0 192.168.0.0/24 0.0.0.0/0
0 0 ACCEPT tcp -- * ppp0 192.168.0.0/24 0.0.0.0/0 tcp dpt:1723
44 3824 lan2wan 0 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 0 -- br0 br0 0.0.0.0/0 0.0.0.0/0
44 3824 ACCEPT 0 -- br0 ppp0 0.0.0.0/0 0.0.0.0/0
0 0 TRIGGER 0 -- ppp0 br0 0.0.0.0/0 0.0.0.0/0 TRIGGER type:in match:0 relate:0
0 0 trigger_out 0 -- br0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 0 -- br0 * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0


I'm not sure how to manipulate lan2wan, any ideas?
mikimik
DD-WRT Novice


Joined: 12 Jan 2015
Posts: 13

PostPosted: Tue Jan 13, 2015 17:22    Post subject:
Interesting, so I tested your suggestion:

Telnet into router then
Code:
iptables -vnL FORWARD

lan2wan was midway, so then:
Code:
iptables -D FORWARD -j lan2wan
iptables -I FORWARD -j lan2wan

then:
Code:
iptables -vnL FORWARD

Now lan2wan is at the top; in theory Access Restrictions should work while OpenVPN is running.

Quote:
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
51 25960 lan2wan 0 -- * * 0.0.0.0/0 0.0.0.0/0
12116 877K ACCEPT 0 -- * tun1 0.0.0.0/0 0.0.0.0/0
17882 24M ACCEPT 0 -- tun1 * 0.0.0.0/0 0.0.0.0/0
13048 11M ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT 47 -- * ppp0 192.168.0.0/24 0.0.0.0/0
0 0 ACCEPT tcp -- * ppp0 192.168.0.0/24 0.0.0.0/0 tcp dpt:1723
0 0 ACCEPT 0 -- br0 br0 0.0.0.0/0 0.0.0.0/0
78 4464 ACCEPT 0 -- br0 ppp0 0.0.0.0/0 0.0.0.0/0
0 0 TRIGGER 0 -- ppp0 br0 0.0.0.0/0 0.0.0.0/0 TRIGGER type:in match:0 relate:0
0 0 trigger_out 0 -- br0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 0 -- br0 * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0


I set an 'off' time in 'Access Restrictions' and an 'on' time for a few minutes later, and yes, it works: WAN is disabled at the 'off' time, but the problem is the 'on' time never reactivates WAN access. I checked lan2wan with iptables -vnL FORWARD and it's still listed at the top, so the 'on' time should have worked.

As a side note, keeping lan2wan at the top of the order of priority is a little tricky, as almost any interaction with the DDWRT GUI tends to revert it back to a lower level of priority down the list.


Last edited by mikimik on Tue Jan 13, 2015 17:36; edited 2 times in total
mikimik
DD-WRT Novice


Joined: 12 Jan 2015
Posts: 13

PostPosted: Tue Jan 13, 2015 17:32    Post subject:
More info: adding
Code:
iptables -D FORWARD -j lan2wan
iptables -I FORWARD -j lan2wan

to the firewall via the GUI and then rebooting and looking at the forward table once the OpenVPN has kicked in, it looks like this:
Quote:

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1466 123K ACCEPT 0 -- * tun1 0.0.0.0/0 0.0.0.0/0
2223 2990K ACCEPT 0 -- tun1 * 0.0.0.0/0 0.0.0.0/0
7752 6481K lan2wan 0 -- * * 0.0.0.0/0 0.0.0.0/0
7674 6477K ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT 47 -- * ppp0 192.168.0.0/24 0.0.0.0/0
0 0 ACCEPT tcp -- * ppp0 192.168.0.0/24 0.0.0.0/0 tcp dpt:1723
0 0 ACCEPT 0 -- br0 br0 0.0.0.0/0 0.0.0.0/0
78 4464 ACCEPT 0 -- br0 ppp0 0.0.0.0/0 0.0.0.0/0
0 0 TRIGGER 0 -- ppp0 br0 0.0.0.0/0 0.0.0.0/0 TRIGGER type:in match:0 relate:0
0 0 trigger_out 0 -- br0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 0 -- br0 * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0

lan2wan is not quite top priority; is tun1 the VPN?
mikimik
DD-WRT Novice


Joined: 12 Jan 2015
Posts: 13

PostPosted: Tue Jan 13, 2015 17:39    Post subject:
In answer to my own question, it looks like tun1 refers to the vpn. When I disable OpenVPN via the gui:

Quote:
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
10228 9619K lan2wan 0 -- * * 0.0.0.0/0 0.0.0.0/0
10189 9605K ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT 47 -- * ppp0 192.168.0.0/24 0.0.0.0/0
0 0 ACCEPT tcp -- * ppp0 192.168.0.0/24 0.0.0.0/0 tcp dpt:1723
0 0 ACCEPT 0 -- br0 br0 0.0.0.0/0 0.0.0.0/0
39 13215 ACCEPT 0 -- br0 ppp0 0.0.0.0/0 0.0.0.0/0
0 0 TRIGGER 0 -- ppp0 br0 0.0.0.0/0 0.0.0.0/0 TRIGGER type:in match:0 relate:0
0 0 trigger_out 0 -- br0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 0 -- br0 * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0
mikimik
DD-WRT Novice


Joined: 12 Jan 2015
Posts: 13

PostPosted: Tue Jan 13, 2015 17:59    Post subject:
Thanks, this is great. I placed the script into DDWRT via the GUI and saved it as a startup. Rebooted the router, and lan2wan is below the VPN:

Quote:
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1240 249K ACCEPT 0 -- * tun1 0.0.0.0/0 0.0.0.0/0
1048 488K ACCEPT 0 -- tun1 * 0.0.0.0/0 0.0.0.0/0
18396 18M ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT 47 -- * ppp0 192.168.0.0/24 0.0.0.0/0
0 0 ACCEPT tcp -- * ppp0 192.168.0.0/24 0.0.0.0/0 tcp dpt:1723
16 1060 lan2wan 0 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 0 -- br0 br0 0.0.0.0/0 0.0.0.0/0
16 1060 ACCEPT 0 -- br0 ppp0 0.0.0.0/0 0.0.0.0/0
0 0 TRIGGER 0 -- ppp0 br0 0.0.0.0/0 0.0.0.0/0 TRIGGER type:in match:0 relate:0
0 0 trigger_out 0 -- br0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 0 -- br0 * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0


Waited 5 minutes, and your script has worked, as I now see lan2wan is above the VPN:

Quote:
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1810 1699K lan2wan 0 -- * * 0.0.0.0/0 0.0.0.0/0
1357 278K ACCEPT 0 -- * tun1 0.0.0.0/0 0.0.0.0/0
1176 554K ACCEPT 0 -- tun1 * 0.0.0.0/0 0.0.0.0/0
26010 25M ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT 47 -- * ppp0 192.168.0.0/24 0.0.0.0/0
0 0 ACCEPT tcp -- * ppp0 192.168.0.0/24 0.0.0.0/0 tcp dpt:1723
0 0 ACCEPT 0 -- br0 br0 0.0.0.0/0 0.0.0.0/0
16 1060 ACCEPT 0 -- br0 ppp0 0.0.0.0/0 0.0.0.0/0
0 0 TRIGGER 0 -- ppp0 br0 0.0.0.0/0 0.0.0.0/0 TRIGGER type:in match:0 relate:0
0 0 trigger_out 0 -- br0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 0 -- br0 * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0

Will check Access Restrictions.
mikimik
DD-WRT Novice


Joined: 12 Jan 2015
Posts: 13

PostPosted: Tue Jan 13, 2015 18:52    Post subject:
Thanks eibgrad, I checked your script with 'Access Restrictions' and it works. WAN access for the assigned MAC address is terminated successfully and re-enabled at the set time.

It's now possible to have OpenVPN and Access Restrictions work at the same time.
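For anyone checking the ordering by hand as in the posts above, here is an added example (not eibgrad's script or anything from the thread) that applies the watchdog's test offline to listings modelled on the FORWARD tables posted in this thread: it reads `iptables -vnL FORWARD` output from a string, reports which rule holds the lan2wan jump, and also recognises the case where there is no lan2wan rule at all (Access Restrictions disabled), which the five-minute loop has no reason to touch. The listings are constructed; on the router, pass in the live output with `lan2wan_index "$(iptables -vnL FORWARD)"`.

```shell
#!/bin/sh
# Offline check of the rule-order decision inside the lan2wan watchdog.
# Added example, not eibgrad's script. The text of "iptables -vnL FORWARD"
# is passed in as a string so this runs anywhere.

# Print the 1-based position of the lan2wan jump among the FORWARD rules.
# The listing starts with two header lines ("Chain FORWARD ..." and
# "pkts bytes target ..."), so rule N is on line N+2; that is why the
# watchdog compares FNR with 3. Prints 0 if no lan2wan rule exists.
lan2wan_index() {
    printf '%s\n' "$1" | awk '
        NR > 2 && $3 == "lan2wan" { print NR - 2; found = 1; exit }
        END { if (!found) print 0 }'
}

# 0: lan2wan already first (nothing to do); 1: it must be moved to the top;
# 2: absent, i.e. Access Restrictions is off, so there is nothing to re-insert.
lan2wan_needs_fix() {
    case "$(lan2wan_index "$1")" in
        1) return 0 ;;
        0) return 2 ;;
        *) return 1 ;;
    esac
}

# Constructed listings modelled on the FORWARD tables posted in this thread.
# Broken order: the OpenVPN (tun1) ACCEPT rules come before lan2wan.
BROKEN_LISTING='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1466  123K ACCEPT     0    --  *      tun1    0.0.0.0/0            0.0.0.0/0
 2223 2990K ACCEPT     0    --  tun1   *       0.0.0.0/0            0.0.0.0/0
 7752 6481K lan2wan    0    --  *      *       0.0.0.0/0            0.0.0.0/0'

# After "iptables -D FORWARD -j lan2wan; iptables -I FORWARD -j lan2wan".
FIXED_LISTING='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 7752 6481K lan2wan    0    --  *      *       0.0.0.0/0            0.0.0.0/0
 1466  123K ACCEPT     0    --  *      tun1    0.0.0.0/0            0.0.0.0/0
 2223 2990K ACCEPT     0    --  tun1   *       0.0.0.0/0            0.0.0.0/0'

# Access Restrictions disabled: no lan2wan jump at all.
NO_RULE_LISTING='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1466  123K ACCEPT     0    --  *      tun1    0.0.0.0/0            0.0.0.0/0'

# Stand-alone demonstration over the three constructed listings.
for listing in "$BROKEN_LISTING" "$FIXED_LISTING" "$NO_RULE_LISTING"; do
    rc=0; lan2wan_needs_fix "$listing" || rc=$?
    case $rc in
        0) echo "lan2wan is rule 1: nothing to do" ;;
        2) echo "no lan2wan rule: leave the chain alone" ;;
        *) echo "lan2wan is rule $(lan2wan_index "$listing"): move it to the top" ;;
    esac
done
```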
Xentrk
DD-WRT Novice


Joined: 03 Jun 2016
Posts: 45

PostPosted: Fri Oct 07, 2016 0:51    Post subject:
Thank you Mikimik and eibgrad,

Your script appears to have fixed my Access Restriction issues as documented here even though I am not running OpenVPN client:

http://www.dd-wrt.com/phpBB2/viewtopic.php?p=1049705#1049705

I will continue to monitor over the weekend.
mikimik
DD-WRT Novice


Joined: 12 Jan 2015
Posts: 13

PostPosted: Mon Oct 10, 2016 14:49    Post subject:
What are you running?
Xentrk
DD-WRT Novice


Joined: 03 Jun 2016
Posts: 45

PostPosted: Tue Oct 11, 2016 11:34    Post subject:
Router: D-Link 880L

Build: DD-WRT v3.0-r29837 std (06/06/16)


This is the script that fixed my access restriction issues.

Code:
#!/bin/sh
SCRIPT="/tmp/lan2wan.sh"
cat << "EOF" > $SCRIPT
#!/bin/sh
while true; do
    if [ "$(iptables -vnL FORWARD | awk '/lan2wan/ {print FNR}')" != "3" ]; then
        iptables -D FORWARD -j lan2wan
        iptables -I FORWARD -j lan2wan
    fi
    sleep 300
done
EOF
chmod +x $SCRIPT
$SCRIPT &

I even tested that WAN access was denied per the rule even if I was on the web prior to the time the rule is supposed to take effect. This was an issue others reported. I monitored over the weekend and all of the rules work as they should.
drnorton
DD-WRT User


Joined: 08 Dec 2009
Posts: 137

PostPosted: Tue Sep 05, 2017 10:10    Post subject:
Hello...

I have the same trouble with my TP-Link 1043nd V1.
I know this is in the wrong place here, as it is Atheros-based hardware, but the same problems.

Is there a script for TP-Link too?
I wish to have Access Restrictions and OpenVPN work together.

Thanks...
Xentrk
DD-WRT Novice


Joined: 03 Jun 2016
Posts: 45

PostPosted: Tue Sep 05, 2017 14:33    Post subject:
drnorton wrote:
Hello...

I have the same trouble with my TP-Link 1043nd V1.
I know this is in the wrong place here, as it is Atheros-based hardware, but the same problems.

Is there a script for TP-Link too?
I wish to have Access Restrictions and OpenVPN work together.

Thanks...

I ended up having to write a script with iptables commands to drop traffic from certain devices and scheduled it via cron. I will post it here tomorrow morning.