JFG DD-WRT Novice Joined: 24 Feb 2018 Posts: 7
Posted: Sun Feb 25, 2018 3:33 Post subject: VPN kill switch bypass
I've flashed my Linksys EA6200 with the ExpressVPN firmware. It's basically DD-WRT v3.0-r31277 with fewer options in the UI, but I can still SSH to it. It's also pre-configured with a network lock (aka kill switch). I use it for only one purpose: to front my Nvidia Shield.
The problem:
With the network lock I can't access my HDHomeRun TV tuner/stream, which is plugged into another subnet on my primary router. From what I understand, a recipe like this https://www.dd-wrt.com/wiki/index.php/Linking_Subnets_with_Static_Routes will not work because of the network lock.
Is there some kind of voodoo iptables trick that I could use to bypass the kill switch to access one or more specific IPs in another subnet?
Thanks
JFG DD-WRT Novice Joined: 24 Feb 2018 Posts: 7
Posted: Sun Feb 25, 2018 6:21 Post subject:
Read this post https://www.dd-wrt.com/phpBB2/viewtopic.php?t=277299. It's close to what I want.
But I don't know how to apply it, or whether it will work with my iptables config.
Here's a dump of my FORWARD chain:
Code:
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
17M 18G vpn_forward 0 -- * * 0.0.0.0/0 0.0.0.0/0
17M 18G ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 lan2wan 0 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 0 -- br0 br0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- vlan2 * 0.0.0.0/0 224.0.0.0/4
0 0 TRIGGER 0 -- vlan2 br0 0.0.0.0/0 0.0.0.0/0 TRIGGER type:in match:0 relate:0
0 0 trigger_out 0 -- br0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 0 -- br0 * 0.0.0.0/0 0.0.0.0/0 state NEW
From /tmp/.ipt:
Code:
-A FORWARD -j lan2wan
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -i vlan2 -p udp --destination 224.0.0.0/4 -j ACCEPT
-A FORWARD -i vlan2 -o br0 -j TRIGGER --trigger-type in
-A FORWARD -i br0 -j trigger_out
-A FORWARD -i br0 -m state --state NEW -j ACCEPT
-I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
JFG DD-WRT Novice Joined: 24 Feb 2018 Posts: 7
Posted: Sun Feb 25, 2018 19:11 Post subject:
The rc_firewall is empty. iptables -vnL vpn_forward:
Code:
Chain vpn_forward (1 references)
pkts bytes target prot opt in out source destination
10643 3722K vpn_dns 0 -- * * 0.0.0.0/0 0.0.0.0/0
10351 3702K vpn_ms 0 -- * * 0.0.0.0/0 0.0.0.0/0
Here's the .ipt file:
Code:
*mangle
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-N wan_prerouting
-A wan_prerouting -i ! vlan2 -d 10.0.1.54 -j MARK --set-mark 0x80000000/0x80000000
-A wan_prerouting -j CONNMARK --save-mark
-I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-N wan_prerouting
-A wan_prerouting -p tcp -d 10.0.1.54 --dport 8080 -j DNAT --to-destination 10.0.2.1:80
-A wan_prerouting -p tcp -d 10.0.1.54 --dport 22 -j DNAT --to-destination 10.0.2.1:22
-A wan_prerouting -p icmp -d 10.0.1.54 -j DNAT --to-destination 10.0.2.1
-A wan_prerouting -d 10.0.1.54 -j TRIGGER --trigger-type dnat
-N wan_postrouting
-A wan_postrouting -s 10.0.2.1/24 -o vlan2 -j SNAT --to-source 10.0.1.54
-A wan_postrouting -m mark --mark 0x80000000/0x80000000 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
:logreject - [0:0]
:trigger_out - [0:0]
:lan2wan - [0:0]
:grp_1 - [0:0]
:advgrp_1 - [0:0]
:grp_2 - [0:0]
:advgrp_2 - [0:0]
:grp_3 - [0:0]
:advgrp_3 - [0:0]
:grp_4 - [0:0]
:advgrp_4 - [0:0]
:grp_5 - [0:0]
:advgrp_5 - [0:0]
:grp_6 - [0:0]
:advgrp_6 - [0:0]
:grp_7 - [0:0]
:advgrp_7 - [0:0]
:grp_8 - [0:0]
:advgrp_8 - [0:0]
:grp_9 - [0:0]
:advgrp_9 - [0:0]
:grp_10 - [0:0]
:advgrp_10 - [0:0]
-A INPUT -p tcp -i vlan2 --dport 23 -j DROP
-A FORWARD -j lan2wan
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -i vlan2 -p udp --destination 224.0.0.0/4 -j ACCEPT
-A FORWARD -i vlan2 -o br0 -j TRIGGER --trigger-type in
-A FORWARD -i br0 -j trigger_out
-A FORWARD -i br0 -m state --state NEW -j ACCEPT
-I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A logaccept -j ACCEPT
-A logdrop -j DROP
-A logreject -p tcp -j REJECT --reject-with tcp-reset
COMMIT
JFG DD-WRT Novice Joined: 24 Feb 2018 Posts: 7
Posted: Sun Feb 25, 2018 22:55 Post subject:
Thanks for the help, eibgrad!
So I did add your suggestion to the rc_firewall, but no luck...
Code:
nvram get rc_firewall
iptables -I FORWARD -d 10.0.1.3 -j ACCEPT
My VPN router is in the 10.0.2.x subnet and my primary router is in 10.0.1.x. Of course, when I turn off the VPN I can ping 10.0.1.3 from 10.0.2.x.
Is adding the rule in the rc_firewall a good idea, or must it be added in a specific order/location?
Code:
Chain FORWARD (policy ACCEPT)
target prot opt source destination
vpn_forward 0 -- anywhere anywhere
ACCEPT 0 -- anywhere 10.0.1.3
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
lan2wan 0 -- anywhere anywhere
ACCEPT 0 -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.0/4
TRIGGER 0 -- anywhere anywhere TRIGGER type:in match:0 relate:0
trigger_out 0 -- anywhere anywhere
ACCEPT 0 -- anywhere anywhere state NEW
JFG DD-WRT Novice Joined: 24 Feb 2018 Posts: 7
Posted: Sun Feb 25, 2018 23:48 Post subject:
nvram show | grep vpn_forward and grep -r vpn_forward /jffs/* are both empty.
Code:
Chain INPUT (policy ACCEPT 39400 packets, 17M bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- vlan2 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:23
Chain FORWARD (policy ACCEPT 390 packets, 27982 bytes)
pkts bytes target prot opt in out source destination
54955 19M vpn_forward 0 -- * * 0.0.0.0/0 0.0.0.0/0
414 158K ACCEPT 0 -- * * 0.0.0.0/0 10.0.1.3
52643 19M ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2850 390K lan2wan 0 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 0 -- br0 br0 0.0.0.0/0 0.0.0.0/0
452 151K ACCEPT udp -- vlan2 * 0.0.0.0/0 224.0.0.0/4
176 16123 TRIGGER 0 -- vlan2 br0 0.0.0.0/0 0.0.0.0/0 TRIGGER type:in match:0 relate:0
2222 223K trigger_out 0 -- br0 * 0.0.0.0/0 0.0.0.0/0
2008 211K ACCEPT 0 -- br0 * 0.0.0.0/0 0.0.0.0/0 state NEW
Chain OUTPUT (policy ACCEPT 34421 packets, 11M bytes)
pkts bytes target prot opt in out source destination
Chain advgrp_1 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_10 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_2 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_3 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_4 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_5 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_6 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_7 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_8 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_9 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_1 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_10 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_2 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_3 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_4 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_5 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_6 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_7 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_8 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_9 (0 references)
pkts bytes target prot opt in out source destination
Chain lan2wan (1 references)
pkts bytes target prot opt in out source destination
Chain logaccept (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain logdrop (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain logreject (0 references)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
Chain trigger_out (1 references)
pkts bytes target prot opt in out source destination
Chain vpn_dns (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 mark match !0x0/0x80a0
102 6834 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 mark match !0x0/0x80a0
Chain vpn_forward (1 references)
pkts bytes target prot opt in out source destination
52466 18M vpn_dns 0 -- * * 0.0.0.0/0 0.0.0.0/0
52362 18M vpn_ms 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain vpn_ms (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP 0 -- * * 0.0.0.0/0 23.246.0.0/18 mark match 0x8000/0x8000
0 0 DROP 0 -- * * 0.0.0.0/0 37.77.184.0/21 mark match 0x8000/0x8000
0 0 DROP 0 -- * * 0.0.0.0/0 45.57.0.0/17 mark match 0x8000/0x8000
0 0 DROP 0 -- * * 0.0.0.0/0 64.120.128.0/17 mark match 0x8000/0x8000
0 0 DROP 0 -- * * 0.0.0.0/0 66.197.128.0/17 mark match 0x8000/0x8000
0 0 DROP 0 -- * * 0.0.0.0/0 69.53.224.0/19 mark match 0x8000/0x8000
0 0 DROP 0 -- * * 0.0.0.0/0 108.175.32.0/20 mark match 0x8000/0x8000
0 0 DROP 0 -- * * 0.0.0.0/0 185.2.220.0/22 mark match 0x8000/0x8000
0 0 DROP 0 -- * * 0.0.0.0/0 185.9.188.0/22 mark match 0x8000/0x8000
0 0 DROP 0 -- * * 0.0.0.0/0 192.173.64.0/18 mark match 0x8000/0x8000
0 0 DROP 0 -- * * 0.0.0.0/0 198.38.96.0/19 mark match 0x8000/0x8000
0 0 DROP 0 -- * * 0.0.0.0/0 198.45.48.0/20 mark match 0x8000/0x8000
0 0 DROP 0 -- * * 0.0.0.0/0 208.75.76.0/22 mark match 0x8000/0x8000
0 0 DROP 0 -- * * 0.0.0.0/0 76.9.223.0/24 mark match 0x8000/0x8000
0 0 DROP 0 -- * * 0.0.0.0/0 216.234.192.0/24 mark match 0x8000/0x8000
I did search for scripts:
Code:
find . -name "*.sh"
./etc/cidrroute.sh
./etc/config/pptpd_client.sh
./etc/config/proxywatchdog.sh
./etc/config/schedulerb.sh
./etc/config/wdswatchdog.sh
./etc/hotplug2-createmtd.sh
./etc/hso/connect.sh
./etc/hso/hso_connect.sh
./etc/lease_update.sh
./lib/functions.sh
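The counters in the dump above already narrow this down: the -d 10.0.1.3 ACCEPT rule is being hit (414 packets), and vpn_forward only drops DNS and marked traffic to a fixed list of destination ranges, so the filter table is not what blocks the tuner, and the ip rule and route-table setup the app configures is the next place to look. As an added example that is not part of the thread, the Python below replays the dumped chains for a constructed packet the way the kernel walks them and reports the first terminating verdict (ACCEPT at the second FORWARD rule for the tuner traffic). The rule subset, the packet field names and the sample packet are assumptions taken from the dumps, not anything the firmware exposes.

```python
from ipaddress import ip_address, ip_network
# Rules constructed from the FORWARD, vpn_forward, vpn_dns and vpn_ms dumps in this
# thread, in the order iptables -vnL lists them (the -I rules sit on top).
RULES = {
    "FORWARD": ["-j vpn_forward",
                "-d 10.0.1.3 -j ACCEPT",           # the rule added via rc_firewall
                "-m state --state RELATED,ESTABLISHED -j ACCEPT",
                "-i br0 -m state --state NEW -j ACCEPT"],
    "vpn_forward": ["-j vpn_dns", "-j vpn_ms"],
    # "mark match !0x0/0x80a0" in the dump is the rule -m mark ! --mark 0x0/0x80a0
    "vpn_dns": ["-p tcp --dport 53 -m mark ! --mark 0x0/0x80a0 -j DROP",
                "-p udp --dport 53 -m mark ! --mark 0x0/0x80a0 -j DROP"],
    "vpn_ms": ["-d 23.246.0.0/18 -m mark --mark 0x8000/0x8000 -j DROP"],  # 1 of 15
}
TUNER = {"in": "br0", "out": "vlan2", "src": "10.0.2.20", "dst": "10.0.1.3",   # constructed
         "proto": "tcp", "dport": 80, "state": "NEW", "mark": 0}               # sample packet

def match_one(opt, val, pkt):
    """Does the single match 'opt val' hold for pkt (a dict of packet fields)?"""
    if opt in ("-s", "-d"):                         # address inside a CIDR prefix
        return ip_address(pkt["src" if opt == "-s" else "dst"]) in ip_network(val, strict=False)
    if opt == "--mark":                             # value/mask: (mark & mask) == value
        value, mask = (val.split("/") + ["0xffffffff"])[:2]
        return (pkt["mark"] & int(mask, 16)) == int(value, 16)
    if opt == "--state":
        return pkt["state"] in val.split(",")
    return str(pkt[{"-i": "in", "-o": "out", "-p": "proto", "--dport": "dport"}[opt]]) == val

def matches(rule, pkt):
    """True when every match in the rule holds; '! --opt val' negates one match."""
    toks, i = rule.split(), 0
    while toks[i] != "-j":
        negate, i = (True, i + 1) if toks[i] == "!" else (False, i)
        opt, val, i = toks[i], toks[i + 1], i + 2
        if opt != "-m" and match_one(opt, val, pkt) == negate:  # -m only names a module
            return False
    return True

def walk(chain, pkt):
    """First terminating (verdict, 'chain#n'); FORWARD falls back to its ACCEPT policy."""
    for n, rule in enumerate(RULES[chain], 1):
        if matches(rule, pkt):
            target = rule.split()[rule.split().index("-j") + 1]
            if target not in RULES:                 # built-in target ends the walk
                return target, f"{chain}#{n}"
            verdict = walk(target, pkt)             # user chain: descend, go on after RETURN
            if verdict[0] != "RETURN":
                return verdict
    return ("ACCEPT", "policy") if chain == "FORWARD" else ("RETURN", chain)
```

Feed it a UDP port 53 packet carrying the 0x8000 mark and the walk comes back with the DROP from vpn_dns instead, which is the only kind of forwarded traffic these chains ever refuse.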
JFG DD-WRT Novice Joined: 24 Feb 2018 Posts: 7
Posted: Mon Feb 26, 2018 22:05 Post subject:
Code:
usr/sbin/openvpn --config /tmp/206-72-205-107-38069-udp.ovpn
Not much info in 206-72-205-107-38069-udp.ovpn but this:
Code:
down "./app --script"
down "./app --script"
Code:
root@DD-WRT:/opt/xvpnd# ./app
Usage:
--enable-vpn configure ip routes ans iptables for vpn
--enable-wan set iproutes and iproutes to allow access wan
--getgid get group id of the process
--setgid set group id and execute shell
Code:
root@DD-WRT:/opt/xvpnd# ./app --script
This script should be used only as openvpn up/down script
And if I call ./app --enable-vpn, it does set all the ip rules and iptables. There's an /opt/xvpnd/app.dat file (binary); I guess all the iptables rules are packaged in it...
JFG DD-WRT Novice Joined: 24 Feb 2018 Posts: 7
Posted: Wed Feb 28, 2018 0:22 Post subject:
No luck with your last suggestion...
Thanks for the help. I gave up and decided to put my VPN router as my primary router with everything in the same subnet.