DD-WRT :: View topic - VPN kill switch bypass

VPN kill switch bypass

DD-WRT Forum Index -> Advanced Networking

View previous topic :: View next topic

Author

Message

JFG
DD-WRT Novice

Joined: 24 Feb 2018
Posts: 7

Posted: Sun Feb 25, 2018 3:33 Post subject: VPN kill switch bypass

I've flashed my Linksys EA6200 with the Expressvpn firmware . It's basically DD-WRT v3.0-r31277 with less options in the UI but I can still SSH to it. It's also pre-configured with a network lock (aka kill switch). I use it for only one purpose, front my Nvidia Shield.

The problem :

With the netkwork lock I can't acces my HDHomeRun tv tuner/stream which is plugged in another subnet on my primary router. From what I understand a recipe like this https://www.dd-wrt.com/wiki/index.php/Linking_Subnets_with_Static_Routes will not work because of the netkwork lock.

Is there some kind voodoo iptables trick that I could use to bypass the kill switch to access one or more specific IPs in another subnet ?

Thanks

Sponsor

JFG
DD-WRT Novice

Joined: 24 Feb 2018
Posts: 7

Posted: Sun Feb 25, 2018 6:21 Post subject:

Read this post https://www.dd-wrt.com/phpBB2/viewtopic.php?t=277299 . It's close to what I want.

But I don't know how to apply it and if it will work my iptables config.

Here's a dump of my FORWARD chain:

Code:

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
17M 18G vpn_forward 0 -- * * 0.0.0.0/0 0.0.0.0/0
17M 18G ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 lan2wan 0 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 0 -- br0 br0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- vlan2 * 0.0.0.0/0 224.0.0.0/4
0 0 TRIGGER 0 -- vlan2 br0 0.0.0.0/0 0.0.0.0/0 TRIGGER type:in match:0 relate:0
0 0 trigger_out 0 -- br0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 0 -- br0 * 0.0.0.0/0 0.0.0.0/0 state NEW

From /tmp/.ipt :

Code:

-A FORWARD -j lan2wan
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -i vlan2 -p udp --destination 224.0.0.0/4 -j ACCEPT
-A FORWARD -i vlan2 -o br0 -j TRIGGER --trigger-type in
-A FORWARD -i br0 -j trigger_out
-A FORWARD -i br0 -m state --state NEW -j ACCEPT
-I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

JFG
DD-WRT Novice

Joined: 24 Feb 2018
Posts: 7

Posted: Sun Feb 25, 2018 19:11 Post subject:

The rc_firewall is empty . iptables -vnL vpn_forward :

Code:

Chain vpn_forward (1 references)
pkts bytes target prot opt in out source destination
10643 3722K vpn_dns 0 -- * * 0.0.0.0/0 0.0.0.0/0
10351 3702K vpn_ms 0 -- * * 0.0.0.0/0 0.0.0.0/0

Here's the .ipt file :

Code:

*mangle
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-N wan_prerouting
-A wan_prerouting -i ! vlan2 -d 10.0.1.54 -j MARK --set-mark 0x80000000/0x80000000
-A wan_prerouting -j CONNMARK --save-mark
-I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-N wan_prerouting
-A wan_prerouting -p tcp -d 10.0.1.54 --dport 8080 -j DNAT --to-destination 10.0.2.1:80
-A wan_prerouting -p tcp -d 10.0.1.54 --dport 22 -j DNAT --to-destination 10.0.2.1:22
-A wan_prerouting -p icmp -d 10.0.1.54 -j DNAT --to-destination 10.0.2.1
-A wan_prerouting -d 10.0.1.54 -j TRIGGER --trigger-type dnat
-N wan_postrouting
-A wan_postrouting -s 10.0.2.1/24 -o vlan2 -j SNAT --to-source 10.0.1.54
-A wan_postrouting -m mark --mark 0x80000000/0x80000000 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
:logreject - [0:0]
:trigger_out - [0:0]
:lan2wan - [0:0]
:grp_1 - [0:0]
:advgrp_1 - [0:0]
:grp_2 - [0:0]
:advgrp_2 - [0:0]
:grp_3 - [0:0]
:advgrp_3 - [0:0]
:grp_4 - [0:0]
:advgrp_4 - [0:0]
:grp_5 - [0:0]
:advgrp_5 - [0:0]
:grp_6 - [0:0]
:advgrp_6 - [0:0]
:grp_7 - [0:0]
:advgrp_7 - [0:0]
:grp_8 - [0:0]
:advgrp_8 - [0:0]
:grp_9 - [0:0]
:advgrp_9 - [0:0]
:grp_10 - [0:0]
:advgrp_10 - [0:0]
-A INPUT -p tcp -i vlan2 --dport 23 -j DROP
-A FORWARD -j lan2wan
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -i vlan2 -p udp --destination 224.0.0.0/4 -j ACCEPT
-A FORWARD -i vlan2 -o br0 -j TRIGGER --trigger-type in
-A FORWARD -i br0 -j trigger_out
-A FORWARD -i br0 -m state --state NEW -j ACCEPT
-I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A logaccept -j ACCEPT
-A logdrop -j DROP
-A logreject -p tcp -j REJECT --reject-with tcp-reset
COMMIT

JFG
DD-WRT Novice

Joined: 24 Feb 2018
Posts: 7

Posted: Sun Feb 25, 2018 22:55 Post subject:

Thanks for the help eibgrad !

So I did add your sugesstion in the rc_firewall but no luck ...

Code:

nvram get rc_firewall
iptables -I FORWARD -d 10.0.1.3 -j ACCEPT

My VPN router is in the 10.0.2.x subnet and my primary router is in 10.0.1.x. Of course when I turn off the VPN I can ping 10.0.1.3 from 10.0.2.x .

Adding the rule in the rc_firewall is a good idea or it must be added in a specific order/location ?

Code:

Chain FORWARD (policy ACCEPT)
target prot opt source destination
vpn_forward 0 -- anywhere anywhere
ACCEPT 0 -- anywhere 10.0.1.3
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
lan2wan 0 -- anywhere anywhere
ACCEPT 0 -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.0/4
TRIGGER 0 -- anywhere anywhere TRIGGER type:in match:0 relate:0
trigger_out 0 -- anywhere anywhere
ACCEPT 0 -- anywhere anywhere state NEW

[/code]

JFG
DD-WRT Novice

Joined: 24 Feb 2018
Posts: 7

Posted: Sun Feb 25, 2018 23:48 Post subject:

nvram show | grep vpn_forward and grep -r vpn_forward /jffs/* are both empty .

Code:

Chain INPUT (policy ACCEPT 39400 packets, 17M bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- vlan2 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:23

Chain FORWARD (policy ACCEPT 390 packets, 27982 bytes)
pkts bytes target prot opt in out source destination
54955 19M vpn_forward 0 -- * * 0.0.0.0/0 0.0.0.0/0
414 158K ACCEPT 0 -- * * 0.0.0.0/0 10.0.1.3
52643 19M ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2850 390K lan2wan 0 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 0 -- br0 br0 0.0.0.0/0 0.0.0.0/0
452 151K ACCEPT udp -- vlan2 * 0.0.0.0/0 224.0.0.0/4
176 16123 TRIGGER 0 -- vlan2 br0 0.0.0.0/0 0.0.0.0/0 TRIGGER type:in match:0 relate:0
2222 223K trigger_out 0 -- br0 * 0.0.0.0/0 0.0.0.0/0
2008 211K ACCEPT 0 -- br0 * 0.0.0.0/0 0.0.0.0/0 state NEW

Chain OUTPUT (policy ACCEPT 34421 packets, 11M bytes)
pkts bytes target prot opt in out source destination

Chain advgrp_1 (0 references)
pkts bytes target prot opt in out source destination

Chain advgrp_10 (0 references)
pkts bytes target prot opt in out source destination

Chain advgrp_2 (0 references)
pkts bytes target prot opt in out source destination

Chain advgrp_3 (0 references)
pkts bytes target prot opt in out source destination

Chain advgrp_4 (0 references)
pkts bytes target prot opt in out source destination

Chain advgrp_5 (0 references)
pkts bytes target prot opt in out source destination

Chain advgrp_6 (0 references)
pkts bytes target prot opt in out source destination

Chain advgrp_7 (0 references)
pkts bytes target prot opt in out source destination

Chain advgrp_8 (0 references)
pkts bytes target prot opt in out source destination

Chain advgrp_9 (0 references)
pkts bytes target prot opt in out source destination

Chain grp_1 (0 references)
pkts bytes target prot opt in out source destination

Chain grp_10 (0 references)
pkts bytes target prot opt in out source destination

Chain grp_2 (0 references)
pkts bytes target prot opt in out source destination

Chain grp_3 (0 references)
pkts bytes target prot opt in out source destination

Chain grp_4 (0 references)
pkts bytes target prot opt in out source destination

Chain grp_5 (0 references)
pkts bytes target prot opt in out source destination

Chain grp_6 (0 references)
pkts bytes target prot opt in out source destination

Chain grp_7 (0 references)
pkts bytes target prot opt in out source destination

Chain grp_8 (0 references)
pkts bytes target prot opt in out source destination

Chain grp_9 (0 references)
pkts bytes target prot opt in out source destination

Chain lan2wan (1 references)
pkts bytes target prot opt in out source destination

Chain logaccept (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0

Chain logdrop (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0

Chain logreject (0 references)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset

Chain trigger_out (1 references)
pkts bytes target prot opt in out source destination

Chain vpn_dns (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 mark match !0x0/0x80a0
102 6834 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 mark match !0x0/0x80a0

Chain vpn_forward (1 references)
pkts bytes target prot opt in out source destination
52466 18M vpn_dns 0 -- * * 0.0.0.0/0 0.0.0.0/0
52362 18M vpn_ms 0 -- * * 0.0.0.0/0 0.0.0.0/0

Chain vpn_ms (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP 0 -- * * 0.0.0.0/0 23.246.0.0/18 mark match 0x8000/0x8000
0 0 DROP 0 -- * * 0.0.0.0/0 37.77.184.0/21 mark match 0x8000/0x8000
0 0 DROP 0 -- * * 0.0.0.0/0 45.57.0.0/17 mark match 0x8000/0x8000
0 0 DROP 0 -- * * 0.0.0.0/0 64.120.128.0/17 mark match 0x8000/0x8000
0 0 DROP 0 -- * * 0.0.0.0/0 66.197.128.0/17 mark match 0x8000/0x8000
0 0 DROP 0 -- * * 0.0.0.0/0 69.53.224.0/19 mark match 0x8000/0x8000
0 0 DROP 0 -- * * 0.0.0.0/0 108.175.32.0/20 mark match 0x8000/0x8000
0 0 DROP 0 -- * * 0.0.0.0/0 185.2.220.0/22 mark match 0x8000/0x8000
0 0 DROP 0 -- * * 0.0.0.0/0 185.9.188.0/22 mark match 0x8000/0x8000
0 0 DROP 0 -- * * 0.0.0.0/0 192.173.64.0/18 mark match 0x8000/0x8000
0 0 DROP 0 -- * * 0.0.0.0/0 198.38.96.0/19 mark match 0x8000/0x8000
0 0 DROP 0 -- * * 0.0.0.0/0 198.45.48.0/20 mark match 0x8000/0x8000
0 0 DROP 0 -- * * 0.0.0.0/0 208.75.76.0/22 mark match 0x8000/0x8000
0 0 DROP 0 -- * * 0.0.0.0/0 76.9.223.0/24 mark match 0x8000/0x8000
0 0 DROP 0 -- * * 0.0.0.0/0 216.234.192.0/24 mark match 0x8000/0x8000

I did search for scripts :

Code:

find . -name "*.sh"
./etc/cidrroute.sh
./etc/config/pptpd_client.sh
./etc/config/proxywatchdog.sh
./etc/config/schedulerb.sh
./etc/config/wdswatchdog.sh
./etc/hotplug2-createmtd.sh
./etc/hso/connect.sh
./etc/hso/hso_connect.sh
./etc/lease_update.sh
./lib/functions.sh

[/code]

JFG
DD-WRT Novice

Joined: 24 Feb 2018
Posts: 7

Posted: Mon Feb 26, 2018 22:05 Post subject:

Code:

usr/sbin/openvpn --config /tmp/206-72-205-107-38069-udp.ovpn

Not much info in 206-72-205-107-38069-udp.ovpn but this :

Code:

down "./app --script"
down "./app --script"

Code:

root@DD-WRT:/opt/xvpnd# ./app
Usage:
--enable-vpn configure ip routes ans iptables for vpn
--enable-wan set iproutes and iproutes to allow access wan
--getgid get group id of the process
--setgid set group id and execute shell

Code:

root@DD-WRT:/opt/xvpnd# ./app --script
This script should be used only as openvpn up/down script

And if I call ./app --enable-vpn , it does set ll the ip rule and iptables . There's an /opt/xvpnd/app.dat file (binary), I guess all the iptables are packaged in it ...

JFG
DD-WRT Novice

Joined: 24 Feb 2018
Posts: 7

Posted: Wed Feb 28, 2018 0:22 Post subject:
No luck with your last suggestion ... Thanks for the the help, I gave up and decided to put my VPN router as my primary router with everything in the same subnet.

Display posts from previous:

Page 1 of 1

DD-WRT Forum Index -> Advanced Networking

All times are GMT

Navigation

Jump to:

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum

Log in

VPN kill switch bypass

Quick Links

Log in