
Automatic Firewall rules with OpenVPN

Discussion in 'Tomato Firmware' started by Delta221, Apr 19, 2009.

  1. Delta221

    Delta221 Addicted to LI Member

    Is there an automatic firewall rule added so that the VPN server knows how to route DNS query responses to client machines?

    It looks like DNS queries won't go back to the client from the VPN with --redirect-gateway. To get DNS queries through to the VPN, you have to manually change the DNS server on your client machine to the VPN DNS server in windows, but nothing comes back. Any idea how to fix this? I am really bad with iptables :confused:
  2. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I don't do anything specifically to allow DNS to traverse the tunnel, but I don't think the firewall is blocking it (I open up the firewall completely - as far as I know). I don't use DNS over VPN, so I'm not sure what, if anything, needs to be done to allow it.

    You could try to get help on the OpenVPN IRC channel, and report back here with the results. If there is something that could change in the firmware to facilitate it, I could put it in.
  3. martinqiu

    martinqiu Addicted to LI Member

    It works well.
  4. Delta221

    Delta221 Addicted to LI Member

    DNS queries still go through the LAN router instead of the VPN tunnel with --route-gateway ip. I'm watching the queries with wireshark.
  5. ntest7

    ntest7 Network Guru Member

    You can add to your custom config
    push "dhcp-option DNS x.x.x.x"
    to set a specific DNS server. This can be specified multiple times for multiple DNS servers. You might also want
    push "dhcp-option DOMAIN example.com"
    to set a specific default domain for the tunnel.
  6. Delta221

    Delta221 Addicted to LI Member

    Is there a way to start an additional dnsmasq server on the vpn interface only? Still no replies for DNS queries over the tunnel.
  7. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I don't know for sure, but probably. What is it that you're trying to accomplish by doing so?
    ntest7 replied about this in the post directly above yours.
  8. Delta221

    Delta221 Addicted to LI Member

    So I guess there are two parts to my question. The first was getting the client to send queries over the tunnel, and ntest7 informed us of a better way of doing it rather than what I was originally doing, so that is resolved (Thanks ntest7).

    The second part is what is happening since the server is not replying to the DNS queries which are sent over the VPN, which is still happening.
  9. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Hmmm, sorry, I don't know how to remedy that. I think others have gotten DNS over VPN to work, maybe they'll be able to chime in.
  10. ntest7

    ntest7 Network Guru Member

    If the queries are reaching the DNS server, it is out of OpenVPN's control and will need to be solved elsewhere.

    One guess is the DNS server may be configured to only answer to specific IP addresses, not including yours. The DNS server logs should be able to confirm this guess. To fix this, either reconfigure the DNS server to answer your queries or NAT the far end to an acceptable address.

    Or maybe a routing issue at the DNS server.
  11. Delta221

    Delta221 Addicted to LI Member

    I don't think it is a routing issue, since http traffic reaches back to the client when the LAN DNS server is used. The server is running on all interfaces, so it should be ok:

    # netstat -al
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address Foreign Address State
    tcp 0 0* LISTEN

    The queries go through the tunnel, then I don't know what happens to them, whether dnsmasq rejects them, or whether they go through, but don't make it back. I don't think dnsmasq keeps any logs like that on tomato.
  12. Delta221

    Delta221 Addicted to LI Member

    I turned on syslog today on my router (VPN server: v1.23vpn3.0001) and ran it with all combinations of "If allowed by firewall" and "If blocked by firewall" inbound and outbound while the DNS queries were failing.

    Through the syslog client I had running on my windows machine, I saw the DNS queries sent by the vpn client over the vpn tunnel to my VPN server, but they were all blocked inbound by the firewall.

    When I had "If allowed by firewall" (inbound), nothing showed up on my syslog client. When I changed it to "If blocked by firewall", my syslog client showed all the DNS queries:


    How can iptables be configured to allow DNS queries in and out over the vpn? I don't have any additional firewall rules set up on my tomato router, the firewall is running on the default rules only. DNS queries also fail when I push the regular LAN ip of my router ( to the vpn client as the DNS server, so I'm guessing the same thing is happening.
  13. paped

    paped LI Guru Member

    I don't use openvpn on my router but I do use it on a Ubuntu server behind it and I configured the firewall rules (iptables so I presume they should be similar) and the DNS works. I used the details in this page.....


    And there are some more rules for TAP/TUN connections on the Openvpn FAQ page

    Don't know if these will work for this but it may give you some pointers at least.....
  14. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Well, I'm glad we finally have confirmation that the firewall is blocking it. I'm certainly no iptables expert, but I thought that the rules that I had
    iptables -A INPUT -i tun22 -j ACCEPT
    iptables -A FORWARD -i tun22 -j ACCEPT
    were enough to allow anything through. We now know what the problem is, but I still don't know what's needed to fix it. I'll do some research over the next couple of days, but if you find a firewall rule that fixes it, let me know, and I'll incorporate it in the firmware.
  15. paped

    paped LI Guru Member

    Those rules look similar to the ones I mentioned above on the OpenVPN FAQ site but I think that the TUN22 is shown as TUN+.

    Also, are you using TUN on your client? If you're using TAP, the rules would need to be TAP+ or possibly TAP22 if the 22 bit is significant to running Openvpn on/in tomato.

    Also I would assume that the masquerade rule shown in the URL link I posted previously would be needed, as you need to get from your VPN to your LAN subnet where the DNS server is and this should provide the NAT'ing for this?
  16. Delta221

    Delta221 Addicted to LI Member

    I don't know if the masquerade rule is necessary... When redirect-gateway is used, all traffic, except DNS queries, goes through the vpn successfully. I will try it anyway tomorrow, as well as the iptables tun rules.

    I noticed a few users posted that they could not access the internet when connecting with TAP... Maybe they are having the same problem?

    For those of you who are curious and want to replicate the problem, or confirm that it is an issue, here is my vpn server config:

    # Automatically generated configuration
    proto udp
    port 38933
    dev tun22
    cipher BF-CBC
    comp-lzo yes
    keepalive 15 60
    verb 3
    push "route"
    tls-auth static.key 0
    ca ca.crt
    dh dh.pem
    cert server.crt
    key server.key
    status-version 2
    status status

    # Custom Configuration
    auth SHA1
    key-method 2
    route-gateway dhcp
    push redirect-gateway
    push "dhcp-option DNS"
    topology subnet
    replay-window 60 15
    replay-persist /jffs/openvpn/replay
    chroot /jffs/openvpn/
    group nobody

    To use the local DNS server on your client machine's network, change the redirect-gateway line to push redirect-gateway bypass-dns

    Good night
  17. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I customized the rules I posted for what would have been used in his configuration. tun22 would be replaced with tap22, tap21, or tun21 if that's the device being used. tun+ just means "all TUN devices", and I don't want to do that as someone may choose different firewall options for different tunnels.
    I'm pretty sure I don't need to set up a NAT on the tunnel; I have the server push out routes to the clients so they can access the server LAN correctly, and the user has the option of having a NAT on the client or setting up routes in the opposite direction to allow for the return traffic. I think routes are all fine without adding a NAT. We just need to figure out why the firewall is blocking the traffic.
  18. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Have you tried it without most of these options (especially the topology line)? If you could try it without as many of those as possible (leave the DNS line, of course), it would narrow down the possible causes. My guess is just that I need to add some firewall rule, but it doesn't hurt to check.
  19. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Might as well go about testing if other firewall chains need to be opened. Try running the following from the router shell one at a time with the VPN connected, trying DNS between each to test:
    iptables -t filter -I INPUT -i tun22 -j ACCEPT
    iptables -t filter -I FORWARD -i tun22 -j ACCEPT
    iptables -t filter -I OUTPUT -i tun22 -j ACCEPT
    iptables -t filter -I upnp -i tun22 -j ACCEPT
    iptables -t filter -I wanin -i tun22 -j ACCEPT
    iptables -t filter -I wanout -i tun22 -j ACCEPT
    iptables -t nat -I PREROUTING -i tun22 -j ACCEPT
    iptables -t nat -I POSTROUTING -i tun22 -j ACCEPT
    iptables -t nat -I OUTPUT -i tun22 -j ACCEPT
    iptables -t nat -I upnp -i tun22 -j ACCEPT
    iptables -t mangle -I PREROUTING -i tun22 -j ACCEPT
    iptables -t mangle -I INPUT -i tun22 -j ACCEPT
    iptables -t mangle -I FORWARD -i tun22 -j ACCEPT
    iptables -t mangle -I OUTPUT -i tun22 -j ACCEPT
    iptables -t mangle -i POSTROUTING -i tun22 -j ACCEPT
    If one of them makes it start working, run
    service firewall restart
    and rerun the last iptables command that got it working (that will test if only that command was needed).

    I included every firewall chain present on the router (however unlikely to help), so I would sure hope this solves it for us.
  20. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Oh, my. I can't believe I'm just noticing this! You're telling the clients that (the server tunnel IP) is the DNS server. It should be (your server router LAN IP, right?). They are the same device, but dnsmasq only listens on the LAN.

    This may be the whole problem. But, if not, correct it and continue with my previous debugging suggestions.
  21. Delta221

    Delta221 Addicted to LI Member

    I tried pushing both router ip addresses to the VPN client separately, and and got the same error. I just verified the firewall blocked DNS requests to as well. The masquerade chain had no effect, so I will try all the other options later on, I have to go to work now.

    Thank you... hmm.. work can wait a few minutes :)
    I will update shortly
  22. Delta221

    Delta221 Addicted to LI Member

    I ran all of the chain commands individually, with no success. Some of the iptables commands did not work:

    # iptables -t filter -I OUTPUT -i tun21 -j ACCEPT
    iptables v1.3.7: Can't use -i with OUTPUT

    #iptables -t nat -I POSTROUTING -i tun21 -j ACCEPT
    iptables v1.3.7: Can't use -i with POSTROUTING

    #iptables -t nat -I OUTPUT -i tun21 -j ACCEPT
    iptables v1.3.7: Can't use -i with OUTPUT

    #iptables -t mangle -I OUTPUT -i tun21 -j ACCEPT
    iptables v1.3.7: Can't use -i with OUTPUT

    #iptables -t mangle -i POSTROUTING -i tun21 -j ACCEPT
    iptables v1.3.7: multiple -i flags not allowed

    I got the same drop error showing like before... I also saw a few of these show up in the log, I don't know if it is related to the vpn at all:

    Apr 27 19:21:07 kernel: DROP IN=vlan1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:14:f1:e6:d7:5d:08:00:45:00:01:62 SRC= DST= LEN=354 TOS=0x00 PREC=0x00 TTL=255 ID=53725 PROTO=UDP SPT=67 DPT=68 LEN=334

    My vpn is NOT numbered, so I don't know where this is coming from.
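    Sorting the kernel DROP lines that the "If blocked by firewall" logging produces by what they actually are helps separate a DNS query dropped on the tunnel from unrelated noise like the DHCP broadcast quoted above. This is an added example, not code from the thread; the log lines it parses are constructed (addresses and MACs made up), not the poster's syslog.

```python
"""Triage the kernel DROP lines Tomato writes to syslog so a DNS query blocked on the
tunnel interface is told apart from unrelated noise such as the DHCP broadcast above.
Added example, not code from the thread; the log lines below are constructed
(addresses and MACs made up), not the poster's syslog."""
import re
from collections import Counter

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) kernel: (\w+) (.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")   # flags like DF or SYN carry no '=' and are skipped

def parse_drop(line):
    """Return the KEY=VALUE fields of a netfilter DROP line, or None for any other line.
    LEN appears twice (IP header, then UDP/TCP header); the later one wins."""
    m = LINE_RE.match(line)
    if not m or m.group(2) != "DROP":
        return None
    fields = dict(KV_RE.findall(m.group(3)))
    fields["TIME"] = m.group(1)
    return fields

def classify(f):
    """Label a parsed DROP by what the dropped packet was."""
    iface, proto = f.get("IN", ""), f.get("PROTO")
    if proto == "UDP" and f.get("SPT") == "67" and f.get("DPT") == "68":
        return "dhcp-offer"        # DHCP server -> client broadcast; nothing to do with the VPN
    if proto in ("UDP", "TCP") and f.get("DPT") == "53":
        return "dns-over-tunnel" if iface.startswith(("tun", "tap")) else "dns-other"
    return "other"

def summarize(log_text):
    """Count DROP lines per class; non-DROP syslog lines are ignored."""
    drops = filter(None, map(parse_drop, log_text.splitlines()))
    return dict(Counter(classify(f) for f in drops))

def dns_tunnel_drops(log_text):
    """(time, iface, src, dst) for each DNS query dropped on a tunnel interface."""
    out = []
    for f in filter(None, map(parse_drop, log_text.splitlines())):
        if classify(f) == "dns-over-tunnel":
            out.append((f["TIME"], f["IN"], f["SRC"], f["DST"]))
    return out

# Constructed sample log: the DHCP broadcast shape quoted above, two DNS queries arriving
# over tun21 (one aimed at the tunnel IP, one at the LAN IP), a WAN scan, and a non-DROP line.
SAMPLE_LOG = """\
Apr 27 19:21:07 kernel: DROP IN=vlan1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:22:33:44:55:08:00 SRC=192.0.2.1 DST=255.255.255.255 LEN=354 TOS=0x00 PREC=0x00 TTL=255 ID=53725 PROTO=UDP SPT=67 DPT=68 LEN=334
Apr 27 19:21:12 kernel: DROP IN=tun21 OUT= MAC= SRC=10.8.0.6 DST=10.8.0.1 LEN=61 TOS=0x00 PREC=0x00 TTL=64 ID=4711 DF PROTO=UDP SPT=52310 DPT=53 LEN=41
Apr 27 19:21:12 kernel: DROP IN=tun21 OUT= MAC= SRC=10.8.0.6 DST=192.168.1.1 LEN=61 TOS=0x00 PREC=0x00 TTL=64 ID=4712 DF PROTO=UDP SPT=52311 DPT=53 LEN=41
Apr 27 19:21:30 kernel: DROP IN=vlan1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.9 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=40000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 27 19:21:31 dnsmasq[512]: started, version 2.45
"""

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    for entry in dns_tunnel_drops(SAMPLE_LOG):
        print("DNS dropped on tunnel: %s %s %s -> %s" % entry)
```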
  23. Delta221

    Delta221 Addicted to LI Member

    I just tried with dev tap instead, with no success.... I don't know what else to try.
  24. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I'm running out of ideas, too. I don't see how the packets can get dropped if we've opened all the floodgates.

    Can you provide the output of
    iptables -t filter -vL
    iptables -t nat -vL
    iptables -t mangle -vL
    ? It's possible that there is some other rule actively blocking things.
  25. Delta221

    Delta221 Addicted to LI Member

    I changed the vpn server port to 52118, and my subnet to I still have it on the tap interface, didn't change it back yet. Here is the output for the default rules I always run it with:


    Is there a way to have iptables log blocked items according to the rule which blocked it?

    Thanks for your help
  26. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I've been trying to find a way to do just that, but it seems you can't directly do it. However, you can achieve the same effect, albeit a bit messily. If we add a logging rule in between each of the real rules, we'll be able to tell which rules are matched by where the logging stops.

    Another thing you can do is to capture the various tables as you just posted (all the -vL commands), issue some nslookup commands across the tunnel, and capture it again. Then you can compare the two to see which rule has had its "pkts" column increase (be sure to check the "policy" lines, too).

    If you could try the second method, I'll try to analyze the tables you've provided to see if I can see where such a packet would get dropped. If neither of us comes up with anything, I'll try to figure out which places we can place logging rules that won't just flood your syslog.
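    The counter-diff SgtPepperKSU describes (snapshot `iptables -vL`, run a few nslookups over the tunnel, snapshot again, compare the "pkts" columns and the policy lines), as an added example that is not code from the thread. The BEFORE/AFTER captures are constructed, not the poster's router tables, and the rule set is assumed to be identical in both snapshots.

```python
"""Diff two `iptables -vL` snapshots taken around a few nslookups to see which rule
(or chain policy) counted the packets. Added example, not code from the thread:
BEFORE/AFTER are constructed captures, not the poster's tables, and the rule set is
assumed identical in both (a `service firewall restart` in between would reset it)."""
import re

# "Chain INPUT (policy DROP 7 packets, 2212 bytes)"  or  "Chain logdrop (1 references)"
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+) (\d+[KMG]?) packets|\d+ references)")
# pkts bytes target prot opt in out source destination [match options]
RULE_RE = re.compile(r"^\s*(\d+[KMG]?)\s+(\d+[KMG]?)\s+(\S.*\S)\s*$")
SCALE = {"K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}

def to_int(tok):
    # iptables -v abbreviates large counters (41K, 3M); expand them
    return int(tok[:-1]) * SCALE[tok[-1]] if tok[-1] in SCALE else int(tok)

def parse_counters(text):
    """Map (chain, label) -> pkts for every rule and every built-in chain policy."""
    counters, chain, rule_no = {}, None, 0
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain, rule_no = m.group(1), 0
            if m.group(2):  # built-in chain: the policy line carries its own counter
                counters[(chain, "policy " + m.group(2))] = to_int(m.group(3))
            continue
        if chain is None or not line.strip() or line.split()[0] == "pkts":
            continue
        m = RULE_RE.match(line)
        if m:
            rule_no += 1
            label = "%d: %s" % (rule_no, " ".join(m.group(3).split()))
            counters[(chain, label)] = to_int(m.group(1))
    return counters

def diff_counters(before, after):
    """Rules whose pkts column grew: (chain, label, delta) in table order."""
    return [(c, l, after[(c, l)] - before[(c, l)])
            for (c, l) in after if (c, l) in before and after[(c, l)] > before[(c, l)]]

def report_changes(before_text, after_text):
    return diff_counters(parse_counters(before_text), parse_counters(after_text))

# Constructed sample: the same table before and after four DNS queries over tun22.
TEMPLATE = """\
Chain INPUT (policy DROP 7 packets, 2212 bytes)
 pkts bytes target     prot opt in     out     source      destination
    {dns}  {dnsb} logdrop    udp  --  any    any     anywhere    anywhere     udp dpt:domain
   12   960 ACCEPT     all  --  tun22  any     anywhere    anywhere
  {lan} 41K   ACCEPT     all  --  br0    any     anywhere    anywhere

Chain logdrop (1 references)
 pkts bytes target     prot opt in     out     source      destination
    {dns}  {dnsb} LOG        all  --  any    any     anywhere    anywhere     LOG level warning prefix `DROP '
    {dns}  {dnsb} DROP       all  --  any    any     anywhere    anywhere
"""
BEFORE = TEMPLATE.format(dns=0, dnsb=0, lan=310)
AFTER = TEMPLATE.format(dns=4, dnsb=296, lan=318)

if __name__ == "__main__":
    for chain, label, delta in report_changes(BEFORE, AFTER):
        print("%-8s +%-3d %s" % (chain, delta, label))
```

    Unrelated LAN traffic (the br0 rule here) will also move between snapshots, so read the output alongside the query count you actually generated.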
  27. Delta221

    Delta221 Addicted to LI Member

    Before doing anything else, I'm just going to try re-flashing it... I once had unexplained problems which were solved by re-flashing so I'm just going to try it again...
  28. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Figured it out. Add the following to your Advanced->DHCP/DNS->Dnsmasq Custom Configuration field:
    of course replace tun22 with the appropriate device.

    Even though we're directing the packets to the br0 interface, I guess it is smart enough to know they are coming from the TUN interface. I will try to find an iptables rule to change this fact so the dnsmasq line won't be necessary (I would rather the VPN code keep its hands off the dnsmasq configuration).
    EDIT: for what it's worth, I think I found a way to get iptables to do what I want, but I need to compile a new iptables target into the kernel, so I can't have you try it. I am currently testing a new release (I was actually about to release last night, but got busy with other stuff), but I may try to add this before releasing.

    Also, turn off the logging of dropped packets because, ironically, the combination of how Tomato logs them and how I add the tunnel rules to the chain, choosing to log the dropped packets is the whole reason they're getting dropped!
  29. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Okay, so I patched the kernel and iptables to allow for the ROUTE iptables target last night.

    While the documentation on it makes it sound like it will do exactly what we want, my discussions on IRC led me to believe that target was an ugly hack that is frowned upon. Sure enough, it doesn't appear to work correctly.

    I have another, cleaner idea for how to handle this, and will try to get it implemented and released soon. BTW, have you had a chance to try the dnsmasq configuration line? It would be helpful to know if it helped you, too, since that's along the lines of the cleaner solution I had in mind (only GUI driven from VPN pages, of course).
  30. i1135t

    i1135t Network Guru Member

    Are you trying to tunnel DNS over the VPN?
  31. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    That's the goal. It appears everything works fine, except dnsmasq only listens on the LAN interface by default. I thought aiming the packets at that IP address would be sufficient, but apparently it isn't.

    In my testing, though, just adding that line to the dnsmasq custom configuration gets it working.
  32. i1135t

    i1135t Network Guru Member

    It works for me too, but only from my Windows XP Pro box. No go on my linux box though. I tested it from work. Hmmm...
  33. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    On linux you'll either need to use up/down scripts or set your DNS servers manually. Only windows can accept "dhcp-option DNS" directives (search this forum for dhcp-option for example up/down scripts I gave to make linux accept "dhcp-option"). Am I correct that this is the part that you're saying only works on Windows (automatically configuring clients' DNS server)?

    However, what we're working on here is getting the DNS traffic to work using the VPN server router as the DNS server (separate issue than how the clients get their DNS server settings).

    Are you saying you got it work by adding the line to dnsmasq custom configuration, using the upstream DNS servers (or anything other than the VPN server router), or using the VPN server router as the DNS server without adding the dnsmasq line?
  34. i1135t

    i1135t Network Guru Member

    I suspected that it was a linux issue accepting the DNS server push to my linux client.

    I am a little confused as to the last statement. You were helping me setup my connection at work to route my traffic through the VPN to my home. I remember at one point I had my router (VPN server) push its local IP to my VPN clients for DNS, but I was unsuccessful to get my traffic routed through it for some reason. That's when I tried pushing my home WAN DNS servers to my client and got it working, but it was an on/off issue where sometimes it would work and sometimes it would not. By saying this, I mean to get around my work's OpenDNS blocks. After seeing your post about adding that line into the config, I then tried to push my home router's IP as the DNS server for my clients again, while adding your line into the DNSmasq config to see if that would work. It appears so, but I will have to test it thoroughly to be sure that it's not a fluke.

    Hope that wasn't too confusing? :)
  35. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    It shouldn't be a fluke. Adding that line to the dnsmasq custom config should make it so you can use your VPN server router as the DNS server. Whether or how the clients set their DNS settings to point to that router is a separate issue (one we went over before, and you seem to have under control).
  36. i1135t

    i1135t Network Guru Member

    Cool, finally got it working on my linux host after googling for a working up script and numerous test runs. So far it works on both my Windows and Linux boxes. Thanks for the support!
  37. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    This issue should now be fixed in 1.23vpn3.2, which I just released. There is now a GUI option to allow the DNS server on the router accept requests from the tunnel.
