Limiting VPN access to a Dyndns name

Discussion in 'Tomato Firmware' started by GavinP, Mar 3, 2012.

  1. GavinP

    GavinP Network Guru Member

    Hi

    I wanted to restrict access to my TomatoVPN server using a Dyndns name so had to knock together a script to do this. I'm sure it can be improved upon but thought it might help someone in a similar position.

    This is tested and working on a Buffalo WHR-G54S running TomatoVPN 1.27vpn3.6. With the wireless switched off, this router only uses 3 watts. I also had to change the firewall type from "Automatic" to "Custom" on the VPN Tunnelling\Server page and add a single line to the Administration\Scripts - Firewall tab:

    iptables -P FORWARD ACCEPT

    The text below was pasted into one of the tasks on the Administration\Scheduler page and edited to suit. I scheduled mine to run every 15 minutes.

    I hope this helps someone,

    Thanks

    Gavin



    #! /bin/sh
    HOSTNAME="YourName.dyndns.org"
    IPTABLES=/usr/sbin/iptables
    NSLOOKUP=/usr/bin/nslookup
    DYNIPLOG="/var/log/dynip.log"
    PROTO="udp"
    PORT=1194
    logger_opts="-t $0"
    # Busybox nslookup prints "Address 1: a.b.c.d name" as its last line
    Current_IP=`$NSLOOKUP $HOSTNAME | tail -1 | awk -F ": " '{print $2}' | cut -f 1 -d ' '`
    # Leave the rules alone if the lookup failed: an empty $Current_IP would
    # make "-s" swallow the next argument
    if [ "$Current_IP" = "" ] ; then
        echo "Could not resolve $HOSTNAME, rules left unchanged" | logger $logger_opts
        exit 1
    fi
    # First run (no log file yet): replace the open port with a source-limited rule
    if [ ! -f "$DYNIPLOG" ] ; then
        $IPTABLES -D INPUT -p $PROTO --dport $PORT -j ACCEPT
        $IPTABLES -I INPUT -p $PROTO --dport $PORT -s $Current_IP -j ACCEPT
        echo $Current_IP > $DYNIPLOG
        echo "Resolving $HOSTNAME as:" | logger $logger_opts
        echo $Current_IP | logger $logger_opts
    else
        Old_IP=$(cat $DYNIPLOG)
        if [ "$Current_IP" = "$Old_IP" ] ; then
            echo "IP address has not changed" | logger $logger_opts
        else
            # Address changed: drop the rule for the old source, insert one for the new
            $IPTABLES -D INPUT -p $PROTO --dport $PORT -s $Old_IP -j ACCEPT
            $IPTABLES -I INPUT -p $PROTO --dport $PORT -s $Current_IP -j ACCEPT
            echo $Current_IP > $DYNIPLOG
            echo "iptables have been updated" | logger $logger_opts
        fi
    fi
     
    philess likes this.
  2. PBandJ

    PBandJ Addicted to LI Member

  3. GavinP

    GavinP Network Guru Member

    That is a good point - I already use TLS-AUTH for the connection.

    This script can be expanded on to allow/disable access to other services running on the host (which is what I do) to limit remote access for HTTPS and SSH etc as well.

    Thanks

    Gavin
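The following is an added example, not GavinP's script, that takes the first post's approach and the extension to other services mentioned in his reply one step further: the allowed host's rules live in their own iptables chain (assumed name DYNDNS_ALLOW) so they can be rebuilt as a unit, and a failed lookup never reaches iptables. It assumes the busybox nslookup output format and the same state file path as the post.

```shell
#!/bin/sh
# Added example, not GavinP's script: keep the dyndns host's rules in their
# own chain (assumed name DYNDNS_ALLOW) so several services can be opened
# to that host at once and rebuilt as a unit whenever the address changes.
HOSTNAME="YourName.dyndns.org"       # placeholder, as in the post
STATEFILE="/var/log/dynip.log"
CHAIN="DYNDNS_ALLOW"
SERVICES="udp:1194 tcp:443 tcp:22"   # OpenVPN, HTTPS, SSH as proto:port
IPTABLES="${IPTABLES:-iptables}"

# Accept only a dotted quad, so a failed or odd lookup can never reach
# iptables as an empty or unexpected "-s" argument.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$1" | tr . ' '); do [ "$o" -le 255 ] || return 1; done
}

# Busybox nslookup prints "Address 1: a.b.c.d name" as its last line.
resolve() {
    nslookup "$1" 2>/dev/null | tail -n 1 | awk -F ': ' '{print $2}' | cut -d ' ' -f 1
}

# One ACCEPT rule per service for the given source address.
rules_for() {
    for svc in $SERVICES; do
        echo "-A $CHAIN -p ${svc%%:*} --dport ${svc##*:} -s $1 -j ACCEPT"
    done
}

# Create and hook the chain if needed (delete-then-insert stays idempotent
# on old iptables builds without -C), then flush it and refill it.
apply() {
    $IPTABLES -N "$CHAIN" 2>/dev/null || true
    $IPTABLES -D INPUT -j "$CHAIN" 2>/dev/null || true
    $IPTABLES -I INPUT -j "$CHAIN"
    $IPTABLES -F "$CHAIN"
    rules_for "$1" | while read -r rule; do $IPTABLES $rule; done
}

main() {
    new=$(resolve "$HOSTNAME")
    if ! is_ipv4 "$new"; then logger -t dynip "lookup of $HOSTNAME failed, rules left unchanged"; return 1; fi
    [ "$new" = "$(cat "$STATEFILE" 2>/dev/null)" ] && return 0
    apply "$new" && echo "$new" > "$STATEFILE" && logger -t dynip "$HOSTNAME is now $new"
}
# When pasted into a Scheduler task, replace this guard with a bare "main".
if [ "${1:-}" = "run" ]; then main; fi
```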
     