
Limiting VPN access to a Dyndns name

Discussion in 'Tomato Firmware' started by GavinP, Mar 3, 2012.

  1. GavinP

    GavinP Network Guru Member

    Hi

    I wanted to restrict access to my TomatoVPN server using a Dyndns name so had to knock together a script to do this. I'm sure it can be improved upon but thought it might help someone in a similar position.

    This is tested and working on a Buffalo WHR-G54S running TomatoVPN 1.27vpn3.6. With the wireless switched off, this router only uses 3 watts. I also had to change the firewall type from "Automatic" to "Custom" on the VPN Tunnelling\Server page and add a single line to the Administration\Scripts - Firewall tab:

    iptables -P FORWARD ACCEPT

    The text below was pasted into one of the tasks on the Administration\Scheduler page and edited to suit. I scheduled mine to run every 15 minutes.

    I hope this helps someone,

    Thanks

    Gavin



    #! /bin/sh
    HOSTNAME="YourName.dyndns.org"
    IPTABLES=/usr/sbin/iptables
    NSLOOKUP=/usr/bin/nslookup
    DYNIPLOG="/var/log/dynip.log"    # remembers the last address that was allowed in
    PROTO="udp"
    PORT=1194
    logger_opts="-t $0"
    # Resolve the DynDNS name; busybox nslookup prints the answer on its last line
    Current_IP=`$NSLOOKUP $HOSTNAME | tail -1 | awk -F ": " '{print $2}' | cut -f 1 -d ' '`
    # If the lookup failed, leave the firewall alone: with an empty address the
    # iptables calls below would fail after the old rule had already been deleted,
    # leaving no ACCEPT rule for the VPN port at all
    if [ "$Current_IP" = "" ] ; then
        echo "Could not resolve $HOSTNAME, rules left unchanged" | logger $logger_opts
        exit 1
    fi
    # First run (no log file yet): replace the open ACCEPT rule with one
    # restricted to the resolved address
    if [ ! -f "$DYNIPLOG" ] ; then
        $IPTABLES -D INPUT -p $PROTO --dport $PORT -j ACCEPT
        $IPTABLES -I INPUT -p $PROTO --dport $PORT -s "$Current_IP" -j ACCEPT
        echo "$Current_IP" > "$DYNIPLOG"
        echo "Resolving $HOSTNAME as: $Current_IP" | logger $logger_opts
    else
        Old_IP=$(cat "$DYNIPLOG")
        if [ "$Current_IP" = "$Old_IP" ] ; then
            echo "IP address has not changed" | logger $logger_opts
        else
            # Address changed: swap the old source-restricted rule for the new one
            $IPTABLES -D INPUT -p $PROTO --dport $PORT -s "$Old_IP" -j ACCEPT
            $IPTABLES -I INPUT -p $PROTO --dport $PORT -s "$Current_IP" -j ACCEPT
            echo "$Current_IP" > "$DYNIPLOG"
            echo "iptables have been updated" | logger $logger_opts
        fi
    fi
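The weak point of a scheduler script like this is the resolved address itself: busybox and glibc nslookup format their output differently, and a failed lookup yields nothing, which must never be handed to iptables. The following is an added example, not code from the post above, that parses both output formats, validates the result and prints the rule changes instead of running them; the hostname and the 203.0.113.0/24 and 198.51.100.0/24 addresses are constructed documentation values.

```shell
#!/bin/sh
# Added example (not from the original post): validate the address nslookup
# returned for the DynDNS name before it is used in an iptables rule.

# Print the first IPv4 answer from nslookup output read on stdin. Lines before
# "Name:" describe the resolver itself, not the host, and are skipped.
extract_ip() {
    awk '/^Name:/ { seen = 1; next }
         seen && /^Address/ {
             for (i = 1; i <= NF; i++)
                 if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { print $i; exit }
         }'
}

# Return 0 only for a dotted quad whose four octets are all in 0..255.
is_ipv4() {
    [ -n "$1" ] || return 1
    printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Print (rather than run) the iptables commands that move the VPN ACCEPT rule
# from the old address $1 (empty on first run) to the new address $2. Refuses a
# bad address and prints nothing when the address is unchanged.
plan_rule_update() {
    old=$1; new=$2
    is_ipv4 "$new" || { echo "refusing to touch firewall: bad address '$new'" >&2; return 1; }
    [ "$old" = "$new" ] && return 0
    [ -n "$old" ] && echo "iptables -D INPUT -p udp --dport 1194 -s $old -j ACCEPT"
    echo "iptables -I INPUT -p udp --dport 1194 -s $new -j ACCEPT"
}

# Constructed sample nslookup outputs (old busybox, glibc, and a failed lookup).
BUSYBOX_OUT='Server:    127.0.0.1
Address 1: 127.0.0.1 localhost

Name:      example.dyndns.org
Address 1: 203.0.113.10'
GLIBC_OUT='Server:   8.8.8.8
Address:  8.8.8.8#53

Non-authoritative answer:
Name:     example.dyndns.org
Address:  203.0.113.10'
FAILED_OUT=''

for out in "$BUSYBOX_OUT" "$GLIBC_OUT" "$FAILED_OUT"; do
    ip=$(printf '%s\n' "$out" | extract_ip)
    plan_rule_update "198.51.100.7" "$ip" || echo "update skipped" >&2
done
```

On the router the printed lines would be executed only after plan_rule_update succeeds, so a resolver outage leaves the existing rule in place rather than locking the VPN out.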
  2. PBandJ

    PBandJ Networkin' Nut Member

  3. GavinP

    GavinP Network Guru Member

    That is a good point - I already use TLS-AUTH for the connection.

    This script can be expanded on to allow/disable access to other services running on the host (which is what I do) to limit remote access for HTTPS and SSH etc as well.

    Thanks

    Gavin