Tomato Script to prevent VPN Leaks

Discussion in 'Tomato Firmware' started by Angryarno, May 26, 2013.

  1. Angryarno

    Angryarno Reformed Router Member


    I'm using a Linksys WRT54G with Tomato 1.28 and a PPTP VPN connection to a VPN provider (server). At startup, the router connects to the server and then my IP changes.

    Now I want to prevent that, in these few seconds when the router starts, my real IP (because the Linksys routes all traffic to my internet connection) is public when traffic goes outside. Or maybe the VPN server has problems and I will not realise it...

    I want to block all traffic if there is NO established PPTP VPN connection.

    Is there any way or any script to do this?

    Thanks for your help!
  2. tido

    tido Networkin' Nut Member

    Hi Angryarno, I was wondering the same thing. I know the Tomato WAN connection has PPTP as one of its options; I wonder if that could work?
  3. Malitiacurt

    Malitiacurt Networkin' Nut Member

  4. bmupton

    bmupton Networkin' Nut Member

  5. lancethepants

    lancethepants Network Guru Member

    This rule from your link seems like it would do it. The rest, I think, the Tomato VPN GUI will automatically take care of. This rule basically says that the LAN interface cannot make any requests through the WAN interface. It can however talk to the tun interface, which should be its only means of accessing the internet.

    iptables -I FORWARD -i br0 -o vlan2 -j DROP

    edit: With so many threads on this subject, how funny it would be if the solution was this simple!
  6. bmupton

    bmupton Networkin' Nut Member

    I believe you are correct, the other rules get automatically added.

    If I recall correctly, there was some discussion about that line being added and you no longer being able to access the router's web interface from the LAN... might want to test by just adding that line manually first, instead of putting it in the firewall script, just in case.
  7. Bird333

    Bird333 Network Guru Member

    Sure, be cautious, but that rule is in the FORWARD chain and shouldn't affect accessing the GUI. FYI, that rule will drop packets going out vlan2 (i.e. a DHCP connection), but if you have PPPoE you need to change 'vlan2' to 'ppp0'.
  8. Magdiel1975

    Magdiel1975 Addicted to LI Member

    Will this iptables rule prevent users from connecting to another computer on another network (VPN) through my router?

    I guess what I am asking is, I need an iptables rule that would prevent any user that is connected to my router from accessing their own computer outside my... is this possible?
  9. andy984

    andy984 Connected Client Member

    I need a rule to block any connection which is not routed via the VPN. I tried to enter it with SSH:

    iptables -I FORWARD -i br0 -o vlan2 -j DROP

    But it does not seem to work; if I stop the VPN it will still connect to the internet normally.
  10. Monk E. Boy

    Monk E. Boy Network Guru Member

    I think more information about your router make/model, type of internet connection (DHCP, PPPoE, dual-WAN, etc), and whether you have IPv6 enabled or disabled would be helpful.

    The make/model helps determine what interface the WAN port is on, the type of internet connection can also help in this matter, and if IPv6 is turned on then you need to create an ip6tables rule in addition to iptables.

    When testing rules always enter them from telnet or ssh and verify they are working before adding them to the GUI. This allows you to simply restart the router if it becomes nonresponsive or otherwise doesn't function as intended. Unless you are setting NVRAM variables in telnet or ssh any iptables rules you enter will be temporary, in that they go away when the router is rebooted. A perfect environment for testing changes... though someone sharing the router with you may have a different opinion. It sounds like you're doing this already, but I always try to mention it for anyone who wanders through later.
  11. andy984

    andy984 Connected Client Member

    Hello, thank you for your answer.

    I have the following configuration:

    Name TomatoUSB
    Model Asus RT-N12 B1
    Chipset Broadcom BCM53572 chip rev 1 pkg 8
    Flash Size 8MB

    Connection Type DHCP

    IPv6 Configuration
    IPv6 Service Type Disabled
    Since I have:

    default UG 0 0 0 vlan1

    I also tried:

    iptables -I FORWARD -i br0 -o vlan1 -j DROP

    iptables -I FORWARD -i br0 -o vlan -j DROP

    which does not seem to make a difference.

    Yes, I use SSH to enter the rules for testing; it's quite dangerous over the interface...
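An added example, not posted by anyone in this thread: it reads the WAN interface from the kernel routing table (the `default ... vlan1` line andy984 quoted) instead of hard-coding `vlan2`, emits the FORWARD rule from lancethepants' post with that interface, and checks `iptables -S FORWARD` output for the rule afterwards. The routing-table and iptables text below are constructed sample input in `route -n` / `iptables -S` layout, and the rule is only printed, never applied.

```shell
#!/bin/sh
# Constructed sample of `route -n` output (not from the thread).
SAMPLE_ROUTE_TABLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 vlan1
0.0.0.0         10.0.0.1        0.0.0.0         UG    0      0        0 vlan1'

# wan_iface: print the interface carrying the default route (flags contain G),
# reading `route -n` (0.0.0.0) or plain `route` (default) layout from stdin.
# Prints nothing when there is no default route, e.g. a PPPoE link that is down.
wan_iface() {
    awk '($1 == "0.0.0.0" || $1 == "default") && $4 ~ /G/ { print $NF; exit }'
}

# killswitch_rule LAN WAN: build the thread's rule for the given interfaces so
# LAN traffic can only leave via the tunnel (tun/ppp), never straight out the WAN.
# Refuses an empty WAN name: "-o ''" would not be the rule the poster intended.
killswitch_rule() {
    lan="$1"; wan="$2"
    if [ -z "$wan" ]; then
        echo "no default route found: not building a rule" >&2
        return 1
    fi
    echo "iptables -I FORWARD -i $lan -o $wan -j DROP"
}

# check_rule_present LAN WAN: given `iptables -S FORWARD` output on stdin,
# exit 0 if the DROP rule is installed, 1 if it is missing (post-install check).
check_rule_present() {
    grep -q -- "-A FORWARD -i $1 -o $2 -j DROP"
}

# Stand-alone run: derive the interface from the sample table and print the rule.
WAN=$(printf '%s\n' "$SAMPLE_ROUTE_TABLE" | wan_iface)
killswitch_rule br0 "$WAN"
```

On a router with IPv6 enabled, the same check would also need an `ip6tables -S FORWARD` pass, as Monk E. Boy notes above.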