security issue + how to restrict access to VPN server ?

Discussion in 'Tomato Firmware' started by rico35, Feb 13, 2010.

  1. rico35

    rico35 Addicted to LI Member

    Hello all,

    I am starting to play with my WRT54GL running TomatoVPN v1.27vpn3.6.4.

    I successfully created a VPN using secret-key.

    I have two questions:

    - is it normal that I can connect to my VPN server running on the WRT54GL even if I change a few characters in the secret key on my OpenVPN client (v2.1.1 running on a PC/Win7)?! If I change too many characters, the connection is rejected, but I am surprised that I can connect if I replace only a few characters...

    - I would like to limit access to the VPN server running on my WRT54GL: accept only incoming requests on TCP:443 coming from my job's internet gateway. I don't see how to configure this in the firewall GUI. Is it possible?

    Thanks for your help

  2. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    That surprises me, too. I wonder if the bits you're changing only corrupt some of the metadata.
    Sure, just add this to your firewall script:
    iptables -t mangle -I INPUT -p `nvram get vpn_server1_proto` --dport `nvram get vpn_server1_port` -s ! <IP ADDRESS YOU WANT TO ALLOW> -j DROP
  3. rico35

    rico35 Addicted to LI Member

    Thanks SgtPepperKSU for your feedback.

    Concerning the secret key modification, I made several tests.
    I changed only the last two characters -> connection OK!
    I changed 4 or 5 characters on the first 2 lines -> connection OK!
    I changed the first 2 or 3 characters -> connection KO

    Very strange..

    How can I update the firewall script? Manual file modification over an SSH connection?
    I don't see a firewall input field in the Tomato GUI..

    Thanks again
  4. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    You can find it at Administration->Scripts.
  5. rico35

    rico35 Addicted to LI Member

    Thanks for the information :)

    I did it with GUI as you described.

    Because I cannot check if it works with real testing, I tried to check if the rule is correctly applied in the firewall.
    So I connected to the box with SSH and displayed the iptables rules with the command "iptables --list"; but I don't see the <IP ADDRESS I WANT TO ALLOW> in the output?!
    So, I guessed that the rule is not applied correctly via the GUI, and so I tried to add it directly with the command "iptables -t mangle -I INPUT -p tcp --dport 443 -s ! x.x.x.x -j DROP", but it is the same result!

    Is there something wrong in the command line to add the rule?
    Could I be making a mistake when reading the iptables rules?

  6. rico35

    rico35 Addicted to LI Member

    I'll answer myself.
    It looks like the correct command is "iptables -t mangle -L -v"..
    Thks ! ;)
  7. rico35

    rico35 Addicted to LI Member


    Can anyone clarify why the IP filtering is done in the mangle table instead of the INPUT table? :confused:

    Also, is it possible to restore the default firewall configuration (without restoring the overall WRT configuration)?

  8. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I was waiting for someone to point that out (assuming you meant filter table instead of INPUT table) :-P

    The VPN GUI backend generates rules and inserts them at the beginning of the filter table's INPUT chain. So, we either had to make sure the new rule was always executed after the VPN GUI backend ran (so that it would be inserted before) or just use a chain that is guaranteed to run before the one that contains the other rules.

    If I were implementing this in the GUI backend itself, I'd have properly used the filter/INPUT chain, but this was a quick fix.

    Delete the lines from the firewall script...?
  9. rico35

    rico35 Addicted to LI Member

    Ok I think I understand now. :flowers:

    Not sure it is enough in my case. Indeed, I played a little bit directly with iptables through an SSH connection and I am not 100% sure that I didn't insert a bad rule which can break security (and I am not an iptables expert). That's why I was looking for a quick solution :wink:
    So the best solution now is to read the iptables man page :eek: :wink:

    Thanks again
  10. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Actually, the iptables rules are rebuilt from scratch every time the service is started. This happens on every boot, when the Firewall script is changed, or when firewall-related settings are changed (including those in the VPN section). However, if you want to do this manually from the shell you can run:
    service firewall restart
  11. rico35

    rico35 Addicted to LI Member

    Tks again SgtPepperKSU.
    I hope it is my last post on this.. :redface:

    I performed the service firewall restart

    After that, I checked the mangle table. My mgt IP disappeared. So you are right, the firewall restart cleans the tables.

    The problem is that my firewall script was there to add my mgt IP.
    Also, I clicked on "Save" but it doesn't add the rule. Is that normal??

    Find below the result of the script launched in the shell:

    iptables -t mangle -I INPUT -p `nvram get vpn_server1_proto` --dport `nvram get vpn_server1_port` -s ! x.x.x.x -j DROP
    iptables v1.3.7: unknown protocol `tcp-server' specified
    Try `iptables -h' or 'iptables --help' for more information.

    Perhaps it is normal...

    The only way I found to add the rule into iptables is to enter the following command (with the shell):

    iptables -t mangle -I INPUT -p tcp --dport 443 -s ! x.x.x.x -j DROP
  12. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Crap. You're right. I forgot that the vpn_server*_proto variable stores "tcp-server" rather than just tcp. You should change it to:
    iptables -t mangle -I INPUT -p `nvram get vpn_server1_proto | sed 's/-.*$//'` --dport `nvram get vpn_server1_port` -s ! x.x.x.x -j DROP
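    The corrected rule above, and the mangle/INPUT placement SgtPepperKSU explained a few posts earlier, put together as a Tomato firewall script. This is an added example, not code from the thread or from the Tomato project: the function names, the input validation and the ALLOWED_SRC placeholder (192.0.2.10 stands in for the office gateway's public IP) are my own assumptions; the nvram variables vpn_server1_proto and vpn_server1_port are the ones used in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): Tomato firewall script that restricts the
# OpenVPN server port to one source address. ALLOWED_SRC is a placeholder.

# Strip the OpenVPN role suffix that nvram stores: "tcp-server" -> "tcp",
# "udp" stays "udp". This is the thread's sed fix, as a function so it can be
# checked on its own.
vpn_l4_proto() {
    printf '%s\n' "$1" | sed 's/-.*$//'
}

# Build the iptables command from protocol, port and allowed source.
# It goes in mangle/INPUT so it is evaluated before the rules the VPN GUI
# backend inserts at the top of filter/INPUT, whatever the script order.
# Inputs are validated so a bad nvram value cannot yield a rule that drops
# nothing (or everything).
build_vpn_restrict_rule() {
    proto=$(vpn_l4_proto "$1")
    port=$2
    src=$3
    case "$proto" in
        tcp|udp) ;;
        *) echo "unsupported protocol: $1" >&2; return 1 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
    esac
    [ -n "$src" ] || { echo "allowed source is empty" >&2; return 1; }
    # iptables 1.3.7 (the version in the thread) accepts "-s ! addr";
    # newer releases want "! -s addr" instead. The thread's form is kept here.
    printf 'iptables -t mangle -I INPUT -p %s --dport %s -s ! %s -j DROP\n' \
        "$proto" "$port" "$src"
}

# Apply the rule on the router. Off the router (no nvram/iptables) it does
# nothing, so the script can be read and checked on an ordinary machine.
apply_vpn_restrict_rule() {
    if ! command -v nvram >/dev/null 2>&1 || ! command -v iptables >/dev/null 2>&1; then
        echo "nvram/iptables not found; not running on the router" >&2
        return 0
    fi
    rule=$(build_vpn_restrict_rule "$(nvram get vpn_server1_proto)" \
                                   "$(nvram get vpn_server1_port)" \
                                   "$ALLOWED_SRC") || return 1
    eval "$rule"
    # Verify the rule landed, with packet counters (the check rico35 arrived at).
    iptables -t mangle -L INPUT -v -n
}

ALLOWED_SRC="${ALLOWED_SRC:-192.0.2.10}"   # placeholder: office gateway public IP
apply_vpn_restrict_rule
```

Pasted into Administration->Scripts (Firewall), the script is re-run whenever Tomato rebuilds the firewall, so the rule survives a `service firewall restart`; any malformed value from nvram aborts the script instead of producing a broken rule, which is the failure mode the `tcp-server` error above showed.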
  13. rico35

    rico35 Addicted to LI Member

    It works now !!


    Tks :flowers: :flowers: :flowers:
  14. rico35

    rico35 Addicted to LI Member

    Well, I spoke too quickly...
    I am now testing this remote access but it doesn't work.
    On my office client VPN, I get timeout messages, retry in 5 seconds...

    So I enabled the firewall log file on my WRT as described here: ( )

    I see the following message.

    Mar 29 21:25:33 ? user.warn kernel: IN=vlan1 OUT= MAC=00:1d:7e:1a:ff:16:ee:1d:68:c1:5a:ea:09:00:45:00:00:30 SRC=X.X.X.X DST= LEN=48

    So, connection attempts are seen by my WRT but it doesn't answer :(

    Any idea?