DD-WRT Openvpn - help me understand this code
Hi,
Following several guides online, I have the following in my firewall rules for DD-WRT:
iptables -N VPN
iptables -F VPN
iptables -I INPUT -i tun0 -j VPN
iptables -I FORWARD -i tun0 -j VPN
iptables -A VPN -i tun0 -o br0 -j ACCEPT
iptables -I FORWARD -i br0 -o $(nvram get wan_iface) -j DROP
iptables -I POSTROUTING -t nat -o tun0 -j RETURN
I know it's a big ask, but would anyone be able to explain what these lines are doing?
Many thanks,
Gareth
Comments
iptables -N VPN <<< Create a new chain called "VPN"
iptables -F VPN <<< Flushes/deletes all rules in "VPN"
iptables -I INPUT -i tun0 -j VPN
iptables -I FORWARD -i tun0 -j VPN
iptables -A VPN -i tun0 -o br0 -j ACCEPT <<< accepts packets from tunnel 0 to bridge 0 (lan&wifi)
iptables -I FORWARD -i br0 -o $(nvram get wan_iface) -j DROP <<< I think this drops packets not routed over the VPN?
iptables -I POSTROUTING -t nat -o tun0 -j RETURN
Other than that I'm lost!
The only rule I ever used was something like this:
iptables -I FORWARD ! -o tun+ -j DROP
which kills all traffic not going through the VPN (i.e. a killswitch).
Have you considered trying OpenWRT - I find it a lot easier than DD!
Hmmm, true, but I suppose plenty of people drive cars without understanding even the basics of an internal combustion engine, or clutches etc.
Anyway, the kill switch in the code I posted above wasn't working, so I have replaced the firewall code with:
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
iptables -I FORWARD -i br0 -o vlan2 -j DROP
iptables -I INPUT -i tun0 -j REJECT
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
which does work (if VPN is disabled, there is no internet).
What I would like to do now is apply the VPN and the above rules to a certain IP range only, is this possible? So 192.168.0.2 - 192.168.0.128 go through the normal (ISP) connection, whilst 128-256 go through VPN, and will not work if VPN goes down - is that doable?
Thanks
I think my killswitch is better!
Your selective routing is possible and there are plenty of posts on here with discussion - mainly about not being able to get it to work properly!
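The per-range split Gareth asks about is normally done with source-based policy routing plus a kill switch scoped to that range. The script below is an added example and is not from anyone in this thread: it reuses the interface names br0/tun0/vlan2 from the second rule set, while the subnet 192.168.0.128/25 (hosts .128-.255), routing table 200 and rule priority 100 are assumptions. It also assumes the OpenVPN client is not pushing a default route into the main table (e.g. `route-nopull`), otherwise every host would end up in the tunnel.

```shell
#!/bin/sh
# Added example, not from the thread: route only 192.168.0.128/25 (hosts
# .128-.255) through the VPN and kill-switch that range alone. Interface
# names br0/tun0/vlan2 come from Gareth's second rule set; VPN_NET, the
# routing table 200 and the priority 100 are assumptions you can change.
VPN_NET="${VPN_NET:-192.168.0.128/25}"
LAN_IF="${LAN_IF:-br0}"
VPN_IF="${VPN_IF:-tun0}"
WAN_IF="${WAN_IF:-vlan2}"
RT_TABLE="${RT_TABLE:-200}"
# Dry run by default: commands are printed. APPLY=1 executes them (root).
if [ "${APPLY:-0}" = 1 ]; then RUN=""; else RUN="echo"; fi

cmd() { $RUN "$@"; }

# Source-based policy routing: traffic from VPN_NET consults table RT_TABLE,
# whose only default route is the tunnel. When tun0 goes down the kernel
# removes that route, lookups fall back to the main table and the WAN, and
# the DROP rule below then blocks them: that is the kill switch.
vpn_routes() {
    cmd ip rule add from "$VPN_NET" lookup "$RT_TABLE" priority 100
    cmd ip route add default dev "$VPN_IF" table "$RT_TABLE"
}

# Firewall: VPN_NET may talk to the tunnel, replies may come back, and any
# attempt by VPN_NET to reach the WAN directly is dropped. Other LAN hosts
# match none of these rules and keep the ISP path. NAT only on the tunnel.
vpn_firewall() {
    cmd iptables -I FORWARD -s "$VPN_NET" -i "$LAN_IF" -o "$VPN_IF" -j ACCEPT
    cmd iptables -I FORWARD -d "$VPN_NET" -i "$VPN_IF" -o "$LAN_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    cmd iptables -I FORWARD -s "$VPN_NET" -i "$LAN_IF" -o "$WAN_IF" -j DROP
    cmd iptables -t nat -A POSTROUTING -s "$VPN_NET" -o "$VPN_IF" -j MASQUERADE
}

# Returns the full rule set as text (always a dry run), one command per line.
render_rules() { ( RUN=echo; vpn_routes; vpn_firewall ); }

vpn_routes
vpn_firewall
```

Run it once without APPLY to review the generated commands, then with APPLY=1 from the DD-WRT firewall script; a host in the lower half of the LAN never matches these rules and keeps using the ISP connection.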