DSM, OpenVPN and firewall

Hi all,

I'm using DSM 5.0 4458 for some days now and added an OpenVPN client (with HideMyAss) following the HMA tutorial:

https://support.hidemyass.com/entries/4 ... nVPN-Setup

To protect my NAS, the firewall was activated to allow only my internal network, but the OpenVPN interface is not covered / protected.

The firewall is protecting only eth0 and is no help at all to protect OpenVPN, aka tun0.

And I see many SSH connect attempts, hopefully blocked by security.

Some scripts are available around to inject firewall rules for the tun0 interface, for example this one:

https://github.com/Modjor/transblocker

For now, it works via cron, which is not perfect, and I'm wondering if someone knows how to register calls to scripts at OpenVPN client start and stop?

There is such support in Ubuntu (http://manpages.ubuntu.com/manpages/mav ... vpn.8.html) but I'm unsure for DSM.

Any advice is welcome.


Auto answer.

The OpenVPN client startup scripts are /usr/syno/etc.defaults/synovpnclient/scripts/ovpnc.sh and /usr/syno/etc/synovpnclient/scripts/ovpnc.sh

You could update them to enroll your own script, executed at OpenVPN startup time, e.g.:


...
case "$1" in
    start)
        echo 1 > /proc/sys/net/ipv4/ip_forward

        # Make device if not present (not devfs)
        if [ ! -c /dev/net/tun ]; then
            # Make /dev/net directory if needed
            if [ ! -d /dev/net ]; then
                mkdir -m 755 /dev/net
            fi
            mknod /dev/net/tun c 10 200
        fi

        /usr/syno/bin/iptablestool --insmod $SERVICE ${KERNEL_MODULES}

        echo "Starting openvpn client..."
        /usr/sbin/openvpn --daemon --cd ${CONF_DIR} --config ${OPENVPN_CONF} --writepid /var/run/ovpn_client.pid
        # Inject firewall rules for tun0 (line added to the stock script)
        /volume1/homes/admin/openvpn-protect.sh
        ;;
    stop)
        echo "Stopping openvpn client..."
        /bin/kill `cat /var/run/ovpn_client.pid` 2>/dev/null

        sleep 2

        # Remove firewall rules for tun0 (line added to the stock script)
        /volume1/homes/admin/openvpn-unprotect.sh

        unload_module;
        ;;
...


Here are sample scripts to load/unload firewall rules for tun0 (OpenVPN):

openvpn-protect.sh

#!/bin/ash

interface="tun0"

# Allow the one service port that should be reachable through the tunnel
iptables -A INPUT -i "$interface" -p udp -m udp --destination-port 51412 -j ACCEPT
iptables -A INPUT -i "$interface" -p tcp -m tcp --destination-port 51412 -j ACCEPT

# Rate-limit new TCP connections (SYN) arriving over the tunnel; reuse the chain if it already exists
iptables -N DOS_PROTECT_VPN 2>/dev/null || iptables -F DOS_PROTECT_VPN
iptables -A INPUT -i "$interface" -p tcp --syn -j DOS_PROTECT_VPN
iptables -A DOS_PROTECT_VPN -i "$interface" -m limit --limit 1/s --limit-burst 3 -j RETURN
iptables -A DOS_PROTECT_VPN -i "$interface" -j DROP

# ICMP: accept 1/s, log the next 1/s with a PING-DROP: prefix, drop the rest
iptables -A INPUT -i "$interface" -p icmp -m limit --limit 1/s --limit-burst 1 -j ACCEPT
iptables -A INPUT -i "$interface" -p icmp -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix PING-DROP:
iptables -A INPUT -i "$interface" -p icmp -j DROP

# Replies to connections the NAS opened itself are fine; everything else from tun0 is dropped
iptables -A INPUT -i "$interface" -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i "$interface" -j DROP

openvpn-unprotect.sh

#!/bin/ash

interface="tun0"

# Delete the rules with exactly the arguments they were added with
iptables -D INPUT -i "$interface" -p udp -m udp --destination-port 51412 -j ACCEPT
iptables -D INPUT -i "$interface" -p tcp -m tcp --destination-port 51412 -j ACCEPT

iptables -D INPUT -i "$interface" -p tcp --syn -j DOS_PROTECT_VPN
iptables -D DOS_PROTECT_VPN -i "$interface" -m limit --limit 1/s --limit-burst 3 -j RETURN
iptables -D DOS_PROTECT_VPN -i "$interface" -j DROP
iptables -D INPUT -i "$interface" -p icmp -m limit --limit 1/s --limit-burst 1 -j ACCEPT
iptables -D INPUT -i "$interface" -p icmp -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix PING-DROP:
iptables -D INPUT -i "$interface" -p icmp -j DROP
# The chain must be unreferenced and empty before it can be removed
iptables -F DOS_PROTECT_VPN
iptables -X DOS_PROTECT_VPN

iptables -D INPUT -i "$interface" -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -D INPUT -i "$interface" -j DROP
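As an added example (not the original post's code), here is one idempotent script that combines openvpn-protect.sh and openvpn-unprotect.sh: it uses `iptables -C` to skip rules that already exist, so a VPN reconnect that re-runs the ovpnc.sh hook does not stack duplicate rules, and a `fake_iptables` stand-in (my addition) lets you dry-run the rule set without root. Interface tun0 and port 51412 are taken from the post; `--dport` is equivalent to the post's `-m udp --destination-port`.

```shell
#!/bin/sh
# Added example (not the original post's code): one idempotent script replacing
# openvpn-protect.sh / openvpn-unprotect.sh.  Assumes the post's values (tun0,
# port 51412); IPTABLES=fake_iptables dry-runs it without root.
IFACE="${IFACE:-tun0}"
PORT="${PORT:-51412}"
CHAIN="DOS_PROTECT_VPN"
IPTABLES="${IPTABLES:-iptables}"
# Dry-run stand-in: prints the command it was given; reports every -C check as "rule absent".
fake_iptables() {
    [ "$1" = "-C" ] && return 1
    echo "iptables $*"
}

# INPUT rules for the VPN interface, in order (same policy as the post's scripts).
rules() {
    cat <<EOF
-i $IFACE -p udp --dport $PORT -j ACCEPT
-i $IFACE -p tcp --dport $PORT -j ACCEPT
-i $IFACE -p tcp --syn -j $CHAIN
-i $IFACE -p icmp -m limit --limit 1/s --limit-burst 1 -j ACCEPT
-i $IFACE -p icmp -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix PING-DROP:
-i $IFACE -p icmp -j DROP
-i $IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
-i $IFACE -j DROP
EOF
}

# Append only when absent (-C exits 0 if the rule exists), so re-running the hook
# on a VPN reconnect does not stack duplicate rules; deletion ignores "not found".
add_rule() { c="$1"; shift; $IPTABLES -C "$c" "$@" 2>/dev/null || $IPTABLES -A "$c" "$@"; }
del_rule() { c="$1"; shift; $IPTABLES -D "$c" "$@" 2>/dev/null || true; }

protect() {
    $IPTABLES -N "$CHAIN" 2>/dev/null || $IPTABLES -F "$CHAIN"   # new or emptied chain
    add_rule "$CHAIN" -m limit --limit 1/s --limit-burst 3 -j RETURN
    add_rule "$CHAIN" -j DROP
    rules | while read -r r; do add_rule INPUT $r; done           # $r unquoted: split into args
}

unprotect() {
    rules | while read -r r; do del_rule INPUT $r; done
    $IPTABLES -F "$CHAIN" 2>/dev/null; $IPTABLES -X "$CHAIN" 2>/dev/null
}

case "${1:-}" in
    protect)   protect ;;
    unprotect) unprotect ;;
    dry-run)   IPTABLES=fake_iptables; protect ;;
esac
```

Save it as a single script and call it with `protect` / `unprotect` from the start/stop branches of ovpnc.sh; `dry-run` prints the rules it would apply instead of touching the firewall.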
