phoenix73

DSM, OpenVPN and firewall


Hi all,

I've been using DSM 5.0 4458 for some days now and added the OpenVPN client (with HideMyAss) following the HMA tutorial:

https://support.hidemyass.com/entries/4 ... nVPN-Setup

To protect my NAS, the firewall was activated to allow only my internal network, but the OpenVPN interface is not covered/protected.

The firewall is protecting only eth0 and is no help at all to protect OpenVPN, aka tun0.

And I see many SSH connection attempts, hopefully blocked by security.

Some scripts are available around to inject firewall rules for the tun0 interface, for example this one:

https://github.com/Modjor/transblocker

For now, it works via cron, which is not perfect, and I'm wondering if someone knows how to register calls to scripts at OpenVPN client start and stop?

There is such support in Ubuntu (http://manpages.ubuntu.com/manpages/mav ... vpn.8.html) but I'm unsure for DSM.

Any advice is welcome.


Answering my own question.

The OpenVPN client startup scripts are /usr/syno/etc.defaults/synovpnclient/scripts/ovpnc.sh and /usr/syno/etc/synovpnclient/scripts/ovpnc.sh.

You could update them to call your own script at OpenVPN startup time, for example:

 

...
case "$1" in
    start)
        echo 1 > /proc/sys/net/ipv4/ip_forward

        # Make device if not present (not devfs)
        if [ ! -c /dev/net/tun ]; then
            # Make /dev/net directory if needed
            if [ ! -d /dev/net ]; then
                mkdir -m 755 /dev/net
            fi
            mknod /dev/net/tun c 10 200
        fi

        /usr/syno/bin/iptablestool --insmod $SERVICE ${KERNEL_MODULES}

        echo "Starting openvpn client..."
        /usr/sbin/openvpn --daemon --cd ${CONF_DIR} --config ${OPENVPN_CONF} --writepid /var/run/ovpn_client.pid
        # Inject firewall rules (added hook)
        /volume1/homes/admin/openvpn-protect.sh
        ;;
    stop)
        echo "Stopping openvpn client..."
        /bin/kill `cat /var/run/ovpn_client.pid` 2>/dev/null

        sleep 2

        # Remove firewall rules (added hook)
        /volume1/homes/admin/openvpn-unprotect.sh

        unload_module;
        ;;
...

 

Here are sample scripts to load/unload firewall rules for tun0 (OpenVPN):

openvpn-protect.sh

 

#!/bin/ash
# Firewall rules for the OpenVPN interface: allow one service port, rate-limit
# new TCP connections and pings, accept replies to our own traffic, drop the rest.

interface="tun0"

# Service reachable over the VPN on port 51412 (UDP and TCP)
iptables -A INPUT -i $interface -p udp -m udp --destination-port 51412 -j ACCEPT
iptables -A INPUT -i $interface -p tcp -m tcp --destination-port 51412 -j ACCEPT

# New TCP connections (SYN): at most 1/s with a burst of 3, excess dropped
iptables -N DOS_PROTECT_VPN
iptables -A INPUT -i $interface -p tcp --syn -j DOS_PROTECT_VPN
iptables -A DOS_PROTECT_VPN -i $interface -m limit --limit 1/s --limit-burst 3 -j RETURN
iptables -A DOS_PROTECT_VPN -i $interface -j DROP

# ICMP: 1/s accepted, excess logged (also rate-limited) and dropped
iptables -A INPUT -i $interface -p icmp -m limit --limit 1/s --limit-burst 1 -j ACCEPT
iptables -A INPUT -i $interface -p icmp -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix PING-DROP:
iptables -A INPUT -i $interface -p icmp -j DROP

# Replies to connections the NAS opened over the VPN, then drop everything else on tun0
iptables -A INPUT -i $interface -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $interface -j DROP

 

openvpn-unprotect.sh

 

#!/bin/ash
# Remove the rules added by openvpn-protect.sh, in the same order, then delete the chain.

interface="tun0"

iptables -D INPUT -i $interface -p udp -m udp --destination-port 51412 -j ACCEPT
iptables -D INPUT -i $interface -p tcp -m tcp --destination-port 51412 -j ACCEPT

# The chain must be empty and unreferenced before -X can delete it
iptables -D INPUT -i $interface -p tcp --syn -j DOS_PROTECT_VPN
iptables -D DOS_PROTECT_VPN -i $interface -m limit --limit 1/s --limit-burst 3 -j RETURN
iptables -D DOS_PROTECT_VPN -i $interface -j DROP
iptables -D INPUT -i $interface -p icmp -m limit --limit 1/s --limit-burst 1 -j ACCEPT
iptables -D INPUT -i $interface -p icmp -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix PING-DROP:
iptables -D INPUT -i $interface -p icmp -j DROP
iptables -X DOS_PROTECT_VPN

iptables -D INPUT -i $interface -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -D INPUT -i $interface -j DROP

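An added example, not from this thread, Synology or HMA: a single start/stop script that installs and removes a policy for the VPN interface, meant to replace the two scripts above in the ovpnc.sh hooks. It keeps the same assumptions as the post (interface tun0, one service exposed over the VPN on port 51412); the chain name VPN_IN, the IPT override and the exact rule set are mine.

```shell
#!/bin/sh
# Added example (not from the thread, Synology or HMA): install or remove a
# firewall policy for the OpenVPN interface, to be called from the ovpnc.sh
# start/stop hooks as "vpn-fw.sh start" / "vpn-fw.sh stop".
# Assumptions: interface tun0, one service exposed over the VPN on port 51412
# (both as in the post); chain name VPN_IN and the IPT override are mine.
# All tun0 rules live in one dedicated chain, so "start" can rebuild it
# cleanly and "stop" flushes and deletes it instead of replaying every -D.

IPT="${IPT:-iptables}"              # point at a wrapper to review rules without applying them
IFACE="${IFACE:-tun0}"
SERVICE_PORT="${SERVICE_PORT:-51412}"
CHAIN="VPN_IN"

# Returns 0 if INPUT already jumps $IFACE traffic into our chain
jump_present() {
    "$IPT" -C INPUT -i "$IFACE" -j "$CHAIN" 2>/dev/null
}

# Chain contents, one rule per line, in evaluation order:
#  1. replies to connections the NAS itself opened over the VPN
#  2. the exposed service: new TCP connections rate-limited, UDP accepted
#  3. pings, rate-limited
#  4. log (rate-limited, so a flood cannot fill the disk) and drop the rest
chain_rules() {
    cat <<EOF
-m state --state ESTABLISHED,RELATED -j ACCEPT
-p tcp --syn --dport $SERVICE_PORT -m limit --limit 1/s --limit-burst 3 -j ACCEPT
-p udp --dport $SERVICE_PORT -j ACCEPT
-p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 1 -j ACCEPT
-m limit --limit 1/min --limit-burst 5 -j LOG --log-prefix VPN-DROP:
-j DROP
EOF
}

vpn_protect() {
    # create the chain, or empty it if a previous run left it behind
    "$IPT" -N "$CHAIN" 2>/dev/null || "$IPT" -F "$CHAIN"
    chain_rules | while read -r rule; do
        [ -n "$rule" ] && "$IPT" -A "$CHAIN" $rule   # unquoted: split the line into arguments
    done
    # insert at position 1 so our policy is evaluated before any DSM-generated rule
    jump_present || "$IPT" -I INPUT 1 -i "$IFACE" -j "$CHAIN"
}

vpn_unprotect() {
    # remove every copy of the jump, then drop the now-unreferenced chain
    while jump_present; do
        "$IPT" -D INPUT -i "$IFACE" -j "$CHAIN"
    done
    "$IPT" -F "$CHAIN" 2>/dev/null || :
    "$IPT" -X "$CHAIN" 2>/dev/null || :
}

case "${1:-}" in
    start) vpn_protect ;;
    stop)  vpn_unprotect ;;
esac
```

Call it from the start and stop branches of ovpnc.sh as `/volume1/homes/admin/vpn-fw.sh start` and `... stop` (path assumed, mirroring the post). Running start twice rebuilds the chain instead of appending duplicate rules, and stop leaves INPUT exactly as it was, which matters when the DSM firewall UI regenerates its own rules. Keep a copy of the edited ovpnc.sh: both locations quoted in the post belong to the system image, so check after a DSM update that the hook is still in place. To review the rules before touching the kernel, run it with IPT pointed at a wrapper that only prints its arguments.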

What do these firewall rules do to the traffic over the VPN?

Thanks.


These firewall rules protect your NAS from remote connections.

When you start an OpenVPN connection, all ports are opened via tun0.

This may explain why some have seen their NAS hacked.
