phoenix73 Posted May 7, 2014 #1

Hi all, I'm using DSM 5.0 4458 for some days now and added an OpenVPN client (with HideMyAss) following the HMA tutorial: https://support.hidemyass.com/entries/4 ... nVPN-Setup

To protect my NAS, the firewall was activated to allow only my internal network, but the OpenVPN interface is not covered / protected. The firewall is protecting only eth0 and is no help at all to protect OpenVPN, aka tun0, and I see many SSH connect attempts, hopefully blocked by security.

Some scripts are available around to inject firewall rules for the tun0 interface, for example this one: https://github.com/Modjor/transblocker

For now, it works via cron, which is not perfect, and I'm wondering if someone knows how to register calls to scripts at OpenVPN client start and stop? There is such support in Ubuntu (http://manpages.ubuntu.com/manpages/mav ... vpn.8.html) but I'm unsure for DSM.

Any advice is welcome.
phoenix73 Posted May 7, 2014 Author #2

Auto answer. The OpenVPN client startup scripts are /usr/syno/etc.defaults/synovpnclient/scripts/ovpnc.sh and /usr/syno/etc/synovpnclient/scripts/ovpnc.sh. You could update them to enroll your own script executed at OpenVPN startup time, i.e.:

...
case "$1" in
    start)
        echo 1 > /proc/sys/net/ipv4/ip_forward
        # Make device if not present (not devfs)
        if [ ! -c /dev/net/tun ]; then
            # Make /dev/net directory if needed
            if [ ! -d /dev/net ]; then
                mkdir -m 755 /dev/net
            fi
            mknod /dev/net/tun c 10 200
        fi
        /usr/syno/bin/iptablestool --insmod $SERVICE ${KERNEL_MODULES}
        echo "Starting openvpn client..."
        /usr/sbin/openvpn --daemon --cd ${CONF_DIR} --config ${OPENVPN_CONF} --writepid /var/run/ovpn_client.pid
        # Inject Firewall rules (own script, added to the stock start block)
        /volume1/homes/admin/openvpn-protect.sh
        ;;
    stop)
        echo "Stopping openvpn client..."
        /bin/kill `cat /var/run/ovpn_client.pid` 2>/dev/null
        sleep 2
        # Remove Firewall rules (own script, added to the stock stop block)
        /volume1/homes/admin/openvpn-unprotect.sh
        unload_module;
        ;;
....
Here are sample scripts to load/unload firewall rules for tun0 (OpenVPN):

openvpn-protect.sh

#!/bin/ash
interface="tun0"
# Allow the one service port left reachable over the VPN (51412, udp and tcp)
iptables -A INPUT -i $interface -p udp -m udp --destination-port 51412 -j ACCEPT
iptables -A INPUT -i $interface -p tcp -m tcp --destination-port 51412 -j ACCEPT
# Rate-limit new TCP connections (SYN) arriving over the VPN: 1/s, burst 3, excess dropped
iptables -N DOS_PROTECT_VPN
iptables -A INPUT -i $interface -p tcp --syn -j DOS_PROTECT_VPN
iptables -A DOS_PROTECT_VPN -i $interface -m limit --limit 1/s --limit-burst 3 -j RETURN
iptables -A DOS_PROTECT_VPN -i $interface -j DROP
# Answer at most one ping per second; log (rate-limited) and drop the rest
iptables -A INPUT -i $interface -p icmp -m limit --limit 1/s --limit-burst 1 -j ACCEPT
iptables -A INPUT -i $interface -p icmp -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix PING-DROP:
iptables -A INPUT -i $interface -p icmp -j DROP
# Keep replies to connections the NAS opened itself, then drop everything else from tun0
iptables -A INPUT -i $interface -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $interface -j DROP

openvpn-unprotect.sh

#!/bin/ash
interface="tun0"
# Delete the rules in the same order they were added, then remove the now-empty chain
iptables -D INPUT -i $interface -p udp -m udp --destination-port 51412 -j ACCEPT
iptables -D INPUT -i $interface -p tcp -m tcp --destination-port 51412 -j ACCEPT
iptables -D INPUT -i $interface -p tcp --syn -j DOS_PROTECT_VPN
iptables -D DOS_PROTECT_VPN -i $interface -m limit --limit 1/s --limit-burst 3 -j RETURN
iptables -D DOS_PROTECT_VPN -i $interface -j DROP
iptables -D INPUT -i $interface -p icmp -m limit --limit 1/s --limit-burst 1 -j ACCEPT
iptables -D INPUT -i $interface -p icmp -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix PING-DROP:
iptables -D INPUT -i $interface -p icmp -j DROP
# -X only succeeds once the chain is empty and no longer referenced from INPUT
iptables -X DOS_PROTECT_VPN
iptables -D INPUT -i $interface -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -D INPUT -i $interface -j DROP
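As an added example that is not part of phoenix73's post: the point of the scripts above is that tun0 must end in a catch-all DROP just as eth0 does, and the quickest way to confirm that after a VPN restart is to audit the INPUT chain rather than trust that the hook ran. The script below does that audit. It reads rules in the format `iptables -S INPUT` prints (with `--live`, which needs root on the NAS) or, by default, from two constructed samples embedded inline: one where tun0 carries the rules from openvpn-protect.sh and one where only eth0 is firewalled, which is the situation described in the first post. The function names and the sample rule text are my own; nothing here is DSM's or the thread's code.

```shell
#!/bin/sh
# Added example: audit an iptables INPUT chain for per-interface coverage.
# For each interface we ask two things a defender cares about:
#   1. does the last rule for that interface drop everything not listed before it?
#   2. which ports are explicitly accepted on it?

# Constructed sample of `iptables -S INPUT` output. iptables prints --syn as
# --tcp-flags and --destination-port as --dport, so the tun0 lines are the
# openvpn-protect.sh rules as the kernel would list them back.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -i eth0 -s 192.168.1.0/24 -j ACCEPT
-A INPUT -i eth0 -j DROP
-A INPUT -i tun0 -p udp -m udp --dport 51412 -j ACCEPT
-A INPUT -i tun0 -p tcp -m tcp --dport 51412 -j ACCEPT
-A INPUT -i tun0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DOS_PROTECT_VPN
-A INPUT -i tun0 -p icmp -m limit --limit 1/sec --limit-burst 1 -j ACCEPT
-A INPUT -i tun0 -p icmp -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "PING-DROP:"
-A INPUT -i tun0 -p icmp -j DROP
-A INPUT -i tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i tun0 -j DROP'

# Constructed sample for a NAS where only eth0 is firewalled (policy ACCEPT,
# nothing at all for tun0): every listening service is reachable over the VPN.
UNPROTECTED_RULES='-P INPUT ACCEPT
-A INPUT -i eth0 -s 192.168.1.0/24 -j ACCEPT
-A INPUT -i eth0 -j DROP'

# iface_has_catchall_drop RULES IFACE -> prints yes|no
# "yes" only when the last rule mentioning "-i IFACE" is an unconditional DROP
# (no -p, -m, -s qualifiers), so unlisted traffic on that interface is dropped.
iface_has_catchall_drop() {
    ihcd_last=$(printf '%s\n' "$1" | grep -e "-A INPUT -i $2 " | tail -n 1)
    case "$ihcd_last" in
        "-A INPUT -i $2 -j DROP") echo yes ;;
        *) echo no ;;
    esac
}

# iface_open_ports RULES IFACE -> prints "proto/port ..." for ACCEPT rules with a --dport
iface_open_ports() {
    printf '%s\n' "$1" | grep -e "-A INPUT -i $2 " | grep -e '-j ACCEPT$' \
        | sed -n 's/.*-p \([a-z]*\) .*--dport \([0-9]*\).*/\1\/\2/p' \
        | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# audit_iface RULES IFACE -> one human-readable verdict line
audit_iface() {
    if [ "$(iface_has_catchall_drop "$1" "$2")" = yes ]; then
        echo "$2: covered by a catch-all DROP; accepted ports: $(iface_open_ports "$1" "$2")"
    else
        echo "$2: NOT covered, every listening service is reachable on this interface"
    fi
}

# live_rules -> the real INPUT chain; needs root, and iptables on the NAS
live_rules() { iptables -S INPUT; }

if [ "${1-}" = "--live" ]; then
    rules=$(live_rules)
    for iface in eth0 tun0; do audit_iface "$rules" "$iface"; done
else
    echo "== sample with openvpn-protect.sh applied =="
    audit_iface "$SAMPLE_RULES" eth0
    audit_iface "$SAMPLE_RULES" tun0
    echo "== sample with only eth0 firewalled =="
    audit_iface "$UNPROTECTED_RULES" tun0
fi
```

Run it as `sh audit-vpn-fw.sh --live` from the DSM shell (as root) after `ovpnc.sh start` and again after `ovpnc.sh stop`: tun0 should report "covered" only while the VPN is up, and the accepted-port list should contain nothing you did not put in openvpn-protect.sh. The check deliberately looks at the last rule for the interface rather than the chain policy, because DSM's own firewall leaves the policy at ACCEPT and relies on per-interface DROP rules, exactly the gap the first post ran into.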
unmesh Posted May 10, 2014 #3

What do these firewall rules do to the traffic over the VPN? Thanks.
phoenix73 Posted June 16, 2014 Author #4

These firewall rules protect your NAS from remote connections. When you start an OpenVPN connection, all ports are opened via tun0. This may explain why some have seen their NAS hacked.