zdrifter

Preventing DNS leaks DD-WRT router client


Well the things in THIS
(https://airvpn.org/index.php?option=com_kunena&func=view&catid=3&id=2353&limit=6&limitstart=6&Itemid=142)
posting did not work as far as I can tell. So I did some more work and:

FIRST THIS APPLIES to an OpenVPN client on a DD-WRT router, NOT to the client on a PC.

It is helpful to be able to telnet to the router and issue commands in this way. The notes below are done by telnet.

 



First determine the router interface(s).
the command is netstat -r
On the far right of the output interfaces are listed.

In my case I was using iptables for the tun0 interface .... the interface on the router is tun1 .. !!

so the firewall commands needed to look like this:

iptables -I FORWARD -i br0 -o tun1 -j ACCEPT
iptables -I FORWARD -i tun1 -o br0 -j ACCEPT
iptables -I INPUT -i tun1 -j REJECT
iptables -t nat -A POSTROUTING -o tun1 -j MASQUERADE
iptables -I OUTPUT -o br0 ! --dst a.b.c.d -j DROP # if destination for outgoing packet on eth+ is NOT a.b.c.d, drop the packet, so that nothing leaks if VPN disconnects
# the above line can be duplicated for as many Air servers as you wish to connect to, just insert the appropriate Air server entry-IP

Fill a.b.c.d with the remote server ip in your air.ovpn file

After running these (you may want to run iptables -F first to flush previous) with YOUR interfaces determined from above, save the firewall and REBOOT.

Then after reboot telnet again and run the command
ps
This will tell if OpenVPN started .. in my case the start is unreliable. If OpenVPN is not running, try this command

(sleep 30 && (ps | grep openvpn | grep -v grep || openvpn --config /tmp/openvpncl/openvpn.conf --route-up /tmp/openvpncl/route-up.sh --down /tmp/openvpncl/route-down.sh --daemon))&

This will check if it is running and if not will start the client.

Now you can use the ps command to check and after then check your connection to AirVPN. You can also check the iptables with the command netstat -vnL.

Hope this is helpful to some and saves some work/head scratching.

Comments on the above very welcome, Cheers

EDIT: Please note if you use the last entry above in the firewall (iptables -I OUTPUT -o br0 ! --dst a.b.c.d -j DROP) you will lose access to the router. Thus if the tunnel goes down ...well you know. So you may want to leave this entry off the GUI and if/when you are set up properly and then run it from the telnet prompt. That way if you need router access you can reboot and be OK.

Also this start-up command (enter in Admin>Command window and save start-up) seems to insure the client runs ..

sleep 60
(sleep 30 && (ps | grep openvpn | grep -v grep || openvpn --config /tmp/openvpncl/openvpn.conf --route-up /tmp/openvpncl/route-up.sh --down /tmp/openvpncl/route-down.sh --daemon))&

It takes longer to connect but seems to do so each time correctly.

Guest ergolon

Hello zdrifter,

hello admin,

thanks for your kind support.

I just tried to setup my Cisco Linksys E2000 (DD-WRT v24-sp2 (04/07/12) mega SVN revision 18946M NEWD-2 K2.6 Eko) following your instructions.

First I followed the regular DD-WRT instructions (https://airvpn.org/ddwrt/). Worked just fine and connected to the SE Serpentis server right away.

Then I tried to follow the instructions in this thread. The first four rules...

iptables -I FORWARD -i br0 -o tun1 -j ACCEPT

iptables -I FORWARD -i tun1 -o br0 -j ACCEPT

iptables -I INPUT -i tun1 -j REJECT

iptables -t nat -A POSTROUTING -o tun1 -j MASQUERADE

... are working just fine. And...

sleep 60

(sleep 30 && (ps | grep openvpn | grep -v grep || openvpn --config /tmp/openvpncl/openvpn.conf --route-up /tmp/openvpncl/route-up.sh --down /tmp/openvpncl/route-down.sh --daemon))&

... in the start-up actually does make openvpn run every single time. Great.

But whenever I add the last firewall rule...

iptables -I OUTPUT -o br0 ! --dst 178.248.30.131 -j DROP

... via SSH, the router becomes completely unusable. I know that access to the router is supposed to break down, but so does the internet connection and everything else. And after about 3 minutes my MacBook even loses its IP. The last resort is to power off my router and reboot.

Any ideas on that? If you need any more information please tell me, I´d be glad to assist.

Thanks a lot!

ergolon


I am interested in implementing this rule:

iptables -I OUTPUT -o br0 ! --dst a.b.c.d -j DROP

Except not for the entire interface, but only a subnet (192.168.1.1/25 to be exact)

I am using policy based routing to have 192.168.1.1/25 route through the VPN and 192.168.1.128/25 route through my ISP. So, all clients from .1 to .127 are VPN and all clients from .128 to .254 are not.

If I add the above rule, my non-VPN clients packets are dropped as well (and I lose access to the router as well, which I think I should be able to prevent with a bit different rule).

Cheers!


I haven't had time to test this yet, but this is the rule I've come up with that I think should work:

iptables -I OUTPUT -s 192.168.1.0/25 ! --dst a.b.c.d -j DROP

Where a.b.c.d is the VPN server obviously.

I was also thinking...could we not add a line like:

iptables -I OUTPUT -o br0 ! --dst 192.168.1.1 -j DROP

so LAN clients can access the router? (If 192.168.1.1 is the router IP, that is)


Hmmm, just like Ergolon above, when I add the output rule to prevent leaks my router hangs and I lose all access to everything, internet included. Adding my modified rule for just a subnet causes the same kind of hanging behavior.

Are we certain that the syntax for those rules is correct? I can't find a good resource that shows how to properly use a not (!) in an IPTABLES rule.

I have been struggling to figure out IPTABLES for ages and it's one of those things that is still over my head. Any ideas to get this working would be greatly appreciated.

Cheers!

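As an added example that is not from any post in this thread (the variable names, the VPN_SUBNET knob and the nvram lookup are assumptions): the same leak protection written in the FORWARD chain, which is the chain LAN clients' packets actually traverse, for the whole LAN or only the policy-routed /25 discussed above.

```shell
#!/bin/sh
# Added example (not from any post in this thread): a LAN-side kill switch
# expressed in the FORWARD chain. The OUTPUT chain only sees packets the router
# itself generates, and "-o br0" selects the ones heading to the LAN, so the
# thread's "iptables -I OUTPUT -o br0 ! --dst a.b.c.d -j DROP" silences the
# router's own DHCP and DNS replies to its clients. LAN clients' traffic is
# forwarded through the router, so the rule that must fail closed lives in FORWARD.
#
# Assumptions: LAN bridge br0, tunnel tun1 (confirm with "netstat -r" as in the
# first post), WAN interface taken from nvram (wan_iface) with eth0 as fallback.
LAN_IF="${LAN_IF:-br0}"
TUN_IF="${TUN_IF:-tun1}"
WAN_IF="${WAN_IF:-$(nvram get wan_iface 2>/dev/null || echo eth0)}"
# Clients that must never bypass the tunnel: the whole LAN by default, or only
# the policy-routed half (e.g. 192.168.1.0/25) as in the later post.
VPN_SUBNET="${VPN_SUBNET:-0.0.0.0/0}"

# Emit the rules, one per line. Each -I inserts at the top, so later lines sit
# above earlier ones. Traffic from VPN_SUBNET is accepted towards the tunnel,
# dropped towards the WAN (tunnel down, or a route that bypasses it), and only
# replies come back from the tunnel. The router's own OpenVPN process still
# reaches the VPN server: that traffic is OUTPUT, not FORWARD.
killswitch_rules() {
    cat <<EOF
iptables -I FORWARD -i $TUN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD -s $VPN_SUBNET -i $LAN_IF -o $WAN_IF -j DROP
iptables -I FORWARD -s $VPN_SUBNET -i $LAN_IF -o $TUN_IF -j ACCEPT
iptables -t nat -A POSTROUTING -o $TUN_IF -j MASQUERADE
EOF
}

# Run the rules on the router (DD-WRT: paste into Administration > Commands and
# "Save Firewall" once it works), or just print them when DRY_RUN=1.
apply_killswitch() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        killswitch_rules
    else
        killswitch_rules | sh -e
    fi
}
```

Run it with DRY_RUN=1 first to see the exact rules for your interfaces; the router stays reachable from the LAN because nothing here touches the OUTPUT chain.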

Just a note:

iptables -I FORWARD -i br0 -o tun1 -j ACCEPT
iptables -I FORWARD -i tun1 -o br0 -j ACCEPT
iptables -I INPUT -i tun1 -j REJECT
iptables -t nat -A POSTROUTING -o tun1 -j MASQUERADE

Are NOT required UNLESS you want to do port forwarding.

I still cannot get my router not to hang when adding the rule to prevent leaks though. The DD-WRT community so far hasn't helped, but it's only been a day.

I'll report back here anything I find out about that rule and this build (18946)


I have had no luck preventing leaks, the firewall rule as written in post #1 hangs my router when I run it.

I've tried a few other things as well, but nothing seems to work.

I'm tempted to run the VPN client manually and build my own routes, but that's more work than I have time for right now.


Hi, I'm having the same issue with that last line. It kills my router. I have trawled the web and can't find a solution to block all traffic when not connected to VPN. Does anyone have a solution please?


I'm having the same problem, the final line seems to break all connections on the DDWRT router.

Since the DDWRT device I'm using is not my primary gateway (its dedicated to this VPN connection), is it possible to switch the device to "router" and define static routes in the GUI? perhaps there is another way to prevent leaks?


This works, you lose ISP connection if openvpn got disconnected. But it did not prevent DNS leaks while openvpn is running.

If you guys find something easy, let us know. I'll look also.

Hello!

You could try to force 10.4.0.1 as first DNS server in your router.

[EDIT] Oh yes, you already did it, glad to know it solved the problem, thank you!

Kind regards

Guest rbj

None of the above rules work for my two router system.

Here's what I have: Modem>router one (local isp) > router two (AirVPN). I must put this rule for router two to talk to router one: iptables -I FORWARD -s 192.168.1.0/24 -j ACCEPT. Once I add any more rules I am not able to access router one from router two. Hence the internet doesn't drop in case of a VPN disconnect.

I thought I would put this out to the community in hopes of getting an answer or at least some direction. More brains are better than one.

Thanks all.


Hi All

I would appreciate some feedback on a solution I have ended up with for preventing DNS leaks as I am not sure how appropriate it is.

I am running 2 routers, a modem router connected to my ISP and a second router running DD-WRT with OpenVPN to connect to AirVPN.

With this set up we have 2 wireless networks available, a standard connection and a VPN connection. (Some sites that are https are still better to connect to without VPN.)

After checking for DNS leaks and still seeing my ISP, my first option was to set the modem router to the DNS server 10.4.0.1 which stopped the DNS leaks, but meant the non-VPN connection didn't work.

Having reverted back to letting the non-VPN connection use another DNS server I have added the following to my iptables commands:

iptables -t nat -A PREROUTING -i br0 -p udp --dport 443 -j DNAT --to $(nvram get lan_ipaddr)

I got this code from http://www.dd-wrt.com/wiki/index.php/OpenDNS and changed the port to what I have set up when creating my config file.

When using the VPN connection and checking for DNS leaks, it now does not show my ISP as long as I have a secondary DNS in my DD-WRT router.

I have used 10.5.0.1 as my secondary DNS but am not sure if this is appropriate as it has it for TCP connections.

Also as I have not used iptables before I am not sure how appropriate the code is or if what I have done has any pitfalls.

Is there a better secondary DNS server to use and is this iptables coding ok?

Thank you for any help.

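An added example (not the poster's or AirVPN's rules; br0, tun1, VPN_SUBNET and the apply helper are assumptions) that forces LAN DNS to the 10.4.0.1 resolver mentioned in this thread and fails closed when the tunnel is down:

```shell
#!/bin/sh
# Added example (not the poster's own rules). Redirects every DNS query from
# the VPN side of the LAN to the VPN resolver named in this thread (10.4.0.1),
# so a client with a hard-coded ISP resolver still resolves through the tunnel,
# and drops any DNS that would leave by an interface other than tun1. DNS uses
# port 53 over UDP and TCP, so that is the port to redirect; redirecting the
# OpenVPN port instead does nothing for name lookups.
# Assumptions: LAN bridge br0, tunnel tun1, and VPN_SUBNET for the half of the
# LAN that is routed through the VPN (whole LAN by default).
LAN_IF="${LAN_IF:-br0}"
TUN_IF="${TUN_IF:-tun1}"
VPN_DNS="${VPN_DNS:-10.4.0.1}"
VPN_SUBNET="${VPN_SUBNET:-0.0.0.0/0}"

dns_rules() {
    for proto in udp tcp; do
        # nat PREROUTING rewrites the destination before routing, so the query
        # is then routed to 10.4.0.1, i.e. over the tunnel while it is up.
        echo "iptables -t nat -I PREROUTING -s $VPN_SUBNET -i $LAN_IF -p $proto --dport 53 -j DNAT --to-destination $VPN_DNS"
        # With the tunnel down the query would follow the WAN route instead;
        # "! -o tun1" drops exactly that case (this is the iptables negation
        # syntax asked about earlier in the thread).
        echo "iptables -I FORWARD -s $VPN_SUBNET -i $LAN_IF -p $proto --dport 53 ! -o $TUN_IF -j DROP"
    done
}

# Apply on the router. The router's own lookups are OUTPUT traffic and are not
# covered here; set 10.4.0.1 as the router's DNS server for those, as suggested above.
apply_dns_rules() {
    dns_rules | sh -e
}
```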