

Asus – AC68U , OSPF, DD-WRT, OpenVPN, F/W, r40854

Despite a few quirks, I wanted to post some highlights (a success story) of using the r40854 firmware on the Asus AC68U and some of DD-WRT's capabilities with this firmware.  It took some time to try this with various firmware versions, and this appears to be the most stable combination so far:

    OSPF works
    VPN works, but only if configured manually.
        3 issues:
                CA cert can't be saved through the UI.  It simply disappears when saving or applying.
                Network can't be saved through the UI.  It simply disappears when saving or applying.
                TLS ta.key has the wrong permissions.  Fixing them manually appears to persist across reboots.
    tcpdump works

    

Since OSPF works, pairing up with other Asus AC68U routers running OSPF, or even with Cisco devices such as the
Cisco 3750G or Cisco WS-C4948-10GE switches that run OSPF, works perfectly.


Would be great to have these in the latest release of the firmware for the Asus AC68U:

    Cron not working.  I need to use an external host with passwordless SSH keys to execute something periodically.
    Fully working VPN settings page: fix saving the CA cert and Network.  (The VPN won't start without these.)
    OSPF working as it does in r40854.
    tcpdump working as it does in the r40854 firmware.  It doesn't in others I've tried (see my earlier posts).

    

Conclusion:

Both of my Asus AC68Us are running this version and are set to OSPF Router instead of Gateway or simply Router.  I never want to go back to the previous setup.  It gives me the best network performance while supporting multiple VLANs for my equipment to isolate network noise.  I strongly recommend OSPF over Gateway.

OSPF Config

!
! Zebra configuration saved from vty
!   2019/12/13 08:12:53
!
frr version 7.1
frr defaults traditional
!
hostname DD-WRT-INTERNET-ASUS
domainname 
log file /jffs/ospf/ospf.log
!
# debug ospf ism
# debug ospf nsm
# debug ospf lsa
# debug ospf zebra
# debug ospf nssa
# debug ospf packet all
!
!
!
!
router ospf
 ospf router-id 192.168.0.100
 log-adjacency-changes
 network 192.168.0.0/24 area 0
!
line vty
!

ZEBRA Config

!
! Zebra configuration saved from vty
!   2019/12/13 08:12:53
!
frr version 7.1
frr defaults traditional
!
hostname DD-WRT-INTERNET-ASUS
domainname 
!
!
!
!
!
!
!
line vty
!


FIREWALL Rules for OSPF / Zebra


# ----------------------
# OSPF (IP protocol 89) for exchanging routing database information.
# ----------------------
iptables -A INPUT -p 89 -j ACCEPT
iptables -A OUTPUT -p 89 -j ACCEPT
# ----------------------
# ICMP - Allow ICMP type 3 (destination unreachable) to the WAN address.
# Note: because -s is also the WAN address, this only matches packets the router sourced itself.
# ----------------------
iptables -A INPUT -p icmp --icmp-type 3 -s $(nvram get wan_ipaddr) -d $(nvram get wan_ipaddr) -m state --state ESTABLISHED,RELATED -j ACCEPT

# ----------------------
# ICMP - Allow ICMP type 0 (echo reply) from outside, for pings the router itself sent.
# ----------------------
iptables -A INPUT -p icmp --icmp-type 0 -d $(nvram get wan_ipaddr) -m state --state ESTABLISHED,RELATED -j ACCEPT
# Loopback traffic.
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT


# -----------------------------------
# NAT Rules (from Gateway Config)
# Needed for web access.
# -----------------------------------
iptables -t nat -I POSTROUTING -s 192.168.45.0/24 -j SNAT --to $(nvram get wan_ipaddr)
iptables -t nat -I POSTROUTING -s 192.168.75.0/24 -j SNAT --to $(nvram get wan_ipaddr)
iptables -t nat -I POSTROUTING -s 10.0.0.0/24 -j SNAT --to $(nvram get wan_ipaddr)                    # Per VLAN
iptables -t nat -I POSTROUTING -s 10.10.0.0/24 -j SNAT --to $(nvram get wan_ipaddr)
iptables -t nat -I POSTROUTING -s 10.20.0.0/24 -j SNAT --to $(nvram get wan_ipaddr)
iptables -t nat -I POSTROUTING -s 10.30.0.0/24 -j SNAT --to $(nvram get wan_ipaddr)
iptables -t nat -I POSTROUTING -s 192.168.0.0/24 -j SNAT --to $(nvram get wan_ipaddr)
iptables -t nat -I POSTROUTING -m mark --mark 0x80000000/0x80000000 -j MASQUERADE

# ----------------------
# ICMP - 10.0.0.X
# ----------------------
iptables -A INPUT -p icmp --icmp-type 0 -s 10.0.0.0/24 -d 192.168.0.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 0 -s 192.168.0.0/24 -d 10.0.0.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -s 10.0.0.0/24 -d 192.168.0.0/24 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 8 -s 192.168.0.0/24 -d 10.0.0.0/24 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 3 -s 10.0.0.0/24 -d 192.168.0.0/24 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 3 -s 192.168.0.0/24 -d 10.0.0.0/24 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
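The OSPF rules above accept IP protocol 89 on every interface, the WAN included, and the `router ospf` stanza runs without authentication, so anything that can reach an interface the router listens on can speak OSPF to it. The script below is an added example, not part of the original post or of DD-WRT. It emits OSPF firewall rules restricted to the LAN bridge (hellos and DR/BDR traffic go to 224.0.0.5 and 224.0.0.6; database description, request and retransmission packets are unicast to the router's own address, hence the third rule), applies each rule only if `iptables -C` says it is absent, and prints the FRR/Quagga stanzas that turn on OSPFv2 MD5 authentication on the interface and area 0. The interface `br0`, the subnet, the router address 192.168.0.100 (the post's router-id), the key id, the key itself and the `DRYRUN` switch are assumptions; `-p 89` is used rather than `-p ospf` because the router may have no /etc/protocols.

```shell
#!/bin/sh
# Added example: interface-restricted OSPF firewall rules plus MD5 authentication stanzas for FRR.
# Not from the original post or DD-WRT.  Assumed values: OSPF segment br0 / 192.168.0.0/24,
# router address 192.168.0.100, key id 1, a placeholder key, and DRYRUN=1 (print, don't apply).
LAN_IF="${LAN_IF:-br0}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
ROUTER_IP="${ROUTER_IP:-192.168.0.100}"
KEY_ID="${KEY_ID:-1}"
OSPF_KEY="${OSPF_KEY:-change-me}"     # assumed secret; OSPFv2 MD5 keys are at most 16 characters
DRYRUN="${DRYRUN:-1}"                  # 1 = echo the iptables commands instead of running them

# One rule per line in iptables argument form.  Compare with the post's "-p 89 -j ACCEPT"
# on all interfaces: these only match the LAN bridge, and OSPF arriving elsewhere is dropped.
ospf_rules() {
    cat <<EOF
-A INPUT -i $LAN_IF -p 89 -s $LAN_NET -d 224.0.0.5 -j ACCEPT
-A INPUT -i $LAN_IF -p 89 -s $LAN_NET -d 224.0.0.6 -j ACCEPT
-A INPUT -i $LAN_IF -p 89 -s $LAN_NET -d $ROUTER_IP -j ACCEPT
-A OUTPUT -o $LAN_IF -p 89 -s $ROUTER_IP -j ACCEPT
-A INPUT ! -i $LAN_IF -p 89 -j DROP
EOF
}

# Apply each rule once: "iptables -C" exits non-zero when the rule is not present yet,
# so re-running the script (e.g. from cron) does not pile up duplicates.
apply_rules() {
    ospf_rules | while read -r rule; do
        check=$(printf '%s' "$rule" | sed 's/^-A /-C /')
        if [ "$DRYRUN" = 1 ]; then
            echo "iptables $rule"
        elif ! iptables $check >/dev/null 2>&1; then   # unquoted on purpose: word-splitting builds argv
            iptables $rule
        fi
    done
}

# FRR/Quagga stanzas for OSPFv2 MD5 authentication on the segment.  Paste into vtysh on every
# router on the segment (same key id and key), then "write"; unauthenticated neighbours drop out.
ospf_auth_config() {
    cat <<EOF
interface $LAN_IF
 ip ospf message-digest-key $KEY_ID md5 $OSPF_KEY
 ip ospf authentication message-digest
!
router ospf
 area 0 authentication message-digest
!
EOF
}

# Number of firewall rules emitted (handy when checking the chain afterwards).
rule_count() { ospf_rules | wc -l | tr -d ' '; }

# Usage: sh ospf-harden.sh (prints the commands); DRYRUN=0 sh ospf-harden.sh applies them on the router.
if [ "${0##*/}" = "ospf-harden.sh" ]; then
    apply_rules
    ospf_auth_config
fi
```

Run it with `DRYRUN=1` first and compare the printed commands with `iptables -nvL INPUT`; once the rules and the MD5 key are in place on both routers, `vtysh -c "show ip ospf neighbor"` should still list the peer in Full state.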


VPN Specific F/W Rules

# ----------------------
# VPN Specific
# ----------------------
iptables -A INPUT -p tcp --dport 11194 -j ACCEPT
iptables -A INPUT -p udp --dport 11194 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 11194 -j ACCEPT
iptables -A OUTPUT -p udp --dport 11194 -j ACCEPT

# HTTPS from VPN clients to the router's LAN address (--dport needs -p tcp to be valid).
iptables -A INPUT -p tcp -s 10.1.1.0/24 -d 192.168.0.0/24 --dport 443 -j ACCEPT
iptables -A OUTPUT -d 10.1.1.0/24 -s 192.168.0.0/24 -j ACCEPT

# Inserted at position 1 so these sit ahead of any DROP rules already in the chain.
iptables -I INPUT 1 -p tcp --dport 11194 -j ACCEPT
iptables -I FORWARD 1 --source 10.1.1.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -j MASQUERADE


VPN Specific Configuration

dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
keepalive 10 120
verb 3
mute 3
syslog
writepid /var/run/openvpnd.pid
management 127.0.0.1 14
management-log-cache 100
topology subnet
script-security 2
port 11194
proto tcp4-server
cipher aes-256-cbc
auth sha256
client-connect /tmp/openvpn/clcon.sh
client-disconnect /tmp/openvpn/cldiscon.sh
client-config-dir /jffs/etc/openvpn/ccd
comp-lzo adaptive
# Note: OpenVPN's own documentation recommends against compression because of compression-oracle
# attacks on the tunnel (VORACLE).  If you turn it off here, the client's comp-lzo line must change to match.
tls-server
ifconfig-pool-persist /tmp/openvpn/ip-pool 86400
client-to-client
push "redirect-gateway def1"
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
auth-nocache
tcp-nodelay
tun-mtu 1500
mtu-disc yes
server 10.1.1.0 255.255.255.0
dev tun2
tls-auth /tmp/openvpn/ta.key 0
# ta.key should be readable only by root (chmod 600); OpenVPN warns when it is group/other accessible.
push "dhcp-option DNS 192.168.0.150"
push "dhcp-option DNS 192.168.0.151"
push "dhcp-option DNS 192.168.0.152"
push "route 192.168.0.0 255.255.255.0"
push "route 10.0.0.0 255.255.255.0"
push "route 10.10.0.0 255.255.255.0"
push "route 10.20.0.0 255.255.255.0"
push "route 10.30.0.0 255.255.255.0"

OpenVPN Client Config ( Windows 10 )

# cat client.ovpn  | grep -Ev ";|#" | sed -e "/^$/d"
client
dev tun2
proto tcp
remote access.mysite.com 11194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert TomK.crt
key TomK.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
auth SHA256
comp-lzo
verb 3
auth-nocache

UI VPN Config Page:

https://i0.wp.com/www.microdevsys.com/WordPressImages/OpenVPN-GUI-Configuration-Page.JPG?ssl=1

DNSMasq additional options for the above page (the screenshot below calls it the Masquerade configuration):

expand-hosts
interface=br0,tun2
listen-address=127.0.0.1,192.168.0.100,10.1.1.1

https://i0.wp.com/www.microdevsys.com/WordPressImages/OpenVPN-GUI-Masquerade-Configuration-Page.JPG?ssl=1

The rest of the VPN configuration is pretty much exactly what you find on the official page:

https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795

CRONTAB (remote Linux host; DD-WRT cron isn't working for me right now)


# DD-WRT

# Block WEB traffic by MAC after a certain time.  (ssh takes -p for the port; scp takes -P.)
*/10 * * * * scp -P 22022 /root/bin/rested.sh root@192.168.0.100:/jffs/; ssh -p 22022 root@192.168.0.100 "chmod 750 /jffs/rested.sh; /jffs/rested.sh";

# Reboot the router every day near 5AM.
57 4 * * * ssh -p 22022 root@192.168.0.100 "startservice run_rc_shutdown; /sbin/reboot";

# VPN UI saving issue workaround.
* * * * * scp -P 22022 /root/bin/openvpn-conf.sh root@192.168.0.100:/jffs/; ssh -p 22022 root@192.168.0.100 "chmod 750 /jffs/openvpn-conf.sh; /jffs/openvpn-conf.sh; grep -Ei vpn /var/log/messages";


Block WEB traffic by device MAC (parental controls; guess it sucks to have a dad who knows IT):


# cat /root/bin/rested.sh
#!/bin/ash
#
# This script runs on the primary house router (copied to /jffs/ by the remote host's cron) and blocks the
# iPads, TVs and kids' laptops from accessing youtube.com during the configured hours.
#
# Block youtube.com (ex).
#
#
# nslookup       172.217.1.174
# Name:      172.217.1.174
# Address 1: 172.217.1.174 yyz10s04-in-f14.1e100.net
#
# Name:      172.217.2.174
# Address 1: 172.217.2.174 yyz10s06-in-f14.1e100.net
#
# REF: http://io.sivuduuni.biz/block-youtube-with-iptables/
#
#

CHAIN="youtube.com";
CDATE=$(date +"%H%M%S");
MOI=$(basename "$0");
TSTART=210000;      # 21:00:00
TSTOP=125959;       # 12:59:59 the next day
CDAY=$(date +%A);
DCOND=0;
DOW="Monday Tuesday Wednesday Thursday Friday";
# DOW="Sunday Monday Tuesday Wednesday Thursday Friday Saturday";
# The two addresses from the nslookup above plus the surrounding /16.
DESTIPL="172.217.1.174 172.217.2.174 172.217.0.0/16";
MACLIST="B4:1C:FF:59:95:13 A4:8D:3B:FF:55:A3 C4:1C:FF:F9:3C:C2 35:1D:FF:F9:9F:8E 78:34:BF:C7:9C:7E 01:71:CC:68:A2:1B F9:A9:61:72:4E:C5 40:C2:30:73:D6:9F B8:86:CD:D7:87:37 68:86:DD:D7:47:A8 38:B5:C7:32:8C:54 78:A5:B7:32:3C:B8";

# Alternate reject line (unused; swap it for "-j DROP" below to reject instead of silently dropping).
CREJECT="-m state --state ESTABLISHED -j REJECT --reject-with icmp-port-unreachable";

# DROP and ADD flag.  Indicates if a block already ran and skips future iterations.
# /tmp is cleared on reboot, and so are the iptables rules, so the flag and the rules stay in step.
FLAGF="/tmp/added-$MOI";

# Properly decipher the range between days.  POSIX [ ] compares the HHMMSS values as decimal integers
# (leading zeros such as 081253 are fine) and works in any sh.
if [ "$TSTART" -gt "$TSTOP" ]; then
        # Window wraps past midnight.
        if [ "$CDATE" -gt "$TSTART" ] || [ "$CDATE" -lt "$TSTOP" ]; then DCOND=1; fi
else
        if [ "$CDATE" -gt "$TSTART" ] && [ "$CDATE" -lt "$TSTOP" ]; then DCOND=1; fi
fi

if [ "$DCOND" -eq 1 ] && echo "$DOW" | grep -q "$CDAY"; then

        if [ ! -r "$FLAGF" ]; then

                # Create the named CHAIN if it does not exist yet.
                if ! iptables -nL "$CHAIN" >/dev/null 2>&1; then
                        iptables -N "$CHAIN";
                fi

                # FORWARD all listed MAC addresses to the named CHAIN.
                for MAC in $MACLIST; do
                        iptables -A FORWARD -m mac --mac-source "$MAC" -j "$CHAIN";
                done

                for IP in $DESTIPL; do
                        iptables -A "$CHAIN" -d "$IP" -j DROP;
                        iptables -A "$CHAIN" -s "$IP" -j DROP;
                done
                touch "$FLAGF";
        else
                echo "No Action.  The provided IP's are already blocked.";
        fi

else

        if [ -r "$FLAGF" ]; then
                # Remove the FORWARD jumps first: a chain cannot be deleted while rules still reference it.
                for MAC in $MACLIST; do
                        iptables -D FORWARD -m mac --mac-source "$MAC" -j "$CHAIN";
                done
                # Then flush (drops the per-IP rules) and delete the chain, once, not once per IP.
                iptables -F "$CHAIN";
                iptables -X "$CHAIN";
                rm -f "$FLAGF";
        else
                echo "No Action.  The provided IP's are already unblocked.";
        fi
fi

OpenVPN Code to configure and start OpenVPN Server on the DD-WRT router:

# cat /root/bin/openvpn-conf.sh

#!/bin/sh
# Work around the UI not saving the CA cert: copy the hand-written config and CA from /jffs (persistent)
# into /tmp/openvpn (where DD-WRT expects them) and start the server if it is not already running.

/bin/cp /jffs/openvpn.conf /tmp/openvpn/
/bin/cp /jffs/ca.crt /tmp/openvpn/

# The [Ff] in the pattern stops grep from matching its own command line in the ps output.
if ps | grep -Ei "openvpn\.con[Ff]" 1>/dev/null 2>&1; then
        if ! grep -q "OpenVPN server is running" /var/log/messages; then
                echo "$(date) OpenVPN server is running." >> /var/log/messages;
        fi
else
        echo "No VPN running.  Starting a new instance.";
        # Verbosity comes from "verb 3" in the config; OpenVPN only accepts options with a leading "--".
        openvpn --config /tmp/openvpn/openvpn.conf --up /tmp/openvpn/route-up.sh --down /tmp/openvpn/route-down.sh --daemon --mode server;
fi
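Two of the failure modes described in this post (the ta.key permissions and the CA cert that vanishes from the UI) only show up when OpenVPN logs a warning or refuses to start. The script below is an added example, not part of the original post or of DD-WRT: a preflight check meant to run before the start script above. It parses the server config, verifies that every referenced file (`ca`, `cert`, `key`, `dh`, `tls-auth`, `tls-crypt`) exists, flags key material that is group- or world-readable (OpenVPN warns about that; `chmod 600` silences it), and flags compression, which OpenVPN's documentation recommends leaving off because of compression-oracle attacks. The default config path, the `FIX` switch and the file names in the usage line are assumptions; the direction flag after the `tls-auth` path is ignored when resolving the file.

```shell
#!/bin/sh
# Added example: preflight checks for the OpenVPN server config before starting the daemon.
# Not part of the original post or of DD-WRT.  Assumes the config is /tmp/openvpn/openvpn.conf
# unless a path is given; FIX=1 tightens permissions instead of only reporting them.
CONF="${1:-/tmp/openvpn/openvpn.conf}"
FIX="${FIX:-0}"

# Print the path argument of a file directive (ca, cert, key, dh, tls-auth, tls-crypt).
# "tls-auth ta.key 0" carries a direction flag after the path; only field 2 is printed.
conf_file() {   # $1 = config path, $2 = directive
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# Exit 0 when group or others have any permission bit on the file (parses ls -l; busybox-safe).
group_other_accessible() {
    ls -ld "$1" | cut -c5-10 | grep -q '[rwx]'
}

# Exit 0 when the config enables compression: "comp-lzo" without "no", or "compress <algorithm>".
compression_enabled() {
    awk '
        $1 == "comp-lzo" && $2 != "no"                                  { found = 1 }
        $1 == "compress" && NF > 1 && $2 != "stub" && $2 != "stub-v2"   { found = 1 }
        END { exit !found }' "$1"
}

# Run every check, print findings, and return the number of problems (0 = safe to start).
openvpn_preflight() {   # $1 = config path
    conf="$1"; problems=0
    dir=$(dirname "$conf")
    for d in ca cert key dh tls-auth tls-crypt; do
        f=$(conf_file "$conf" "$d")
        [ -z "$f" ] && continue
        case "$f" in /*) ;; *) f="$dir/$f" ;; esac      # relative paths resolve next to the config
        if [ ! -r "$f" ]; then
            echo "MISSING: $d -> $f (the UI may have dropped it; copy it back from /jffs)"
            problems=$((problems + 1)); continue
        fi
        case "$d" in
            key|tls-auth|tls-crypt)
                if group_other_accessible "$f"; then
                    if [ "$FIX" = 1 ]; then
                        chmod 600 "$f"; echo "FIXED: chmod 600 $f"
                    else
                        echo "PERMS: $f is group/other accessible (chmod 600 it)"
                        problems=$((problems + 1))
                    fi
                fi ;;
        esac
    done
    if compression_enabled "$conf"; then
        echo "COMPRESSION: enabled in $conf; disable it on server and clients unless you accept the risk"
        problems=$((problems + 1))
    fi
    return $problems
}

# Usage: sh openvpn-preflight.sh [/tmp/openvpn/openvpn.conf] && /jffs/openvpn-conf.sh
if [ "${0##*/}" = "openvpn-preflight.sh" ]; then
    openvpn_preflight "$CONF"
fi
```

Chained with `&&` in front of the start script, a missing CA file or a world-readable ta.key stops the start and prints why, instead of leaving you to dig the reason out of /var/log/messages a minute later.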

 

Cheers,
IM

Important Notes: The above is not 100% refined.  Tweaks and issues are certainly possible.  Please keep this in mind.



     
  Copyright © 2003 - 2013 Tom Kacperski (microdevsys.com). All rights reserved.

Creative Commons License
This work is licensed under a Creative Commons Attribution 3.0 Unported License