Just recently I got OpenVPN set up on my WRT54G (w/DD-WRT) to connect to the network at my workplace. However, I noticed that although the vpn tunnel was up, packets weren't traversing it. For a while I thought it was some odd routing issue, but then I realized that the issue was with the firewall config. I just assumed that the firewall config was automatically changed to allow VPN tunnel traffic.
So here's the problem. DD-WRT is meant, on it's face, to be a cutesy interface for average Joes, with some power-user features. I doesn't allow you to set custom firewall rules via the web interface. Furthermore, there's no flat file you can edit within the console to make changes. All configs get regenerated and overwritten on boot. The configuration alterations are actually stored in nvram. To see this data, just ssh to your DD-WRT and enter:
nvram show
Ahh. Brings back memories of configuring SpeedStream routers from scratch. Anyhow... Here's where you can see all the config that the DD-WRT uses to actually generate the volatile standardized conf files that sit in the ramdisk. You can actually see individual configuration variables if you'd like to alter or add to them by hand (instead of by web). For example, this will show you the NAT forwarding config:
nvram get forward_spec
You should see a list of strings showing the NAT config. It's all on one line with options separated by colons (and a ">") and delimited by spaces. That is, assuming you have any NAT entries configured.
But here's the fun part. I have 2 iptables rules that need to be inserted when the system boots to allow the VPN tunnel's traffic to pass:
iptables -I INPUT -i tun+ -j ACCEPT
iptables -I FORWARD -i tun+ -j ACCEPT
First, check to make sure you don't have any existing config that you may have to add:
nvram get rc_firewall
I can add this to the startup config by sending following commands:
nvram set rc_firewall="iptables -I INPUT -i tun+ -j ACCEPT
iptables -I FORWARD -i tun+ -j ACCEPT"
nvram commit
Copy this into notepad, edit it as you see fit, and paste it into your SSH session. After running them, just reboot to apply the change.
UPDATE 11/17/06: Apparently my habit of making solutions geekier than they have to be has bitten me again. It appears that if you simply browse to Administration > Commands (http://yourrouter/Diagnostics.asp), you can enter the commands there and hit "Save Firewall" to achieve the same effect. Damn. And here I thought I discovered something cool :-)
You must log in to post a comment.