How to OpenVPN firewall rules stick between reboots?

Hi alzhao!

I am using GL-Mifi as an OpenVPN “road warrior” client to my pfSense-based OpenVPN server. It runs the latest “lede-mifi-2.271.bin” firmware. It recognized OpenVPN configuration exported by pfSense instantly. It is set to automatically connect the OpenVPN after boot.

The only issue I have that while I can connect from behind GL-Mifi to any network device behind the pfSense OpenVPN server network in the office, I can only connect from the office to the GL-Mifi and not the devices behind it.

To fix this, I have to modify GL-Mifi’s firewall settings every time it is powered on, by adding “option input ACCEPT” and “option forward ACCEPT” to the VPN_client interface; also to add forward rules between LAN and VPN_client interface.
This makes it work, but the problem is that the firewall rule is lost after re-connect, reboot or power-off.

I need to always re-enter the rules manually.

Is there a way to make the rule survive reboots? Maybe alter the auto-generated rule when OpenVPN connects to automatically contain the forwarding options needed?

Thanks: Robert

What is the reason that these rules must be added? Is there any specific setting of pfSense server?

You can check /usr/bin/setvpnfirewall and /etc/init.d/startvpn and modify the script as your want.

Because I need to see networks behind routers from both directions, not only from GL-Mifi side. Need to see what’s behind GL-Mifi from pfSense side too. Pretty much like here was the issue. Nothing special about pfSense, it’s only special about the way I want to use it, similar like a site-to-site connection.

Thanks for the tip!

In /usr/bin/setvpnfirewall you have to uncomment the last 3 lines in set_vpn_config, and change vpn_zone.forward to ‘ACCEPT’:

All you need is to find the section below and change it from

set_vpn_config() {
            uci set firewall.vpn_zone=zone
            uci set firewall.vpn_zone.name='VPN_client'
            uci set firewall.vpn_zone.input='ACCEPT'
            uci set firewall.vpn_zone.forward='REJECT'
            uci set firewall.vpn_zone.output='ACCEPT'
            uci set firewall.vpn_zone.network='VPN_client'
            uci set firewall.vpn_zone.masq='1'
            uci set firewall.forwarding_vpn1='forwarding'
            uci set firewall.forwarding_vpn1.dest='VPN_client'
            uci set firewall.forwarding_vpn1.src='lan'
    #       uci set firewall.forwarding_vpn2='forwarding'
    #       uci set firewall.forwarding_vpn2.src='VPN_client'
    #       uci set firewall.forwarding_vpn2.dest='lan'
}

to

set_vpn_config() {
        uci set firewall.vpn_zone=zone
        uci set firewall.vpn_zone.name='VPN_client'
        uci set firewall.vpn_zone.input='ACCEPT'
        uci set firewall.vpn_zone.forward='ACCEPT'
        uci set firewall.vpn_zone.output='ACCEPT'
        uci set firewall.vpn_zone.network='VPN_client'
        uci set firewall.vpn_zone.masq='1'
        uci set firewall.forwarding_vpn1='forwarding'
        uci set firewall.forwarding_vpn1.dest='VPN_client'
        uci set firewall.forwarding_vpn1.src='lan'
        uci set firewall.forwarding_vpn2='forwarding'
        uci set firewall.forwarding_vpn2.src='VPN_client'
        uci set firewall.forwarding_vpn2.dest='lan'
}

and the firewall rules will be generated correctly at connection and boot for site-to-site traffic in both directions!!!

Thank you!

(this is not a bug, as most users don’t need it for just remote access, if you don’t use your own OpenVPN server with GL-Mifi, don’t do these mods for security reasons)

I’m running into the same issue with the latest firmware, but I do not see /usr/bin/setvpnfirewall

Is there another place this config is located?

You may need to check the following script, which is more complicated than the older version.

cat /etc/init.d/startvpn

I’m also struggling with firewall rules changing at boot. I have my /etc/config/firewall file set to look like this:

When ovpn disconnects, the ovpn zone and those purple ovpn forwardings go away (thanks to /etc/init.d/startvpn). When the openvpn client it reconnects, they reappear. This works great until a reboot, when my firewall rules get changed to:

You can see there are three changes being made somewhere in the boot process, neither of which are desired. First there is a forwarding rule added to forward lan → wan (I don’t want this, as the other side of the split tunnel, lan_unsec, should go out through wan, while lan should only be able to go out through ovpn). The other undesired change is removal of two reciprocal forwarding rules, allowing both sides of the split tunnel to reach eachother locally, lan → lan_unsec and lan_unsec → lan. These are removed somewhere during the boot process also.

I’ve already removed the lan → wan forwarding in /etc/init.d/startvpn, by doing this:

ovpn_firewall_start() {
set_ovpn_config add
lan2wan_forwarding disable

uci commit firewall
/etc/init.d/firewall reload &
# flush old connecting
echo " " >/proc/net/nf_conntrack
}

ovpn_firewall_stop() {
set_ovpn_config del
lan2wan_forwarding disable

uci commit firewall
/etc/init.d/firewall reload &
}

I’ve also commented out this section from /etc/vpn.user:

# Load default rules
# if [ "$INTERFACE" = "ovpn" ]; then
# # add default rules and force to main table
# [ -z "$(ip route list | grep -E "0.0.0.0/1 (.*) $DEVICE" 2>/dev/null)" ] && {
# ip route add 0.0.0.0/1 dev $DEVICE 2>/dev/null
# ipset add mwan3_connected_v4 0.0.0.0/1 2>/dev/null
# }
# [ -z "$(ip route list | grep -E "128.0.0.0/1 (.*) $DEVICE" 2>/dev/null)" ] && {
# ip route add 128.0.0.0/1 dev $DEVICE 2>/dev/null
# ipset add mwan3_connected_v4 128.0.0.0/1 2>/dev/null
# }
# fi

I’ve tried booting with glfw and firewall_gl both disabled, the changes still happen. Any idea where my firewall config is being overwritten at boot?

1 Like

Well, not the most elegant or efficient solution, but temporarily until I can find what is overwriting my rules at boot, I just saved a static version of my desired firewall config and added the instruction cat /desired_fw_config > /etc/config/firewall to the end of /etc/rc.local. If anyone has details on which process(es) write firewall configurations during boot that I’ve overlooked, I’d be curious to know!

Thanks @alzhao! For those still having this issue also in WIREGUARD, in version 3.105 you have to change the /etc/init.d/wireguard file. Just search for the word “DROP” and replace it by ACCEPT, save the change and the new setting will be persistent.

1 Like