peacey / split-vpn

A split tunnel VPN script for Unifi OS routers (UDM, UXG, UDR) with policy based routing.
GNU General Public License v3.0
801 stars 56 forks

split-vpn tunnels by default opening UDM Pro listening ports to tunnel traffic #110

Closed Stealthii closed 1 year ago

Stealthii commented 2 years ago

I'm unable to effectively work out exactly where configuration goes awry here, but if I set up an Openconnect tunnel that gets the client address 10.91.1.100/24, all traffic in the remote 10.91.1.0/24 tunnel network and beyond is able to access the UDM Pro over SSH, despite no forwards being set up.

The other issue is if I set up a specific port forward using PORT_FORWARDS_IPV4="both-22-10.21.101.25-22", the table gets updated with an "any-any" NAT rule:

Chain VPN4_PREROUTING (1 references)
target     prot opt source               destination
DNAT       tcp  --  anywhere             anywhere             tcp dpt:ssh to:10.21.101.25:22
DNAT       udp  --  anywhere             anywhere             udp dpt:ssh to:10.21.101.25:22
DNAT       udp  -- !10.91.1.9           !10.91.1.9            mark match 0x16c udp dpt:domain to:10.91.1.9:53
DNAT       tcp  -- !10.91.1.9           !10.91.1.9            mark match 0x16c tcp dpt:domain to:10.91.1.9:53

This results in all requests going from my network through the tunnel interface, forwarding back to my local IP, and doesn't affect inbound traffic (doing the exact opposite of what I intended).

What is the correct behaviour/configuration here? I wish for:

  • all traffic coming in from the tunnel to be by default, filtered (no inbound except established)
  • established connections based on my routes to flow through
  • the UDM pro to not use the tunnel itself for any traffic (no multicast pings, discovery traffic)

peacey commented 2 years ago

Hi @Stealthii,

> if I set up an Openconnect tunnel that gets the client address 10.91.1.100/24, all traffic in the remote 10.91.1.0/24 and beyond tunnel is able to access the UDM Pro over SSH, despite no forwards being set up.

Are you saying you can access the UDMP over SSH from the OpenConnect subnet clients through the UDM's OpenConnect IP 10.91.1.100 and not on its other IPs? Then, that's to be expected. If you type ss -tulpn | grep ":22", you can see that the UDM's dropbear/SSH server is listening on all IPs (0.0.0.0 or *). So the SSH server will be listening on 10.91.1.100. That's not something we can control since Ubiquiti did that. But you can add firewall rules to block all requests except what you need (see below).

> The other issue is if I set up a specific port forward using PORT_FORWARDS_IPV4="both-22-10.21.101.25-22", the table gets updated with an "any-any" NAT rule:

If you check the NAT rule with -S instead of -L like iptables -t nat -S, you can see that the NAT rule is only listening for requests incoming from your VPN interface.

-A VPN_PREROUTING -i tun0 -p tcp -m tcp --dport 22 -j DNAT --to-destination 10.21.101.25:22
-A VPN_PREROUTING -i tun0 -p udp -m udp --dport 22 -j DNAT --to-destination 10.21.101.25:22

So you can see that the rule says: for anything coming in (-i) on tun0 and going to port 22, change the destination to the internal IP 10.21.101.25:22. So this rule definitely shouldn't be forcing all your network traffic through the VPN tunnel, since it only applies to requests coming in from the VPN tunnel.

You control which UDMP networks/clients go through the VPN tunnel in vpn.conf (FORCED_* variables). What does your vpn.conf look like?

> • all traffic coming in from the tunnel to be by default, filtered (no inbound except established)
> • established connections based on my routes to flow through
> • the UDM pro to not use the tunnel itself for any traffic (no multicast pings, discovery traffic)

You will need to add your own custom firewall rules to achieve this behaviour. You can either add them yourself with iptables (automated with this script's up/down hooks), or you can add them via the Unifi GUI (but it is more limited). I can help you craft the rules if you need some guidance.
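One way to write the custom rules peacey describes, as an added example that is not split-vpn's code or anything posted in the thread: a small script meant to be called as `up` / `down` from the hooks mentioned above, implementing the three requested behaviours. It assumes the VPN interface is tun0, the forward target 10.21.101.25:22 from the issue, a chain name VPN_TUN_FILTER invented here, and an IPT variable that defaults to `echo iptables` so the commands are printed rather than applied.

```shell
#!/bin/sh
# Added example, not split-vpn's own code: firewall rules for the three wishes
# in the issue (drop new inbound from the tunnel, let established flows and the
# SSH port forward through, keep router-originated traffic off the tunnel).
# Assumptions: VPN interface tun0, a chain name VPN_TUN_FILTER we invent here,
# and IPT defaulting to "echo iptables" so the script prints the commands
# instead of applying them. Run as root with IPT=iptables from the up/down hook.
IPT="${IPT:-echo iptables}"
VPN_IF="${VPN_IF:-tun0}"
FWD_HOST="${FWD_HOST:-10.21.101.25}"   # LAN host behind the port forward in the issue
FWD_PORT="${FWD_PORT:-22}"
CHAIN="VPN_TUN_FILTER"

tunnel_up() {
  # Dedicated chain: reply traffic first, the one explicit forward, then drop.
  $IPT -N "$CHAIN" 2>/dev/null || $IPT -F "$CHAIN"   # reuse it if a previous run left it
  $IPT -A "$CHAIN" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  $IPT -A "$CHAIN" -d "$FWD_HOST" -p tcp --dport "$FWD_PORT" -j ACCEPT
  $IPT -A "$CHAIN" -j DROP
  # Insert at position 1 so the chain is consulted before whatever is already in
  # INPUT/FORWARD; INPUT covers the router's own listeners such as SSH on tun0.
  $IPT -I INPUT 1 -i "$VPN_IF" -j "$CHAIN"
  $IPT -I FORWARD 1 -i "$VPN_IF" -j "$CHAIN"
  # Locally generated traffic (discovery, multicast) may answer over the tunnel
  # but never start a new flow on it.
  $IPT -I OUTPUT 1 -o "$VPN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  $IPT -I OUTPUT 2 -o "$VPN_IF" -j DROP
}

tunnel_down() {
  # Remove the jumps first: a chain can only be deleted once nothing references it.
  $IPT -D INPUT -i "$VPN_IF" -j "$CHAIN"
  $IPT -D FORWARD -i "$VPN_IF" -j "$CHAIN"
  $IPT -D OUTPUT -o "$VPN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  $IPT -D OUTPUT -o "$VPN_IF" -j DROP
  $IPT -F "$CHAIN"
  $IPT -X "$CHAIN"
}

case "${1:-}" in
  up)   tunnel_up ;;
  down) tunnel_down ;;
esac
```

Check the result afterwards with `iptables -S INPUT`, `iptables -S FORWARD` and `iptables -S OUTPUT`, which show the rules in the same `-A`/`-I` form peacey uses above.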

peacey commented 1 year ago

Hi @Stealthii,

This issue has become stale so I'm closing it, but if you ever have more questions, feel free to re-open!