Closed Stealthii closed 1 year ago
Hi @Stealthii,
if I set up an Openconnect tunnel that gets the client address 10.91.1.100/24, all traffic in the remote 10.91.1.0/24 and beyond tunnel is able to access the UDM Pro over SSH, despite no forwards being set up.
Are you saying you can access the UDMP over SSH from the OpenConnect subnet clients through the UDM's OpenConnect IP 10.91.1.100 and not on its other IPs? Then, that's to be expected. If you type ss -tulpn | grep ":22", you can see that the UDM's dropbear/SSH server is listening on all IPs (0.0.0.0 or *). So the SSH server will be listening on 10.91.1.100. That's not something we can control since Ubiquiti did that. But you can add firewall rules to block all requests except what you need (see below).
The other issue is if I set up a specific port forward using PORT_FORWARDS_IPV4="both-22-10.21.101.25-22", the table gets updated with an "any-any" NAT rule:
If you check the NAT rule with -S instead of -L, like iptables -t nat -S, you can see that the NAT rule is only listening for requests incoming from your VPN interface.
-A VPN_PREROUTING -i tun0 -p tcp -m tcp --dport 22 -j DNAT --to-destination 10.21.101.25:22
-A VPN_PREROUTING -i tun0 -p udp -m udp --dport 22 -j DNAT --to-destination 10.21.101.25:22
So you can see that the rule says anything coming in (-i) on tun0 that is going to port 22 has its destination changed to the internal IP 10.21.101.25:22. So this rule definitely shouldn't be forcing all your network traffic through the VPN tunnel, since it's only for requests coming in from the VPN tunnel.
You control which UDMP networks/clients go through the VPN tunnel in vpn.conf (FORCED_* variables). What does your vpn.conf look like?
- all traffic coming in from the tunnel to be by default, filtered (no inbound except established)
- established connections based on my routes to flow through
- the UDM pro to not use the tunnel itself for any traffic (no multicast pings, discovery traffic)
You will need to add your own custom firewall rules to achieve this behaviour. You can either add them yourself with iptables (automated with this script's up/down hooks), or you can add them via the Unifi GUI (but it is more limited). I can help you craft the rules if you need some guidance.
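One way to craft those rules, as an added example that is not from this thread or the split-vpn project: the script below prints the iptables rules for the three wishes above (filter inbound from the tunnel except established, let established forwarded flows through, keep the UDM's own traffic off the tunnel) and can apply or remove them from your own up/down hook. It assumes the tunnel interface is tun0 (as in the NAT rules above), the chain name VPN_TUN_GUARD is our own, and 10.21.101.25:22 (the PORT_FORWARDS_IPV4 target from this thread) is the only new connection allowed in from the tunnel.

```shell
#!/bin/sh
# Added example (not from this thread or the split-vpn project).
# Assumptions: tun0 is the OpenConnect interface, VPN_TUN_GUARD is our own chain name,
# and 10.21.101.25:22 is the split-vpn port-forward target that must stay reachable.
TUN_IF="tun0"
CHAIN="VPN_TUN_GUARD"
FWD_HOST="10.21.101.25"
FWD_PORT="22"

# Print the rule set, one command per line, so it can be reviewed before being applied.
# Chain order: allow replies to existing flows, allow the one port-forward target,
# drop anything else arriving from the tunnel. The chain is hooked into INPUT (traffic
# to the UDM itself, e.g. SSH on its tunnel IP) and FORWARD (traffic to LAN hosts).
# OUTPUT rules stop the UDM from starting new connections (pings, discovery) over tun0.
rules() {
    cat <<EOF
iptables -N $CHAIN 2>/dev/null || iptables -F $CHAIN
iptables -A $CHAIN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A $CHAIN -d $FWD_HOST -p tcp --dport $FWD_PORT -m conntrack --ctstate NEW -j ACCEPT
iptables -A $CHAIN -m conntrack --ctstate INVALID -j DROP
iptables -A $CHAIN -j DROP
iptables -I INPUT 1 -i $TUN_IF -j $CHAIN
iptables -I FORWARD 1 -i $TUN_IF -j $CHAIN
iptables -I OUTPUT 1 -o $TUN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -I OUTPUT 2 -o $TUN_IF -j DROP
EOF
}

# Remove everything rules() added (jumps first, then the chain) for the down hook.
teardown() {
    cat <<EOF
iptables -D INPUT -i $TUN_IF -j $CHAIN
iptables -D FORWARD -i $TUN_IF -j $CHAIN
iptables -D OUTPUT -o $TUN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -D OUTPUT -o $TUN_IF -j DROP
iptables -F $CHAIN
iptables -X $CHAIN
EOF
}

# "up" applies the rules, "down" removes them, anything else only prints them.
main() {
    case "$1" in
        up)   rules | sh -e ;;
        down) teardown | sh ;;
        *)    rules ;;
    esac
}
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it with no argument first and check the printed rules against iptables -S INPUT/FORWARD/OUTPUT after applying; the port-forward ACCEPT line can be dropped if you do not use PORT_FORWARDS_IPV4.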
Hi @Stealthii,
This issue has become stale so I'm closing it, but if you ever have more questions, feel free to re-open!
I'm unable to effectively work out exactly where configuration goes awry here, but if I set up an Openconnect tunnel that gets the client address 10.91.1.100/24, all traffic in the remote 10.91.1.0/24 and beyond tunnel is able to access the UDM Pro over SSH, despite no forwards being set up.
The other issue is if I set up a specific port forward using PORT_FORWARDS_IPV4="both-22-10.21.101.25-22", the table gets updated with an "any-any" NAT rule:
This results in all requests going from my network through the tunnel interface, forwarding back to my local IP, and doesn't affect inbound traffic (doing the exact opposite of what I intended).
What is the correct behaviour/configuration here? I wish for:
PORT_FORWARDS_IPV4