Protect Your VPN with DD-WRT - Network Security

Securing VPN Services with Wake-on-LAN
Previously, we demonstrated a method for initiating Wake-on-LAN (WOL) remotely through "Port Knocking" configured on your router.
This article details how to leverage this capability to enhance the security of a VPN service.
Understanding the Security Benefit
By integrating WOL with your VPN setup, you can significantly reduce the attack surface exposed to potential threats.
The core principle involves keeping the VPN server in a powered-off state until a secure connection attempt is detected.
How it Works
Instead of having the VPN server constantly running and listening for connections, it remains off by default.
When a VPN connection is initiated, the port knocking sequence triggers the server to power on via WOL.
This ensures that the VPN service is only active when needed, minimizing the window of opportunity for attackers.
Implementation Steps
- Configure your router for port knocking, as outlined in the previous article.
- Set up your VPN server to support WOL. This typically involves BIOS and operating system settings.
- Ensure the port knocking sequence is correctly linked to the WOL magic packet transmission.
- Test the setup thoroughly to confirm reliable activation of the VPN server upon connection request.
Advantages of this Approach
This method offers several key advantages:
- Reduced Attack Surface: The VPN server is offline most of the time, making it a less attractive target.
- Energy Savings: Powering off the server when not in use conserves energy.
- Enhanced Security: Adds an extra layer of protection against unauthorized access.
Image courtesy of Aviad Raviv and bfick.
Implementing this strategy provides a proactive security measure for your VPN service, utilizing the power of Wake-on-LAN and Port Knocking.
Securing VPN Access with Port Knocking
Individuals familiar with DD-WRT’s integrated VPN features, or those operating a separate VPN server on their network, may find value in bolstering its security against brute-force attacks. This can be achieved by implementing a port knocking sequence as a preliminary access control measure.
This method effectively filters out less sophisticated attackers attempting unauthorized network access. However, it’s crucial to remember, as highlighted previously, that port knocking should not be considered a substitute for robust passwords and comprehensive security protocols.
Despite its benefits, an attacker with sufficient time and resources could potentially discover and replicate the knock sequence, compromising its effectiveness.
Considerations for Implementation
A key aspect to understand is that implementing port knocking requires VPN clients to initiate the knock sequence before attempting a connection. If a client is unable to successfully complete this sequence, VPN access will be denied.
Therefore, careful consideration must be given to the potential impact on legitimate users and their ability to reliably connect to the VPN.
Understanding the Trade-offs
- Enhanced Security: Port knocking adds a layer of obfuscation, making brute-force attacks more difficult.
- Usability Impact: Requires an extra step for VPN clients, potentially causing connection issues.
- Not a Panacea: It's a supplementary security measure, not a replacement for strong passwords and policies.
Security is paramount, but it should be balanced with user experience. A well-configured system will prioritize both.
Securing Your VPN Service
Protecting your VPN service requires initially preventing unauthorized connections. This is accomplished by blocking the default port used for instantiation, which is 1723. We will utilize iptables to achieve this, as it’s the standard method for filtering network traffic on most Linux and GNU-based systems, including DD-WRT.
For detailed information regarding iptables, consult its official wiki documentation. Additionally, a prior article on our site provides further insights into its functionality.
Implementing Port Knocking
After securing the service, a knock sequence will be implemented. This sequence will briefly open the VPN instantiation port on demand.
The port will automatically close after a predetermined duration, ensuring ongoing security while maintaining active VPN sessions.
VPN Type Flexibility
This guide uses PPTP as a demonstration. However, the same principles can be applied to other VPN protocols.
Simply adjust the blocked port and communication method to match the specific VPN type you are using.
Key Considerations
- iptables is crucial for network traffic control.
- The knock sequence provides temporary access.
- Automatic port closure enhances security.
- This method is adaptable to various VPN types.
Understanding Prerequisites, Assumptions, and Recommendations
Successful implementation necessitates an Opkg-enabled DD-WRT router. Prior completion of the steps detailed in the "How To Knock Into Your Network (DD-WRT)" guide is also a prerequisite. A foundational understanding of networking principles is assumed for optimal comprehension.
Let's proceed with the configuration.
The Default "Block new VPNs" Rule in DD-WRT
The "code" snippet provided here should work on any Linux/GNU distribution that uses iptables; however, this guide focuses specifically on DD-WRT because of the variety of configurations found elsewhere. Implementing it directly on the VPN server is also possible, though outside the scope of this document.
To enhance the router’s Firewall, we will add to the existing "Firewall" script. This ensures the iptables command is executed each time the firewall is refreshed, persistently maintaining our modifications.
Access the configuration through DD-WRT's Web-GUI:
- Navigate to "Administration" then "Commands".

- Input the following code into the text box:

inline="$( iptables -L INPUT -n | grep -n "state RELATED,ESTABLISHED" | awk -F: '{print $1}' )"
inline=$(($inline-2+1))
iptables -I INPUT "$inline" -p tcp --dport 1723 -j DROP

- Select "Save Firewall".
- The process is now complete.
Decoding the Command
The command performs the following actions:
- It identifies the iptables line that permits established connections. This is crucial because, on DD-WRT routers with an enabled VPN service, the VPN rule will be positioned immediately below this line.
- Placing our DROP rule directly below that line is vital to our objective of allowing existing VPN sessions to remain active following the knocking event.
- The command subtracts two from the output of the listing command to compensate for the informational column headers. Subsequently, one is added to the result, ensuring the new rule is inserted directly after the rule allowing established connections.
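As an added example (not code from the original article), the following Python reproduces the line-number arithmetic of the one-liner against a constructed `iptables -L INPUT -n` listing, and also covers the case the one-liner does not handle: when no RELATED,ESTABLISHED rule exists, the shell expression evaluates to -1 and iptables rejects the insert. The listing layout and `insert_rule` model are assumptions for illustration.

```python
# Constructed sample of `iptables -L INPUT -n` output from a DD-WRT router with
# the PPTP service enabled. Assumed layout, not captured from a real device.
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:520
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:1900
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:1723
ACCEPT     47   --  0.0.0.0/0            0.0.0.0/0
DROP       0    --  0.0.0.0/0            0.0.0.0/0
"""

HEADER_LINES = 2  # "Chain INPUT (...)" and the column header row of `iptables -L`

def established_rule_number(listing):
    """1-based INPUT rule number of the first rule matching
    'state RELATED,ESTABLISHED', i.e. the grep -n line number minus the two
    header lines. Returns None when the rule is absent."""
    for line_no, line in enumerate(listing.splitlines(), start=1):
        if "state RELATED,ESTABLISHED" in line:
            return line_no - HEADER_LINES
    return None

def block_rule_position(listing):
    """Where the new DROP rule goes: directly below the established-connections
    rule (the page's `$inline - 2 + 1`). Refuses to guess if that rule is missing;
    the one-liner would hand iptables an invalid rule number instead."""
    rule = established_rule_number(listing)
    if rule is None:
        raise ValueError("no 'state RELATED,ESTABLISHED' rule in INPUT")
    return rule + 1

def build_block_command(listing, port=1723):
    """Render the iptables command the Firewall script ends with."""
    return f"iptables -I INPUT {block_rule_position(listing)} -p tcp --dport {port} -j DROP"

def insert_rule(listing, position, rule_text):
    """Model `iptables -I INPUT <position>`: the new rule becomes rule number
    <position>, pushing the rule currently in that slot (the PPTP ACCEPT) down."""
    lines = listing.splitlines()
    lines.insert(HEADER_LINES + position - 1, rule_text)
    return lines
```

Run against the sample, the DROP lands as rule 4, ahead of the `tcp dpt:1723` ACCEPT rule that DD-WRT placed below the established-connections rule.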
KnockD Configuration Details
A new triggering sequence must be created to enable the establishment of new VPN connections. To achieve this, edit the knockd.conf file using a terminal:
vi /opt/etc/knockd.conf

Append the following configuration to the existing file:

[enable-VPN]
sequence = 02,02,02,01,01,01,2010,2010,2010
seq_timeout = 60
start_command = iptables -I INPUT 1 -s %IP% -p tcp --dport 1723 -j ACCEPT
cmd_timeout = 20
stop_command = iptables -D INPUT -s %IP% -p tcp --dport 1723 -j ACCEPT

This configuration will:
- Establish a 60-second window for completing the sequence. (A shorter duration is recommended for enhanced security.)
- Listen for a specific sequence of knocks: three on port 2, then three on port 1, then three on port 2010. The order is intentionally designed to deter port scanners.
- Upon sequence detection, the "start_command" is executed. This iptables command inserts a rule at the top of the firewall, accepting traffic destined for port 1723 originating from the knocking IP address. The %IP% directive is dynamically replaced by KnockD with the source IP address.
- A 20-second delay precedes the execution of the "stop_command".
- The "stop_command" reverses the action of the "start_command", removing the rule that permits communication.
With this configuration, your VPN service will now only be accessible after a successful "knock".
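To make the timing rules of the stanza above concrete, here is an added Python simulation (not knockd's code and not from the original article) of how a knockd-style daemon would track the [enable-VPN] sequence per source address, including the seq_timeout reset and the cmd_timeout that schedules the stop_command. The knock log, the IP addresses and the simplified matching rules are assumptions for illustration.

```python
from dataclasses import dataclass
# Values copied from the [enable-VPN] stanza above.
SEQUENCE = [2, 2, 2, 1, 1, 1, 2010, 2010, 2010]
SEQ_TIMEOUT = 60  # seconds allowed to complete the whole sequence
CMD_TIMEOUT = 20  # seconds before stop_command runs
START_COMMAND = "iptables -I INPUT 1 -s %IP% -p tcp --dport 1723 -j ACCEPT"
STOP_COMMAND = "iptables -D INPUT -s %IP% -p tcp --dport 1723 -j ACCEPT"

@dataclass
class Attempt:
    index: int = 0        # next expected position in SEQUENCE
    started: float = 0.0  # time of the first correct knock

class KnockdSim:
    """Per-source matching modelled on knockd (simplified): a knock on the wrong
    sequence port discards the attempt, so an ascending port scan never completes."""
    def __init__(self):
        self.attempts = {}   # source IP -> Attempt
        self.commands = []   # (time, command the daemon would execute)

    def knock(self, t, src, dport):
        if dport not in SEQUENCE:
            return False     # only ports belonging to a door are watched
        st = self.attempts.setdefault(src, Attempt())
        if st.index and t - st.started > SEQ_TIMEOUT:
            st = self.attempts[src] = Attempt()   # too slow: start over
        if dport != SEQUENCE[st.index]:
            self.attempts.pop(src)                # wrong port: discard attempt
            return False
        if st.index == 0:
            st.started = t
        st.index += 1
        if st.index < len(SEQUENCE):
            return False
        self.attempts.pop(src)
        self.commands.append((t, START_COMMAND.replace("%IP%", src)))
        self.commands.append((t + CMD_TIMEOUT, STOP_COMMAND.replace("%IP%", src)))
        return True

def run_scenario():
    """Constructed knock log (time, source, port); not captured traffic."""
    sim = KnockdSim()
    knocks = [(10, "203.0.113.7", 1), (11, "203.0.113.7", 2), (12, "203.0.113.7", 2010)]
    knocks += [(100 + i, "198.51.100.5", p) for i, p in enumerate(SEQUENCE)]
    knocks += [(200 + i, "192.0.2.9", p) for i, p in enumerate(SEQUENCE[:-1])]
    knocks += [(278, "192.0.2.9", SEQUENCE[-1])]  # stalls past seq_timeout
    for t, src, port in sorted(knocks):
        sim.knock(t, src, port)
    return sim.commands
```

Only the client that completes all nine knocks within 60 seconds gets the ACCEPT rule, and its matching stop_command is scheduled 20 seconds later; the scanner and the stalled client produce no firewall changes.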
Additional Tips from the Author
Should you encounter issues, remember to consult the "troubleshooting" section of the initial article as a first step.
Consider these additional points:
- The "start/stop" directives can execute multiple commands separated by semicolons (;), or even a script, enabling advanced functionality.
- For instance, Knockd can be configured to send an email notification upon sequence detection, indicating the source IP address.
- Explore StavFX's Android knocker program for a convenient mobile solution.
- Many Android devices include a built-in PPTP VPN client.
- The principle of initially blocking and then allowing established communication applies to various TCP-based protocols.
Note: Implementing email functionality on your router may be challenging due to issues with the OpenWRT opkg package repository. Utilizing Knockd directly on the VPN server provides access to a wider range of email options, such as SSMTP and sendEmail.
Who Disturbs My Slumber?