Which ports to unblock for VPN traffic to pass-through?

RRAS based VPN server is behind a firewall (open these on the firewall, towards the RRAS server; the IPsec-based tunnels carry L2TP's UDP 1701 inside ESP, so it needs no hole here)

  • For PPTP (note: the MS-CHAPv2/MPPE combination PPTP relies on is cryptographically broken; keep it open only for legacy clients you cannot migrate):
    • IP Protocol=TCP, TCP Port number=1723   <- Used by PPTP control path
    • IP Protocol=GRE (value 47)   <- Used by PPTP data path (a protocol number, not a port; the firewall must be able to pass or NAT GRE)
  • For L2TP/IPsec:
    • IP Protocol Type=UDP, UDP Port Number=500    <- Used by IKEv1 (IPsec control path)
    • IP Protocol Type=UDP, UDP Port Number=4500   <- Used by IKEv1 NAT-T (IPsec control path, and UDP-encapsulated ESP data when a NAT sits between client and server)
    • IP Protocol Type=ESP (value 50)   <- Used by IPsec data path when there is no NAT in between
  • For SSTP:
    • IP Protocol=TCP, TCP Port number=443   <- Used by SSTP control and data path
  • For IKEv2:
    • IP Protocol Type=UDP, UDP Port Number=500    <- Used by IKEv2 (IPsec control path)
    • IP Protocol Type=UDP, UDP Port Number=4500   <- Used by IKEv2 NAT-T (IPsec control path, and UDP-encapsulated ESP data behind a NAT)
    • IP Protocol Type=ESP (value 50)   <- Used by IPsec data path when there is no NAT in between

RRAS server is directly connected to Internet (open these on the server's own host firewall; UDP 1701 appears here because the host itself decrypts the ESP packets and then sees the L2TP traffic inside)

  • For PPTP:
    • IP Protocol=TCP, TCP Port number=1723  <- Used by PPTP control path
    • IP Protocol=GRE (value 47)  <- Used by PPTP data path
  • For L2TP/IPsec:
    • IP Protocol Type=UDP, UDP Port Number=500   <- Used by IKEv1 (IPsec control path)
    • IP Protocol Type=UDP, UDP Port Number=4500  <- Used by IKEv1 NAT-T (IPsec control path and UDP-encapsulated ESP)
    • IP Protocol Type=UDP, UDP Port Number=1701  <- Used by L2TP control/data path (arrives inside IPsec; the host sees it after decryption)
    • IP Protocol Type=ESP (value 50)  <- Used by IPsec data path
  • For SSTP:
    • IP Protocol=TCP, TCP Port number=443   <- Used by SSTP control and data path
  • For IKEv2:
    • IP Protocol Type=UDP, UDP Port Number=500   <- Used by IKEv2 (IPsec control path)
    • IP Protocol Type=UDP, UDP Port Number=4500  <- Used by IKEv2 NAT-T (IPsec control path and UDP-encapsulated ESP)
    • IP Protocol Type=ESP (value 50)  <- Used by IPsec data path (IKEv2 does not use L2TP, so UDP 1701 is not needed)
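
As an added example (not from the original note, and not RRAS's or iptables' own tooling), here is how the "behind a firewall" list turns into rules on a Linux NAT box that fronts the RRAS server: each flavour gets a DNAT on the WAN side plus the matching FORWARD accept, and GRE and ESP are matched as protocols rather than ports. The interface name eth0.101, the inside address 10.10.1.10 and the function names are assumptions of this example.

```shell
#!/bin/sh
# Hypothetical helper: print the iptables rules that let one VPN flavour
# reach an RRAS server behind a Linux NAT firewall. Each rule pair is a
# DNAT on the WAN side plus the matching FORWARD accept; replies ride on
# the usual RELATED,ESTABLISHED FORWARD rule of the base ruleset.
# GRE (47) and ESP (50) are protocols, not ports, so they get -p only.
# Usage: vpn_passthrough_rules <pptp|l2tp|sstp|ikev2> <wan_if> <rras_ip>

# allow <proto> <port-or-empty> <wan_if> <rras_ip>
allow() {
    proto=$1; port=$2; wan=$3; rras=$4
    if [ -n "$port" ]; then
        match="-p $proto --dport $port"
    else
        match="-p $proto"
    fi
    echo "iptables -t nat -A PREROUTING -i $wan $match -j DNAT --to-destination $rras"
    echo "iptables -A FORWARD -i $wan -d $rras $match -j ACCEPT"
}

vpn_passthrough_rules() {
    vpn=$1; wan=$2; rras=$3
    case "$vpn" in
        pptp)
            allow tcp 1723 "$wan" "$rras"   # control channel
            allow gre ""   "$wan" "$rras"   # tunnelled data
            ;;
        l2tp|ikev2)
            allow udp 500  "$wan" "$rras"   # IKE
            allow udp 4500 "$wan" "$rras"   # NAT-T: IKE plus UDP-encapsulated ESP
            allow esp ""   "$wan" "$rras"   # raw ESP, only seen with no NAT in the path
            ;;
        sstp)
            allow tcp 443 "$wan" "$rras"    # TLS carries control and data
            ;;
        *)
            echo "unknown VPN type: $vpn" >&2
            return 1
            ;;
    esac
}

# Stand-alone run: review the rules for every flavour (constructed addresses).
for t in pptp l2tp sstp ikev2; do
    echo "# $t"
    vpn_passthrough_rules "$t" eth0.101 10.10.1.10
done
```

Because IKE's NAT detection notices the NAT in front of the server, L2TP and IKEv2 traffic will in practice arrive UDP-encapsulated on 4500; the raw ESP pair is there for completeness. PPTP through NAT additionally needs the nf_conntrack_pptp and nf_nat_pptp kernel modules loaded so that GRE call IDs are tracked per client. For a plain firewall without NAT, keep the FORWARD lines and drop the DNAT ones.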


Sending e-mail with GMail on Entware-ng Asus routers

It's possible to send e-mail from a Gmail account with nothing but BusyBox sendmail and openssl: sendmail hands the SMTP session to openssl s_client, which does STARTTLS on port 587. The TLS connection is only worth something if the server certificate is verified against a trust anchor you obtained safely, so install the CA bundle from Entware's package repository instead of downloading a single root certificate over plain HTTP with certificate checks switched off (the Equifax root that used to be fetched for this has expired and Gmail's chain no longer leads to it):

opkg install ca-certificates
ls -l /opt/etc/ssl/certs/ca-certificates.crt

Gmail also no longer accepts the account password for SMTP AUTH: create an "app password" for the account and put that in the script, never the real password. An example:

#!/bin/sh
# Send a mail through smtp.gmail.com with BusyBox sendmail, using
# openssl s_client as the STARTTLS transport.
FROM="your-gmail-address"
AUTH="your-gmail-username"
PASS="your-gmail-app-password"      # Google "app password", not the account password
FROMNAME="Your Router"
TO="your-email-address"
CAFILE="/opt/etc/ssl/certs/ca-certificates.crt"   # bundle from Entware's ca-certificates package

# Build a minimal RFC 5322 message: headers, blank line, body.
MAIL=/tmp/mail.$$
{
  echo "From: $FROMNAME <$FROM>"
  echo "To: $TO"
  echo "Subject: Message from $FROMNAME"
  echo ""
  echo "Your friendly router."
} > "$MAIL"

# -verify_return_error makes s_client abort on a failed chain check instead
# of carrying on; no -tls1, let openssl negotiate the newest TLS version.
sendmail -H"exec openssl s_client -quiet -verify_return_error \
  -CAfile $CAFILE \
  -connect smtp.gmail.com:587 -starttls smtp" \
  -f"$FROM" -au"$AUTH" -ap"$PASS" "$TO" < "$MAIL"

rm -f "$MAIL"

TP-LINK WR702N Wi-Fi router default password

During the design phase someone had the forethought to give the Wi-Fi AP a password that isn't merely a fixed default. But that's where it went off the rails: they did the next worst thing, which is to derive the password from something broadcast publicly, the last eight hex digits of the device's MAC address. The result is unique per device, but the MAC is the BSSID in every beacon frame the AP sends, so anyone in radio range who cares to listen gets the password for free. Change it before the device goes on the air.

Use arp-scan to find hidden devices in your network

If a device is on the same network segment but does not answer anything at the IP layer (ping, HTTP, HTTPS etc.), it still has to answer ARP or it could not talk on the network at all; a host firewall that drops ICMP does not stop ARP. arp-scan sends an ARP request to every address in the subnet and lists who replies, with the MAC and the vendor looked up from its OUI table.

Installation (Debian/Ubuntu):

apt-get install arp-scan

Scan it (raw sockets, so run as root):

arp-scan --interface=eth0 --localnet

Here, --interface=eth0 is the interface to scan from, and --localnet makes arp-scan probe every address in that interface's configured subnet. You can omit the --interface option, in which case arp-scan uses the lowest numbered, configured, up interface it finds. This only works on the local segment: ARP does not cross routers.
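
Added example (not part of the original notes) tying the two previous notes together: post-process arp-scan output to list the hosts that answered ARP but not a ping sweep, and for any TP-LINK device compute the default password candidate the WR702N note describes (last eight hex digits of the MAC). The arp-scan output and the ping-responder list below are constructed samples in arp-scan's tab-separated layout; the function names and the assumption that the password is upper case without separators are this example's own.

```shell
#!/bin/sh
# Hypothetical post-processing for arp-scan output (not part of arp-scan):
#  - list hosts that answered ARP but were missed by a ping sweep
#  - for TP-LINK devices, derive the WR702N-style default Wi-Fi password
#    (last eight hex digits of the MAC) so you can check it was changed.
# Real input comes from:  sudo arp-scan --interface=eth0 --localnet

# Constructed sample in arp-scan's "ip<TAB>mac<TAB>vendor" layout.
sample_arpscan() {
    printf '%s\n' 'Interface: eth0, type: EN10MB, MAC: 00:0c:29:aa:bb:cc, IPv4: 192.168.1.20'
    printf '%s\n' 'Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)'
    printf '192.168.1.1\t00:50:56:c0:00:08\tVMware, Inc.\n'
    printf '192.168.1.2\tf4:ec:38:12:34:56\tTP-LINK TECHNOLOGIES CO.,LTD.\n'
    printf '192.168.1.3\tb8:27:eb:ab:cd:ef\tRaspberry Pi Foundation\n'
    printf '\n3 packets received by filter, 0 packets dropped by kernel\n'
    printf '%s\n' 'Ending arp-scan 1.9.7: 256 hosts scanned in 2.123 seconds (120.58 hosts/sec). 3 responded'
}

# Constructed list of hosts that answered ping (the Pi drops ICMP).
sample_ping_up() { printf '192.168.1.1\n192.168.1.2\n'; }

# Keep only data rows: dotted-quad in field 1, 17-character MAC in field 2.
arpscan_hosts() {
    awk -F'\t' '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && length($2) == 17 { print }'
}

# stdin = arp-scan output, $1 = newline-separated IPs that answered ping.
# Prints the ARP-only rows: these are the "hidden" devices.
hidden_hosts() {
    arpscan_hosts | awk -F'\t' -v up="$1" '
        BEGIN { n = split(up, a, "\n"); for (i = 1; i <= n; i++) seen[a[i]] = 1 }
        !($1 in seen) { print }'
}

# Last eight hex digits of a MAC, separators stripped, upper case
# (assumed to match what is printed on the TP-LINK label).
tplink_default_candidate() {
    printf '%s' "$1" | sed 's/[-:]//g' | tr 'a-f' 'A-F' | tail -c 8
}

# stdin = arp-scan output. For each TP-LINK host print ip, mac, candidate.
flag_tplink_defaults() {
    arpscan_hosts | while IFS="$(printf '\t')" read -r ip mac vendor; do
        case "$vendor" in
            TP-LINK*|TP-Link*|Tp-Link*)
                printf '%s\t%s\t%s\n' "$ip" "$mac" "$(tplink_default_candidate "$mac")" ;;
        esac
    done
}

echo "# answered ARP but not ping:"
sample_arpscan | hidden_hosts "$(sample_ping_up)"
echo "# TP-LINK devices with MAC-derived default password candidate:"
sample_arpscan | flag_tplink_defaults
```

To use it on a live network, replace the two sample functions with `cat /tmp/arpscan.txt` (saved arp-scan output) and your own list of ping responders; the vendor match is only as good as arp-scan's OUI table, so a TP-LINK device with a rebranded OUI will not be flagged.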

Minimal IPTABLES config for SOHO routers

If br0 is the LAN port, and eth0.101 is the WAN port (with 10.10.1.0/24 inside):

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i br0 -j ACCEPT
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i br0 -o eth0.101 -s 10.10.1.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0.101 -j MASQUERADE
iptables -P INPUT DROP
iptables -P FORWARD DROP

Two things matter here. Inbound forwarding from the WAN is only allowed for replies to connections the LAN opened (RELATED,ESTABLISHED); a rule like "iptables -A FORWARD -d 10.10.1.0/24 -i eth0.101 -j ACCEPT" would instead let anyone who can get a packet for 10.10.1.0/24 onto the WAN side (the ISP segment, or a misrouted upstream) straight into the LAN, because MASQUERADE only rewrites outbound traffic. And the DROP policies are set last, so a typo in the earlier rules cannot lock you out halfway through. (The legacy "-m state --state" match still works and means the same thing as "-m conntrack --ctstate".)

If you want to allow SSH from the WAN port (nope, but, you did remember to set a strong password, right? Better still: keys only, with PasswordAuthentication no in sshd_config), you can use the following command to open up port 22 from the WAN interface:

iptables -A INPUT -i eth0.101 -p tcp -m tcp --dport 22 -j ACCEPT

If all OK, save config. The hook below is Debian's ifupdown mechanism; on other distributions the file location differs, and the iptables-persistent (netfilter-persistent) package does the same job.

Edit /etc/network/if-pre-up.d/iptables file:

#!/bin/sh
iptables-restore --counters < /etc/iptables/rules.v4
exit 0

Make it executable, and save the tables:

chmod 755 /etc/network/if-pre-up.d/iptables
mkdir -p /etc/iptables
iptables-save > /etc/iptables/rules.v4
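
As an added example rather than part of the original note, the same ruleset written out in iptables-restore format by a script, syntax-checked with iptables-restore --test, and applied with a timed rollback so that a mistake in the rules cannot lock you out of a remote router. The interface names and LAN prefix are the ones above; the variable and function names, the grace period and the confirm-file path are this example's own assumptions.

```shell
#!/bin/sh
# Hypothetical helper, not a distribution tool: build the SOHO ruleset in
# iptables-restore format and apply it with a lock-out guard. The previous
# rules come back automatically unless the change is confirmed within
# $GRACE seconds by touching $CONFIRM from a second session.

LAN_IF=${LAN_IF:-br0}
WAN_IF=${WAN_IF:-eth0.101}
LAN_NET=${LAN_NET:-10.10.1.0/24}
GRACE=${GRACE:-60}
CONFIRM=${CONFIRM:-/tmp/iptables.confirm}

# Print the complete ruleset. Pass "ssh" as $1 to also admit SSH on the WAN side.
build_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i $LAN_IF -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
EOF
    if [ "${1:-}" = "ssh" ]; then
        # rate-limited so a brute-force run cannot hammer sshd from the WAN
        echo "-A INPUT -i $WAN_IF -p tcp --dport 22 -m conntrack --ctstate NEW -m limit --limit 6/min --limit-burst 6 -j ACCEPT"
    fi
    cat <<EOF
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
COMMIT
EOF
}

# Apply $1 (a ruleset file) with rollback. Needs root.
apply_with_rollback() {
    new=$1; old=$(mktemp) || return 1
    rm -f "$CONFIRM"
    iptables-restore --test < "$new" || { echo "ruleset rejected" >&2; rm -f "$old"; return 1; }
    iptables-save > "$old"          # keep the live rules for rollback
    iptables-restore < "$new"
    echo "applied; touch $CONFIRM within ${GRACE}s or the old rules come back"
    i=0
    while [ "$i" -lt "$GRACE" ]; do
        [ -e "$CONFIRM" ] && { rm -f "$old"; echo "confirmed"; return 0; }
        sleep 1; i=$((i + 1))
    done
    iptables-restore < "$old"; rm -f "$old"
    echo "not confirmed, previous rules restored" >&2
    return 1
}

# Typical run:
#   build_ruleset ssh > /tmp/rules.new && apply_with_rollback /tmp/rules.new
#   (from another SSH session, once you can still log in)  touch /tmp/iptables.confirm
#   cp /tmp/rules.new /etc/iptables/rules.v4
build_ruleset
```

The generated file is what iptables-save would produce, so it drops straight into /etc/iptables/rules.v4 for the if-pre-up hook above; iptables-restore replaces the nat and filter tables atomically rather than rule by rule, which is another reason to prefer it over a list of iptables -A commands on a box you reach over the network.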