What is the best way to add source IP of VPN client to trusted_ip address list in /ip firewall?
Should I run a script every minute to do this? Does GOD forbid MikroTik’s scheduler to run a script on a successful VPN login event? … or maybe I’ve missed something?
I am trying to invent something like this
> :put [:foreach N in=[/ppp active find where uptime>0] do={/ppp active get $N value-name=caller-id}]
;37.140.66.96
but still it is all disgusting, why there isn’t autofilled address-list of success VPN clients source IP?
I had similar dilemma, and decided to go with solution where I call a script when any VPN client connects.
First I’ve added event in VPN profile where script runs when any client connects:
/ppp profile set vpn on-up="/system script run vpn-on_connect"
This is “vpn-on_connect” script that’s been called by mentioned routine:
# give the tunnel a moment to come fully up before reading client addresses
:delay delay-time=3
:global pptpCount [/interface pptp-server print count-only]
:global ovpnCount [/interface ovpn-server print count-only]
# OpenVPN clients: whitelist each connected client's address
:if ($ovpnCount != 0) do={
    :foreach i in=[/interface ovpn-server find] do={
        :global clientNameOVPN [/interface ovpn-server get $i name]
        :global clientAddrOVPN [/interface ovpn-server get $i client-address]
        /ip firewall address-list add list=vpn_whitelist address=$clientAddrOVPN comment=$clientNameOVPN
    }
}
# PPTP clients: same thing for the PPTP server interfaces
:if ($pptpCount != 0) do={
    :foreach i in=[/interface pptp-server find] do={
        :global clientNamePPTP [/interface pptp-server get $i name]
        :global clientAddrPPTP [/interface pptp-server get $i client-address]
        /ip firewall address-list add list=vpn_whitelist address=$clientAddrPPTP comment=$clientNamePPTP
    }
}
The script checks for active PPTP and OVPN clients and adds their source IPs to the whitelist. I’ve made the variables global so it’s easier to troubleshoot (via system/scripts/environment), but you can have those as local as well.
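A variant of the same idea, added here as an example and not taken from the thread: instead of rescanning every server interface on each login, the profile's on-up and on-down events can work with the variables RouterOS passes to them ($user, $"caller-id", $interface) and whitelist only the client that just connected, with a timeout so the entry cannot outlive the session by much. The address-list name vpn_whitelist, the "vpn:" comment prefix and the 1d timeout are assumptions; so is the handling of a ":port" suffix on caller-id, which some tunnel types append. Paste the first part into the profile's on-up field and the second into on-down (both are script bodies, not one script).

```routeros
# ---- on-up script body (assumed: RouterOS exposes $user, $"caller-id", $interface) ----
# caller-id is the peer's real source address for PPTP/L2TP/OVPN (remote-address
# would only be the tunnel-internal address). Strip a ":port" suffix if present.
:local src $"caller-id"
:local colon [:find $src ":"]
:if ([:typeof $colon] = "num") do={ :set src [:pick $src 0 $colon] }

# only whitelist something that parses as an IP address
:if ([:typeof [:toip $src]] = "ip") do={
    # a duplicate address in the same list is rejected, so drop any old entry first
    /ip firewall address-list remove [find list=vpn_whitelist address=$src]
    # timeout is a backstop in case on-down never fires (e.g. reboot mid-session)
    /ip firewall address-list add list=vpn_whitelist address=$src timeout=1d \
        comment=("vpn:" . $user)
    :log info ("vpn_whitelist: added " . $src . " for " . $user . " on " . $interface)
} else={
    :log warning ("vpn_whitelist: unparseable caller-id '" . $"caller-id" . "' for " . $user)
}

# ---- on-down script body ----
# remove the entry as soon as the tunnel goes down so the whitelist tracks live sessions
/ip firewall address-list remove [find list=vpn_whitelist comment=("vpn:" . $user)]
:log info ("vpn_whitelist: removed entries for " . $user)
```

Because the entry is keyed on the user's comment and removed on disconnect, the firewall rule that references vpn_whitelist only ever trusts addresses with a currently authenticated tunnel behind them; the log lines give a simple audit trail of who was whitelisted from where.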
very interesting, but on my 6.27 there is no such thing like vpn “on-ip=”
Just upgrade the board to current RouterOS, 6.27 was out in February 2015 and there were a lot of new features and fixes implemented since then. And if you don’t want to upgrade, just use my script and schedule it to run on whatever interval you think is fine.
yes, thanks … but I’ll do it later since I am 300+ km away from the board, and what if something goes wrong during the update?
guess we need the same thing for ssh logins also … (if an ssh login was successful, add the source IP to trusted_ips for some time)