Secure openVPN using IPTABLES
Posted
by bob franklin smith harriet
on Server Fault
See other posts from Server Fault
or by bob franklin smith harriet
Published on 2010-02-18T02:04:09Z
Indexed on
2010/04/01
16:03 UTC
Read the original article
Hit count: 329
Hey,
I setup an openVPN server and it works ok.
The next step is to secure it, I opted to use IPTABLES to only allow certain connections through but so far it is not working.
I want to enable access to the network behind my openVPN server, and allow other services (web access), when iptables is disabaled or set to allow all this works fine, when using my following rules it does not.
also note, I already configured openVPN itself to do what i want and it works fine, its only failing when iptables is started.
Any help to tell me why this isnt working will appreciated here.
These are the lines that I added in accordance with openVPN's recommendations, unfortunately testing these commands shows that they are requiered, they seem incredibly insecure though, any way to get around using them?
# Allow TUN interface connections to OpenVPN server
-A INPUT -i tun+ -j ACCEPT
#allow TUN interface connections to be forwarded through other interfaces
-A FORWARD -i tun+ -j ACCEPT
# Allow TAP interface connections to OpenVPN server
-A INPUT -i tap+ -j ACCEPT
# Allow TAP interface connections to be forwarded through other interfaces
-A FORWARD -i tap+ -j ACCEPT
These are the new chains and commands i added to restrict access as much as possible unfortunately with these enabled, all that happens is the openVPN connection establishes fine, and then there is no access to the rest of the network behind the openVPN server
note I am configuring the main iptables file and I am paranoid so all ports and ip addresses are altered, and -N etc appears before this so ignore that they dont appear.
and i added some explanations of what i 'intended' these rules to do, so you dont waste time figuring out where i went wrong :>
4 #accepts the vpn over port 1192 -A INPUT -p udp -m udp --dport 1192 -j ACCEPT -A INPUT -j INPUT-FIREWALL -A OUTPUT -j ACCEPT #packets that are to be forwarded from 10.10.1.0 network (all open vpn clients) to the internal network (192.168.5.0) jump to [sic]foward-firewall chain -A FORWARD -s 10.10.1.0/24 -d 192.168.5.0/24 -j FOWARD-FIREWALL #same as above, except for a different internal network -A FORWARD -s 10.10.1.0/24 -d 10.100.5.0/24 -j FOWARD-FIREWALL # reject any not from either of those two ranges -A FORWARD -j REJECT -A INPUT-FIREWALL -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT-FIREWALL -p tcp -m tcp --dport 22 -j ACCEPT -A INPUT-FIREWALL -j REJECT -A FOWARD-FIREWALL -m state --state RELATED,ESTABLISHED -j ACCEPT #80 443 and 53 are accepted -A FOWARD-FIREWALL -m tcp -p tcp --dport 80 -j ACCEPT -A FOWARD-FIREWALL -m tcp -p tcp --dport 443 -j ACCEPT #192.168.5.150 = openVPN sever -A FOWARD-FIREWALL -m tcp -p tcp -d 192.168.5.150 --dport 53 -j ACCEPT -A FOWARD-FIREWALL -m udp -p udp -d 192.168.5.150 --dport 53 -j ACCEPT -A FOWARD-FIREWALL -j REJECT COMMIT
now I wait :D
© Server Fault or respective owner
