Secure openVPN using IPTABLES
- by bob franklin smith harriet
Hey,
I setup an openVPN server and it works ok.
The next step is to secure it, I opted to use IPTABLES to only allow certain connections through but so far it is not working.
I want to enable access to the network behind my openVPN server, and allow other services (web access), when iptables is disabaled or set to allow all this works fine, when using my following rules it does not.
also note, I already configured openVPN itself to do what i want and it works fine, its only failing when iptables is started.
Any help to tell me why this isnt working will appreciated here.
These are the lines that I added in accordance with openVPN's recommendations, unfortunately testing these commands shows that they are requiered, they seem incredibly insecure though, any way to get around using them?
# Allow TUN interface connections to OpenVPN server
-A INPUT -i tun+ -j ACCEPT
#allow TUN interface connections to be forwarded through other interfaces
-A FORWARD -i tun+ -j ACCEPT
# Allow TAP interface connections to OpenVPN server
-A INPUT -i tap+ -j ACCEPT
# Allow TAP interface connections to be forwarded through other interfaces
-A FORWARD -i tap+ -j ACCEPT
These are the new chains and commands i added to restrict access as much as possible unfortunately with these enabled, all that happens is the openVPN connection establishes fine, and then there is no access to the rest of the network behind the openVPN server
note I am configuring the main iptables file and I am paranoid so all ports and ip addresses are altered, and -N etc appears before this so ignore that they dont appear.
and i added some explanations of what i 'intended' these rules to do, so you dont waste time figuring out where i went wrong :
4
#accepts the vpn over port 1192
-A INPUT -p udp -m udp --dport 1192 -j ACCEPT
-A INPUT -j INPUT-FIREWALL
-A OUTPUT -j ACCEPT
#packets that are to be forwarded from 10.10.1.0 network (all open vpn clients) to the internal network (192.168.5.0) jump to [sic]foward-firewall chain
-A FORWARD -s 10.10.1.0/24 -d 192.168.5.0/24 -j FOWARD-FIREWALL
#same as above, except for a different internal network
-A FORWARD -s 10.10.1.0/24 -d 10.100.5.0/24 -j FOWARD-FIREWALL
# reject any not from either of those two ranges
-A FORWARD -j REJECT
-A INPUT-FIREWALL -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT-FIREWALL -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT-FIREWALL -j REJECT
-A FOWARD-FIREWALL -m state --state RELATED,ESTABLISHED -j ACCEPT
#80 443 and 53 are accepted
-A FOWARD-FIREWALL -m tcp -p tcp --dport 80 -j ACCEPT
-A FOWARD-FIREWALL -m tcp -p tcp --dport 443 -j ACCEPT
#192.168.5.150 = openVPN sever
-A FOWARD-FIREWALL -m tcp -p tcp -d 192.168.5.150 --dport 53 -j ACCEPT
-A FOWARD-FIREWALL -m udp -p udp -d 192.168.5.150 --dport 53 -j ACCEPT
-A FOWARD-FIREWALL -j REJECT
COMMIT
now I wait :D
