Linux – OpenVPN with iptables and a tun interface

iptableslinuxopenvpntun

With an openvpn tunnel that uses a tun device, what iptables rules allow the encapsulated traffic through and what rules control the packets after encapsulation? Basically, I am wondering how the order of operations works with iptables and openvpn as well as how this relates to the chains.

Best Answer

Plaintext traffic will go in and out of the tunX devices; you may find the -i tun+ and -o tun+ options to iptables, which match any tun interface, useful in handling that.

Encrypted traffic will be UDP/TCP on port 1194, or otherwise, as you have specified, on your ethernet interface. When filtering traffic into the server, don't forget to allow the OpenVPN encrypted packets.

And as for chains, encrypted traffic coming in is considered to terminate on the openvpn server, so that's the INPUT chain; encrypted traffic leaving is considered to have originated on the server, so that's the OUTPUT chain. Traffic passing between your internal network and the tunX interfaces is the responsibility of the FORWARD chain.

Related Solutions

Linux – Why doesn’t TUN device have BROADCAST flag

The key to this is the fact that it's "POINTTOPOINT" ... Your machine directly connects to the remote side, and any actual broadcasts must be generated by your remote end. Sure, if you send a packet to the broadcast address, your remote end will surely pass it on, and will also pass any packets sent to the broadcast address back to you.

In contrast, if you had multiple workstations plugged directly into a switch, your machine could send a broadcast, and it wouldn't require any gateway to re-transmit that broadcast to the other peers.

OpenVPN – How to Firewall the Tun Interface with Iptables

i think this just means that once you have the tap/tun device up, with an IP, you want to then firewall it, so as to prevent connections from the remote LAN to which your vpn is connected...

on my mac, i have:

utun0: flags=80d1<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1418<br>
inet 10.17.225.17 --> 10.17.225.17 netmask 0xfffffe00

as i do not have firewalling in place (on purpose), anyone on the remote lan could connect to ports i have open on my machine. so, for example, it may be "appropriate" to block incoming tcp/80 from remote LAN. on linux that would look something like:

iptables -A INPUT -i tun0 -p tcp --dport 80 -j DROP

Best Answer

Related Solutions

Linux – Why doesn’t TUN device have BROADCAST flag

OpenVPN – How to Firewall the Tun Interface with Iptables

Related Topic