With an openvpn tunnel that uses a tun device, what iptables rules allow the encapsulated traffic through and what rules control the packets after encapsulation? Basically, I am wondering how the order of operations works with iptables and openvpn as well as how this relates to the chains.
Linux – OpenVPN with iptables and a tun interface
Tags: iptables, linux, openvpn, tun
Best Answer
Plaintext traffic will go in and out of the tunX devices; you may find the -i tun+ and -o tun+ options to iptables, which match any tun interface, useful in handling that. Encrypted traffic will be UDP/TCP on port 1194, or otherwise, as you have specified, on your ethernet interface. When filtering traffic into the server, don't forget to allow the OpenVPN encrypted packets.
And as for chains, encrypted traffic coming in is considered to terminate on the OpenVPN server, so that's the INPUT chain; encrypted traffic leaving is considered to have originated on the server, so that's the OUTPUT chain. Traffic passing between your internal network and the tunX interfaces is the responsibility of the FORWARD chain.
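The chain-by-chain split described in the answer, written out as a rule set. This is an added example, not code from the original answer or from the OpenVPN project; the interface names (eth0 facing the Internet, eth1 facing the LAN), the subnets (10.8.0.0/24 for the tunnel, 192.168.1.0/24 for the LAN) and the use of the conntrack match are assumptions, and the script only prints the iptables commands unless you run it as root with IPT=iptables.

```shell
#!/bin/sh
# Added example, not part of the original answer: a minimal iptables policy for
# an OpenVPN server with a tun device, grouped by the chain each packet hits.
# Interface names, subnets and the port are assumptions; change them to match
# your server. IPT and SYSCTL default to echo, so running the script only
# prints the commands; run it as root with IPT=iptables SYSCTL=sysctl to apply.
set -eu

WAN_IF="${WAN_IF:-eth0}"               # where encrypted OpenVPN packets arrive (assumed)
LAN_IF="${LAN_IF:-eth1}"               # internal network interface (assumed)
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # internal network (assumed)
TUN_NET="${TUN_NET:-10.8.0.0/24}"      # OpenVPN 'server' subnet handed to clients (assumed)
OVPN_PROTO="${OVPN_PROTO:-udp}"        # must match 'proto' in the OpenVPN config
OVPN_PORT="${OVPN_PORT:-1194}"         # must match 'port' in the OpenVPN config
IPT="${IPT:-echo iptables}"
SYSCTL="${SYSCTL:-echo sysctl}"

# Encrypted traffic: UDP/TCP to the OpenVPN port on the ethernet interface.
# It terminates on the server, so it is INPUT; the replies originate on the
# server, so they are OUTPUT. This is the rule that is easy to forget.
encrypted_rules() {
    $IPT -A INPUT  -i "$WAN_IF" -p "$OVPN_PROTO" --dport "$OVPN_PORT" \
        -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -o "$WAN_IF" -p "$OVPN_PROTO" --sport "$OVPN_PORT" \
        -m conntrack --ctstate ESTABLISHED -j ACCEPT
}

# Plaintext traffic appears on tunX after decryption. Packets addressed to the
# server itself (its own tun address) are INPUT; its replies are OUTPUT.
# tun+ matches every tun interface, so this holds for tun0, tun1, ...
tun_local_rules() {
    $IPT -A INPUT  -i tun+ -s "$TUN_NET" -j ACCEPT
    $IPT -A OUTPUT -o tun+ -d "$TUN_NET" -j ACCEPT
}

# Plaintext traffic routed between the tunnel and the internal network never
# terminates on the server, so only FORWARD sees it. Allow new connections
# from VPN clients into the LAN and only the return traffic the other way.
tun_forward_rules() {
    $IPT -A FORWARD -i tun+ -o "$LAN_IF" -s "$TUN_NET" -d "$LAN_NET" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o tun+ -s "$LAN_NET" -d "$TUN_NET" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Optional: if LAN hosts have no route back to TUN_NET, source-NAT the
# forwarded packets to the server's LAN address instead of adding that route.
tun_nat_rules() {
    $IPT -t nat -A POSTROUTING -s "$TUN_NET" -o "$LAN_IF" -j MASQUERADE
}

# FORWARD only sees packets if the kernel routes at all.
enable_forwarding() {
    $SYSCTL -w net.ipv4.ip_forward=1
}

all_rules() {
    encrypted_rules
    tun_local_rules
    tun_forward_rules
    tun_nat_rules
}

enable_forwarding
all_rules
```

Run it once with the defaults to review the generated commands, then again with IPT=iptables SYSCTL=sysctl as root to apply them. If the INPUT and FORWARD policies are DROP, the rules above are the only ones the tunnel needs; the encrypted_rules pair is what the answer warns not to forget, and tun_forward_rules is where the LAN-to-tunnel policy actually lives.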