Openvpn – UFW: force traffic thru OpenVPN tunnel / do not leak any traffic

Tags: openvpn, ufw, vpn

I have VPN access using OpenVPN and am trying to create a safe machine that does not leak traffic over non-VPN interfaces.
Using the firewall UFW, I am trying to achieve the following:

  • Allow access from the LAN to the machine's web interface
  • Otherwise, only allow traffic on tun0 (the OpenVPN tunnel interface, once established)
  • Reject (or forward?) any traffic over other interfaces

Currently I am using the following rules (sudo ufw status):

To                         Action      From
--                         ------      ----
192.168.42.11 9999/tcp     ALLOW       Anywhere           # allow web-interface
Anywhere on tun0           ALLOW       Anywhere           # out only thru tun0
Anywhere                   ALLOW OUT   Anywhere on tun0   # in only thru tun0

My problem is that the machine is initially not able to establish the OpenVPN connection, since only tun0 is allowed and it is not yet established (chicken-and-egg problem).

How do I allow creating the OpenVPN connection and, from this point onward, force every single packet to go through the VPN tunnel?

Best Answer

Allow access by service application. I don't have an OpenVPN box available at the moment, but I think you should be able to allow access with a command such as:

ufw allow OpenVPN

You can see if you can use OpenVPN like this by running:

ufw app list

which will show the service applications ufw is aware of.


In the case of no OpenVPN profile, you could try using ufw to only allow outbound connections on that interface to port 1194 (or whatever port the OpenVPN server is accepting connections on). Something like:

sudo ufw deny out to any
sudo ufw allow out 1194/udp

(assuming a stock OpenVPN setup.)

This wouldn't limit it to just OpenVPN... but the only leak possibility would be something else using that port and UDP... and the chances of that are pretty low.

To get more secure than port filtering, you would have to use something more substantial than ufw. AppArmor or SELinux, I believe, would be your next step, without having to step up to true Layer 7 firewall appliances.
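The rule set the question is asking for, written out as an added example that is not part of the answer above: it allows the OpenVPN handshake only to the server's address and port on the physical interface, keeps the LAN-only access to the web interface, and confines everything else to tun0. The interface name eth0, the server address 203.0.113.10 (a documentation address), and the LAN subnet 192.168.42.0/24 are assumptions; the port 1194/udp is the stock value the answer mentions. The script only prints the ufw commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not from the original answer): build the ufw rule set that
# lets OpenVPN reach its server on the physical interface, then confines all
# other traffic to tun0. Prints the commands; applies them only with APPLY=1.
#
# Parameters (assumed values shown in the call at the bottom):
#   wan_if    physical interface the VPN handshake leaves on (e.g. eth0)
#   vpn_host  IP address of the OpenVPN server; put the IP, not a DNS name,
#             in the .ovpn "remote" line so no DNS lookup has to leak out
#             before the tunnel exists
#   vpn_port / vpn_proto  port and protocol from the "remote" line
#   lan_net   LAN subnet allowed to reach the web interface
#   web_port  TCP port of the web interface

ufw_vpn_rules() {
  wan_if="$1"; vpn_host="$2"; vpn_port="$3"; vpn_proto="$4"
  lan_net="$5"; web_port="$6"
  # Default-deny both directions so an unlisted interface leaks nothing.
  # Replies to connections opened through tun0 are accepted by ufw's
  # built-in ESTABLISHED,RELATED rules, so no blanket "allow in on tun0"
  # is needed; add one only if you expose services over the VPN.
  cat <<EOF
ufw --force reset
ufw default deny incoming
ufw default deny outgoing
ufw allow in on $wan_if from $lan_net to any port $web_port proto tcp
ufw allow out on $wan_if to $vpn_host port $vpn_port proto $vpn_proto
ufw allow out on tun0
ufw --force enable
EOF
}

# Apply the rules (needs root) only when APPLY=1; otherwise just show them.
ufw_vpn_apply() {
  if [ "${APPLY:-0}" = "1" ]; then
    ufw_vpn_rules "$@" | while IFS= read -r cmd; do
      echo "+ $cmd"
      sh -c "$cmd"
    done
  else
    ufw_vpn_rules "$@"
  fi
}

# Constructed sample values: 203.0.113.10 is a TEST-NET-3 documentation address.
ufw_vpn_apply eth0 203.0.113.10 1194 udp 192.168.42.0/24 9999
```

After `ufw --force enable`, confirm the result with `sudo ufw status verbose`: the only outbound rule on the physical interface should be the single udp line to the VPN server, and any later DNS, NTP or update traffic should appear only once tun0 is up. If the client resolves the server by hostname, either pin the IP in the `remote` line as commented above or add one more narrowly scoped outbound rule for port 53 to the resolver you trust.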
