There is a really helpful article in the documentation which describes the setup of bridging for OpenVPN: https://openvpn.net/index.php/open-sour ... dging.html
My configuration is very similar:
- There is a machine which is located between WAN and LAN
- It acts as an iptables-based firewall, but also has OpenVPN installed to allow VPN access for external users
- The physical interface that connects the machine to the internet is called eth0, the interface that connects the machine to the LAN is called eth1
The article mentioned above says the following:
1.) Now set up the Linux firewall to permit packets to flow freely over the newly created tap0 and br0 interfaces:
iptables -A INPUT -i tap0 -j ACCEPT
iptables -A INPUT -i br0 -j ACCEPT
iptables -A FORWARD -i br0 -j ACCEPT
First of all, I'm a bit confused by the two rules regarding the INPUT-chain. Why is it necessary to allow tap0 and br0 on the INPUT-chain? Of course the INPUT-chain is important for allowing clients to connect to the VPN server on port 1194, but this should happen via the physical external interface, like this:
iptables -A INPUT -i eth0 -p udp --dport 1194 -j ACCEPT
2.) My second question is about the third rule mentioned in the article:
iptables -A FORWARD -i br0 -j ACCEPT
If yes, is there a way to write it a bit more restrictively? Since there is only the "-i" option specified but no "-o" option, packets could go everywhere if I'm not wrong. But I only want to allow access to the LAN located behind eth1 (there are some other LANs behind further network interfaces which are not important in this scenario, but VPN traffic shouldn't be able to go there).
So which FORWARD rules do I need to allow access only to the LAN behind eth1?
Thank you!
edit:
Or in other words: the FORWARDING-rules in my routing-scenario are quite simple:
iptables -A FORWARD -i tun0 -o eth1 -m state --state NEW -j ACCEPT
iptables -A FORWARD -i eth1 -o tun0 -m state --state NEW -j ACCEPT
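The following is an added example (not the poster's rules and not from the OpenVPN documentation) showing one way to write the FORWARD rules so that VPN traffic can only reach the LAN behind eth1. Interface names (eth0, eth1, tun0, tap0, br0) are taken from the post; the VPN client pool 10.8.0.0/24, the LAN prefix 192.168.1.0/24 and the MODE variable are assumptions. It covers both the routed case from the edit (tun0) and the bridged case from the article (tap0 as a port of br0). In the bridged case the assumption is that traffic between tap0 and eth1 is switched inside br0, so iptables only sees it in FORWARD after `modprobe br_netfilter` and `sysctl -w net.bridge.bridge-nf-call-iptables=1`; the physdev match then selects the bridge ports, since -i and -o are both br0.

```shell
#!/bin/sh
# Added example, not code from the original post or the OpenVPN docs.
# Restrictive FORWARD rules: VPN users may only talk to the LAN on eth1.
# Assumed values (change to match your network):
VPN_NET="${VPN_NET:-10.8.0.0/24}"     # assumed OpenVPN client pool (routed case)
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # assumed LAN prefix behind eth1
LAN_IF="${LAN_IF:-eth1}"
MODE="${MODE:-routed}"                # routed (tun0) or bridged (tap0 in br0)
IPT="${IPT:-iptables}"
set -eu

# Shared by both variants: replies to already-accepted connections pass in
# both directions, so the NEW-only rules below fully define the policy.
allow_established() {
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Routed setup: the kernel routes between tun0 and eth1, so -i/-o matching
# works. Both -o and -d are given, so a packet is forwarded only if it leaves
# on eth1 AND targets the LAN prefix; other LANs behind further interfaces
# never match and fall through to the final DROP.
routed_vpn_forward_rules() {
    allow_established
    $IPT -A FORWARD -i tun0 -o "$LAN_IF" -s "$VPN_NET" -d "$LAN_NET" \
        -m conntrack --ctstate NEW -j ACCEPT
    # LAN hosts may open connections to VPN clients; delete this if unwanted.
    $IPT -A FORWARD -i "$LAN_IF" -o tun0 -s "$LAN_NET" -d "$VPN_NET" \
        -m conntrack --ctstate NEW -j ACCEPT
    # Anything else entering from the VPN is logged (rate limited) and dropped.
    $IPT -A FORWARD -i tun0 -m limit --limit 5/min -j LOG \
        --log-prefix "VPN-FWD-DROP: "
    $IPT -A FORWARD -i tun0 -j DROP
}

# Bridged setup: tap0 and eth1 are ports of br0, frames between them are
# switched, not routed. iptables sees them in FORWARD only with br_netfilter
# loaded and net.bridge.bridge-nf-call-iptables=1 (assumed to be set); -i and
# -o are then both br0 and the physdev match picks the bridge ports.
bridged_vpn_forward_rules() {
    allow_established
    $IPT -A FORWARD -i br0 -o br0 -m physdev --physdev-is-bridged \
        --physdev-in tap0 --physdev-out "$LAN_IF" -d "$LAN_NET" \
        -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A FORWARD -i br0 -o br0 -m physdev --physdev-is-bridged \
        --physdev-in "$LAN_IF" --physdev-out tap0 -s "$LAN_NET" \
        -m conntrack --ctstate NEW -j ACCEPT
    # Frames from tap0 headed to any other bridge port or routed elsewhere: drop.
    $IPT -A FORWARD -m physdev --physdev-in tap0 -j DROP
}

# Without --apply the rules are only printed, so they can be reviewed first.
if [ "${1:-}" != "--apply" ]; then
    IPT=echo
fi
case "$MODE" in
    routed)  routed_vpn_forward_rules ;;
    bridged) bridged_vpn_forward_rules ;;
    *) echo "unknown MODE: $MODE (use routed or bridged)" >&2; exit 1 ;;
esac
```

Run it without arguments to see the rules, then `MODE=bridged sh vpn-fw.sh --apply` (or the routed default) to load them. iptables is first-match, so these rules only restrict anything if no earlier FORWARD rule such as `iptables -A FORWARD -i br0 -j ACCEPT` already accepted the packet; put them before any broad accept, or drop that rule.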