how to add malware dns file to OpenVPN server via iptables?

Scripts with setup, destroy, and modify routing tables and firewall rulesets for client connections.


Ingber
OpenVpn Newbie
Posts: 16
Joined: Wed Sep 24, 2014 3:05 am

how to add malware dns file to OpenVPN server via iptables?

Post by Ingber » Wed Jul 13, 2016 4:47 pm

On my OpenVPN server on my Ubuntu VPS, I regularly update lists from sites like https://lists.blocklist.de/lists/all.txt into my fail2ban scripts which put DROP entries into my iptables, so I thought this might be a good way of also protecting OpenVPN clients.

However, this does not seem to work. I picked a few IPs that are in my DROP list in my server iptables, e.g., `iptables -w -L -v -n`, and my clients that use my OpenVPN server can still access those IPs in their browsers. My clients use headers like:

client
dev tun
proto udp
remote XXX.XXX.XXX.XXX
resolv-retry infinite
nobind
persist-key
persist-tun
ns-cert-type server
comp-lzo
verb 3

TLS certs are used, etc.

Ingber
OpenVpn Newbie
Posts: 16
Joined: Wed Sep 24, 2014 3:05 am

Re: how to add malware dns file to OpenVPN server via iptables?

Post by Ingber » Wed Jul 13, 2016 5:02 pm

Note that I already have the `push` line in my server.conf:

# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
push "redirect-gateway def1 bypass-dhcp"

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: how to add malware dns file to OpenVPN server via iptables?

Post by TinCanTech » Wed Jul 13, 2016 8:01 pm

See man iptables -t table for the different tables and what they do ..

FAIL2BAN is not going to help at all with your clients' access to the internet.

Ingber
OpenVpn Newbie
Posts: 16
Joined: Wed Sep 24, 2014 3:05 am

Re: how to add malware dns file to OpenVPN server via iptables?

Post by Ingber » Thu Jul 14, 2016 3:08 pm

TinCanTech:

I've been using scripts modeled after https://gist.github.com/klepsydra/ecf975984b32b1c8291a to populate iptables. Note that these scripts do not really use fail2ban, but rather are an independent method of creating and maintaining these tables. As the author states,
## Actually, runs 100% independently now, without needing fail2ban installed.

Do you mean that using iptables will not work for my purposes, i.e., to maintain a malware base for OpenVPN clients using my OpenVPN server?

Are you saying that I should use "-t nat" or "-t security" for this purpose?

Thanks for your reply.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: how to add malware dns file to OpenVPN server via iptables?

Post by TinCanTech » Thu Jul 14, 2016 6:28 pm

What I am saying is .. we do not know anything about your iptables rules :geek:

Ingber
OpenVpn Newbie
Posts: 16
Joined: Wed Sep 24, 2014 3:05 am

Re: how to add malware dns file to OpenVPN server via iptables?

Post by Ingber » Thu Jul 14, 2016 7:28 pm

Hi. I just gave an explicit reference to the rules.
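The symptom in this thread (clients behind the VPN still reaching addresses that the VPS itself drops) is exactly what you get when the DROP rules live only in the INPUT chain: packets from redirect-gateway clients are forwarded by the server, not delivered to it, so they are matched by the FORWARD chain and never see INPUT. The script below is an added illustration, not code from this thread or from the referenced gist; it assumes the tunnel interface is tun0, uses a constructed blocklist sample, and only prints the iptables commands so it can be inspected before being run as root.

```shell
#!/bin/sh
# Constructed sample of a blocklist.de-style feed (one IPv4 per line). The
# addresses are documentation ranges, not real indicators; note the blank line,
# the junk line and the duplicate, all of which a real feed can contain.
SAMPLE_BLOCKLIST='# constructed sample feed
198.51.100.23
203.0.113.5

not-an-ip
203.0.113.5
'

# Keep only well-formed, de-duplicated IPv4 addresses. A malformed line would
# otherwise make iptables abort, leaving the list half-loaded.
clean_blocklist() {
    grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' | sort -u
}

# Emit one INPUT rule (protects the VPS) and one FORWARD rule (protects the
# VPN clients) per address. TUN_IF is the OpenVPN tunnel interface (assumed
# tun0). -I inserts at the top of the chain so the DROP wins over any
# "-i tun0 -j ACCEPT" rule the OpenVPN setup already appended to FORWARD.
emit_rules() {
    tun_if="${1:-tun0}"
    clean_blocklist | while read -r ip; do
        printf 'iptables -w -I INPUT -s %s -j DROP\n' "$ip"
        printf 'iptables -w -I FORWARD -i %s -d %s -j DROP\n' "$tun_if" "$ip"
    done
}

# Dry run: show the commands. Pipe this output to "sh" as root to apply, then
# confirm with "iptables -w -L FORWARD -v -n" and watch the packet counters on
# the DROP rules increase when a client tries one of the listed addresses.
printf '%s' "$SAMPLE_BLOCKLIST" | emit_rules tun0
```

For a feed the size of blocklist.de's all.txt, one rule per address makes FORWARD very slow to traverse; the same idea scales with an ipset (`ipset create badips hash:ip`, then a single `iptables -I FORWARD -i tun0 -m set --match-set badips dst -j DROP`) fed by the cleaned list.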
