i have openvpn client config, with route-nopull and i add routes from a script with route add -net 10.8.0.0/24 dev tun0 and on the server I have client-to-client and specify static ips with client-config-dir
I have found that ufw was messing up my config, so I am trying with traditional iptables rules. with the below rules, everything works as desired, except that I am wide open on the internet.
Code: Select all
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N f2b-sshd
-A INPUT -i tun0 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -i tun0 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -i tun0 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -m owner --uid-owner 1001 -j ACCEPT
-A OUTPUT -o tun0 -m owner --uid-owner 1001 -j ACCEPT
-A OUTPUT ! -s EXTERNALIP/32 -o enp0s20f0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -m owner --uid-owner 1002 -j ACCEPT
-A OUTPUT -o tun0 -m owner --uid-owner 1002 -j ACCEPT
-A OUTPUT ! -s EXTERNALIP/32 -o enp0s20f0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -m owner --uid-owner 1003 -j ACCEPT
-A OUTPUT -o tun0 -m owner --uid-owner 1003 -j ACCEPT
-A OUTPUT ! -s EXTERNALIP/32 -o enp0s20f0 -j REJECT --reject-with icmp-port-unreachable
Code: Select all
-A INPUT -p tcp -m multiport --dports 22,80,443 -j ACCEPT
-A OUTPUT -p tcp -m multiport --sports 22,80,443 -j ACCEPT
-A INPUT -p udp -m state --state NEW,ESTABLISHED --dport 1194 -j ACCEPT
-A OUTPUT -p udp -m state --state ESTABLISHED --sport 1194 -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A INPUT -i eth0 -j DROP
I have tried iptables -P INPUT DROP with the same effect, and many other variables - it prevents 1194 access from eth0