VPN vs. firewalld on CentOS 7.4

taylorkh
OpenVpn Newbie
Posts: 3
Joined: Thu Oct 12, 2017 5:36 pm

VPN vs. firewalld on CentOS 7.4

Post by taylorkh » Thu Oct 12, 2017 5:53 pm

I could not find an exact topic fit so I am taking the liberty to post this question here. I have been discussing this on linuxquestions.org for a couple of weeks but no one seems to really know the answer. The question...

I am running openvpn as a client on a CentOS 7.4 PC connected to my DSL router/modem which is running in transparent bridged mode. That is, the PC gets the Internet IP address from my ISP. A second NIC on the PC is "Shared to other computers" and passes the connection to the rest of my LAN. Works fine.

I connect to the commercial VPN provider thusly from the command line
sudo openvpn --config ~/bin/us-ca-108.protonvpn.com.udp1194.ovpn --auth-user-pass ~/bin/propw
This allows any computer on my LAN to access the Internet via the vendor's exit server. So far, so good.

The PC is running firewalld - the standard Red Hat/CentOS firewall. I have tested the firewall with the VPN disconnected by using ShieldsUP at www.grc.com to scan ports on the PC from the Internet side. The results seem to be giving me a true picture of my firewall. With the VPN connected a similar scan shows results from the firewall on the exit server. This means I cannot test for the answer to my question. Which is...

Does the VPN tunnel dump its traffic outside or inside the firewall? In other words does the encrypted traffic pass through the firewall unmolested or is it decoded before the firewall and thus subject to the rules of the firewall?

TIA,

Ken

TinCanTech
OpenVPN Protagonist
Posts: 3348
Joined: Fri Jun 03, 2016 1:17 pm

Re: VPN vs. firewalld on CentOS 7.4

Post by TinCanTech » Thu Oct 12, 2017 6:31 pm

You are confused indeed:
taylorkh wrote:
Thu Oct 12, 2017 5:53 pm
(1) Does the VPN tunnel dump its traffic outside or inside the firewall?
The encrypted data must be allowed to pass through your firewall to the openvpn process.
taylorkh wrote:
Thu Oct 12, 2017 5:53 pm
(2) In other words does the encrypted traffic pass through the firewall unmolested
Yes.
taylorkh wrote:
Thu Oct 12, 2017 5:53 pm
(3) or is it decoded before the firewall
No.
taylorkh wrote:
Thu Oct 12, 2017 5:53 pm
(4) and thus subject to the rules of the firewall?
See 1.

Pippin
OpenVPN Expert
Posts: 280
Joined: Wed Jul 01, 2015 8:03 am

Re: VPN vs. firewalld on CentOS 7.4

Post by Pippin » Thu Oct 12, 2017 7:26 pm

Take a look at OpenVPN's traffic flow diagram:
http://i65.tinypic.com/rlizcg.png

taylorkh
OpenVpn Newbie
Posts: 3
Joined: Thu Oct 12, 2017 5:36 pm

Re: VPN vs. firewalld on CentOS 7.4

Post by taylorkh » Thu Oct 12, 2017 11:17 pm

Thanks for the prompt replies. Yes, I am confused - but perhaps not in the way I thought I was confused. I was considering tun0 to be the imaginary tunnel from my PC to the exit server. The diagram is excellent! If I make one slight change - substitute firewalld for iptables (they are both simply ways to interact with netfilter) it starts to make sense. On my system...

eth0 and tun0 are both in the firewalld "drop" zone. This means that all arriving packets are dropped and not even acknowledged UNLESS
- the specific port/protocol on which the packet arrives is open (none are)
- OR the packet is part of a communication initiated by the system

A packet from the VPN exit server will arrive via eth0 on 1194/udp
The firewall will recognize that this is part of the communication started by the openvpn client
Therefore the packet will pass to openvpn to be decrypted etc.
The decrypted packet will take a second pass through the firewall
For example this might be https traffic on 443/tcp. Even though this port is closed the firewall will recognize this as part of a web page communication initiated by the browser on the system.
And the packet is allowed to pass.

If a wayward packet attempts to enter the system on eth0, the firewall will realize that it is not related to a communication initiated by the system and as there are no open ports in the firewall the packet will be zapped.

If a malcontent gains access to the exit server and tries to send a bad packet my way he might be able to spoof the packet as being part of my openvpn communication. This packet might make it through the firewall the first time on 1194/udp. Once decrypted the bad packet will attempt to enter the system from tun0 on whatever port/protocol it has been created. As there is no ongoing communication related to this packet it will be zapped.

If that is the way things work I am a happy camper.

Again, many thanks for the prompt replies and the excellent diagram.

Ken
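The two-pass evaluation Ken walks through above (encrypted reply judged on eth0, decrypted payload judged again on tun0, unsolicited packets dropped on either interface), modelled as an added example. This is a toy model written for this thread, not code from firewalld or OpenVPN; all addresses, ports and the zone names are constructed, and the "trusted" case shows what changes if tun0 were moved out of the drop zone.

```python
# Toy model of the two-pass filtering described in the thread: the encrypted
# OpenVPN packet is judged once on eth0, and after decryption the inner
# packet is judged again on tun0. Illustration only, not firewalld itself.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrives on (eth0 or tun0)
    proto: str   # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class ZoneFirewall:
    zones: dict                                   # iface -> zone name
    open_ports: set = field(default_factory=set)  # (proto, port) opened in "drop"
    conntrack: set = field(default_factory=set)   # flows this host initiated

    def initiate(self, proto, src, sport, dst, dport):
        """Record an outbound flow so its replies count as ESTABLISHED."""
        self.conntrack.add((proto, src, sport, dst, dport))

    def accept(self, p):
        zone = self.zones.get(p.iface, "drop")
        if zone == "trusted":          # a permissive zone lets everything in
            return True
        if (p.proto, p.dport) in self.open_ports:
            return True
        # "drop" zone: only replies to flows initiated from this host pass
        return (p.proto, p.dst, p.dport, p.src, p.sport) in self.conntrack

def vpn_client_walkthrough(tun0_zone="drop"):
    """Walk the thread's four cases; all addresses are constructed."""
    fw = ZoneFirewall(zones={"eth0": "drop", "tun0": tun0_zone})
    fw.initiate("udp", "203.0.113.10", 40000, "198.51.100.5", 1194)  # openvpn client
    fw.initiate("tcp", "10.8.0.2", 51000, "93.184.216.34", 443)      # browser via tunnel
    return {
        # pass 1: encrypted reply from the exit server arrives on eth0
        "eth0_vpn_reply": fw.accept(Packet("eth0", "udp", "198.51.100.5", 1194, "203.0.113.10", 40000)),
        # pass 2: the decrypted https reply re-enters on tun0
        "tun0_https_reply": fw.accept(Packet("tun0", "tcp", "93.184.216.34", 443, "10.8.0.2", 51000)),
        # unsolicited packet on eth0 with no open port
        "eth0_unsolicited": fw.accept(Packet("eth0", "tcp", "192.0.2.77", 12345, "203.0.113.10", 22)),
        # decrypted packet on tun0 that matches no flow the host started
        "tun0_unsolicited": fw.accept(Packet("tun0", "tcp", "10.8.0.1", 12345, "10.8.0.2", 445)),
    }
```

The last case only stays dropped while tun0 sits in the drop zone, which is why the zone assignment of the tunnel interface matters as much as that of eth0.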

taylorkh
OpenVpn Newbie
Posts: 3
Joined: Thu Oct 12, 2017 5:36 pm

Re: VPN vs. firewalld on CentOS 7.4

Post by taylorkh » Thu Oct 12, 2017 11:20 pm

If preview had worked I would have corrected a couple of obvious typos. Sorry.

Ken

Pippin
OpenVPN Expert
Posts: 280
Joined: Wed Jul 01, 2015 8:03 am

Re: VPN vs. firewalld on CentOS 7.4

Post by Pippin » Fri Oct 13, 2017 11:20 am

it starts to make sense
Exactly why I made the diagram together with some devs.
Again, many thanks for the prompt replies and the excellent diagram.
Welcome.
