Openvpn Firewalling with firewallbuilder

OpenVPN tutorials ranging from configuration to hacks to compilation will be posted here.
OpenVPN User
Posts: 17
Joined: Fri Mar 02, 2012 2:40 am

Openvpn Firewalling with firewallbuilder

Post by terrorfrog » Fri Mar 02, 2012 3:28 am


I want to share some things that may be useful for someone.
Be aware this is a high-level post, so I do not explain basics.

1. Firewall on Linux - use the right tool
More than once I have read all those iptables lines in forums. It looks like people don't really firewall much, otherwise I can't understand why you would ever want to write your rules manually:
the rate of error grows exponentially with the number of rules.

So I recommend: do not code it yourself line by line. In addition, do not use anything which creates any kind of iptables rules for you. libvirt, for example, wants to do that by default if you use the "nat" option; together with OpenVPN you stand there and think WTF is going on... you may get untraceable errors.

I personally use fwbuilder (Firewall Builder), which is open source and free for Linux (but it does cost for Mac and Windows).
The following is based on fwbuilder. I don't want to advertise any company here, but it's the only real option to configure iptables at that level of complexity, even across multiple hosts.

2. Your net config
I know many people use "ifup" and "ifdown" scripts. As I mentioned above, on a server avoid automatic configs if possible. I'm also not a friend of firewall rules that use ifup/ifdown scripts: so many things can go wrong, and many things that go wrong only sometimes can never be traced.

keep it as simple as possible
keep it static if possible
this includes tun/tap for OpenVPN and also bridges for virtualisation
configure them in your interfaces file, so everything you have is there as soon as the network is loaded
do not use NetworkManager if possible

The advantage is that you can make a firewall setup which is independent of the current state of a daemon.
For example, if you let OpenVPN create the tun adapter, your firewall may be loaded before OpenVPN, which will result in an error because the interface does not exist.

I see no reason for a dynamic tun/tap adapter on a server, so configure it statically to avoid iptables problems.

2. Trace your errors
Simple trick (of course you can do it from the command line too):
when you set up and/or trace problems,
simply create one rule per interface at the top of your policies:


Source - any
Destination - any
Service - any
Interface - the explicit interface of your host, one rule per interface
Direction - both
Action - continue
Options - log
With that little rule you can "tail -f /var/log/syslog" and see in real time what's going on.
It also helps to set logging on all other rules too, just while solving the issue.
This, together with the OpenVPN log options, should make you able to trace almost all possible issues, except the following:

3. NAT
NAT config can be a weird error source,
because it may pass all your firewall rules fine but the error is at NAT. It's very hard to find one.

Example error:
virtual host with
host OpenVPN
OpenVPN client

host outside IPs: main IP, IP for NAT

The virtual host has some NAT rules like:
from ...100.200 to - port 80 (forward for HTTP)
but also a NAT out rule to have the correct outgoing IP, like
source to any - translate source

Result of PING with OpenVPN:
OpenVPN client to host - OK
OpenVPN client to virtual host - OK
Host to vhost - OK
Vhost to host - OK
Vhost to OpenVPN client - NOT OK

In this case the error was the NAT out rule:
no outgoing interface specified. The result was that NAT translated every request from the vhost to the outside IP as soon as it left the host (actually it happened to me because I deleted an interface and forgot to insert the new one, oops).

This was just an example of small NAT config mistakes; of course it won't help you in most of your cases.
I'm just saying: check your NAT and bridging config 10 times very closely.
The error above was a very tough one because you could not see anything in the logs.

It was also so tough because, looking at the ping results, it really looks like a client error / firewall / whatever.

Of course you could have this error also with multiple OpenVPN networks bound together.
The best thing you can do to find them is to make a firewall on each node, even if it's only for logging, because traceroute just tells you where something is wrong but not exactly what happens in there.

4. Clients with firewalls - especially Linux servers
In case you want several Linux servers in your OpenVPN network, you NEED to configure them statically,
not only give them a static IP with the client-config-dir.

Also simply configure the tun/tap interface manually,
otherwise you may run someday into the error mentioned above: your firewall is loaded but the client isn't.

Do not forget: only loading the firewall as the last service doesn't solve anything, it's just risky.
For example:
Risky: you boot, the network is loaded, another daemon later has some issues, booting takes way longer than expected, no firewall until the full boot is there.

Problem: you boot, the network is loaded, OpenVPN can't reach its server, timeout, the firewall wants to load, fails in some cases.

5. Why no ifup/ifdowns
As I said before, I don't like them.
Especially when you have a server with OpenVPN, it's very likely you need a lot of rules,
some of them global (without OpenVPN), some of them with OpenVPN. It's really not possible to manage 4+ interfaces
if you really want to secure them but have to split them into ifup eth0, ifup tun0, ...

OK, that's it for the moment, my 2 cents.
Last edited by Mimiko on Mon Mar 12, 2012 10:58 am, edited 1 time in total.
Reason: fw - stands for firewall, firware, etc.
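The following script is an added example, not part of terrorfrog's post and not generated by fwbuilder. It shows the same ideas in plain iptables: a statically created tun0 so the ruleset loads even when OpenVPN is down (sections 2 and 4), one logging rule per interface per chain (the "continue + log" rule from the post), and the NAT mistake from section 3 next to its fix, plus a check that finds SNAT/MASQUERADE rules with no outgoing interface in an iptables-save dump. Every interface name, address and port below is an assumption chosen for illustration; the iptables-save fragment is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original post): iptables equivalent of the fwbuilder
# setup described above, plus a check for the NAT mistake from section 3.
# Interface names, addresses and ports are assumptions for illustration only.

WAN_IF=eth0            # public interface (assumed)
VPN_IF=tun0            # OpenVPN server interface, created statically (see ensure_tun)
VM_IF=br0              # bridge towards the virtual hosts (assumed)
WAN_IP=198.51.100.10   # the host's public address (assumed)
VM_NET=10.10.0.0/24    # virtual host network (assumed)
VM_WEB=10.10.0.200     # the vhost that gets port 80 forwarded (assumed)
VPN_NET=10.8.0.0/24    # OpenVPN client network (assumed)

# Dry run by default: the rules are printed, not applied. Run with IPT=iptables to apply.
IPT=${IPT:-"echo iptables"}

# 1. Create tun0 as a persistent device so rules that reference it load even when
#    openvpn is down. Put 'dev tun0' in the OpenVPN config so it reuses this device.
ensure_tun() {
    ip link show "$VPN_IF" >/dev/null 2>&1 || ip tuntap add dev "$VPN_IF" mode tun
    ip link set "$VPN_IF" up
}

# 2. One logging rule per interface at the top of each chain, for "tail -f /var/log/syslog".
#    LOG is a non-terminating target, i.e. the post's "action - continue, options - log".
log_rules() {
    for ifc in "$WAN_IF" "$VPN_IF" "$VM_IF"; do
        $IPT -A INPUT   -i "$ifc" -j LOG --log-prefix "fw-in-$ifc: "
        $IPT -A FORWARD -i "$ifc" -j LOG --log-prefix "fw-fwd-$ifc: "
        $IPT -A OUTPUT  -o "$ifc" -j LOG --log-prefix "fw-out-$ifc: "
    done
}

# 3a. The mistake from section 3: SNAT with no outgoing interface. A packet from the vhost
#     to a VPN client leaves via tun0 and still gets its source rewritten to WAN_IP, so the
#     client answers the public address and the ping never comes back.
nat_rules_broken() {
    $IPT -t nat -A POSTROUTING -s "$VM_NET" -j SNAT --to-source "$WAN_IP"
}

# 3b. Fixed: port forward on the way in, SNAT only for packets leaving on WAN_IF.
#     vhost -> VPN client traffic leaves on tun0, matches nothing here and keeps its address.
nat_rules() {
    $IPT -t nat -A PREROUTING  -i "$WAN_IF" -d "$WAN_IP" -p tcp --dport 80 \
         -j DNAT --to-destination "$VM_WEB:80"
    $IPT -t nat -A POSTROUTING -s "$VM_NET" -o "$WAN_IF" -j SNAT --to-source "$WAN_IP"
}

# Check for the same mistake on a running box: every SNAT/MASQUERADE rule in the nat table
# should be tied to an outgoing interface. Reads iptables-save output from stdin:
#   iptables-save -t nat | find_unscoped_snat
# Any line it prints is a source-translation rule that also fires on the VPN/bridge side.
find_unscoped_snat() {
    grep -E -- '-j (SNAT|MASQUERADE)' | grep -v -E -- '(^| )-o [^ ]+'
}

# Constructed iptables-save fragment (not from a real host) for trying the check offline.
# Line 2 is the broken rule; line 3 is scoped to eth0 and is fine.
SAMPLE_NAT='*nat
-A PREROUTING -i eth0 -d 198.51.100.10/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.10.0.200:80
-A POSTROUTING -s 10.10.0.0/24 -j SNAT --to-source 198.51.100.10
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT'

# Apply everything only when explicitly asked: sh fw.sh run  (or IPT=iptables sh fw.sh run)
if [ "${1-}" = run ]; then
    ensure_tun
    log_rules
    nat_rules
fi
```

Without arguments the script only defines the functions, so you can source it and run `printf '%s\n' "$SAMPLE_NAT" | find_unscoped_snat` to see the broken rule flagged, or `nat_rules` to see the commands it would issue. On a real host, `iptables-save -t nat | find_unscoped_snat` is the quick check for the invisible NAT error the post describes, since nothing about it shows up in the LOG lines.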
