Custom iptables rule

Business solution to host your own OpenVPN server with web management interface and bundled clients.
souda
OpenVpn Newbie
Posts: 2
Joined: Fri Jan 27, 2023 5:37 pm

Custom iptables rule

Post by souda » Fri Jan 27, 2023 6:16 pm

When adding a rule to iptables, the rule is overwritten every time the server is updated. Is it possible to set an arbitrary iptables rule?

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: Custom iptables rule

Post by openvpn_inc » Fri Jan 27, 2023 6:59 pm

Hello souda,

Yes, I believe that if you execute this command on the Access Server it will switch behavior to add rules after existing rules, instead of forcing its own rules first. That should allow you to set custom iptables rules. Then when Access Server starts it should keep that rule intact.

Run as root user on your OpenVPN Access Server:
/usr/local/openvpn_as/scripts/sacli --key "iptables.append" --value "true" configput

To undo this setting:
/usr/local/openvpn_as/scripts/sacli --key "iptables.append" configdel

And to apply settings it will probably work with "sacli start" but you may need to restart the openvpnas service.

Kind regards,
Johan
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
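
Added example (not part of the original posts and not OpenVPN Inc. code): one way to confirm whether a custom rule survives an Access Server restart, and whether it still sits ahead of the server's own rules, is to compare `iptables -S` output captured before and after. The `AS0_` chain prefix, the chain name `AS0_EXAMPLE`, the subnets and all three snapshots are constructed assumptions for illustration.

```python
# Assumption: chains managed by Access Server share this prefix; adjust to match your host.
MANAGED_PREFIX = "AS0_"

# Constructed `iptables -S` snapshots (not captured from a real server).
CUSTOM = "-A FORWARD -s 172.27.224.0/20 -d 192.168.50.0/24 -j ACCEPT"
BEFORE = "\n".join(["-P FORWARD ACCEPT", "-N AS0_EXAMPLE", CUSTOM,
                    "-A FORWARD -j AS0_EXAMPLE", "-A AS0_EXAMPLE -j ACCEPT"])
# Restart where the server rebuilt the chain and the custom rule is gone.
AFTER_DEFAULT = "\n".join(["-P FORWARD ACCEPT", "-N AS0_EXAMPLE",
                           "-A FORWARD -j AS0_EXAMPLE", "-A AS0_EXAMPLE -j ACCEPT"])
# Restart where the server appended its rules after the existing one.
AFTER_APPEND = BEFORE

def parse_rules(dump):
    """Return {chain: [rule, ...]} for the -A lines of `iptables -S`, in order."""
    chains = {}
    for line in dump.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "-A":
            chains.setdefault(parts[1], []).append(" ".join(parts))
    return chains

def is_managed(rule, chain):
    """Managed means the rule lives in, or jumps to, a chain with MANAGED_PREFIX."""
    tokens = rule.split()
    target = tokens[tokens.index("-j") + 1] if "-j" in tokens[:-1] else ""
    return chain.startswith(MANAGED_PREFIX) or target.startswith(MANAGED_PREFIX)

def audit(before, after):
    """Map each custom rule in `before` to 'lost', 'first' or 'after-managed'."""
    old, new = parse_rules(before), parse_rules(after)
    report = {}
    for chain, rules in old.items():
        for rule in rules:
            if is_managed(rule, chain):
                continue
            current = new.get(chain, [])
            if rule not in current:
                report[rule] = "lost"
                continue
            managed = [i for i, r in enumerate(current) if is_managed(r, chain)]
            ahead = not managed or current.index(rule) < managed[0]
            report[rule] = "first" if ahead else "after-managed"
    return report

if __name__ == "__main__":
    for label, snap in (("default", AFTER_DEFAULT), ("append", AFTER_APPEND)):
        print(label, audit(BEFORE, snap))
```

A result of "lost" or "after-managed" after a restart means the custom rule is no longer evaluated before the server's rules.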

souda
OpenVpn Newbie
Posts: 2
Joined: Fri Jan 27, 2023 5:37 pm

Re: Custom iptables rule

Post by souda » Sat Jan 28, 2023 10:04 pm

The problem ends up being that I need to be able to access client networks that are behind the server.
I write an iptables rule that allows connection to the client, but when updating the settings, this rule is overwritten even with this setting. Is it possible to auto-add a rule when updating the server?

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: Custom iptables rule

Post by openvpn_inc » Mon Jan 30, 2023 11:55 am

Hello souda,

You should be able to add configuration to the Access Server to allow access to subnets behind the Access Server. Just give your users access to them and the Access Server will add the necessary rules for it. For example to grant this access to all users, go to VPN Settings > Allow access to private subnets > Yes > specify subnets here. Or you can do it per group or per user instead.

The way Access Server works is that you tell Access Server which kind of access you want, and it manages that for you. This also ensures the VPN clients get the necessary routes. If you want to do it another way, then you can turn off iptables management and then you're completely on your own with iptables rules and client routing. If you do that though, you are operating the Access Server in an unsupported way and any issues with iptables rules are your responsibility.

See here for documentation:
https://openvpn.net/vpn-server-resource ... o-iptables

Good luck,
Johan
OpenVPN Inc.