How to secure openvpn?

This forum is for general conversation and user-user networking.

Moderators: TinCanTech

aholak
OpenVpn Newbie
Posts: 4
Joined: Mon Feb 25, 2013 1:15 pm

How to secure openvpn?

Post by aholak » Mon Feb 25, 2013 1:22 pm

Hi,

I have a Xen VPS with OpenVPN installed. How can I configure it for OpenVPN usage only? Only I will connect to the server, via a UDP port.

I edited my iptables rules following this article: topic7722.html

After I executed the script, I connected to my server via the OpenVPN GUI (Windows 7), then I started Firefox but could not open ANY web pages. I think my server cannot reach the internet because of the new firewall rules.

How can I configure my firewall?
If there are more ways to secure my VPS, can you recommend them?

Thanks

aholak
OpenVpn Newbie
Posts: 4
Joined: Mon Feb 25, 2013 1:15 pm

Re: How to secure openvpn?

Post by aholak » Mon Feb 25, 2013 6:01 pm

Anyone able to help? :cry:

Douglas
Forum Team
Posts: 285
Joined: Wed Aug 27, 2008 2:41 am

Re: How to secure openvpn?

Post by Douglas » Mon Feb 25, 2013 7:25 pm

If you are redirecting all traffic, did you put all your NAT rules in place?

Show us your configs, and iptables -L -t nat also.

aholak
OpenVpn Newbie
Posts: 4
Joined: Mon Feb 25, 2013 1:15 pm

Re: How to secure openvpn?

Post by aholak » Mon Feb 25, 2013 7:44 pm

Douglas wrote: If you are redirecting all traffic, did you put all your NAT rules in place?

Show us your configs, and iptables -L -t nat also.

I added my firewall rules from this topic: topic7722.html (I did not change anything).

What are NAT rules? Are they different from these rules?

iptables -L:


Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere            udp dpt:openvpn
ACCEPT     tcp  --  anywhere             anywhere            tcp flags:ACK/ACK
ACCEPT     udp  --  anywhere             anywhere            udp spt:domain dpts:1024:65535
ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere            icmp source-quench
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere            icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
ACCEPT     udp  --  anywhere             anywhere            udp dpts:33434:33523

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  10.8.0.0/24          anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-ssh (0 references)
target     prot opt source               destination

iptables -L -t nat:


Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  10.8.0.0/24          anywhere

Douglas
Forum Team
Posts: 285
Joined: Wed Aug 27, 2008 2:41 am

Re: How to secure openvpn?

Post by Douglas » Mon Feb 25, 2013 7:51 pm

OK - the masquerade rule is there indeed. Hrmm...

Can you ping google.com when you connect? What about an IP on the internet?

aholak
OpenVpn Newbie
Posts: 4
Joined: Mon Feb 25, 2013 1:15 pm

Re: How to secure openvpn?

Post by aholak » Mon Feb 25, 2013 7:53 pm

I realised that changing from iptables -P INPUT DROP to iptables -P INPUT ACCEPT solved the issue.

Is changing to ACCEPT a bad method?

Edit.

After the change, I can now ping google.com with an average of 250 ms, and I also pinged some other websites, which was fine.
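As an added example (not code from this thread or from the OpenVPN project), the script below shows the alternative to flipping the INPUT policy to ACCEPT: keep the default-deny policy and add explicit ACCEPT rules for loopback, established connections, SSH, the OpenVPN port and packets arriving on the tunnel interface, together with the FORWARD and MASQUERADE rules that let clients reach the internet. The interface names (eth0, tun0), the ports (22, 1194) and the IPT/WAN/TUN variable names are assumptions; only the 10.8.0.0/24 subnet and the MASQUERADE rule appear in the thread's own output.

```shell
#!/bin/sh
# Added example, not from the thread: default-deny firewall for an OpenVPN
# server that also NATs its clients. Run as: sh vpn-fw.sh apply
# Assumptions (not stated in the thread): public interface eth0, tunnel
# interface tun0, tunnel subnet 10.8.0.0/24, OpenVPN on UDP 1194, SSH on TCP 22.
IPT="${IPT:-iptables}"   # set IPT=echo to print the rules instead of applying them
WAN="${WAN:-eth0}"
TUN="${TUN:-tun0}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"
VPN_PORT="${VPN_PORT:-1194}"
SSH_PORT="${SSH_PORT:-22}"

apply_rules() {
    # Start from an empty ruleset in both tables.
    "$IPT" -F
    "$IPT" -t nat -F
    "$IPT" -X

    # Default deny for inbound and forwarded traffic; the box's own outbound stays open.
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT ACCEPT

    # Loopback, replies to connections the server opened, and nothing conntrack cannot classify.
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    "$IPT" -A INPUT -m conntrack --ctstate INVALID -j DROP

    # The only two services reachable from the internet: SSH and OpenVPN.
    "$IPT" -A INPUT -i "$WAN" -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT
    "$IPT" -A INPUT -i "$WAN" -p udp --dport "$VPN_PORT" -m conntrack --ctstate NEW -j ACCEPT

    # Packets that arrive through the tunnel (e.g. DNS or SSH aimed at the server's
    # tunnel address) have already been authenticated by OpenVPN. Without this rule a
    # DROP policy silently eats everything a client sends to the server itself.
    "$IPT" -A INPUT -i "$TUN" -s "$VPN_NET" -j ACCEPT

    # Answer pings; all other ICMP falls through to the DROP policy.
    "$IPT" -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

    # Forward VPN clients out to the internet, and only their return traffic back in.
    "$IPT" -A FORWARD -i "$TUN" -o "$WAN" -s "$VPN_NET" -j ACCEPT
    "$IPT" -A FORWARD -i "$WAN" -o "$TUN" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

    # Hide the tunnel subnet behind the server's public address.
    "$IPT" -t nat -A POSTROUTING -s "$VPN_NET" -o "$WAN" -j MASQUERADE
}

# Apply for real only when explicitly asked; forwarding between tun0 and eth0
# also needs the kernel's ip_forward switch, which iptables alone does not set.
if [ "${1:-}" = "apply" ]; then
    sysctl -w net.ipv4.ip_forward=1
    apply_rules
fi
```

Run it with IPT=echo first to review the generated commands before touching a remote box; on an iptables old enough to lack the conntrack match, `-m state --state` takes the same arguments. If the VPS also has a public IPv6 address, the same policy has to be repeated with ip6tables, otherwise the IPv4 default-deny is bypassed over v6.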

venus
OpenVpn Newbie
Posts: 2
Joined: Mon Mar 04, 2013 6:37 am

Re: How to secure openvpn?

Post by venus » Mon Mar 04, 2013 6:38 am

Nice post. This was really useful for me.
