How to secure openvpn?
Posted: Mon Feb 25, 2013 1:22 pm
by aholak
Hi,
I have a Xen VPS with OpenVPN installed. How can I configure the VPS for OpenVPN usage only? Only I will connect to the server, via a UDP port.
I edited my iptables by reading this article :
topic7722.html
After I executed the script, I connected to my server via the OpenVPN GUI (Windows 7), then started Firefox but could not open ANY web pages. I think my server cannot reach the internet because of the new firewall rules.
How can I configure my firewall?
If there are more ways to secure my VPS, can you recommend them?
Thanks
Re: How to secure openvpn?
Posted: Mon Feb 25, 2013 6:01 pm
by aholak
Anyone for help?

Re: How to secure openvpn?
Posted: Mon Feb 25, 2013 7:25 pm
by Douglas
If you are redirecting all traffic, did you put all your nat rules in place?
Show us your configs, and iptables -L -t nat also.
Re: How to secure openvpn?
Posted: Mon Feb 25, 2013 7:44 pm
by aholak
Douglas wrote: If you are redirecting all traffic, did you put all your nat rules in place?
Show us configs, iptables -L -t nat also
I added my firewall rules from this topic: topic7722.html (did not change anything).
What are NAT rules? Are they different from these rules?
iptables -L:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere udp dpt:openvpn
ACCEPT tcp -- anywhere anywhere tcp flags:ACK/ACK
ACCEPT udp -- anywhere anywhere udp spt:domain dpts:1024:65535
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT udp -- anywhere anywhere udp dpts:33434:33523
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- 10.8.0.0/24 anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain fail2ban-ssh (0 references)
target prot opt source destination
iptables -L -t nat:
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 10.8.0.0/24 anywhere
Re: How to secure openvpn?
Posted: Mon Feb 25, 2013 7:51 pm
by Douglas
OK - the masquerade rule is there indeed. Hrmm...
Can you ping google.com when you connect? What about an IP on the internet?
Re: How to secure openvpn?
Posted: Mon Feb 25, 2013 7:53 pm
by aholak
I realised that changing from iptables -P INPUT DROP to iptables -P INPUT ACCEPT solved the issue.
Is changing to ACCEPT a bad method?
Edit: After the change, I can now ping google.com with an average of 250 ms, and I also pinged some other websites, which was fine.
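An added example, not from this thread or the linked topic: a ruleset that keeps the INPUT policy at DROP (the posture the DROP-to-ACCEPT change gave up) while still letting connected VPN clients reach the server and the internet, built from the chains shown above. It assumes tun0 is the OpenVPN interface, eth0 the public interface, 10.8.0.0/24 the VPN subnet and 1194/udp the OpenVPN port (the "openvpn" service name in the listing); adjust the variables if yours differ. The script only prints the rules unless run as root with --apply.

```shell
#!/bin/sh
# Assumed interface names, subnet and port (constructed; override via env).
VPN_IF=${VPN_IF:-tun0}
VPN_NET=${VPN_NET:-10.8.0.0/24}
WAN_IF=${WAN_IF:-eth0}
VPN_PORT=${VPN_PORT:-1194}

# Emit the complete ruleset in iptables-restore format.
vpn_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and replies to flows the server itself started (DNS, updates)
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# the only two services exposed on the public side: SSH and OpenVPN
-A INPUT -i $WAN_IF -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i $WAN_IF -p udp --dport $VPN_PORT -m state --state NEW -j ACCEPT
# packets from connected VPN clients to the server itself (e.g. pushed DNS);
# without this line a DROP policy silently eats them
-A INPUT -i $VPN_IF -s $VPN_NET -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# route VPN clients out to the internet and their replies back, nothing else
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $VPN_IF -o $WAN_IF -s $VPN_NET -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
# the masquerade rule from the thread, restricted to the public interface
-A POSTROUTING -s $VPN_NET -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# Sanity check before loading: policy still DROP, VPN interface explicitly allowed.
check_rules() {
    vpn_rules | grep -q '^:INPUT DROP' || return 1
    vpn_rules | grep -q -- "-A INPUT -i $VPN_IF -s $VPN_NET -j ACCEPT" || return 1
    return 0
}

# Apply only on explicit request (requires root and net.ipv4.ip_forward=1).
if [ "$1" = "--apply" ]; then
    check_rules && vpn_rules | iptables-restore
else
    vpn_rules
fi
```

Run it once without arguments to review the rules, then `sudo sh script.sh --apply`; verify afterwards with `iptables -L -v -n` that the tun0 accept rule precedes nothing that would shadow it.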
Re: How to secure openvpn?
Posted: Mon Mar 04, 2013 6:38 am
by venus
Nice post. This was really useful for me.