how to add malware dns file to OpenVPN server via iptables?
Posted: Wed Jul 13, 2016 4:47 pm
by Ingber
On my OpenVPN server on my Ubuntu VPS, I regularly update lists from sites like
https://lists.blocklist.de/lists/all.txt into my fail2ban scripts which put DROP entries into my iptables, so I thought this might be a good way of also protecting OpenVPN clients.
However, this does not seem to work. I picked a few IPs that are in my DROP list in my server iptables, e.g., `iptables -w -L -v -n`, and my clients that use my OpenVPN server can still access those IPs in their browsers. My clients use headers like:
```
client
dev tun
proto udp
remote XXX.XXX.XXX.XXX
resolv-retry infinite
nobind
persist-key
persist-tun
ns-cert-type server
comp-lzo
verb 3
```
TLS certs are used, etc.
Re: how to add malware dns file to OpenVPN server via iptables?
Posted: Wed Jul 13, 2016 5:02 pm
by Ingber
Note that I already have the `push` line in my server.conf:
```
# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
push "redirect-gateway def1 bypass-dhcp"
```
Re: how to add malware dns file to OpenVPN server via iptables?
Posted: Wed Jul 13, 2016 8:01 pm
by TinCanTech
See man iptables -t table for the different tables and what they do ..
FAIL2BAN is not going to help at all with your clients access to the internet.
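A common reason for the behaviour described in the first post is that fail2ban-style DROP rules are placed in the INPUT chain, which only filters packets addressed to the server itself, while traffic that VPN clients route through the server traverses the FORWARD chain. The script below is an added example, not code from this thread or from the linked gist; it assumes the VPN interface is tun0, an ipset named vpn_block, and writes a constructed sample list (RFC 5737 documentation ranges) to a temporary file.

```shell
#!/bin/sh
# Added example (not from the thread): load a blocklist into an ipset and drop
# VPN-client traffic to those addresses in the FORWARD chain. Rules in INPUT
# only protect the server itself; packets that clients route through the
# server traverse FORWARD, so a blocklist meant for clients must live there.
# Assumptions: VPN interface tun0, ipset name vpn_block, ipset/iptables present.
# DRY_RUN=1 prints the commands instead of running them (needs no root).

VPN_IF="${VPN_IF:-tun0}"
SET_NAME="${SET_NAME:-vpn_block}"
DRY_RUN="${DRY_RUN:-0}"

# Constructed sample list using RFC 5737 documentation ranges, not real IoCs.
SAMPLE_LIST="${TMPDIR:-/tmp}/blocklist.sample"
printf '%s\n' '# constructed sample list' '192.0.2.10' \
    '198.51.100.0/24   # whole block' '203.0.113.77' 'not-an-address' > "$SAMPLE_LIST"

run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# Strip comments and whitespace, keep only IPv4 addresses or CIDR blocks.
clean_list() {
    sed 's/[[:space:]]*#.*//; s/[[:space:]]//g' "$1" |
        grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$'
}

# Number of usable entries in a list file.
count_entries() {
    clean_list "$1" | wc -l | tr -d ' '
}

# Build the set and attach a single FORWARD rule; ipset keeps the rule count
# constant no matter how long the list grows, unlike one DROP rule per IP.
load_blocklist() {
    run ipset create "$SET_NAME" hash:net -exist
    clean_list "$1" | while IFS= read -r net; do
        run ipset add "$SET_NAME" "$net" -exist
    done
    # Insert the rule only once; in dry-run mode skip the -C existence check.
    if [ "$DRY_RUN" = "1" ] ||
       ! iptables -C FORWARD -i "$VPN_IF" -m set --match-set "$SET_NAME" dst -j DROP 2>/dev/null; then
        run iptables -I FORWARD -i "$VPN_IF" -m set --match-set "$SET_NAME" dst -j DROP
    fi
}
```

Run `DRY_RUN=1 sh script.sh` first and check that the emitted rule names the interface your clients arrive on before applying it as root.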
Re: how to add malware dns file to OpenVPN server via iptables?
Posted: Thu Jul 14, 2016 3:08 pm
by Ingber
TinCanTech:
I've been using scripts modeled after
https://gist.github.com/klepsydra/ecf975984b32b1c8291a to populate iptables. Note that these scripts do not really use fail2ban, but rather are an independent method of creating and maintaining these tables. As the author states,
`## Actually, runs 100% independently now, without needing fail2ban installed.`
Do you mean that using iptables will not work for my purposes, i.e., to maintain a malware base for client OpenVPN using my OpenVPN server?
Are you saying that I should use "-t nat" or "-t security" for this purpose?
Thanks for your reply.
Re: how to add malware dns file to OpenVPN server via iptables?
Posted: Thu Jul 14, 2016 6:28 pm
by TinCanTech
What I am saying is .. we do not know anything about your iptables rules
Re: how to add malware dns file to OpenVPN server via iptables?
Posted: Thu Jul 14, 2016 7:28 pm
by Ingber
Hi. I just gave an explicit reference to the rules.