Linux PC acting as router - eth0 (wan), eth1 (lan), tun0 (vpn) - Are my iptable rules secure?

jdoe87
OpenVpn Newbie
Posts: 5
Joined: Thu Aug 02, 2018 9:18 pm

Linux PC acting as router - eth0 (wan), eth1 (lan), tun0 (vpn) - Are my iptable rules secure?

Post by jdoe87 » Thu Aug 02, 2018 9:25 pm

I built a Linux PC that is acting as a router and is directly connected to the internet. It has the following network interfaces: eth0 (WAN), eth1 (LAN), tun0 (OpenVPN). All traffic should go through the tun0 VPN connection (this includes both the router's internal traffic and all traffic from the LAN). The OpenVPN port is 48000.

I wrote some basic iptables rules and everything seems to work: http://termbin.com/2vqj7

I'm not sure if these iptables rules are secure enough or if they can be simplified. Could someone review them?

This is the topology I want:

     Internet
         |
         |
     VPN (tun0)
         |
         |
   PC Router (eth0)
         |
     LAN (eth1)

PingPong
OpenVPN User
Posts: 14
Joined: Sun Jul 29, 2018 2:01 pm

Re: Linux PC acting as router - eth0 (wan), eth1 (lan), tun0 (vpn) - Are my iptable rules secure?

Post by PingPong » Sun Aug 12, 2018 10:56 am

You drop all FORWARDs, but then FORWARD everything from outside to inside:


iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
Why not just forward the needed port for OpenVPN?

To be sure that your system is secured as it should be, think about a port scan (Zenmap) over all ports and all protocols. Providers don't like that. So disconnect eth0 from the internet, connect it to some switch and run the port scan from some other computer also connected to the switch.

That likely will be the only way to be really sure what's going on.

Greetz
Martin
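The rule set under discussion is only linked from the question, so the script below is an added example and is neither jdoe87's rules nor anything Martin posted. It builds an iptables-restore ruleset for the topology in the question (eth0 WAN, eth1 LAN, tun0 VPN, OpenVPN on port 48000) and also carries a small audit function for the point raised in the reply: a FORWARD chain whose policy is DROP is only as tight as its ACCEPT rules, so the audit lists every FORWARD rule that accepts new connections on any path other than LAN into the tunnel. Assumptions not taken from the thread: the LAN prefix 192.168.1.0/24, OpenVPN running over UDP, and the function names build_ruleset and forward_is_narrow.

```shell
#!/bin/sh
# Added example for the eth0 (WAN) / eth1 (LAN) / tun0 (VPN) router in the thread.
# Interface names and port 48000 come from the question; the LAN prefix and
# UDP transport are assumptions and must be adjusted to the real setup.

WAN=eth0
LAN=eth1
VPN=tun0
OVPN_PORT=48000
LAN_NET=192.168.1.0/24   # assumption: replace with the real LAN prefix

# Emit the complete ruleset in iptables-save format. Apply it atomically with
#   build_ruleset | iptables-restore
# Default policy is DROP everywhere; forwarding is allowed only LAN -> tun0, and
# the router itself may only reach the WAN on the OpenVPN port, so if tun0 goes
# down the LAN is cut off instead of leaking out through eth0.
build_ruleset() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# LAN clients leave only through the tunnel, masqueraded behind the tun0 address
-A POSTROUTING -s $LAN_NET -o $VPN -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback and replies to connections the router opened
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# only the LAN side may open connections to the router (DNS, DHCP, SSH, ...);
# nothing arriving on eth0 or tun0 may initiate
-A INPUT -i $LAN -j ACCEPT
# forwarding: return traffic, plus new connections from the LAN into the tunnel only;
# no LAN <-> WAN path and no VPN -> LAN initiation
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN -s $LAN_NET -o $VPN -j ACCEPT
# the router's own traffic: the OpenVPN handshake is the only thing allowed out on eth0
# (if the client config names the server by hostname, DNS to the resolver must be
# allowed here as well, or the server given by IP address)
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o $WAN -p udp --dport $OVPN_PORT -j ACCEPT
-A OUTPUT -o $VPN -j ACCEPT
-A OUTPUT -o $LAN -j ACCEPT
COMMIT
EOF
}

# Audit a ruleset in iptables-save format read from stdin (e.g. iptables-save output).
# Returns 0 when the only FORWARD rules that ACCEPT new connections go from LAN into
# the tunnel, 1 when any broader ACCEPT exists, such as a tun0 -> eth0 rule.
forward_is_narrow() {
  broad=$(grep -E '^-A FORWARD .*-j ACCEPT' \
          | grep -vE 'ctstate [A-Z,]*ESTABLISHED' \
          | grep -vE -- "-i $LAN .*-o $VPN( |$)" || true)
  if [ -n "$broad" ]; then
    printf 'broad FORWARD ACCEPT rule(s):\n%s\n' "$broad" >&2
    return 1
  fi
  return 0
}

case "${1:-}" in
  --apply) build_ruleset | iptables-restore ;;            # needs root
  --audit) forward_is_narrow && echo "FORWARD accepts only LAN -> VPN" ;;
  *)       build_ruleset ;;                                # dry run: print the ruleset
esac
```

Running the script with no argument prints the ruleset for review; `iptables-save | ./fw.sh --audit` checks a live ruleset against the LAN-to-tunnel-only rule, which is the quickest way to spot a stray catch-all ACCEPT in FORWARD before going on to the port scan Martin suggests.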
