Custom iptables rule
-
- OpenVpn Newbie
- Posts: 2
- Joined: Fri Jan 27, 2023 5:37 pm
Custom iptables rule
When adding a rule to iptables, the rule is overwritten every time the server is updated. Is it possible to set an arbitrary iptables rule?
- openvpn_inc
- OpenVPN Inc.
- Posts: 1185
- Joined: Tue Feb 16, 2021 10:41 am
Re: Custom iptables rule
Hello souda,
Yes, I believe that if you execute this command on the Access Server it will switch behavior to add rules after existing rules, instead of forcing its own rules first. That should allow you to set custom iptables rules. Then when Access Server starts it should keep that rule intact.
Run as root user on your OpenVPN Access Server:
/usr/local/openvpn_as/scripts/sacli --key "iptables.append" --value "true" configput
To undo this setting:
/usr/local/openvpn_as/scripts/sacli --key "iptables.append" configdel
And to apply settings it will probably work with "sacli start" but you may need to restart the openvpnas service.
Kind regards,
Johan

Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
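One way to check whether a custom rule actually survives an Access Server restart or settings update, as discussed in the reply above (an added example, not part of the original posts and not OpenVPN's code): compare two `iptables-save` snapshots and list the rules that disappeared. The function names, file names and sample rules are assumptions made up for illustration.

```shell
#!/bin/sh
# Added example, not OpenVPN's code. Real use (as root):
#   iptables-save > before.rules   # taken with the custom rule in place
#   ...restart Access Server or update its settings...
#   iptables-save > after.rules
#   missing_rules before.rules after.rules

# Print every rule as "table: -A ...", dropping chain headers, comments
# and the [packets:bytes] prefix that "iptables-save -c" adds.
normalize_rules() {
    awk '
        /^\*/ { table = substr($0, 2); next }
        { sub(/^\[[0-9]+:[0-9]+\] /, "") }
        /^-A / { print table ": " $0 }
    ' "$1" | LC_ALL=C sort -u
}

# Print rules present in snapshot $1 but absent from snapshot $2.
missing_rules() {
    mr_a=$(mktemp) && mr_b=$(mktemp) || return 1
    normalize_rules "$1" > "$mr_a"
    normalize_rules "$2" > "$mr_b"
    LC_ALL=C comm -23 "$mr_a" "$mr_b"
    rm -f "$mr_a" "$mr_b"
}

# Constructed sample snapshots (addresses and rules are made up).
write_samples() {
    cat > "$1/before.rules" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -d 192.168.50.0/24 -j ACCEPT
COMMIT
EOF
    cat > "$1/after.rules" <<'EOF'
*filter
:INPUT ACCEPT [12:840]
:FORWARD ACCEPT [0:0]
[12:840] -A INPUT -i lo -j ACCEPT
COMMIT
EOF
}
```

An empty result means every rule from the first snapshot is still loaded; any line printed is a rule that was dropped and names the table it belonged to.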
-
- OpenVpn Newbie
- Posts: 2
- Joined: Fri Jan 27, 2023 5:37 pm
Re: Custom iptables rule
The problem ends up being that I need to be able to access client networks that are behind the server.
I write an iptables rule that allows connection to the client, but when updating the settings, this rule is overwritten even with this setting. Is it possible to auto-add a rule when updating the server?
- openvpn_inc
- OpenVPN Inc.
- Posts: 1185
- Joined: Tue Feb 16, 2021 10:41 am
Re: Custom iptables rule
Hello souda,
You should be able to add configuration to the Access Server to allow access to subnets behind the Access Server. Just give your users access to them and the Access Server will add the necessary rules for it. For example to grant this access to all users, go to VPN Settings > Allow access to private subnets > Yes > specify subnets here. Or you can do it per group or per user instead.
The way Access Server works is that you tell Access Server which kind of access you want, and it manages that for you. This also ensures the VPN clients get the necessary routes. If you want to do it another way, then you can turn off iptables management and then you're completely on your own with iptables rules and client routing. If you do that though, you are operating the Access Server in an unsupported way and any issues with iptables rules are your responsibility.
See here for documentation:
https://openvpn.net/vpn-server-resource ... o-iptables
Good luck,
Johan
