How to configure external firewall to allow OpenVPN tunnel?

This forum is for admins who are looking to build or expand their OpenVPN setup.

Moderators: TinCanTech

as
OpenVpn Newbie
Posts: 5
Joined: Wed Oct 26, 2011 7:37 pm

How to configure external firewall to allow OpenVPN tunnel?

Post by as » Wed Dec 05, 2012 9:45 pm

So I have my local computer successfully connecting to a remote OpenVPN server. I'm using OpenVPN to route all my traffic through the tunnel out the other side.

I am now adding a dd-wrt router to act as a firewall to ensure that ONLY traffic destined for my VPN-server IP is passed through. My current approach to this is to add these two rules to the router's firewall:

Code:

# Drop all traffic going out the WAN port
iptables -I FORWARD -o vlan1 -j DROP

# Only allow traffic to the VPN (x.x.x.x = remote server IP)
iptables -I FORWARD -o vlan1 -d x.x.x.x -j ACCEPT

If I add these rules AFTER the OpenVPN connection is already established, then everything works as expected.

However, if I add these rules BEFORE the OpenVPN is established, then OpenVPN is unable to connect, so clearly I need to add/allow something else through the firewall, but I can't fathom what it is. Any tips?

bartels
OpenVpn Newbie
Posts: 10
Joined: Tue Dec 04, 2012 3:24 pm

Re: How to configure external firewall to allow OpenVPN tunn

Post by bartels » Fri Dec 07, 2012 11:59 am

"so clearly I need to add/allow something else through the firewall, but I can't fathom what it is. Any tips?"

Your question is really about iptables, not openvpn.

From your description, it is not obvious what goes wrong.
However, your ordering of the rules seems peculiar to me.

Have you inspected the active rule set (iptables -nL) and tried logging?

bartels

as
OpenVpn Newbie
Posts: 5
Joined: Wed Oct 26, 2011 7:37 pm

Re: How to configure external firewall to allow OpenVPN tunn

Post by as » Fri Dec 07, 2012 5:45 pm

So I was trying this with a friend's OpenVPN setup. Then I set up my own for testing and my original plan worked fine. Then I ran on the orig setup with some logging and found another IP that was attempting to be accessed (for some reason). After adding a rule for that IP, everything is working now.
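
The logging approach suggested and then used in this thread, as an added example that is not part of any post: the script prints the two rules from the first post with a LOG rule between them, then tallies blocked destinations from kernel log lines. The `VPNFW-DROP: ` prefix, the 203.0.113.10 server address and the sample log lines are constructed, and availability of the LOG target on the router's build is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed: the LOG target is available on
# the router; LOG_PREFIX and all addresses below are constructed placeholders.
WAN_IF="vlan1"
LOG_PREFIX="VPNFW-DROP: "

# Print the iptables commands for an egress lock-down on $WAN_IF.
# Every rule uses -I (insert at top), so they are emitted bottom-up:
# the chain ends up as ACCEPT <each allowed IP>, LOG, DROP.
gen_rules() {
    echo "iptables -I FORWARD -o $WAN_IF -j DROP"
    echo "iptables -I FORWARD -o $WAN_IF -j LOG --log-prefix \"$LOG_PREFIX\""
    for ip in "$@"; do
        echo "iptables -I FORWARD -o $WAN_IF -d $ip -j ACCEPT"
    done
}

# Read kernel log lines on stdin and print "<count> <destination>" for every
# address the LOG rule recorded, most frequent first.
blocked_destinations() {
    grep -F "$LOG_PREFIX" |
        sed -n 's/.* DST=\([0-9.]*\) .*/\1/p' |
        sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Constructed log lines in the general format the LOG target writes.
sample_log() {
    cat <<'EOF'
Dec  7 17:40:01 router kernel: VPNFW-DROP: IN=br0 OUT=vlan1 SRC=192.168.1.10 DST=198.51.100.7 LEN=70 TTL=63 PROTO=UDP SPT=40112 DPT=1194
Dec  7 17:40:03 router kernel: br0: port 1(eth1) entering forwarding state
Dec  7 17:40:06 router kernel: VPNFW-DROP: IN=br0 OUT=vlan1 SRC=192.168.1.10 DST=198.51.100.7 LEN=70 TTL=63 PROTO=UDP SPT=40112 DPT=1194
Dec  7 17:40:09 router kernel: VPNFW-DROP: IN=br0 OUT=vlan1 SRC=192.168.1.10 DST=192.0.2.53 LEN=61 TTL=63 PROTO=UDP SPT=51820 DPT=53
Dec  7 17:40:11 router kernel: VPNFW-DROP: IN=br0 OUT=vlan1 SRC=192.168.1.10 DST=198.51.100.7 LEN=70 TTL=63 PROTO=UDP SPT=40112 DPT=1194
EOF
}

gen_rules 203.0.113.10            # review the output, then pipe it to sh on the router
sample_log | blocked_destinations # on the router, feed the kernel log instead
```

Each address in the tally is a destination the client tried to reach outside the allow list; decide per address whether it belongs in the arguments to `gen_rules`, as the poster did for the second IP.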

archgrant
OpenVpn Newbie
Posts: 1
Joined: Mon Dec 10, 2012 6:56 am
Location: Norwich

Re: How to configure external firewall to allow OpenVPN tunn

Post by archgrant » Mon Dec 10, 2012 7:00 am

Good that it worked so well with you!!

ISDN30
