Arno's IPTables Firewall and OpenVPN

One of life's great time-savers is Arno's IPTables Firewall Script. It usually works perfectly with only the most basic configuration, but it takes a bit of thinking to get OpenVPN to run smoothly alongside it. This FAQ contains the little details that most people would otherwise have to dig for.

If you've never tried the script before, you can find it here:

http://rocky.eld.leidenuniv.nl/

Most of the setup for the script is fairly obvious and it generally gets the job done without any hassle. Just take the time to read the notes in the README and the firewall.conf files and you will find everything working smoothly.

But, then, when you try to install OpenVPN, things get a little more complicated. So, mostly as notes to myself, here's what I add to firewall.conf to finish the job:

  1. By default NAT_INTERNAL_NET holds only the main internal subnet (the one behind INT_IF), and that is not enough for OpenVPN: the VPN clients live on their own subnet, so their traffic matches none of the NAT rules. If you ping an external IP from a VPN client you get no reply. Dumping traffic on the EXT_IF shows the client's ICMP packets leaving with their private source address, un-NAT'd, so the reply from the external host can't come back.

    The simple solution is to list every subnet that needs to be NAT'd out through the EXT_IF, the LAN and the VPN client subnet (here 192.168.2.0/24), like this:

    NAT="1"
    NAT_INTERNAL_NET="192.168.1.0/24 192.168.2.0/24"

    With this in place the VPN clients are masqueraded out through the EXT_IF and get their replies.

  2. Make sure you list every trusted internal device in the TRUSTED_IF parameter, including the device already given in INT_IF and, above all, the VPN tunnel devices. The form tun+ is the iptables interface wildcard and matches tun0, tun1 and so on, whichever one OpenVPN brings up:

    TRUSTED_IF="eth0 tun+"

    Bear in mind that a trusted interface is not filtered: traffic arriving on it is accepted, so this gives VPN clients the same standing as the LAN. If that is not what you want, treat the tunnel device like any other internal interface instead and open only what the clients need.

  3. OpenVPN can run over either TCP or UDP, on any port you choose (the default is port 1194 over UDP). Check your OpenVPN server configuration, the proto and port directives, to find out what needs opening, then add that port number to OPEN_UDP or OPEN_TCP accordingly. Opening the wrong protocol is the classic mistake here: a UDP server does not need the TCP port, and vice versa.
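To pull those three settings straight from the server's OpenVPN configuration rather than working them out by hand, here is a small POSIX shell script. It is an added example, not part of Arno's script, of OpenVPN, or of this post: the embedded server.conf is constructed (its VPN subnet mirrors the 192.168.2.0/24 used above), the LAN subnet 192.168.1.0/24 and interface eth0 are taken from the examples above, and the helpers ovpn_opt, mask_to_prefix and firewall_settings are my own. It reads the real OpenVPN directives dev, proto, port and server and prints the matching firewall.conf lines.

```shell
#!/bin/sh
# Derive the firewall.conf settings discussed above (NAT_INTERNAL_NET,
# TRUSTED_IF, OPEN_UDP/OPEN_TCP) from an OpenVPN server configuration.
# Added example: not part of Arno's firewall script or of OpenVPN.

# Constructed sample of an OpenVPN server config (assumption: the usual
# "dev", "proto", "port" and "server" directives are present).
SAMPLE_CONF='
dev tun
proto udp
port 1194
server 192.168.2.0 255.255.255.0
push "redirect-gateway def1"
'

# Print the first value of directive $2 in config text $1, or default $3.
ovpn_opt() {
    printf '%s\n' "$1" | awk -v k="$2" -v d="$3" '
        $1 == k { print $2; found = 1; exit }
        END     { if (!found) print d }'
}

# Convert a dotted-quad netmask (255.255.255.0) to a prefix length (24)
# by counting the set bits. Runs in a subshell so IFS is not clobbered.
mask_to_prefix() (
    IFS=.
    bits=0
    for octet in $1; do
        while [ "$octet" -gt 0 ]; do
            bits=$((bits + (octet & 1)))
            octet=$((octet >> 1))
        done
    done
    echo "$bits"
)

# Emit firewall.conf lines. $1 = OpenVPN config text,
# $2 = LAN subnet in CIDR form, $3 = LAN interface (both assumptions here).
firewall_settings() {
    conf=$1
    lan_net=$2
    lan_if=$3
    dev=$(ovpn_opt "$conf" dev tun)
    proto=$(ovpn_opt "$conf" proto udp)
    port=$(ovpn_opt "$conf" port 1194)

    # "server NET MASK" is the pool handed to VPN clients: that subnet is
    # exactly what NAT_INTERNAL_NET is missing (item 1 above).
    vpn_net=$(printf '%s\n' "$conf" | awk '$1 == "server" { print $2; exit }')
    vpn_mask=$(printf '%s\n' "$conf" | awk '$1 == "server" { print $3; exit }')
    [ -n "$vpn_net" ] || { echo "no 'server' directive found" >&2; return 1; }
    vpn_cidr="$vpn_net/$(mask_to_prefix "$vpn_mask")"

    # OpenVPN accepts udp, udp6, tcp-server, tcp6-server and so on; only the
    # transport decides which OPEN_* variable the port belongs in (item 3).
    case $proto in
        udp*) open_var=OPEN_UDP ;;
        tcp*) open_var=OPEN_TCP ;;
        *)    echo "unknown proto: $proto" >&2; return 1 ;;
    esac

    # "dev tun" or "dev tun0": the iptables wildcard "tun+" covers both (item 2).
    case $dev in
        tun*) tun_if=tun+ ;;
        tap*) tun_if=tap+ ;;
        *)    tun_if=$dev ;;
    esac

    printf 'NAT="1"\n'
    printf 'NAT_INTERNAL_NET="%s %s"\n' "$lan_net" "$vpn_cidr"
    printf 'TRUSTED_IF="%s %s"\n' "$lan_if" "$tun_if"
    printf '%s="%s"\n' "$open_var" "$port"
}

firewall_settings "$SAMPLE_CONF" 192.168.1.0/24 eth0
```

Run it against your real server.conf by replacing SAMPLE_CONF with `$(cat /etc/openvpn/server.conf)` and paste the four lines into firewall.conf. A server running proto tcp-server on port 443 lands in OPEN_TCP rather than OPEN_UDP, which is the mistake the script is there to catch.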

1 Comment

Arno's IPTables Firewall Tutorial

Thank you for such a nice tutorial.

I just wrote a different kind of tutorial on how to set up Arno IPTABLES firewall.
Maybe it will help someone set up his own firewall based on IPTABLES.
You can find some examples for a mail server and for a Proxy server using SNAT and port forwarding.
The location of my tutorial is here:

http://cosmolinux.no-ip.org/raconetlinux2/arno_iptables_firewall.html

I hope it is useful to someone.