[Firewall] Arno's script and openVPN

Lonnie Abelbeck lists at lonnie.abelbeck.com
Mon Mar 16 15:29:41 CET 2015


Hi Jānis,

With regard to OpenVPN and AIF, I personally treat the OpenVPN subnet as an additional LAN.

Assume the OpenVPN subnet is 10.8.0.0/255.255.255.0 using tun0
--
add "tun0" to the AIF variable: INT_IF

add "10.8.0.0/24" to the AIF variable: INTERNAL_NET

if NAT=1, add "10.8.0.0/24" to the AIF variable: NAT_INTERNAL_NET

if you want the OpenVPN subnet to NOT be isolated from perhaps an internal "eth1" LAN, add "tun0 eth1" to the AIF variable: IF_TRUSTS
--
That is all that is necessary for AIF integration of OpenVPN.

Lonnie



On Mar 16, 2015, at 3:13 AM, Jānis <je at ktf.rtu.lv> wrote:

> Dear all,
> 
> I am trying to figure out how to best organize openVPN access fro the wilderness.
> Currently i have a virtual machine set up for this having respective port forward on the router (protected by Arno's script).
> 
> I am still  not decided whether to keep it as is or to move openVPN to the router.
> In order to have openVPN working, I have the following iptables rules set up on the VM (10.8.0.0/24 being the virtual network for the outside users):
> 
> iptables -v -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
> iptables -v -A INPUT -s 10.8.0.0/24 -j ACCEPT
> iptables -v -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -v -A FORWARD -i tun0 -o eth0 -j ACCEPT
> iptables -v -A FORWARD -i eth0 -o tun0 -j ACCEPT
> 
> How could look the same additional rules (what has to be set up) in case I decide to move it to the router with Arno's script? For the case of router - i have to build a mutual trust between tun and internal IF (eth1, for example), haven't I?
> 
> Janis
> _______________________________________________
> Firewall mailing list
> Firewall at rocky.eld.leidenuniv.nl
> http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
> Arno's (Linux IPTABLES Firewall) Homepage:
> http://rocky.eld.leidenuniv.nl
> 
> 



More information about the Firewall mailing list