This post is part of my ongoing privacy series. Main post is here.
In the first step, we installed, configured, and test-ran OpenVPN. In this step, we are going to configure iptables (the tool that programs the Linux kernel's packet filter, so the server acts as its own firewall) to make sure only the ports we actually need are open, and then run OpenVPN as a service (aka daemon).
Text in the Courier New font is what you should type in.
Text in the Comic Sans MS font is output.
Text in italics is a note.
- “iptables -P INPUT ACCEPT” — this sets the default policy of the INPUT chain to accept everything. Do this before flushing: since we are connected over ssh, a flush that leaves a DROP policy behind with no rules would lock us out of the server.
- “iptables -F” flush every rule in the filter table so we start fresh. Note that -F without -t only touches the filter table; the nat table (where the SNAT rule below goes) is flushed separately with “iptables -t nat -F”. If you skip that and re-run these commands, you end up with duplicate POSTROUTING rules.
- “iptables -A INPUT -i lo -j ACCEPT” we want to accept everything arriving on the loopback (localhost) interface.
- “iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT” anything that belongs to a connection that is already established (or is related to one, such as an ICMP error) we are going to allow.
- “iptables -A INPUT -p tcp --dport 22 -j ACCEPT” we are going to explicitly allow ssh to come in. If your sshd listens on a different port, use that port here.
- “iptables -P INPUT DROP” if a packet hasn't been allowed by a rule, we are just going to drop it. DROP discards silently: no TCP reset, no ICMP unreachable, nothing.
- “iptables -P OUTPUT ACCEPT” anything going out is ok.
- “iptables -A INPUT -p udp --dport 1194 -j ACCEPT” we are going to allow UDP port 1194 in. This is the port and protocol OpenVPN uses by default. If you changed the “port” or “proto” line in the OpenVPN config, make this rule agree with it.
- “iptables -A FORWARD -s 192.168.27.0/255.255.255.0 -j ACCEPT” we are going to accept anything from the 192.168.27.x subnet for forwarding. This needs to agree with the address and mask you gave on the “server” line of the OpenVPN config file. The listing at the end of this post shows the FORWARD chain with policy DROP; if “iptables -L” shows yours as ACCEPT, set it with “iptables -P FORWARD DROP” so that nothing other than the VPN subnet gets forwarded through the server.
- “iptables -A FORWARD -d 192.168.27.0/255.255.255.0 -m state --state RELATED,ESTABLISHED -j ACCEPT” replies headed back to our VPN subnet for connections that are already established, we are going to accept for forwarding.
- “iptables -A FORWARD -s 192.168.27.0/255.255.255.0 -m state --state RELATED,ESTABLISHED -j ACCEPT” anything from our VPN subnet that is already established, we are going to accept and forward (this is already covered by the rule two lines up, which accepts everything from the subnet, but it does no harm).
- “iptables -t nat -A POSTROUTING -s 192.168.27.0/24 -j SNAT --to-source AAA.BBB.CCC.DDD” this rewrites the source address of VPN traffic leaving the server to the server's own public IP, so replies from the internet come back to the server and can be forwarded to the client. Make sure AAA.BBB.CCC.DDD agrees with the IP address of your server. SNAT with a fixed address is fine as long as the server's public IP is static; MASQUERADE is the variant that looks the address up per packet, for hosts whose address can change. I beat my head against the wall for an hour or so trying to sort out why I could talk to my server but nothing else. The instructions I found talking about using MASQUERADE only threw errors.
- “/sbin/service iptables save” let's save our iptables configuration (on CentOS this writes it to /etc/sysconfig/iptables, which the iptables init script loads at boot).
- “nano /etc/sysctl.conf” we need to edit the line “net.ipv4.ip_forward = 0” so it reads “net.ipv4.ip_forward = 1”. This tells the kernel to forward packets between interfaces, which is what lets VPN traffic arriving on tun0 leave via the public interface.
- “sysctl -p” this reloads the kernel parameters from /etc/sysctl.conf so the change takes effect now, without a reboot (it does not restart networking). You can confirm with “cat /proc/sys/net/ipv4/ip_forward”, which should print 1.
- “iptables -L -v” this will show you something like the listing below (add -n if the DNS lookups for the source and destination columns make it slow, and use “iptables -t nat -L -v” to see the SNAT rule, which lives in the nat table and is not shown by plain -L)
Chain INPUT (policy DROP 2552 packets, 163K bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo any anywhere anywhere
93343 24M ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
3218 198K ACCEPT tcp -- any any anywhere anywhere tcp dpt:ssh
20 840 ACCEPT udp -- any any anywhere anywhere udp dpt:openvpn

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
36358 13M ACCEPT all -- any any 192.168.27.0/24 anywhere
41184 41M ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT 104K packets, 56M bytes)
pkts bytes target prot opt in out source destination
- “/etc/init.d/openvpn start” this starts the OpenVPN daemon. It scans /etc/openvpn/ for any .conf files and starts an instance for each one it finds. To have both the firewall and the VPN come back after a reboot on a CentOS-style system, enable the services with “chkconfig iptables on” and “chkconfig openvpn on”.
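As an added example (not the post's own script, and not part of OpenVPN): a small shell script that reads the port, protocol and “server” subnet out of the OpenVPN config and generates the rule set above from them, so the “make this agree with your config file” caveats are enforced instead of remembered. It also flushes the nat table (plain -F only touches the filter table, so re-running the post's commands stacks SNAT rules), sets the FORWARD policy to DROP explicitly, checks that the SNAT address at least looks like an IPv4 address, and prints the rules instead of applying them unless run as root. The function names, the 203.0.113.10 address and the sample server.conf are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the original post's script): derive the iptables rule set
# from the OpenVPN server config so the port, protocol and VPN subnet in the
# firewall cannot disagree with what OpenVPN actually uses. Function names,
# the sample config and the 203.0.113.10 address are this example's own.
set -u

# Emit the iptables commands, in the post's order, for one OpenVPN config.
#   $1  path to server.conf     $2  server public IP (SNAT target)
#   $3  ssh port (default 22)
# Nothing is executed here; the caller pipes the output into sh when ready.
vpn_rules() {
    conf=$1; pubip=${2:-}; sshport=${3:-22}

    # "server <net> <mask>" is mandatory: it is the subnet we forward and NAT.
    net=$(awk '$1=="server"{print $2"/"$3; exit}' "$conf")
    if [ -z "$net" ]; then
        echo "vpn_rules: no 'server' directive in $conf" >&2; return 1
    fi
    # port/proto default the way OpenVPN does; "tcp-server"/"udp4" -> "tcp"/"udp".
    port=$(awk '$1=="port"{print $2; exit}' "$conf");   port=${port:-1194}
    proto=$(awk '$1=="proto"{print $2; exit}' "$conf"); proto=${proto:-udp}
    proto=${proto%-server}; proto=${proto%-client}; proto=${proto%[46]}

    # The SNAT address must be the server's own public IP; catch the common
    # slips (empty, or not dotted-decimal) before any rule is applied.
    case $pubip in
        ""|*[!0-9.]*|*..*|.*|*.) echo "vpn_rules: '$pubip' is not an IPv4 address" >&2; return 1 ;;
    esac

    cat <<EOF
iptables -P INPUT ACCEPT
iptables -F
iptables -t nat -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport $sshport -j ACCEPT
iptables -A INPUT -p $proto --dport $port -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -A FORWARD -s $net -j ACCEPT
iptables -A FORWARD -d $net -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -s $net -j SNAT --to-source $pubip
EOF
}

# Sanity check before applying: the kernel must be forwarding, or the SNAT
# rule never sees a packet. The path is a parameter so it can point at a test file.
forwarding_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = 1 ]
}

# Apply for real only as root; otherwise just print, which is also how you
# review the rule set before trusting it over an ssh session.
apply_rules() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_rules: not root, printing rules instead" >&2
        vpn_rules "$@"; return
    fi
    forwarding_enabled || echo "warning: net.ipv4.ip_forward is 0 (run sysctl -p after editing /etc/sysctl.conf)" >&2
    vpn_rules "$@" | sh -e && /sbin/service iptables save
}

# Demo on a constructed server.conf that mirrors the post's layout.
demo_conf=$(mktemp)
cat >"$demo_conf" <<EOF
port 1194
proto udp
dev tun
server 192.168.27.0 255.255.255.0
EOF
vpn_rules "$demo_conf" 203.0.113.10
rm -f "$demo_conf"
```

Run it as a normal user first and read the output; only once the generated lines match what you intended, run `apply_rules /etc/openvpn/server.conf <your-public-ip>` as root from an ssh session you are prepared to lose.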
References:
http://wiki.centos.org/HowTos/Network/IPTables — this is a really good page on iptables.
http://kyl191.net/2012/09/getting-openvpn-to-work-on-an-openvz-vps/ — I beat my head against the wall trying to get NATting to work. This page helped me sort it out.