OpenVPN with UFW

Posted on: Tue, 01/13/2009 - 13:05 By: dae

I am ashamed to admit that, for the past several months, I left my server wide open. She didn't receive any protection from any local firewall. Of course, the IT departments of my university and my faculty have done great jobs in implementing the firewall. These protect me from outside threats, but my server still sits idly, clueless about any person who has a chance to plug into the university network. That's why I was trying to enable a firewall on my server.

On my previous server, I used iptables exclusively, i.e., with no front-end. However, Ubuntu comes with ufw, a firewall-made-easy for Linux. With ufw, I could issue a command like "ufw allow 22" to let ssh (port 22) clients connect to my server. Ufw also saves and restores this rule automatically.

The only problem is that, as soon as I turned on ufw, my OpenVPN stopped functioning. This is quite understandable because it overrides any previous rules I applied. However, the best thing about ufw is that it is a non-degenerative front-end, meaning that it still retains all the functionality of iptables. Users can add custom rules directly using iptables syntax by modifying /etc/ufw/before.rules and/or /etc/ufw/after.rules.

Here is the list of things I added to my /etc/ufw/before.rules, assuming that my OpenVPN clients are in the pool 10.8.0.0/24.

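First, since we trust OpenVPN completely, I accept all traffic to/from my OpenVPN. I added these lines at the beginning of the filter section.

# accept everything arriving on an OpenVPN tun interface
-A ufw-before-input -i tun+ -j ACCEPT
# accept everything leaving via an OpenVPN tun interface (-o, not -i, on the output path)
-A ufw-before-output -o tun+ -j ACCEPT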

Additionally, I must forward traffic to/from my OpenVPN. These lines were also added after the above lines.

-A ufw-before-forward -s 10.8.0.0/24 -j ACCEPT
-A ufw-before-forward -d 10.8.0.0/24 -j ACCEPT

Finally, I have to masquerade traffic from my OpenVPN. This can be done by adding a NAT table section to ufw. These lines were added to the top of /etc/ufw/before.rules:

# rules for NAT Table of iptables
# required line for ufw
*nat
:POSTROUTING ACCEPT [0:0]

# Forward traffic from OpenVPN through eth0.
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

# tell ufw to process the lines
COMMIT

That's all.
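
A quick way to check the edited file before reloading ufw, as an added example that is not part of the original post: a small Python linter for the iptables-restore text that before.rules contains. The function name lint, its messages and the embedded sample are assumptions made for illustration; the sample reuses the pool 10.8.0.0/24 and the chain names from the rules above.

```python
import shlex

# Constructed sample: the lines this post adds, in before.rules order.
SAMPLE = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
-A ufw-before-input -i tun+ -j ACCEPT
-A ufw-before-output -o tun+ -j ACCEPT
-A ufw-before-forward -s 10.8.0.0/24 -j ACCEPT
-A ufw-before-forward -d 10.8.0.0/24 -j ACCEPT
COMMIT
"""

def lint(text, pool="10.8.0.0/24"):
    """Return (line_no, message) problems found in iptables-restore text."""
    problems, table, masq = [], None, False
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("*"):
            if table:
                problems.append((no, f"table {table} has no COMMIT"))
            table = line[1:]
        elif line == "COMMIT":
            table = None
        elif line.startswith("-A "):
            tok = shlex.split(line)
            chain, opt = tok[1].lower(), dict(zip(tok, tok[1:]))
            # Output paths have no input interface, input paths no output one.
            if "output" in chain and "-i" in opt:
                problems.append((no, "-i used in an output chain"))
            if "input" in chain and "-o" in opt:
                problems.append((no, "-o used in an input chain"))
            if table == "nat" and opt.get("-j") == "MASQUERADE":
                if opt.get("-s") == pool:
                    masq = True
                else:
                    problems.append((no, "MASQUERADE not limited to VPN pool"))
    if table:
        problems.append((0, f"table {table} has no COMMIT"))
    if not masq:
        problems.append((0, f"no MASQUERADE rule for {pool}"))
    return problems

if __name__ == "__main__":
    print(lint(SAMPLE))                                # clean ruleset
    print(lint(SAMPLE.replace("-o tun+", "-i tun+")))  # mis-typed match
```

To check the real file, pass the contents of /etc/ufw/before.rules to lint(); an empty list means none of these three mistakes was found, not that the ruleset is otherwise correct.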