OpenVPN clients do not access Linode OpenVPN server iptables?

I have OpenVPN-2.4 running on my Ubuntu 16.04 server, and also running on my clients: dd-wrt router, Windows x64 Pro, and Android 7.1.1.

In my Ubuntu /etc/openvpn/server.conf I have

push "dhcp-option DNS 10.8.0.1"

I want my clients to use the server's iptable rules set up to block a list of IP addresses.

I have tried several sets of iptables rules in my Ubuntu server /etc/init.d/openvpn file, none of which work. E.g., I try

blacklist IP:

iptables -A INPUT -s IP -j DROP

delete blacklisted IP

iptables -D INPUT -s IP -j DROP

to test an IP that I can use in one of my client browsers.

I have tried (uncommented iptables lines are used currently):

https://arashmilani.com/post?id=53

iptables -A INPUT -i tun+ -j ACCEPT

iptables -A FORWARD -i tun+ -j ACCEPT

iptables -A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

iptables -A OUTPUT -o tun+ -j ACCEPT

from Linode doc

/sbin/iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

/sbin/iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT

/sbin/iptables -A FORWARD -j REJECT

/sbin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

/sbin/iptables -A INPUT -i tun+ -j ACCEPT

/sbin/iptables -A FORWARD -i tun+ -j ACCEPT

Otherwise, my VPNs seem to be working fine.

10 Replies

As with most things, there are many ways to accomplish the same thing. I would suggest you manually try something simple such as:

iptables -I FORWARD -s {replace w/source vpn_client IP or network} -d {replace w/dest net/IP 2 block} -j REJECT

to see if it works for you, then build from there, and add to your configuration so it remains persistent.

I myself use netfilter's ipset to block a large array of networks.

Thanks. I'll try that.

Yes, I too recently have been using ipset to every few hours modify a malware database, and I can easily add in an ad-block database.

Lester

I guess

iptables -I FORWARD -s {replace w/source vpn_client IP or network} -d {replace w/dest net/IP 2 block} -j REJECT

was a guess. I don't see why REJECT should be used instead of ACCEPT?

Has anyone actually implemented iptables to achieve what I first described?

Can you tell us a bit more about your use case?

Are you trying to restrict client access to remote IPs through the VPN? Like, if your phone was trying to initiate a connection somewhere out in the internet would you want to block a specific address?

You'd use REJECT if you were blacklisting (with ACCEPT as the default policy for the FORWARD chain); if you were whitelisting, then you would use ACCEPT (with REJECT or DROP as the default policy in FORWARD).

Does that make sense?

I regularly update lists of IP addresses that are considered malware (to which I can also add on ads) in my iptables (using ipset, etc.) just fine.

I also have my Linode OpenVPN server working just fine, e.g., to which I can connect my 2 Thinkpads, 2 Androids, and a dd-wrt router.

I want to have my OpenVPN clients use my Linode iptables so that malware (and maybe ads) can also be blocked for my clients.

I thought this was clear in my top posting, but perhaps not.

That is why I think ACCEPT should be used instead of REJECT: I want my OVPN clients to pass through, e.g., perhaps something like

iptables -I FORWARD -s 10.8.0.0/24 -d 127.0.0.1 -j ACCEPT

which would make sense to me?

However, I would like to avoid any unintended consequences, e.g., getting disconnected from my router (meaning I'd have to reboot everything, etc.). So, I would like to see a setup that is actually working for someone using iptables and OVPN on Ubuntu.

@jdfriedrikson:

Can you tell us a bit more about your use case?

Are you trying to restrict client access to remote IPs through the VPN? Like, if your phone was trying to initiate a connection somewhere out in the internet would you want to block a specific address?

You'd use REJECT if you were blacklisting (with ACCEPT as the default policy for the FORWARD chain); if you were whitelisting, then you would use ACCEPT (with REJECT or DROP as the default policy in FORWARD).

Does that make sense?

In order to do this correctly, you have to realize how netfilter works with routing:

~~![Netfilter packet flow](https://upload.wikimedia.org/wikipedia/commons/thumb/3/37/Netfilter-packet-flow.svg/2000px-Netfilter-packet-flow.svg.png)

This rule:

iptables -I FORWARD -s 10.8.0.0/24 -d 127.0.0.1 -j ACCEPT

is never going to get used because it won't leave any of your client devices (localhost).

Rules like this:

iptables -A INPUT -s IP -j DROP

won't work on your VPN server because the INPUT chain is for traffic that is bound toward a local process and not for traffic that is bound toward another host. Since you're going to have a terrible time whitelisting every host on the internet that you want to connect to, you'll probably want to do something like this:

iptables -F FORWARD
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i tun+ -d <blacklisted ip> -j REJECT
iptables -A FORWARD -i tun+ -o eth0 -m state --state NEW -j ACCEPT

You can also hook in ipset into the above example with ease.~~

Also, you may want to consider blacklisting by domain as well:

https://wuffleton.com/code/unbound-blacklist/

https://sfxpt.wordpress.com/2011/02/21/the-best-ad-blocking-method/#AdBlockingwith_DNSmasq

If you use your VPN server as a resolver, you can cut out a lot of unwanted traffic and requests when browsing.
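As an added example (not from this thread or from Linode's docs), the script below turns JD's FORWARD-chain approach into something you can review before running: it prints the ipset and iptables commands for a block list rather than executing them, and only applies them when invoked with --apply as root. The interface names (tun+, eth0), the 10.8.0.0/24 VPN subnet, the set name vpn_blocklist and the block-list addresses (RFC 5737 documentation ranges) are assumptions; adjust them to your server.

```shell
#!/bin/sh
# Added example, not from the thread. Generates the ipset/iptables commands
# for a FORWARD-chain blacklist applied to OpenVPN clients, so the rules can
# be reviewed first. Assumed (hypothetical) names: tun+ = OpenVPN interface,
# eth0 = uplink, 10.8.0.0/24 = VPN subnet, ipset "vpn_blocklist".

VPN_NET="${VPN_NET:-10.8.0.0/24}"
WAN_IF="${WAN_IF:-eth0}"
SET_NAME="${SET_NAME:-vpn_blocklist}"

# Emit ipset commands for a block list read from stdin (one IP or CIDR per
# line). hash:net accepts single hosts and networks; -exist makes re-runs
# idempotent, so the list can be refreshed from cron without touching iptables.
gen_ipset_cmds() {
    echo "ipset create $SET_NAME hash:net family inet -exist"
    while read -r entry; do
        case "$entry" in
            ''|'#'*) continue ;;   # skip blank lines and comments
        esac
        echo "ipset add $SET_NAME $entry -exist"
    done
}

# Emit the FORWARD chain. Order matters: replies to open flows are admitted
# first, the block-list match comes next, and only then are NEW connections
# from the VPN subnet allowed out. INPUT is deliberately left alone: it only
# sees traffic addressed to the server itself, which is why "-A INPUT -s IP
# -j DROP" never affected the clients' browsing in the question.
gen_forward_cmds() {
    cat <<EOF
iptables -F FORWARD
iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i tun+ -s $VPN_NET -m set --match-set $SET_NAME dst -j REJECT
iptables -A FORWARD -i tun+ -o $WAN_IF -s $VPN_NET -m conntrack --ctstate NEW -j ACCEPT
iptables -t nat -C POSTROUTING -s $VPN_NET -o $WAN_IF -j MASQUERADE 2>/dev/null || iptables -t nat -A POSTROUTING -s $VPN_NET -o $WAN_IF -j MASQUERADE
EOF
}

# Constructed sample block list (RFC 5737 documentation addresses).
SAMPLE_BLOCKLIST='# constructed sample block list
198.51.100.0/24
203.0.113.7'

# Full command sequence: ipset first, because the FORWARD rule refers to it.
gen_all() {
    printf '%s\n' "$SAMPLE_BLOCKLIST" | gen_ipset_cmds
    gen_forward_cmds
}

if [ "${1:-}" = "--apply" ]; then
    gen_all | sh -e          # execute as root on the VPN server
else
    gen_all                  # default: print for review
fi
```

Feed the real list into gen_ipset_cmds instead of the constructed sample, redirect the output to a file and read it before applying. Once it works, iptables-save and ipset save give you the state to restore at boot; the -m conntrack match is the current name for the -m state match used elsewhere in this thread and behaves the same here.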

The diagram is extremely helpful in understanding the processes involved.

Thanks.

Lester

Lester,

If you think that graph is helpful, then you'll love the LARTC.

JD

This seems like a very good alternative:

https://sfxpt.wordpress.com/2011/02/21/the-best-ad-blocking-method/#AdBlockingwith_DNSmasq

This is working out just fine, using ad-blocking as well as malware-blocking. One advantage to using my own blocking, e.g., versus PIA/MACE or AdguardDNS, is that I can include my own whitelist blacklist.

Lester
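For the DNS-based approach that the thread settled on, here is an added example (not from the thread or the linked post) of the conversion step: most ad and malware lists are published in hosts-file format, and the script turns such a list into dnsmasq address= lines, applying a whitelist so names you want to keep are removed. The resolver that server.conf pushes to clients (10.8.0.1) then answers blocked names with 0.0.0.0. The sample list, the whitelist file and the domain names are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Converts a hosts-format block list into
# dnsmasq "address=/name/0.0.0.0" lines and drops whitelisted names. All
# names and paths here are constructed for illustration.

# Constructed sample in hosts format, with the noise a real list contains:
# comments, an inline comment, localhost entries and a duplicate.
SAMPLE_HOSTS='# constructed sample list
127.0.0.1 localhost
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org # inline comment
127.0.0.1 malware.example.com
0.0.0.0 ads.example.net'

# Read hosts lines on stdin, emit one sorted, de-duplicated dnsmasq line per
# name. Only lines pointing at 0.0.0.0 or 127.0.0.1 are taken, and the
# localhost names every hosts file carries are skipped.
hosts_to_dnsmasq() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' |
    awk 'NF >= 2 && ($1 == "0.0.0.0" || $1 == "127.0.0.1") {
            for (i = 2; i <= NF; i++) {
                n = tolower($i)
                if (n == "localhost" || n == "localhost.localdomain" || n == "local") continue
                if (!(n in seen)) { seen[n] = 1; print "address=/" n "/0.0.0.0" }
            }
         }' | sort
}

# Remove entries whose name appears in the whitelist file $1 (one name per
# line, # comments allowed). A missing or empty file whitelists nothing.
apply_whitelist() {
    awk -v wl="$1" '
        BEGIN {
            while ((getline l < wl) > 0) {
                sub(/#.*/, "", l); gsub(/[[:space:]]/, "", l)
                if (l != "") keep["address=/" tolower(l) "/0.0.0.0"] = 1
            }
        }
        !($0 in keep)'
}

# Build the dnsmasq config fragment from the sample list and whitelist $1.
gen_dnsmasq_conf() {
    printf '%s\n' "$SAMPLE_HOSTS" | hosts_to_dnsmasq | apply_whitelist "$1"
}

# Stand-alone run: print the fragment, whitelist file optional as $1.
gen_dnsmasq_conf "${1:-/dev/null}"
```

Write the output to a file under /etc/dnsmasq.d/ (or point a conf-file= line at it), restart dnsmasq, and check with dig or nslookup from a connected client that a blocked name resolves to 0.0.0.0 while a whitelisted one resolves normally. Re-running the conversion from cron is what keeps the list current, the same way the ipset refresh does for IP blocking.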
