OpenVPN clients do not access Linode OpenVPN server iptables?
In my Ubuntu /etc/openvpn/server.conf I have
push "dhcp-option DNS 10.8.0.1"
I want my clients to use the server's iptables rules, set up to block a list of IP addresses.
I have tried several sets of iptables rules in my Ubuntu server's /etc/init.d/openvpn file, none of which work. E.g., I try
to blacklist an IP:
iptables -A INPUT -s IP -j DROP
and to delete a blacklisted IP:
iptables -D INPUT -s IP -j DROP
using an IP that I can test from one of my client browsers.
I have tried (uncommented iptables lines are used currently):
https://arashmilani.com/post?id=53
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -A OUTPUT -o tun+ -j ACCEPT
from the Linode doc:
/sbin/iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -j REJECT
/sbin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
/sbin/iptables -A INPUT -i tun+ -j ACCEPT
/sbin/iptables -A FORWARD -i tun+ -j ACCEPT
Otherwise, my VPNs seem to be working fine.
10 Replies
iptables -I FORWARD -s {replace w/source vpn_client IP or network} -d {replace w/dest net/IP 2 block} -j REJECT
to see if it works for you, then build from there, and add to your configuration so it remains persistent.
I myself use netfilter's ipset to block a large array of networks.
Yes, I too recently have been using ipset to every few hours modify a malware database, and I can easily add in an ad-block database.
Lester
iptables -I FORWARD -s {replace w/source vpn_client IP or network} -d {replace w/dest net/IP 2 block} -j REJECT
was a guess. I don't see why REJECT should be used instead of ACCEPT?
Has anyone actually implemented iptables to achieve what I first described?
Are you trying to restrict client access to remote IPs through the VPN? Like, if your phone was trying to initiate a connection somewhere out in the internet would you want to block a specific address?
You'd use REJECT if you were blacklisting (with ACCEPT as the default policy for the FORWARD chain); if you were whitelisting, then you would use ACCEPT (with REJECT or DROP as the default policy in FORWARD).
Does that make sense?
I also have my Linode OpenVPN server working just fine, e.g., to which I can connect my 2 Thinkpads, 2 Androids, and a dd-wrt router.
I want to have my OpenVPN clients use my Linode iptables so that malware (and maybe ads) can also be blocked for my clients.
I thought this was clear in my top posting, but perhaps not.
That is why I think ACCEPT should be used instead of REJECT: I want my OVPN clients to pass through, e.g., perhaps something like
iptables -I FORWARD -s 10.8.0.0/24 -d 127.0.0.1 -j ACCEPT
which would make sense to me?
However, I would like to avoid any unintended consequences, e.g., getting disconnected from my router (meaning I'd have to reboot everything, etc.). So, I would like to see a setup that is actually working for someone using iptables and OVPN on Ubuntu.
@jdfriedrikson:
Can you tell us a bit more about your use case?
Are you trying to restrict client access to remote IPs through the VPN? Like, if your phone was trying to initiate a connection somewhere out in the internet would you want to block a specific address?
You'd use REJECT if you were blacklisting (with ACCEPT as the default policy for the FORWARD chain); if you were whitelisting, then you would use ACCEPT (with REJECT or DROP as the default policy in FORWARD).
Does that make sense?
This rule:
iptables -I FORWARD -s 10.8.0.0/24 -d 127.0.0.1 -j ACCEPT
is never going to get used because it won't leave any of your client devices (localhost).
Rules like this:
iptables -A INPUT -s IP -j DROP
won't work on your VPN server because the INPUT chain is for traffic that is bound toward a local process and not for traffic that is bound toward another host. Since you're going to have a terrible time whitelisting every host on the internet that you want to connect to, you'll probably want to do something like this:
iptables -F FORWARD
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i tun+ -d <blacklisted ip> -j REJECT
iptables -A FORWARD -i tun+ -o eth0 -m state --state NEW -j ACCEPT
You can also hook in ipset into the above example with ease.
If you use your VPN server as a resolver, you can cut out a lot of unwanted traffic and requests when browsing.
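Putting the first reply's ipset suggestion and the FORWARD-chain layout above together, here is an added example that is not code from the thread or from Linode. It keeps the thread's names (tun+, eth0, 10.8.0.0/24); the set name vpn_blocklist, the blocklist file format and the function names are my own assumptions, and it uses -m conntrack --ctstate, the current spelling of the deprecated -m state --state. gen_rules only prints the commands so you can review them before apply_rules pipes them into a root shell.

```bash
#!/bin/sh
# Added example, not from the thread. Assumptions: tun interface prefix tun+,
# public interface eth0, VPN subnet 10.8.0.0/24, ipset named vpn_blocklist,
# blocklist file with one IP or CIDR per line ("#" comments allowed).
# Nothing touches the kernel until apply_rules is called.

VPN_NET="${VPN_NET:-10.8.0.0/24}"
WAN_IF="${WAN_IF:-eth0}"
SET_NAME="${SET_NAME:-vpn_blocklist}"

# Print the ipset + iptables commands for the blocklist in file $1.
gen_rules() {
    blocklist="$1"
    # hash:net holds both single addresses and CIDR ranges in one set,
    # so one FORWARD rule covers the whole list however large it grows.
    echo "ipset create $SET_NAME hash:net -exist"
    echo "ipset flush $SET_NAME"
    # drop comments and blank lines, then add each network to the set
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$blocklist" | while read -r net; do
        echo "ipset add $SET_NAME $net -exist"
    done
    # FORWARD is the chain VPN clients traverse; INPUT is left alone so the
    # OpenVPN listener and SSH on the server itself are unaffected.
    echo "iptables -F FORWARD"
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    # Blocklist check comes BEFORE the NEW accept and only for tunnel-origin traffic.
    echo "iptables -A FORWARD -i tun+ -m set --match-set $SET_NAME dst -j REJECT"
    echo "iptables -A FORWARD -i tun+ -o $WAN_IF -s $VPN_NET -m conntrack --ctstate NEW -j ACCEPT"
    # Add the masquerade rule only if it is not already there (-C checks).
    echo "iptables -t nat -C POSTROUTING -s $VPN_NET -o $WAN_IF -j MASQUERADE 2>/dev/null || iptables -t nat -A POSTROUTING -s $VPN_NET -o $WAN_IF -j MASQUERADE"
}

# Apply the generated commands (run as root); -e stops at the first failure.
apply_rules() { gen_rules "$1" | sh -e; }

# Number of blocklist entries that will be loaded into the set.
count_set_entries() { gen_rules "$1" | grep -c "^ipset add "; }

# Dry run: gen_rules /etc/openvpn/blocklist.txt
# Apply:   apply_rules /etc/openvpn/blocklist.txt
```

Rule order is the point: the REJECT on the set sits above the NEW accept, and the default policy is DROP, which is the blacklist-inside-a-whitelist posture described above. To refresh the list every few hours, rerun gen_rules with the new file; ipset flush plus add replaces the contents without touching the iptables rules. Persist the result with ipset save and iptables-save through whatever mechanism your distribution uses (e.g. iptables-persistent on Ubuntu).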
Thanks.
Lester
This is working out just fine, using ad-blocking as well as malware-blocking. One advantage to using my own blocking, e.g., versus PIA/MACE or AdguardDNS, is that I can include my own whitelist/blacklist.
Lester