[newbie] change firewall for OpenVPN?
Guides followed: Debian OpenVPN instructions, Getting Started, Securing Your Server
me@linode:~$ date ; sudo iptables -L
> Wed Oct 15 21:24:25 EDT 2014
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
> fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
> ACCEPT all -- anywhere anywhere
> REJECT all -- anywhere loopback/8 reject-with icmp-port-unreachable
> ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
> ACCEPT tcp -- anywhere anywhere tcp dpt:http
> ACCEPT tcp -- anywhere anywhere tcp dpt:https
> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
> ACCEPT icmp -- anywhere anywhere
> LOG all -- anywhere anywhere limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
> DROP all -- anywhere anywhere
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
> DROP all -- anywhere anywhere
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere
> Chain fail2ban-ssh (1 references)
> target prot opt source destination
> RETURN all -- anywhere anywhere
Unfortunately my knowledge of Linux networking generally, and iptables particularly, is not great. So I'd like to know: will I need to change my iptables rules in order to accommodate OpenVPN? Note my use case is pretty simple: I'm just configuring the Linode to be a jumpbox through which to route traffic to another network.
From the OpenVPN documentation[1], OpenVPN runs on the following ports:
> Short answer: TCP 443, TCP 943, UDP 1194
Long answer: By default OpenVPN Access Server has 2 OpenVPN daemons running. One of them on UDP port 1194 and another on TCP 443. We recommend that you use the UDP port because this functions better for an OpenVPN tunnel. However, many public locations block all sorts of ports except very common ones like http, https, ftp, pop3, and so on. Therefore we also have TCP 443 as an option. TCP port 443 is the default port for https:// (SSL) traffic and so this is usually allowed through at the user's location.
TCP port 943 is the port where the web server interface is listening by default. You can either approach this directly using a URL like
https://yourserverhostnamehere:943/ or by approaching it through the standard https:// port TCP 443, since the OpenVPN daemon will automatically internally route browser traffic to TCP 943 by default. (https://yourserverhostnamehere/ ).
So, depending on which ports you would like to use, you will need to ensure that they are opened up in iptables.
[1]
Best,
Lev
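As an added example (not from the thread or from OpenVPN), here is what opening the listener means against the INPUT chain shown in the question, where a LOG rule followed by DROP closes the chain, so the new ACCEPT has to be inserted before the LOG rule rather than appended after the DROP. It assumes the community OpenVPN package on Debian with its documented default of UDP 1194 (change to TCP 443 if server.conf says so), a tun0 tunnel device, eth0 as the public interface and a 10.8.0.0/24 tunnel subnet; because the FORWARD chain in the question also drops everything, the jumpbox use case additionally needs forwarding rules, NAT and ip_forward.

```shell
#!/bin/sh
# Assumed defaults: community OpenVPN listening on UDP 1194 (the Debian package
# default; use "tcp 443" instead if server.conf says so), tunnel device tun0,
# public interface eth0, tunnel subnet 10.8.0.0/24.
VPN_PROTO="${VPN_PROTO:-udp}"; VPN_PORT="${VPN_PORT:-1194}"
TUN_IF="${TUN_IF:-tun0}"; WAN_IF="${WAN_IF:-eth0}"; VPN_NET="${VPN_NET:-10.8.0.0/24}"

# Constructed sample of "sudo iptables -L INPUT -n --line-numbers" on a box
# firewalled like the one in the question: LOG and then DROP close the chain.
SAMPLE_INPUT_CHAIN='Chain INPUT (policy ACCEPT)
num  target  prot opt source     destination
1    ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED
2    ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0  tcp dpt:80
3    ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0  tcp dpt:443
4    ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0  state NEW tcp dpt:22
5    LOG     all  --  0.0.0.0/0  0.0.0.0/0  limit: avg 5/min burst 5 LOG level 7 prefix "iptables denied: "
6    DROP    all  --  0.0.0.0/0  0.0.0.0/0'

# Print the rule number of the first LOG rule in a listing read on stdin
# (empty when there is none, in which case appending is safe).
log_rule_number() {
    awk '$2 == "LOG" { print $1; exit }'
}

# Print the iptables commands to run. $1 = protocol, $2 = port, $3 = LOG rule
# number or "". The ACCEPT must go *before* LOG/DROP, so -I at that position
# rather than -A; a rule appended after a terminating DROP never matches.
openvpn_rules() {
    if [ -n "$3" ]; then
        echo "iptables -I INPUT $3 -p $1 --dport $2 -m state --state NEW -j ACCEPT"
    else
        echo "iptables -A INPUT -p $1 --dport $2 -m state --state NEW -j ACCEPT"
    fi
    # The FORWARD chain in the question drops everything, so traffic that should
    # transit the jumpbox needs explicit rules plus NAT and IP forwarding.
    echo "iptables -I FORWARD 1 -i $WAN_IF -o $TUN_IF -m state --state RELATED,ESTABLISHED -j ACCEPT"
    echo "iptables -I FORWARD 1 -i $TUN_IF -o $WAN_IF -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -s $VPN_NET -o $WAN_IF -j MASQUERADE"
    echo "sysctl -w net.ipv4.ip_forward=1"
}

# Demo against the constructed listing; on the real box feed it from
# "sudo iptables -L INPUT -n --line-numbers" and run the printed commands.
pos=$(printf '%s\n' "$SAMPLE_INPUT_CHAIN" | log_rule_number)
openvpn_rules "$VPN_PROTO" "$VPN_PORT" "$pos"
```

The printed rules are not persistent; save them with the same mechanism the Securing Your Server guide used for the existing rule set, or they are gone after a reboot.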