[newbie] change firewall for OpenVPN?

I'm setting up a Debian 7 linode which will need to run OpenVPN. Before starting the Debian OpenVPN instructions I set up the linode using the Getting Started and Securing Your Server docs, so my linode's firewall configuration is

me@linode:~$ date ; sudo iptables -L
> Wed Oct 15 21:24:25 EDT 2014
> Chain INPUT (policy ACCEPT)
> target     prot opt source        destination
> fail2ban-ssh  tcp  --  anywhere   anywhere       multiport dports ssh
> ACCEPT     all  --  anywhere      anywhere
> REJECT     all  --  anywhere      loopback/8     reject-with icmp-port-unreachable
> ACCEPT     all  --  anywhere      anywhere       state RELATED,ESTABLISHED
> ACCEPT     tcp  --  anywhere      anywhere       tcp dpt:http
> ACCEPT     tcp  --  anywhere      anywhere       tcp dpt:https
> ACCEPT     tcp  --  anywhere      anywhere       state NEW tcp dpt:ssh
> ACCEPT     icmp --  anywhere      anywhere
> LOG        all  --  anywhere      anywhere       limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
> DROP       all  --  anywhere      anywhere

> Chain FORWARD (policy ACCEPT)
> target     prot opt source        destination
> DROP       all  --  anywhere      anywhere

> Chain OUTPUT (policy ACCEPT)
> target     prot opt source        destination
> ACCEPT     all  --  anywhere      anywhere

> Chain fail2ban-ssh (1 references)
> target     prot opt source        destination
> RETURN     all  --  anywhere      anywhere

Unfortunately my knowledge of Linux networking generally, and iptables particularly, is not great. So I'd like to know: will I need to change my iptables rules in order to accommodate OpenVPN? Note my use case is pretty simple: I'm just configuring the linode to be a jumpbox through which to route traffic to another network.

1 Reply

Hello!

From the OpenVPN documentation[1], OpenVPN runs on the following ports:

> Short answer: TCP 443, TCP 943, UDP 1194
>
> Long answer: By default OpenVPN Access Server has 2 OpenVPN daemons running. One of them on UDP port 1194 and another on TCP 443. We recommend that you use the UDP port because this functions better for an OpenVPN tunnel. However, many public locations block all sorts of ports except very common ones like http, https, ftp, pop3, and so on. Therefore we also have TCP 443 as an option. TCP port 443 is the default port for https:// (SSL) traffic and so this is usually allowed through at the user's location.
>
> TCP port 943 is the port where the web server interface is listening by default. You can either approach this directly using a URL like https://yourserverhostnamehere:943/ or by approaching it through the standard https:// port TCP 443, since the OpenVPN daemon will automatically internally route browser traffic to TCP 943 by default. (https://yourserverhostnamehere/).

So, depending on which ports you would like to use, you will need to ensure that they are opened up in iptables.

[1] https://docs.openvpn.net/frequently-asked-questions/

Best,

Lev
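As an added example (not code from this thread or from Linode's docs), a script that emits the extra iptables rules the rule set shown above needs for an OpenVPN jumpbox. It assumes the Debian openvpn package's defaults (listener on UDP 1194, tunnel interface tun0, VPN subnet 10.8.0.0/24 from `server 10.8.0.0 255.255.255.0`) and a public interface named eth0; opening the port alone is not enough here, because the FORWARD chain above drops everything, so routed client traffic also needs forward and NAT rules.

```shell
#!/bin/sh
# Firewall additions for an OpenVPN jumpbox on top of the INPUT/FORWARD rules
# shown in the question. Assumed values (override via environment variables):
# tun0 as the tunnel interface, eth0 as the public interface, 10.8.0.0/24 as the
# VPN subnet, UDP 1194 as the listener. Dry run by default (prints commands);
# run "sh openvpn-fw.sh apply" as root to execute them.
VPN_PORT="${VPN_PORT:-1194}"
VPN_PROTO="${VPN_PROTO:-udp}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"
TUN_IF="${TUN_IF:-tun0}"
WAN_IF="${WAN_IF:-eth0}"

# Prints each rule as one iptables command line.
openvpn_rules() {
    # 1. Accept the OpenVPN listener. Insert at position 1: the existing INPUT
    #    chain ends in LOG + DROP, so a rule appended with -A would never match.
    echo "iptables -I INPUT 1 -p $VPN_PROTO --dport $VPN_PORT -m state --state NEW -j ACCEPT"
    # 2. The FORWARD chain currently drops everything, so packets routed from
    #    VPN clients are silently dropped. Allow tun0 -> eth0 and the replies.
    echo "iptables -I FORWARD 1 -i $TUN_IF -o $WAN_IF -s $VPN_NET -j ACCEPT"
    echo "iptables -I FORWARD 2 -i $WAN_IF -o $TUN_IF -m state --state RELATED,ESTABLISHED -j ACCEPT"
    # 3. Clients carry private 10.8.0.x source addresses; masquerade them
    #    behind the linode's public IP on the way out.
    echo "iptables -t nat -A POSTROUTING -s $VPN_NET -o $WAN_IF -j MASQUERADE"
    # 4. The kernel must route between interfaces (persist in /etc/sysctl.conf).
    echo "sysctl -w net.ipv4.ip_forward=1"
}

# Number of commands the generator emits (sanity check for the dry run).
rule_count() { openvpn_rules | wc -l | tr -d ' '; }

case "${1:-}" in
    apply) openvpn_rules | while IFS= read -r cmd; do echo "+ $cmd"; $cmd; done ;;
    *)     openvpn_rules ;;
esac
```

The rules are not persistent across reboots on Debian 7; save them with iptables-save into the same file the Securing Your Server guide restores at boot.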
