On 22.01.24 12:01, Peter Davis wrote:
> On Monday, January 22nd, 2024 at 10:41 AM, Jochen Bern <jochen.b...@binect.de> wrote:
>> On 20.01.24 07:24, Peter Davis wrote:
>>> When someone connects to this server with OpenVPN and uses the Internet, then
>>> all his/her Internet connections are tunneled through Tor.
>>> I want to know which group of iptables rules are sufficient!
>>
>> Neither.
>>
>> If you want ALL his connections to the Internet to get redirected to
>> Tor, then you'll need to either a) remember IP and port he's actually
>> trying to connect to, or b) get the client to "talk proxy" (different
>> protocol) if it didn't yet. Blindly applying "-j DNAT --to 10.8.0.1:..."
>> everywhere erases that information from the actual connection attempt,
>> and does nothing to inform the client of changed requirements.
>
> Hi,
> Thanks again.
> But it works, and when the user connects to the OpenVPN server, all his/her
> internet connections are tunneled through Tor. I just want to know which
> iptables rules are extra!
>
> What iptables rules do you use for such a scenario?

Well, if it *works* right now, then the first thing you should do is to have a look at which rules do or don't get *triggered* by your tests. (I.e., use the "-v" option to iptables, but if you haven't done so since the last change of the setup, you might want to use "-Z" to reset the counters to zero and rerun the tests to get proper counts.)

My *guess* would be that your

# iptables -A FORWARD -s $YOUR_OPENVPN_SUBNET -o $IF_MAIN -j ACCEPT
# iptables -t nat -A POSTROUTING -s $YOUR_OPENVPN_SUBNET -o $IF_MAIN -j MASQUERADE

should be replaced by something like

# iptables -A INPUT -s $YOUR_OVPN_SUBNET -p tcp --dport 9040 -j ACCEPT
# iptables -A INPUT -s $YOUR_OVPN_SUBNET -p udp -m multiport --dports 9040,53530 -j ACCEPT

and I'd probably add

# iptables -I FORWARD -i $IF_TUNNEL -o $IF_MAIN -j REJECT

to be sure to suppress non-UDP non-TCP traffic going out unTored, but it's sure that you need *parts* of *both* blocks (as the second fails to make the VPN itself accessible to clients).

Kind regards,
--
Jochen Bern
Systemingenieur

Binect GmbH
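As an added example (it is not code from the thread, from the OpenVPN project or from Tor), the POSIX shell script below puts the reply's two pieces of advice into a form you can run: `tor_rules` emits the minimal rule set the reply describes (accept the redirected traffic on the Tor ports in INPUT, REJECT everything else the tunnel tries to forward, no MASQUERADE and no FORWARD ACCEPT for the VPN subnet), and `zero_hit_rules` reads `iptables -vnL` output and lists the rules whose packet counters stayed at zero after `-Z` and a test run, which answers the "which rules are extra?" question. The interface names tun0 and eth0, the subnet 10.8.0.0/24, and the REDIRECT rules in the nat PREROUTING chain are assumptions (the thread only mentions a DNAT to 10.8.0.1); ports 9040 and 53530 are the ones the reply names. The sample counter output is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Dry run by default:
# it prints the iptables commands. Set IPTABLES=iptables to apply them.

IF_TUNNEL="${IF_TUNNEL:-tun0}"            # assumption: OpenVPN server interface
IF_MAIN="${IF_MAIN:-eth0}"                # assumption: uplink interface
OVPN_SUBNET="${OVPN_SUBNET:-10.8.0.0/24}" # assumption: VPN client subnet
TOR_TRANS_PORT=9040                       # Tor TransPort, port named in the thread
TOR_DNS_PORT=53530                        # Tor DNSPort, port named in the thread
IPTABLES="${IPTABLES:-echo iptables}"     # "echo iptables" = dry run

tor_rules() {
    # nat PREROUTING (assumed REDIRECT pattern, not shown in the thread):
    # client DNS and TCP arriving on the tunnel are steered to Tor's local
    # ports, so the kernel keeps the original destination in conntrack and
    # Tor can recover it instead of the DNAT erasing it.
    $IPTABLES -t nat -A PREROUTING -i "$IF_TUNNEL" -p udp --dport 53 \
        -j REDIRECT --to-ports "$TOR_DNS_PORT"
    $IPTABLES -t nat -A PREROUTING -i "$IF_TUNNEL" -p tcp --syn \
        -j REDIRECT --to-ports "$TOR_TRANS_PORT"
    # INPUT: the redirected connections now terminate on this host, so they
    # must be accepted here (this replaces the FORWARD/MASQUERADE pair).
    $IPTABLES -A INPUT -i "$IF_TUNNEL" -s "$OVPN_SUBNET" -p tcp \
        --dport "$TOR_TRANS_PORT" -j ACCEPT
    $IPTABLES -A INPUT -i "$IF_TUNNEL" -s "$OVPN_SUBNET" -p udp \
        --dport "$TOR_DNS_PORT" -j ACCEPT
    # FORWARD: whatever the redirects did not catch (ICMP, other UDP, ...)
    # must not leave via the uplink un-Tored. Inserted at the top on purpose.
    $IPTABLES -I FORWARD -i "$IF_TUNNEL" -o "$IF_MAIN" -j REJECT
}

zero_hit_rules() {
    # Reads `iptables -vnL` (optionally with -t nat) on stdin and prints the
    # rules whose packet counter is still zero, prefixed with the chain name.
    # Workflow from the thread: iptables -Z; run the client tests;
    # iptables -vnL | zero_hit_rules
    awk '
        /^Chain /       { chain = $2; next }   # remember the current chain
        /^ *pkts /      { next }               # skip the column header
        NF && $1 == "0" {
            rule = ""
            for (i = 3; i <= NF; i++) rule = rule (i > 3 ? " " : "") $i
            printf "%s: %s\n", chain, rule
        }'
}

sample_counters() {
    # Constructed sample of `iptables -vnL` output (not real data): the INPUT
    # accepts for the Tor ports carry traffic, the leftover FORWARD ACCEPT
    # for the VPN subnet never fired, i.e. it is the "extra" rule.
    cat <<'EOF'
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  842   61K ACCEPT     tcp  --  tun0   *       10.8.0.0/24          0.0.0.0/0            tcp dpt:9040
   57  4104 ACCEPT     udp  --  tun0   *       10.8.0.0/24          0.0.0.0/0            udp dpt:53530

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      eth0    10.8.0.0/24          0.0.0.0/0
EOF
}

# "sh tor-rules.sh" prints the rules; "iptables -vnL | sh tor-rules.sh check"
# lists never-triggered rules.
case "${1:-rules}" in
    rules) tor_rules ;;
    check) zero_hit_rules ;;
esac
```

Two design points: the REJECT is inserted with `-I` so it sits above any ACCEPT that an earlier setup left in FORWARD, and the script deliberately contains no POSTROUTING MASQUERADE for the VPN subnet, because with the redirects in place Tor itself originates the outbound connections from the host's own address. Counters printed by `-v` use K/M suffixes once they grow, but a never-hit rule always shows a plain `0`, which is what the awk filter keys on.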


_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
