Not an answer to your question, but a suggestion.
Use tls-auth in your OpenVPN configuration.
https://openvpn.net/community-resources/hardening-openvpn-security/
Any packet not signed will just get dropped. Seems a lot easier to manage.
- Bob
On 3/18/2020 12:23 PM, Witold Tosta wrote:
Is it possible to filter incoming connections using the GeoIP module for
the OpenVPN gateway located on the Linux Shorewall router?
From what I noticed, the entry in the /etc/shorewall/tunnels file:
#TYPE ZONE GATEWAY GATEWAY_ZONE
openvpnserver: 1194 net 0.0.0.0/0
implies opening the udp/1194 port to the internet on which the OpenVPN
service is listening, regardless of whether the appropriate permitting
entry appears in /etc/shorewall/rules file. My point is to allow
connections to the OpenVPN gateway from a given country using the GeoIP
module, e.g.
# Accept OpenVPN gateway access only from PL
OpenVPN(ACCEPT) net:^[PL] $FW
From what I've read, Tom Eastep is planning to withdraw the use of the
tunnels file for the rules file, where the syntax shown above will
probably be accepted by the Shorewall Firewall.
Could you, Dear Tom, respond to this?
Best regards
Witold Tosta
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
