Limit IPSec or OpenVPN access with GeoIP location issue

OK thanks for your explanation, so the script in the above post “Limit OpenVPN access to just 1 country” could help…

Yes, that post covers what you are looking for.

The script though is set up for only one country so you would need to create the same ACCEPT rule again for your second country. Any packets that don’t meet either country would then move on to the LOG and DROP actions.
These would need to be added to the start and stop sections of that file.

It doesn’t harm to do it but it adds more complexity and I am not sure how much it helps.
At least with OpenVPN, if you are using the TLS protection with a ta.key option then that key is used to encrypt the setup of the control connection, even before any data is transmitted. So any hacker would not only have to be able to break the data cipher but before they can even try that they would have to break the Transmission Channel setup encryption.
I occasionally see attempts at accessing my OpenVPN port but they are immediately stopped as they don’t have a ta.key so IPFire won’t even start to talk to them about setting up the OpenVPN Channel and I never see any attempts to break the data cipher as they would have had to break the ta.key first.
The default IPFire setup re-negotiates that ta.key every hour so that also puts a boundary on the time to break that encryption.

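As an added example (not the script from the post referred to above, which is not reproduced here), a start/stop script with one ACCEPT rule per allowed country and the fall-through LOG and DROP; it assumes iptables with the xtables-addons geoip match, OpenVPN on UDP 1194, a plain INPUT chain, and the country codes DE and IT as placeholders.

```shell
#!/bin/sh
# Added example: GeoIP allow-list for the OpenVPN port with two countries.
# Assumptions: iptables with the xtables-addons geoip match (-m geoip --src-cc),
# OpenVPN on UDP/1194 hooked from INPUT; DE and IT are placeholder country codes.

IPT="${IPT:-iptables}"          # set IPT="echo iptables" for a dry run
CHAIN="VPN_GEO"
PORT="1194"
PROTO="udp"
COUNTRIES="DE IT"               # every allowed country gets its own ACCEPT rule

vpn_geo_start() {
    $IPT -N "$CHAIN" 2>/dev/null
    $IPT -F "$CHAIN"
    for cc in $COUNTRIES; do
        $IPT -A "$CHAIN" -m geoip --src-cc "$cc" -j ACCEPT
    done
    # Anything that matched no allowed country is logged (rate-limited so a
    # scan cannot flood the log) and then dropped.
    $IPT -A "$CHAIN" -m limit --limit 5/min -j LOG --log-prefix "VPN_GEO_DROP "
    $IPT -A "$CHAIN" -j DROP
    # Put the jump in front of the normal INPUT processing for the VPN port,
    # so the GeoIP check runs before any later rule that accepts the port.
    $IPT -I INPUT 1 -p "$PROTO" --dport "$PORT" -j "$CHAIN"
}

vpn_geo_stop() {
    $IPT -D INPUT -p "$PROTO" --dport "$PORT" -j "$CHAIN" 2>/dev/null
    $IPT -F "$CHAIN" 2>/dev/null
    $IPT -X "$CHAIN" 2>/dev/null
}

case "${1:-}" in
    start) vpn_geo_start ;;
    stop)  vpn_geo_stop ;;
esac
```

Run it once with `IPT="echo iptables" ./vpn_geo.sh start` to review the generated rules before applying them on the firewall.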

OK thanks again for the explanation… so I think I will leave it as is and maybe one day it will be (hopefully) implemented in ipfire without using a script.

And I didn’t know about the extra security with “TLS Channel Protection” for OpenVPN.
I enabled it but I need to recreate the OpenVPN clients since connection fails…

Don’t forget to hit apply in the firewall rules. Been caught out by that one before.
Other question is… are the VPN rules sitting before the geo-ip rules in the chain.
If they are it does not matter what you put into your firewall hits, they will hit the higher rule and exit.

BR
Joe.