OpenVPN client and firewall rules

I installed IPFire as an OpenVPN client to another IPFire OpenVPN server and everything is working.

Now I want to create an inbound NAT rule for an HTTP server that should be available only from the GREEN network of the IPFire OpenVPN server.

Basically the traffic is coming from the tun0 interface, which the OpenVPN client created, and the proper iptables commands are:

# DNAT the HTTP port arriving on the tunnel to the internal server
iptables -A PREROUTING -t nat -i tun0 -p tcp --dport 80 -j DNAT --to 10.156.11.2:8000

# FORWARD sees the packet after DNAT, so it must match the translated port 8000
iptables -A FORWARD -p tcp -d 10.156.11.2 --dport 8000 -j ACCEPT

My question is: How can I add the equivalent of the iptables commands using the IPFire Firewall rules GUI interface?

I didn’t get it working, simply because the GUI doesn’t offer tun0 as an interface for selection.

Hi Michael,
if you generated the client on the server, it should appear in the WUI of the FW rules on the server. If you added some “Static IP address pools”, it should appear as “OpenVPN clients:”; if you use the “Dynamic OpenVPN IP address pool”, it should appear as “OpenVPN networks:” <-- in that case all clients will have the same rule; if you don’t want it that way, use the first option.
In both cases the “Source” is then the client, whereby you would only need to give it the destination in your green LAN.

Some FW hints: If you use a “Blocked” “Default firewall behaviour”, you need to set one ACCEPT rule. If you have an “Allowed” “Default firewall behaviour”, you would need one ACCEPT rule and after that a DROP or even REJECT rule for the OpenVPN network/clients to prevent other traffic.

Some ideas from here.

Best,

Erik
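The two rules from the question, restricted to the remote GREEN network and with the ACCEPT-then-REJECT ordering from the hint above, for the client-side IPFire. This is an added example, not code from the thread or from the IPFire project; tun0, 10.156.11.2:8000 and the remote GREEN network 192.168.10.0/24 are assumed values, and the rules are printed rather than applied so they can be reviewed first.

```shell
#!/bin/sh
# Emit iptables rules for the OpenVPN client side of a port forward that
# should only be reachable from the GREEN network behind the OpenVPN server.
# Assumed values: tun_if is the client's tunnel interface, dst_ip:dst_port the
# internal HTTP server, src_net the remote GREEN network (all constructed).
#
# ovpn_port_forward <tun_if> <remote_green_cidr> <public_port> <dst_ip> <dst_port> [allowed|blocked]
ovpn_port_forward() {
    tun_if=$1; src_net=$2; pub_port=$3; dst_ip=$4; dst_port=$5
    policy=${6:-allowed}   # IPFire "Default firewall behaviour" for FORWARD

    # 1. DNAT only traffic that arrives over the tunnel from the remote GREEN network
    echo "iptables -t nat -A PREROUTING -i $tun_if -s $src_net -p tcp --dport $pub_port -j DNAT --to-destination $dst_ip:$dst_port"

    # 2. FORWARD sees the packet after DNAT: match the translated port, not the public one
    echo "iptables -A FORWARD -i $tun_if -s $src_net -p tcp -d $dst_ip --dport $dst_port -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"

    # 3. Let the server's replies travel back through the tunnel
    echo "iptables -A FORWARD -o $tun_if -d $src_net -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"

    # 4. With an "Allowed" default policy, close everything else coming from the tunnel;
    #    with "Blocked" the policy already does that, so no extra rule is needed.
    case "$policy" in
        allowed) echo "iptables -A FORWARD -i $tun_if -j REJECT" ;;
    esac
}

# Stand-alone usage: print the rule set for the values from the question.
ovpn_port_forward tun0 192.168.10.0/24 80 10.156.11.2 8000 allowed
```

Pipe the output into a shell only after checking that the source network and the translated port match your setup.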

Maybe I was not clear in my explanation: I want to create the rule on the client and not on the server (i.e. the users on the server side should connect to the service that resides behind the client).

Why don’t you use an N2N connection then?

Between the client and the server is a firewall that blocks nearly everything and also uses NAT and a dynamic IP address.

The blocked ports are not the problem, the solution is to use a well-known tcp port.

But N2N doesn’t work with NAT in between and/or the different IP addresses that the client has and the server sees.

However, OpenVPN as a road warrior has no problem with NAT and a dynamic IP address.

If you have IPFire on both sides, a quick explanation of how your firewall works should help. N2N can be NATed like RWs within the same rule for the preceding router. Dynamic IPs (DDNS?) can also be used for both, so I am currently not sure where your problem is. An advantage might be to firewall both sides via the WUI on an N2N connection, in my opinion…

But maybe I do not understand you correctly.

Best,

Erik

Unfortunately I am not in charge of the firewall between the two IPFires.

In fact, the admin of that firewall does everything to block VPN.

So the only way is to run OpenVPN over port 443, because that port can’t be blocked.

As for N2N: From the log I could see that the server expects the client coming from the defined IP address.

Further, the server needs to have an IP address of the client and tries to connect to that IP address.

In my view, this makes sense, because in N2N both parties are equal and try to connect to the other side.

In IPsec, one side can be set to “wait for connection” and then the other side can connect from any IP.

But I have not found such a setting in OpenVPN.

Hi,
N2N is also possible with OpenVPN on IPFire, but not below port 1024 --> https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=html/cgi-bin/ovpnmain.cgi;h=e76a688fe7dcda0b77bf716eb2538342cd775b00;hb=refs/heads/next#l3875 which is a problem if you need to have it on 443 TCP.

Why don’t you make the connection the other way around via an RW connection if you only need access from one side?

Best,

Erik