First of all, really congratulations for your distribution!
I’m experiencing a trouble with the Openvpn udp firewall rule.
I have setup the openvpn server and works correctly, but I need to allow connections only from my static ip address. As done with other services, I have setup that the port 1194 will accept connections only from my static ip, but if for others rules works, with the openvpn not. I have tried to write the ip manually or selecting it from the saved host… but nothing.
OpwnVpn now is activated on the red, i need to active on the green and after create the rule?
Where I’m wrong?
Hi Josef and welcome here.
if you want to make more then one FW rule in general the static IPs are exactly what you need. All depends now on your ‘Default firewall behaviour’ which you can find under the “Firewall Options” tab --> https://wiki.ipfire.org/configuration/firewall/default-policy .
Two cases are important here:
If your ‘Default Firewall behaviour’ for the FORWARD chain is set to “Allowed”, you would need a rule which drops or rejects all other not wanted connections. This rule should to be at the end of your OpenVPN ruleset.
If you have configured a “Blocked” FORWARD chain (all is forbidden what is not explicit allowed) you need to allow every wanted connection.
Hi Erik, really thank you for the help.
Forward and outgoing are allowed in the general setup
This is my configuration.
What I don’t understand is why normals NAT rules works correctly answering only from connections made from my OFFICE IP… and the same logic doesn’t work for openvpn.
You are welcome.
to clear the OpenVPN FW basics a little, If you enable OpenVPN via the checkbox “OpenVPN on RED:” you open the FW up for OpenVPN connection attempts. So generally spoken, you won´t need a FW rule if you have an open FORWARD policy set in the WUI or in other words, a FW rule for UDP 1194 is not needed since the web user interface will do this for you automatically.
If you want now specific rules for specific clients, you will need at first to separate them via “Static IP address pools” <<–>> every transport net get´s his own FW rules (what you already did).
Now is it important to define the source and the destination of the rule. The source starts the connection attempt, in our case the OpenVPN client. If you have setup an OpenVPN client in your “OFFICE” you will be connected via the configured OpenVPN transport net (you can also call it OFFICE in the “Static IP address pools”) therefore the OpenVPN is the source not the destination and you do not need 1194 UDP but the services/ports you want to access in your LAN (“Any” for all services)!!! A simple picture: If you are connected via OpenVPN, you are virtually in your LAN (usage of non-routable IPs like 192.168.* ).
Hope this clears it a little…
Some other points i wanted to quest:
- Do not open 444 TCP on RED. If you have OpenVPN running you should be perfectly fine by reaching the web user interface via OpenVPN and the appropriate LAN IP.
- I won´t drop ICMP on RED . Beneath some other important network functions, OpenVPN uses keepalive which also uses ICMP.
Some more ideas from here.