OpenVPN – A Custom Iptables journey

During this lockdown period, people are usually working from home which means they all are contributing to work by staying at home. So, if someone wants to work on something online, such as on a particular private or public server of a company, depending on the scenario, will need a network route to that server.

makes sense?

Meaning, they first need access to that particular server either via a public network or using VPN. These things have their own set of complexities. Therefore, we will discuss a few aspects of network access & their drawbacks:

1. In some cases companies allow users to access servers via the internet without any specific condition which means servers have public IP & are publicly available. But what if websites don’t need to open globally or do not need public access?

Solution: In that case, we can disable public access & use firewall rules or security groups to manage users’ public IP’s. If someone wants to access a server, they’ll have to contact the server administrator and provide them their public IP address. Then the server administrator can whitelist that IP address providing access to the user.

2. By disabling public access and using firewall rules, managing users’ public IP can be really hectic because users usually don’t stick to a specific network. This means their public IP will change whenever they switch networks. There is no static IP for a normal broadband connection. So, IP will always rotate as users will have to contact server administrators each time they change network.

Solution: In this case, we can use a VPN server to gain access to a company network. Server administrators would need to manage a VPN server and client configuration for each user.

So, OpenVPN is a good option for setting up a VPN server because it’s open-source. Users can easily get installation instructions for Linux/Unix. OpenVPN uses the Iptables firewall for its routing rules. Community forums like stack-overflow, OpenVPN official help site, etc are present for support.

3. With minimal configuration and basic restriction policies in the OpenVPN server, users can easily access company servers without issues of IP address management but there is another issue with this configuration. If server administrator sets up an OpenVPN server for the management team or any team which only has access to private or public websites of the company which means a user using VPN would need only internet or only port 80 & 443 access but with normal configuration, user can easily use other ports via VPN like user can use SSH, connect to the database or can connect to any other application via any port. To overcome this, OpenVPN comes with the idea of restricting rules policy using iptables.

Iptables is a firewall tool for Linux machines and it comes with very extensive features. Iptables works along with OpenVPN and anyone can modify it.

With OpenVPN setup, generally, users use iptables rules to masquerade OpenVPN private subnet to the main Ethernet. So, users can use network features using the OpenVPN server which means there are no specific rules applied for OpenVPN.

For checking iptables rules using iptables command [Both NAT table & Filter table ]

# iptables -L

In the above iptables output, it shows that there are no rules specified for any port, interface, subnet, or IP address. It just shows the empty output that we configured with OpenVPN.

# iptables -t nat -L

In the above iptables output, it shows POSTROUTING rules to masquerade OpenVPN subnet to main Ethernet which is eth0. It means any traffic that comes from mentioned and specified subnet [ OpenVPN subnet] is allowed to go through eth0.

So, basically from the above iptables command, we get to know that there are no specified rules allowed in the filter table & there is one rule for NAT table which masquerades the traffic to the main ethernet.

Let’s connect with any rules and see if we are able to connect to different resources using the OpenVPN client.

After that, it will assign you an IP address from the OpenVPN subnet.

Now, connect to different resources.

You can check internet connection by web browse

We can test by SSH to any resource,

Putty access

Once you fill-out the information, try to connect to the server.

To make things right with iptables and to know more about iptable rules with OpenVPN, we will allow users to use only SSH through OpenVPN but not let users access the internet or any other resource.

For that, we need to create iptables rules.

  1. First, we will drop or disable any access through OpenVPN for the OpenVPN subnet using a filter table FORWARD.
  2. We will append rules to allow SSH access using a filter table FORWARD.

NOTE: In iptables, rules are read from top to bottom. Hence, if there is a rule specified in iptables to deny resources and there is a same rule to allow resources on top of it, iptables will allow that rule whether you drop or deny in below that.

There are three options in iptables for filter table which is:

  1. Insert
  2. Append
  3. Delete

For this scenario, we will only use insert & append tags to write our rules. Delete option is also important but we are not going to use the delete tag in iptables for this case.

1. Append in iptables will put a rule at the end of the table which means if we want to drop everything except few resources, we will have to use the Append tag to create a rule at the end of the filter table to drop everything.

2. Insert in iptables will put a rule at the beginning of the table which means if after dropping everything using the “-A” tag in iptables, we can use insert a tag to allow specific resources.

Let’s break down this diagram,

In the above, diagram, we are trying to add four rules with the different tags as shown in the diagram [-A & -I ].

First, we are using an append tag which means it will be set at the end of the table whether there is already a rule present or not. After that, we use an insert tag which means it will be set at the beginning of the table whether any rule is present or not. So, this is the basic concept of append & insert tag. Check the below diagram for more details.

So, according to this, we run two rules to specify or need.

  1. Block all connection
# iptables -A FORWARD -s X.X.X.X/8 -i tun0 -j DROP
  1. Allow specific rule
# iptables -I FORWARD -p tcp -s X.X.X.X/X --destination-port 22 -i tun0 -j ACCEPT

You can see that rule with an insert tag at the beginning of the table and a rule with append at the end of the table.

NOTE: After setting up rules, you can check whether the rules are working fine or not. If it is working fine, you can use the net-filter command to save the specific rules.

Now, we will check whether the rules are working fine or not.

For now, we are unable to access the internet because we dropped all connections for the OpenVPN subnet,

But we can easily connect to SSH.

We can check other resources like Database connections or other port connections to make sure that everything is working properly.

We checked only with database connection but you can test this option with any kind of protocol other than the allowed one. We used the telnet command to check the connection, you can use any other tool to make sure that everything is working fine.

Conclusion

We discussed a few of the rules provided by Iptables, their workflow and use-cases. Iptables is a very powerful firewall tool that is very flexible and useful in many aspects. Not only external traffic, but it can also help control, route and redirect using a set of rules. For OpenVPN and other tools, iptables gives you options to make things work as you want.

Let us know in the comment section about your experience where you used iptables and how iptables it helped you in managing resources.

Let’s keep away negative things from life just like we block or drop things using iptables :).

Keep exploring!

GIF References

Blog Pundit: Naveen Verma &  Adeel Ahmad

Opstree is an End to End DevOps solution provider

Connect Us

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s