OpenVPN and Arno's Iptables Firewall on Debian Wheezy

Arno's iptables script is very detailed and easy to configure. The following might NOT be the optimal setup to allow a VPN, but it works for me.

First, verify that your OpenVPN setup works with the firewall stopped (shields down), so that any problem you hit later can be blamed on the firewall rules rather than on OpenVPN itself.

Create /etc/arno-iptables-firewall/conf.d/01openvpn.conf (files in conf.d are sourced after the main firewall.conf, so the settings below override it) with the following content:

RP_FILTER=0
NAT=1
NAT_INTERNAL_NET="(put the openvpn network, e.g. 10.0.0.0/24)"
TRUSTED_IF="(the physical and the VPN interfaces, e.g. eth0 tap0)"

Two caveats. RP_FILTER=0 turns off the kernel's reverse-path (anti-spoofing) check on all interfaces, so keep it only if VPN traffic is actually dropped with it on. TRUSTED_IF grants the listed interfaces unrestricted access, so listing the external interface (eth0) there as well as the VPN interface effectively switches filtering off on the side facing the Internet; if you can, list only the VPN interface (e.g. tap0) and let the open-port settings below handle eth0.

Then, either by editing the configuration files or through debconf (dpkg-reconfigure arno-iptables-firewall), set the following (the corresponding firewall.conf variable is given in parentheses):
External network interface (EXT_IF): the physical interface, e.g. eth0
DHCP (EXT_IF_DHCP_IP): no, unless the external interface really gets its address via DHCP.
Open external TCP/UDP ports (OPEN_TCP / OPEN_UDP): the port(s) used in your OpenVPN configuration, with the same protocol as the proto directive in server.conf (you will need at least one, TCP or UDP; 1194/udp is the OpenVPN default)
Pingable (OPEN_ICMP): no, unless you need it.
Internal network interfaces (INT_IF): your OpenVPN interface(s), e.g. tap0
Internal subnets (INTERNAL_NET): the OpenVPN network, e.g. 10.0.0.0/24
Enable NAT (NAT): yes
Internal networks with access to external networks (NAT_INTERNAL_NET): the OpenVPN network, e.g. 10.0.0.0/24
Restart the firewall and OpenVPN (service arno-iptables-firewall restart, then service openvpn restart) and test from a client. Good luck.

Note: with this setup you do not need the custom iptables rules (the MASQUERADE and FORWARD lines) found in OpenVPN installation instructions on wikis, as Arno's script generates the NAT and forwarding rules itself. Adding them by hand on top would only duplicate them, and they would be flushed the next time the firewall restarts anyway.
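Once both services are back up, it is worth checking that the ruleset Arno's script generated really contains what the settings above ask for, rather than trusting that a client can connect. The script below is an added example for this post, not code from the original or from Arno's project. It assumes the OpenVPN network 10.0.0.0/24 on tap0, eth0 as the external interface and the OpenVPN default 1194/udp (edit the variables at the top to match your server.conf); the checks take an iptables-save dump as text, so they are exercised on a constructed sample when run without arguments and against the live kernel with --live (as root).

```sh
#!/bin/sh
# Post-restart sanity check for the OpenVPN + Arno's iptables firewall setup.
# Added example, not code from the original post or from Arno's project.
# Assumptions (edit to match your server.conf and firewall settings):
VPN_NET="10.0.0.0/24"   # the OpenVPN network (INTERNAL_NET / NAT_INTERNAL_NET)
VPN_IF="tap0"           # the OpenVPN interface (INT_IF)
EXT_IF="eth0"           # the physical interface (EXT_IF)
VPN_PROTO="udp"         # 'proto' in server.conf
VPN_PORT="1194"         # 'port' in server.conf (1194 is the OpenVPN default)

# The checks take a ruleset in iptables-save format as text, so they can run
# offline. Constructed sample, not a dump from a real machine:
SAMPLE_RULES='*nat
-A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
-A INPUT -i eth0 -p udp -m udp --dport 1194 -j ACCEPT
-A FORWARD -i tap0 -o eth0 -j ACCEPT
COMMIT'

# Escape the dots of a subnet or interface name so grep -E matches them literally.
lit() { printf '%s' "$1" | sed 's/\./\\./g'; }

# 0 if some chain NATs traffic from subnet $2 leaving via interface $3
# (MASQUERADE for a dynamic external address, SNAT for a static one).
has_nat_rule() {
    printf '%s\n' "$1" | grep -E -- "^-A [^ ]+ .*-s $(lit "$2") .*-o $(lit "$3") .*-j (MASQUERADE|SNAT)" >/dev/null
}

# 0 if some chain accepts incoming $2/$3, i.e. the OpenVPN listener is reachable.
has_open_port() {
    printf '%s\n' "$1" | grep -E -- "^-A [^ ]+ .*-p $2 .*--dport $3 .*-j ACCEPT" >/dev/null
}

# 0 if some chain accepts forwarding from the VPN interface $2 to interface $3.
has_forward_rule() {
    printf '%s\n' "$1" | grep -E -- "^-A [^ ]+ .*-i $(lit "$2") .*-o $(lit "$3") .*-j ACCEPT" >/dev/null
}

# 0 if the external interface $2 appears in the TRUSTED_IF value $1. Trusted
# interfaces get unrestricted access, so this would bypass filtering on it.
ext_if_is_trusted() {
    for i in $1; do [ "$i" = "$2" ] && return 0; done
    return 1
}

# Live checks against the running kernel (needs root). Returns 0 when all pass.
check_live() {
    rules="$(iptables-save)" || { echo "iptables-save failed (are you root?)"; return 2; }
    rc=0
    has_open_port "$rules" "$VPN_PROTO" "$VPN_PORT" \
        || { echo "MISSING: $VPN_PROTO/$VPN_PORT is not accepted (check OPEN_TCP/OPEN_UDP)"; rc=1; }
    has_nat_rule "$rules" "$VPN_NET" "$EXT_IF" \
        || { echo "MISSING: no NAT for $VPN_NET via $EXT_IF (check NAT/NAT_INTERNAL_NET)"; rc=1; }
    has_forward_rule "$rules" "$VPN_IF" "$EXT_IF" \
        || { echo "MISSING: no forwarding from $VPN_IF to $EXT_IF (check INT_IF/INTERNAL_NET)"; rc=1; }
    [ "$(cat /proc/sys/net/ipv4/ip_forward)" = 1 ] \
        || { echo "MISSING: net.ipv4.ip_forward is 0, clients cannot reach beyond the VPN host"; rc=1; }
    # RP_FILTER=0 in the conf.d file disables the kernel's source-address sanity check; say so.
    [ "$(cat /proc/sys/net/ipv4/conf/$EXT_IF/rp_filter 2>/dev/null)" = 0 ] \
        && echo "WARNING: rp_filter is off on $EXT_IF (RP_FILTER=0); spoofed sources are not dropped there"
    return $rc
}

case "${1:-}" in
    --live) check_live ;;
    *)  # offline demonstration on the constructed sample
        has_open_port "$SAMPLE_RULES" udp 1194 && echo "sample: udp/1194 accepted"
        has_nat_rule "$SAMPLE_RULES" 10.0.0.0/24 eth0 && echo "sample: NAT for 10.0.0.0/24 present"
        has_forward_rule "$SAMPLE_RULES" tap0 eth0 && echo "sample: tap0 -> eth0 forwarding present"
        ext_if_is_trusted "eth0 tap0" eth0 && echo "sample: WARNING, eth0 is listed in TRUSTED_IF" ;;
esac
```

The patterns deliberately ignore the chain name, since Arno's script places rules in its own chains rather than directly in INPUT or FORWARD; what matters is that a rule with the right protocol, port, source network and interfaces ends in ACCEPT or in a NAT target. If --live reports a missing piece, re-check the matching setting named in the message and restart the firewall before blaming OpenVPN.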
