Road Warrior OpenVPN Part 4
Over the course of this series so far we’ve been looking at configuring the OpenVPN server on your VPS in order to allow you to secure your internet connection when working with wifi hotspots in locations such as restaurants, cafes, and hotels. So far we have configured the OpenVPN server and created the configuration to allow OpenVPN client devices to connect to the server. Now the only thing that remains is to configure the server’s firewall so that OpenVPN packets are allowed in, and so that connections are properly forwarded when a VPN client tries to reach the internet.
How to Configure Your Server’s Firewall
For this we’ll be configuring the iptables firewall on the server. The first thing we need to do is allow the incoming connections for OpenVPN – this can be done with the following command:
iptables -A INPUT -i eth0 -m state --state NEW -p udp --dport 1194 -j ACCEPT
Note here that we’ve referenced the interface eth0. If your system is using a different name for its public interface, as has become common with modern Linux builds, you’ll need to replace eth0 with that interface name.
Next, we want to accept incoming traffic over the OpenVPN tunnel interface:
iptables -A INPUT -i tun+ -j ACCEPT
We then need to accept the forwarding of packets between the tunnel interface and the public network interface:
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
Again we’ve used eth0 for the public network interface on these lines, and you’ll need to replace that with your public interface name.
Next we need to tell iptables that we need to use Network Address Translation (NAT) with our incoming tunnel connections:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
So, all connections from 10.8.0.0/24 (the IP range assigned for the VPN) will use Network Address Translation to appear to be coming from the server’s public network interface. If, for whatever reason, you change the IP range that OpenVPN uses, you’ll need to change the IP range as shown here to match.
With that done, you should be good to go. However, on the off chance that the default policy of your OUTPUT chain is not ACCEPT, you’ll need to add the following line to allow traffic out:
iptables -A OUTPUT -o tun+ -j ACCEPT
Your VPN should now be accessible and able to forward traffic on to the internet for your connected clients. Your traffic should be encrypted between your client device and the server, and to the internet all of your traffic should appear to originate from your VPS. Now you can think about using WiFi hotspots with the added security that your traffic is encrypted between your device and a known safe server.
With the changes made it makes sense to save the iptables rules now, which can be done using the iptables-save command:
sudo iptables-save > /etc/iptables/rules
In this case, we are saving to the default location for iptables rules if you are using the iptables-persistent package to reload your firewall rules after a reboot. If you are using an alternative method to reload your iptables rules after a reboot you’ll want to save your configuration to the relevant file for that.
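The rules above as a single script, added here as an example and not part of the original post: it writes the rules as an iptables-restore file so the public interface name and VPN range are set in one place instead of being edited on every line. The helper names (default_iface, openvpn_rules, forwarding_enabled, apply_rules) are mine; the post's first two FORWARD lines are merged into one that accepts tun+ traffic only towards the public interface (the post's second line never matches, because its first line already accepts everything arriving on tun+), and the save path rules.v4 is my assumption about where iptables-persistent reads from on Debian and Ubuntu.

```shell
#!/bin/sh
# Added example (not from the original post): generate the post's iptables rules as an
# iptables-restore file so the interface name and VPN subnet are set in one place.
# Assumed helper names: default_iface, openvpn_rules, forwarding_enabled, apply_rules.

# Print the interface carrying the default route; fall back to the post's eth0.
default_iface() {
    ip -o route show default 2>/dev/null | awk '{print $5; exit}' | grep . || echo eth0
}

# Emit the rules for public interface $1, VPN subnet $2 (default 10.8.0.0/24)
# and OpenVPN UDP port $3 (default 1194). No chain policies are written, so
# applying with "iptables-restore --noflush" appends to whatever rules exist.
openvpn_rules() {
    iface="$1"; subnet="${2:-10.8.0.0/24}"; port="${3:-1194}"
    cat <<EOF
*filter
-A INPUT -i $iface -m state --state NEW -p udp --dport $port -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A FORWARD -i tun+ -o $iface -j ACCEPT
-A FORWARD -i $iface -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
COMMIT
*nat
-A POSTROUTING -s $subnet -o $iface -j MASQUERADE
COMMIT
EOF
}

# The FORWARD rules only do anything if the kernel forwards at all; return 0 when it does.
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# Load the rules without flushing existing ones, then save them for reload at boot.
# Assumption: iptables-persistent reads /etc/iptables/rules.v4 on Debian/Ubuntu.
apply_rules() {
    forwarding_enabled || echo "warning: net.ipv4.ip_forward is 0; VPN clients will not reach the internet" >&2
    openvpn_rules "$@" | iptables-restore --noflush && iptables-save > /etc/iptables/rules.v4
}

# "sh firewall.sh print" shows the generated rules for the detected interface.
if [ "${1:-}" = "print" ]; then
    openvpn_rules "$(default_iface)"
fi
```

Run it as root with apply_rules once you have checked the printed rules; the INPUT, FORWARD and OUTPUT lines are appended, so any rules you already have (such as the one admitting SSH) stay in place.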
If you have any problems then OpenVPN should log to your default syslog file where you would be able to see any errors or warnings that come up during operation.
With the VPN up and running, we’ve looked at how you can use a VPS to secure your internet connection. Next time, we’ll be looking at how you can host your own files, contacts and calendar on your VPS using NextCloud.