# OpenVPN & iptables what rules to set

## dinominant

Hi. I'm trying to set up an OpenVPN connection between my laptop and webserver. I've followed the OpenVPN primer and I can ping the webserver's IP through the VPN if iptables is disabled, but being a webserver I need iptables enabled. With iptables enabled I get this error: `openvpn[6022]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)`.

webserver openvpn config:

```
dev tun
ifconfig 10.32.0.1 10.32.0.2
secret /etc/openvpn/link.key
comp-lzo
port 443
user nobody
group nobody
```

laptop openvpn config:

```
remote domain.name
dev tun
ifconfig 10.32.0.2 10.32.0.1
secret /etc/openvpn/link.key
comp-lzo
user nobody
group nobody
```

iptables rules:

```
# Generated by iptables-save v1.3.8 on Tue Mar 25 13:28:29 2008
*nat
:PREROUTING ACCEPT [104582:6023732]
:POSTROUTING ACCEPT [1020:59881]
:OUTPUT ACCEPT [92:5709]
# enable NAT
-A POSTROUTING -j MASQUERADE
# forward traffic to alpha
-A PREROUTING -d <snip> -j DNAT --to-destination 172.16.0.3
COMMIT
# Completed on Tue Mar 25 13:28:29 2008
# Generated by iptables-save v1.3.8 on Tue Mar 25 13:28:29 2008
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [56:9004]
:OUTPUT ACCEPT [840:202461]
# accept all from localhost
-A INPUT -s 127.0.0.1 -j ACCEPT
# accept all previously established connections
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# ping
-A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# ssh
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# vmware
-A INPUT -p tcp -m state --state NEW -m tcp --dport 902 -j ACCEPT
# vpn
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p udp --dport 443 -j ACCEPT
# reject everything else
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Tue Mar 25 13:28:29 2008
```

----------

## DrWilken

Hi...

You need these two ports open (eth0 is my outside NIC - replace with your tun adapter):

```
# ESP (Encapsulating Security Protocol)
iptables -A INPUT -p esp -i eth0 -j ACCEPT
# ISAKMP (Internet Security Association and Key Management Protocol)
iptables -A INPUT -p udp -i eth0 --dport 500 -j ACCEPT
```

And enable packets from your remote network:

```
# VPN connection
iptables -A INPUT -i eth0 -s <your-remote-network> -j ACCEPT
iptables -A FORWARD -i eth0 -s <your-remote-network> -d <your-inside-network> -j ACCEPT
```

You also have to disable NAT'ing on packets that go through the tunnel (I do NAT'ing for all going out except for one network):

```
# Source Address Masquerading
iptables -t nat -A POSTROUTING -o eth0 -s <your-inside-network> -d \! <your-remote-network> -j MASQUERADE
```

`<your-remote-network>` and `<your-inside-network>` have to be written like this: 192.168.1.0/24 or 10.10.0.0/16 etc.

You can run the iptables lines above one by one (after editing them) and then run iptables-save...


----------

## bbgermany

 *DrWilken wrote:*   

> Hi... 
> 
> You need these two ports open (eth0 is my outside NIC - replace with your tun adapter):
> 
> ```
> ...

 

OpenVPN is not IPSec. You don't need ESP and ISAKMP open for this. OpenVPN is an SSL-based VPN. You need to open the port where the daemon listens and allow the net within openvpn.

bb

----------

## DrWilken

 *bbgermany wrote:*   

>  *DrWilken wrote:*   Hi... 
> 
> You need these two ports open (eth0 is my outside NIC - replace with your tun adapter):
> 
> ```
> ...

 

Whooops... Sorry...

I've just set up a tunnel using OpenSWAN and thought they used the same protocols...

----------

