UFW for OpenVPN
Solution 1
The config can be more restrictive
ufw --force reset
ufw default deny incoming # Use the VPN tunnel for all traffic
ufw default deny outgoing
ufw allow out on tun0
ufw allow in on tun0
ufw allow out $port/$protocol # e.g. 1234/udp, depending on your OpenVPN client config
# Prefer resolved hosts to connect to your VPN, enable only if your VPN provider doesn't give you that option
#ufw allow out 53
# Allow local IPv4 connections, enable as needed, set specific IPs or tighter subnet masks if possible
#ufw allow out to 10.0.0.0/8
#ufw allow out to 172.16.0.0/12
#ufw allow out to 192.168.0.0/16
# Allow IPv4 local multicasts
#ufw allow out to 224.0.0.0/24
#ufw allow out to 239.0.0.0/8
# Allow local IPv6 connections
#ufw allow out to fe80::/64
# Allow IPv6 link-local multicasts
#ufw allow out to ff01::/16
# Allow IPv6 site-local multicasts
#ufw allow out to ff02::/16
#ufw allow out to ff05::/16
# Enable the firewall
ufw enable
Solution 2
Strong recommendation is that you do NOT use these two commands:
ufw allow incoming
ufw default allow in on tun0
Allowing in defeats the purpose of having a firewall. It is incorrect that you need "allow in on tun0" to receive return packets. You only want to receive connections you asked for, versus allowing the whole world to connect to you. Allowing out will do this. Test out the proposed configuration below and see.
Here is an example for a series of UFW commands for use with a firewall:
sudo ufw enable
sudo ufw --force reset
sudo ufw default deny incoming
sudo ufw default deny outgoing
sudo ufw allow out on tun0
sudo ufw allow out on eth0 to any port 53,1197 proto udp
sudo ufw allow out on wlan0 to any port 53,1197 proto udp
sudo ufw status verbose
Example Result:
Status: active
Logging: on (low)
Default: deny (incoming), deny (outgoing), disabled (routed)
New profiles: skip
To Action From
-- ------ ----
Anywhere ALLOW OUT Anywhere on tun0
53,1197/udp ALLOW OUT Anywhere on eth0
53,1197/udp ALLOW OUT Anywhere on wlan0
Anywhere (v6) ALLOW OUT Anywhere (v6) on tun0
53,1197/udp (v6) ALLOW OUT Anywhere (v6) on eth0
53,1197/udp (v6) ALLOW OUT Anywhere (v6) on wlan0
NOTE: -Your interfaces may be different, for example ubuntu 16.12 uses eno1 and wlp3s0b1. Use command "ifconfig" to see your actual interfaces. -1197 UDP is fairly default, but you may need to change it for your VPN (e.g. 443 TCP). -I usually delete ipv6 (sudo ufw delete 4, repeat x3)
What this does: -It allows outbound connections through the VPN tunnel, while blocking everything but the VPN tunnel and DNS connections on ethernet/wifi. Warning below on the DNS issue.
Warning: This example allow out on 53 for DNS requests so that openvpn (e.g. vpn.somevpnprovider.com) can request the IP address and make a connection. The trade off is the potential for DNS leakage. Use dnsleaktest.com to ensure your VPN settings tunnel your DNS requests. For the cautious/paranoid, skip allowing out on 53 and instead toggle your firewall off to connect, then back on once connected. For my VPN reasons, I choose not to do that since it's more likely I'll forget the firewall entirely (e.g. DNS will leak anyway if openvpn is misconfigured).
Related videos on Youtube
Alex M.
Updated on September 18, 2022Comments
-
Alex M. over 1 year
I want to configure ufw (uncomplicated firewall) for OpenVPN.
Connections are only allowed through OpenVPN. Everything else should be blocked. So if OpenVPN is disconnected -> no internet! I found this script online and I want to know if it's good enough. Or do I have to add more rules ?
#!/bin/bash ########################################### # Created by Thomas Butz # # E-Mail: btom1990(at)googlemail.com # # Feel free to copy & share this script # ########################################### # Adapt this value to your config! VPN_DST_PORT=3478 # Don't change anything beyond this point ########################################### # Check for root priviliges if [[ $EUID -ne 0 ]]; then printf "Please run as root:\nsudo %s\n" "${0}" exit 1 fi # Reset the ufw config ufw --force reset # let all incoming traffic pass ufw default allow incoming # and block outgoing by default ufw default deny outgoing # Every communiction via VPN is considered to be safe ufw allow out on tun0 # Don't block the creation of the VPN tunnel ufw allow out $VPN_DST_PORT # Don't block DNS queries ufw allow out 53 # Allow local IPv4 connections ufw allow out to 10.0.0.0/8 ufw allow out to 172.16.0.0/12 ufw allow out to 192.168.0.0/16 # Allow IPv4 local multicasts ufw allow out to 224.0.0.0/24 ufw allow out to 239.0.0.0/8 # Allow local IPv6 connections ufw allow out to fe80::/64 # Allow IPv6 link-local multicasts ufw allow out to ff01::/16 # Allow IPv6 site-local multicasts ufw allow out to ff02::/16 ufw allow out to ff05::/16 # Enable the firewall ufw enable
Source : http://pastebin.com/AUHh6KnV
-
ntninja over 9 yearsLooks fine! Just try and see if it works, it there are any issues you can always disable
ufw
usingsudo ufw disable
and remove all firewall rules usingsudo ufw --force reset
. What could possibly go wrong? ;-) -
JVE999 over 9 yearsI might avoid allowing all incoming traffic, as that alone will allow openvpn to work.
-
n00dl3 about 9 yearsyou should always deny incoming connections by default...
-
emk2203 about 8 yearsThis script is clearly made for filesharing purposes. Denying incoming connections defeats the purpose. It gives you the "killswitch" behaviour of commercial VPN applications - not more, not less.
-
berbt almost 8 years@emk2203 no, it denies incoming traffic outside the tunnel.
-
berbt almost 8 years
gives you the "killswitch" behaviour of commercial VPN applications
neither that. ufw works, "killswitches" are a Russian roulette.
-
-
Matt Borja over 7 yearsStill trying to understand firewall lingo, but would you hypothetically not want to allow in on
tun0
as a means of blocking inbound connections from the VPN? As in,ufw deny in on tun0
? -
Matt Borja over 7 yearsYou're right, I somehow didn't see that. Disregard :)
-
Matt Borja over 7 yearsActually, it looks like what I was "questioning" was the
ufw allow in on tun0
line. -
Philipp Ludwig over 2 yearsThe given firewall rules are not enough to make a VPN server work, something is missing.
-
Philipp Ludwig over 2 yearsThese rules are not enough, no data is going through the tunnel.