Re: [Openvpn-users] Understanding firewalls and bridging v. point to point


  • Subject: Re: [Openvpn-users] Understanding firewalls and bridging v. point to point
  • From: Charles Duffy <cduffy@xxxxxxxxxxx>
  • Date: Thu, 27 Jul 2006 11:58:25 -0500

siegfried wrote:
> I’m trying to understand the installation procedures at 
> http://www.nslu2-linux.org/wiki/HowTo/SetUpOpenVPNServer .

Note that this isn't official OpenVPN-project-maintained documentation. 
The official documentation is at http://openvpn.net/, but doesn't (that 
I know of) have any explicit coverage of Unslung.

> Can anyone speculate why it says to add these firewall rules (see below) 
> for a point-to-point client (peer)?

The rules are relevant only if you would otherwise have a local 
(host-based) firewall with rules or policies in place denying the 
traffic these rules are intended to permit.

>      "$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 1194 -j ACCEPT"

This ensures that the firewall isn't blocking the incoming UDP traffic.

> $IPT -A INPUT -i tun+ -j ACCEPT

This is trusting any traffic coming over a tunnel.

> $IPT -A OUTPUT -o tun+ -j ACCEPT

This is allowing the server to send anything it likes over a tunnel.

> $IPT -A FORWARD -i tun+ -j ACCEPT

This is allowing VPN clients to send traffic to any other network 
adapters the VPN server happens to be connected to.

> $IPT -A INPUT -i tap+ -j ACCEPT

This is allowing the server to receive any traffic sent over a tap-style 
adapter. It isn't relevant to bridging, but rather to a tap-based endpoint.

> $IPT -A OUTPUT -o tap+ -j ACCEPT

This is allowing the server to send any traffic it likes over a 
tap-style adapter. It isn't relevant to bridging, but rather a tap-based 
endpoint.


...and so on.

If you don't have a firewall, though, this is all irrelevant -- and if 
you *do* have a firewall, you should understand it well enough to not be 
blindly following these instructions.

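The following is an added illustration, not part of the message above and not OpenVPN or netfilter code. It is a toy first-match model of the iptables filter chains that evaluates the rules quoted in the thread against a few constructed packets under a default-ACCEPT and a default-DROP policy, which makes the reply's main point visible: the ACCEPT rules change nothing unless the chain's policy (or an earlier rule) would otherwise deny the traffic. The `INPUT -> udp_inbound` jump rule, the packet contents and the interface names are assumptions; the wiki page being discussed is not reproduced here.

```python
"""Toy first-match model of iptables filter chains (added example, not
OpenVPN/netfilter code). It parses the rules quoted in the thread and shows
when each one actually changes the verdict."""
import shlex

# Rules quoted in the thread, in the syntax used there ($IPT expanded).
PAGE_RULES = [
    "-A udp_inbound -p UDP -s 0/0 --destination-port 1194 -j ACCEPT",
    "-A INPUT -i tun+ -j ACCEPT",
    "-A OUTPUT -o tun+ -j ACCEPT",
    "-A FORWARD -i tun+ -j ACCEPT",
    "-A INPUT -i tap+ -j ACCEPT",
    "-A OUTPUT -o tap+ -j ACCEPT",
]
# Assumed glue rule: the udp_inbound user chain is only reached if INPUT
# jumps to it. The thread does not show that rule, so this is our assumption.
GLUE_RULES = ["-A INPUT -p UDP -j udp_inbound"]

OPTION_KEYS = {"-A": "chain", "-i": "in", "-o": "out", "-p": "proto",
               "-s": "src", "--destination-port": "dport", "-j": "target"}


def parse_rule(text):
    """Parse the subset of iptables options used on the page into a dict."""
    toks = shlex.split(text)
    rule = {}
    for opt, val in zip(toks[0::2], toks[1::2]):
        key = OPTION_KEYS[opt]          # KeyError for options not modelled
        rule[key] = val.upper() if key == "proto" else val
    return rule


def iface_match(pattern, iface):
    """iptables interface wildcard: a trailing '+' matches any suffix."""
    if pattern.endswith("+"):
        return iface.startswith(pattern[:-1])
    return pattern == iface


def rule_matches(rule, pkt):
    """True if every match criterion of the rule applies to the packet."""
    if "in" in rule and not iface_match(rule["in"], pkt.get("in", "")):
        return False
    if "out" in rule and not iface_match(rule["out"], pkt.get("out", "")):
        return False
    if "proto" in rule and rule["proto"] != pkt["proto"].upper():
        return False
    if "dport" in rule and int(rule["dport"]) != pkt.get("dport"):
        return False
    # '-s 0/0' matches every source; other prefixes are not needed here.
    if rule.get("src", "0/0") != "0/0":
        raise NotImplementedError("only -s 0/0 is modelled")
    return True


def verdict(chain, pkt, rules, policies):
    """First matching rule wins; a user chain that falls through returns None."""
    for rule in rules:
        if rule["chain"] != chain or not rule_matches(rule, pkt):
            continue
        target = rule["target"]
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        sub = verdict(target, pkt, rules, policies)   # jump to a user chain
        if sub is not None:
            return sub
    return policies.get(chain)   # built-in chain: policy; user chain: None


def evaluate(pkt, chain, default_policy):
    """Verdict for one packet entering `chain` with the given default policy."""
    rules = [parse_rule(r) for r in GLUE_RULES + PAGE_RULES]
    policies = {"INPUT": default_policy, "OUTPUT": default_policy,
                "FORWARD": default_policy}
    return verdict(chain, pkt, rules, policies)


# Constructed sample packets (assumed interface names and ports).
HANDSHAKE = {"in": "eth0", "proto": "udp", "dport": 1194}   # new client hello
TUNNEL_IN = {"in": "tun0", "proto": "tcp", "dport": 22}     # SSH over the tunnel
FORWARDED = {"in": "tun0", "out": "eth1", "proto": "tcp", "dport": 445}
OTHER_UDP = {"in": "eth0", "proto": "udp", "dport": 53}     # unrelated traffic

if __name__ == "__main__":
    for policy in ("ACCEPT", "DROP"):
        print(f"default policy {policy}:")
        print("  OpenVPN handshake on eth0 ->", evaluate(HANDSHAKE, "INPUT", policy))
        print("  SSH arriving over tun0    ->", evaluate(TUNNEL_IN, "INPUT", policy))
        print("  tun0 -> eth1 forwarding   ->", evaluate(FORWARDED, "FORWARD", policy))
        print("  unrelated UDP/53 on eth0  ->", evaluate(OTHER_UDP, "INPUT", policy))
```

With a default-ACCEPT policy every packet is accepted whether or not the quoted rules exist; with default-DROP, the port-1194 rule is what lets the handshake in while UDP/53 is still dropped, and the `tun+` rules on INPUT and FORWARD accept anything arriving over the tunnel, including forwarding toward other adapters, which is the scope the reply describes.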
______________________
OpenVPN mailing lists
https://lists.sourceforge.net/lists/listinfo/openvpn-users