How do I prevent Access Server from modifying iptables rules on my Linux host?

OpenVPN Access Server uses iptables (and ip6tables for an IPv6-configured server) on the host as part of its sophisticated NAT and routing of VPN-related traffic. Access Server adds rules to the "filter," "nat," and "mangle" tables of iptables (and ip6tables if applicable). Some changes are made when openvpnas starts up; others occur with Access Server configuration changes. Additional changes relate to per-user IP addresses and routes in Access Server.

Access Server includes the ability to disable particular types of iptables and ip6tables modifications if the corresponding Access Server functionality is not used (and iptables or ip6tables rule modification is undesirable).

These config keys identify three related iptables settings:

  1. iptables.vpn.disable.filter
  2. iptables.vpn.disable.nat
  3. iptables.vpn.disable.mangle

These config keys identify three related ip6tables settings:

  1. ip6tables.vpn.disable.filter
  2. ip6tables.vpn.disable.nat
  3. ip6tables.vpn.disable.mangle

To modify the boolean value for a setting, run the following commands with root privileges:

cd /usr/local/openvpn_as/scripts/
./sacli  --key="key_name" --value="boolean_value" ConfigPut
./sacli start

Use the following for key_name and boolean_value:

  • Key name: Enter one of the config keys listed above (e.g., iptables.vpn.disable.nat).
  • Boolean value: Set to either "True" or "False".

Example 1: Suppose you want to disable the Access Server's modification of the iptables NAT table. In that case, you would use the following commands:

./sacli  --key="iptables.vpn.disable.nat" --value="True" ConfigPut
./sacli start

Example 2: Suppose you want to disable the Access Server's modification of the ip6tables mangle table. In that case, you would use the following commands:

./sacli  --key="ip6tables.vpn.disable.mangle" --value="True" ConfigPut
./sacli start

You can use the command ./sacli ConfigQuery to view the config and see the current values for each key. The above six config keys are False by default (and treated as False if not defined).

Warning: You should only disable the iptables and ip6tables modifications if you understand the iptables/ip6tables rules added by Access Server (by examining the output of iptables/ip6tables and/or iptables-save/ip6tables-save) and you add your own rules that are equivalent to those automatically added by Access Server. Otherwise, disabling these modifications may render Access Server inoperable.
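One way to do the examination the warning calls for, as an added example that is not part of Access Server or its documentation: compare an iptables-save (or ip6tables-save) dump taken while Access Server's rules are loaded against a baseline dump taken without them, and list what was added per table together with the matching disable key. The function names, the way the baseline is captured, and the sample dumps (including the chain name and addresses) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: list rules in an iptables-save dump that a baseline dump lacks.
# Output: one "table<TAB>rule" record per added chain declaration or rule.
added_rules() {   # usage: added_rules BASELINE_DUMP CURRENT_DUMP
    awk '
        FNR == 1 { table = "" }
        /^\*/ { table = substr($0, 2); next }           # "*nat" opens a table
        /^#/ || /^COMMIT$/ || /^$/ { next }              # comments, COMMIT, blanks
        { sub(/^\[[0-9]+:[0-9]+\] /, "")                 # rule counters (save -c)
          sub(/ \[[0-9]+:[0-9]+\]$/, "") }               # chain counters
        FILENAME == ARGV[1] { seen[table "\t" $0] = 1; next }
        !((table "\t" $0) in seen) { print table "\t" $0 }
    ' "$1" "$2"
}

# Tables that gained rules, printed as the config key that would stop
# Access Server from managing that table. PREFIX is iptables or ip6tables.
keys_needing_equivalents() {   # usage: keys_needing_equivalents PREFIX BASELINE CURRENT
    added_rules "$2" "$3" | cut -f1 | sort -u | sed "s/^/$1.vpn.disable./"
}

# Constructed sample dumps (not real Access Server output; names are made up).
tmp=$(mktemp -d)
cat > "$tmp/baseline.rules" <<'EOF'
*filter
:INPUT ACCEPT [10:840]
:FORWARD DROP [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT
EOF
cat > "$tmp/running.rules" <<'EOF'
*filter
:INPUT ACCEPT [57:4120]
:FORWARD DROP [0:0]
:EXAMPLE_VPN_FWD - [0:0]
-A INPUT -i lo -j ACCEPT
-A FORWARD -j EXAMPLE_VPN_FWD
-A EXAMPLE_VPN_FWD -s 10.8.0.0/24 -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [3:180]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
EOF

added_rules "$tmp/baseline.rules" "$tmp/running.rules"
keys_needing_equivalents iptables "$tmp/baseline.rules" "$tmp/running.rules"
```

Packet and byte counters are stripped before comparison, so a chain whose counters merely advanced is not reported as new. A table that is absent from the baseline shows its built-in chains as added as well.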

For a related resource, refer to “Settings related to iptables” on Advanced Option Settings on the Command Line.