With an openvpn tunnel that uses a tun device, what iptables rules allow the encapsulated traffic through and what rules control the packets after encapsulation? Basically, I am wondering how the order of operations works with iptables and openvpn as well as how this relates to the chains.
Plaintext traffic will go in and out of the tunX devices; you may find the -i tun+ and -o tun+ options to iptables, which match any tun interface, useful in handling that. Encrypted traffic will be UDP/TCP on port 1194, or otherwise, as you have specified, on your ethernet interface. When filtering traffic into the server, don't forget to allow the OpenVPN encrypted packets.
And as for chains, encrypted traffic coming in is considered to terminate on the OpenVPN server, so that's the INPUT chain; encrypted traffic leaving is considered to have originated on the server, so that's the OUTPUT chain. Traffic passing between your internal network and the tunX interfaces is the responsibility of the FORWARD chain.

For traffic coming through the tunnel, you just need to set up FORWARD rules to allow the traffic from the tun interface to the eth interface. For example, the following rule allows access from tun0 to RDP for a specific range:
-A FORWARD -i tun0 -p tcp --dport 3389 -d 192.168.0.0/24 -j ACCEPT
After the forward rules, if you have an established/related rule on the eth interface, it will allow the traffic back through.
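To tie the chains together in one place, here is an added example (not from the original answers) that emits a complete iptables-restore ruleset following the order of operations described above: the encrypted OpenVPN packet is accepted in INPUT, the decrypted packet reappears on a tun interface and is routed through FORWARD, and the LAN's replies ride back on the ESTABLISHED,RELATED rule. The interface name eth0, UDP/1194, the 192.168.0.0/24 LAN and the RDP/SSH destinations are assumptions chosen to match the rule above; adjust them for your setup.

```bash
#!/bin/sh
# Assumptions (not from the original page): eth0 is the interface facing both
# the Internet and the LAN, OpenVPN listens on UDP/1194, the LAN is
# 192.168.0.0/24, and tunnel clients may reach RDP and SSH on the LAN.
WAN_IF="${WAN_IF:-eth0}"
VPN_PROTO="${VPN_PROTO:-udp}"
VPN_PORT="${VPN_PORT:-1194}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"

# Packet flow, as enforced by this ruleset:
#  1. encrypted UDP/1194 arrives on eth0 -> routing decision -> INPUT (local)
#  2. openvpn decrypts and writes the inner packet to tun0
#  3. the inner packet is a new arrival on tun0 -> routing -> FORWARD -> eth0
#  4. the LAN reply enters eth0 -> FORWARD (ESTABLISHED) -> tun0
#  5. openvpn encrypts it; the UDP packet leaves via OUTPUT on eth0
openvpn_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# -- INPUT: encrypted tunnel packets terminate on this host --
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $WAN_IF -p $VPN_PROTO --dport $VPN_PORT -j ACCEPT
# -- FORWARD: decrypted packets from tun+ routed to the LAN --
# The conntrack rule comes first so LAN replies (eth0 -> tun+) pass
# without needing a mirror of every per-service rule below.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i tun+ -o $WAN_IF -p tcp --dport 3389 -d $LAN_NET -j ACCEPT
-A FORWARD -i tun+ -o $WAN_IF -p tcp --dport 22 -d $LAN_NET -j ACCEPT
COMMIT
EOF
}

# Count how many per-interface FORWARD rules the ruleset carries; a quick
# sanity check that nothing was lost when the variables were substituted.
forward_rule_count() {
    openvpn_ruleset | grep -c '^-A FORWARD -i tun+'
}

# Load the ruleset into the kernel. Requires root and iptables-restore, and
# forwarding must be enabled (net.ipv4.ip_forward=1) for step 3 to happen.
apply_ruleset() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_ruleset: must run as root" >&2
        return 1
    fi
    command -v iptables-restore >/dev/null 2>&1 || {
        echo "apply_ruleset: iptables-restore not found" >&2
        return 1
    }
    openvpn_ruleset | iptables-restore
}

case "${1:-}" in
    apply) apply_ruleset ;;
    *)     openvpn_ruleset ;;   # default: print the ruleset for review
esac
```

Run it without arguments to review the generated rules, or `sh rules.sh apply` as root to load them. Two caveats a practitioner will hit: ip_forward must be enabled on the server, and the LAN hosts need a route for the VPN client subnet back through the OpenVPN server (or the server must NAT the tunnel traffic), otherwise the replies in step 4 never reach eth0 to match the ESTABLISHED rule.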