Jump to content

ufw martial-arts master wanted...


Recommended Posts

Hello all, first post here on the forms... I am having an issue with my ufw rules on routing vpn traffic to/from my LAN. I followed the “OpenVPN from scratch” and changed the server.conf to allow LAN resource sharing over my tun0 connection. I included what I added in the server.conf file. If I disable the ufw service, I can successfully share my resources over my vpn connection. My issue is that, I lack the true ufw-fu... I have looked into the wild and found some iptables rules that look solid, but I do not yet have the experience to translate them into a usable ufw format... I want to learn and know this is platform.

 

———————MyConfigs———————

nano server.conf

 

dh2048.pem

dev tun

topology subnet

10.8.0.0 255.255.255.0

redirect-gateway

DNS

(change DNS addresses to google) 8.8.8.8 8.8.4.4

nobody (user and group)

push "route 192.168.1.0 255.255.255.0"

save

 

nano /etc/sysctl.conf

uncomment net.ipv4.ip_forward

save

 

ufw allow 1194/udp

 

nano /etc/default/ufw

change DEFAULT_FORWARD_POLICY="ACCEPT"

save

 

nano /etc/ufw/before.rules

 

add the follow toward the top:

*nat

:POSTROUTING ACCEPT [0.0]

-A POSTROUTING -s 10.8.0.0/8 -o ens33 -j MASQUERADE

COMMIT

save

 

ufw status

ufw enable

y

ufw status

 

https://m.youtube.com/watch?v=XcsQdtsCS1U&autoplay=1

———————MyConfigs———————

 

———————FromTheWild———————

# Allow traffic initiated from VPN to access LAN

    iptables -I FORWARD -i tun0 -o eth0 -s 10.8.0.0/24 -d 192.168.1.0/24 -m conntrack --ctstate NEW -j ACCEPT

 

    # Allow traffic initiated from VPN to access "the world"

    iptables -I FORWARD -i tun0 -o eth1 -s 10.8.0.0/24 -m conntrack --ctstate NEW -j ACCEPT

 

    # Allow traffic initiated from LAN to access "the world"

    iptables -I FORWARD -i eth0 -o eth1 -s 192.168.1.0/24 -m conntrack --ctstate NEW -j ACCEPT

 

    # Allow established traffic to pass back and forth

    iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

 

    # Notice that -I is used, so when listing it (iptables -vxnL) it

    # will be reversed.  This is intentional in this demonstration.

 

    # Masquerade traffic from VPN to "the world" -- done in the nat table

    iptables -t nat -I POSTROUTING -o eth1 -s 10.8.0.0/24 -j MASQUERADE

 

    # Masquerade traffic from LAN to "the world"

    iptables -t nat -I POSTROUTING -o eth1 -s 192.168.1.0/24 -j MASQUERADE

 

https://community.openvpn.net/openvpn/wiki/BridgingAndRouting

———————FromTheWild———————

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...