how to allow tun/tap device in firewall?
 

hello,
i'm using suse 9.3 with firewall enabled.
openvpn could connect to each other successfully, but i can't ping each other, except
when i stop the firewall in each computer.
i want to know how to open tap/tun device in firewall to solve this.
or do any of you have other solution?

thank you very much

simply allow anything from the subnet you use for openvpn
ie: openvpn will hand out 10.0.5.x addesses
add on the client / server
on any routers inbetween
if the OUTPUT chain of the pc's is restricted add a rule there too

once that works you can start restricting, ie. DROP certain ports, etc


you couldl also post your iptables here for us to help you somewhat better.

hi, thanks for reply
i did something about it yesterday, but i think it's not the right solution, because now i saw the summary
of the firewall about "internal network is not protected". what i did yesterday are:

in the susefirewall_custom file, i added the lines:
and in susefirewall2 file, i added the lines
the vpn connection are connected, and i can ping each other now,
but i'm affraid that there will be security breach on the firewall

i will try your suggestion, and thank you for that,
btw, do you know more about openvpn?

btw,
you want me to post the iptables list here,
how can i do that? i mean, i don't know the command to do that,
thanks

iptables -L
or
iptables-save

about openvpn - i use it on a daily bases

hi, thx for the reply,
the iptables seems so large, but here it is:

well, i have so much to ask about openvpn. at first i used openvpn in windows, but then i turned to
hate windows, so i have to use linux.

you need to allow traffic from tap0/tun0 depending on what you are using
or allow the subnets.

you could send me you iptables-save -t filter

also: i personally would advise you to use iptables directly rather than a gui, since this will give you a lot more understanding of what is going on, and how your firewall works (only in case you are up for that)
read: http://iptables-tutorial.frozentux.n...-tutorial.html

also: you can clear out your firewall, and slowly add things in again, this would tell you which rules need adding/moving/modifying

hi, this is my iptables-save -t list,
i still can't figure out what this all about

btw, i used the firewall gui to set the firewall and the tun0 device, but in the summary it
states that device not found or something,
thanks again

that is your firewall man! reading your rules can solve the prob.
i take it these are your client rules right?
could you tell me what version of openvpn you are running, if you are using tun adaptors or tap adapter and
the port openvpn is using, and the protocol?

for this you can look in your openvpn config file for
1. port
2. proto
3. dev

also perhaps you could post following from your server

iptables-save -t filter

hi,
wow, you're really fast, and yes that was from the client

i'm using openvpn 2.0, and i installed it by doing rpmbuild first

port 1194
proto udp
dev tun

btw, i did something to the server.conf file (i post it below too), and now i could ping the server's internal
ip. almost forgot, the client internal lan is 192.168.2.0/255.255.255.0, the server internal lan is
192.168.1.0/255.255.255.0. when connected, there will be new ip for tun0 in server which is 192.168.3.1
and for the client 192.168.3.6 (stated in server.conf and client.conf)
right now, the client could ping server's internal ip (192.168.1.4) but the server could not ping client's
internal ip (192.168.2.4), and the manual says that i have to enable ip forwarding so the lan from client could
access the lan in server and vice versa, but i don't know how to enable ip forwarding

server.conf
client.conf
the iptables-save from server:
btw, if I want to change any of above firewall settings, which file must i edit?

thank you for your help

on server: you can kick out the line for tcp traffic on port 1194, this is not needed since your ovpn server is listening to udp protocol.
i would set openvpn to use the tap addapter
just change tun to tap in both config files
you enable ipforwarding by
echo 1 > /proc/sys/net/ipv4/ip_forward
disable ipforwarding by replacing the 1 with a 0 (zero)

you need rules in your forwarding table which allows traffic between eth0 eth1 AND tun0 (of if you should chagne from tun to tap, you need rules to allow from eth0 eth1 and tap0)

seriously, read this document (pick the topics you want to read) and run the suff yourself
http://iptables-tutorial.frozentux....s-tutorial.html

hi,
i changed the configuration in server.conf and client.conf according to your
suggestion, and i will try it right away,
btw, from the openvpn manual, it says that to use bridging, then i have to
"bridge" the eth0 and tap0, i don't understand about this in linux, as in windows
it's so easy, but, no more windows.
thanks,

bridging and routing are 2 different things
when you bridge, you are basically making a switch
eth0 and tap0 do not have the addresses anymore, but the bridge will (this divice is then called br0) have one address.
how it works is really simple and easy to get your head around.

i have used both, bridging and routing in an openvpn environment
successfully