I have got openvpn running on my system with certificates and open to the IP addresses 17.xx.xx.x on the server.
What should I definitely block off from the system so that anyone using the VPN cannot gain access and how should I go about this in the firewall?

I'm guessing to block off intranet access to the webserver.
I have mysql and some mail programs running as well - how can I block those off?

I'm sorry I don't understand what are you trying to do here. You set up the VPN for what? Who are the clients using it and what do you want the clients to use?

When you answer this question of mine, you've also answered your own - you should block everything else - everything you don't want your users to access.

True, it was more about how to go about blocking them, ie the VPN gives clients a 17.x.x.x address, do I block those and do I block ports or what?

The VPN is for clients to connect through so that they get the VPN IP address and can access email from their client, go out to the internet, etc. - it is not a VPN in the typical sense that they are using it to access network folders on the VPN server.
I don't want the client accessing anything on the server at all...just the ability to transmit traffic through it so that the destination websites or servers think they have a different IP much like a proxy server does.
So, do I simply block off access from 17.x.x.x to the localhost network?
I can't block access from 17.x.x.x to the server IP 88.xxx.xxx.xxx because then they couldn't access anything.

Right. When the client is connected to the VPN, he is just connected to a network. A virtual network to be precise. He is not really "on the server" in the sense that he would be allowed to read the server's filesystem or execute any processes.

You need to configure the server to give this "virtual network" special rights e.g. NAT connections from the virtual network so they appear as coming from the server and so on.

I don't think that there is anything to block. You are just allowing more permissions to this virtual network than to the "internet" network. What you don't allow will be blocked by default as is blocked for the "internet" network.

Or am I missing something. Can you give me a specific example about what would you like to block?

Ok.
Let me list the current iptables to give an idea of what is currently blocked an accessible.
The VPN is the tun/tap
I also have some routing setup, the 17.x addresses are the VPN network:
Basically, I just want to ensure that the VPN client has no ability to access the localhost services such as mysql, httpd, postfix, etc.
I realise they will not have command line access to these resources but there might be some localhost things on the webserver like squid cache manager access that they should not have access to. I guess the mysql doesn't matter as it still needs password access.

Did you mean to say that the client IP addresses are 172.16-31.xxx.xxx?
17.xxx.xxx.xxx is in the public IP range.

err...yes
172.16.x.x

If the service is listening on the localhost interface (127.0.0.1), they will not have access (such as squid cache mgr).

If the service is listening on all interfaces (such as httpd, postfix) they will have access, the same access as anyone on the internet - e.g. they will be able to look at your public web-site and send you e-mail.

If I were you, I would write a list of all services (start with output of 'netstat -tlpn') and decide whether you want to allow access or not. And update your firewall script accordingly (the lines that are currently -i tun+ -j ACCEPT)

Sounds fair?

These are the current services.
I don't mind them sending me email, just that I wasnt to stop a spammer accessing the VPN and using the email server to send junk.
These are the current connections:

So I would add a line blocking the ports?
so if source was 172.16.x.x.x DENY to port 3306 (mysql)?

They will not unless you add the 172.16.0.0/24 network to postfix "mynetworks" list.

The guys over at the security forum wouldn't approve

Don't specifically block individual ports and allow everything else. Rather allow what you need allowed and block everything else.

So instead of
put something like
for each service you need allowed for the VPN users in addition to what is already allowed for the internet network. Everything else will be filtered as if it came from the untrusted internet.

The lines
will still allow the desired "NAT" effect - e.g. packets from the VPN will be routed through your server.

R.

That's partially the problem with VPNs and allowing clients running programs on their computers.
They might have a bit of MSN messenger, some random progra using port 1023456 blah blah
You almost have to allow everything and only block what you know.

So, could I do this in a kind of non approving security way because I need to have most ports open:

-A INPUT -i tun+ -m tcp --dport 3306 -j DROP
-A INPUT -i tun+ -m tcp --dport 843 -j DROP
-A INPUT -i tun+ -m tcp --dport 111 -j DROP
-A INPUT -i tun+ -m tcp --dport 5555 -j DROP
-A INPUT -i tun+ -j ACCEPT
-A INPUT -i tap+ -j ACCEPT

While I'm at this, do I really need these services running?
rpc.statd
portmap
python
cupsd
master

Also, I have sshd open to the internet but blocked using a pseudo flood protection:
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 1057 -m state --state NEW -m recent --set --name SSH --rsource
-A INPUT -i eth0 -p tcp -m tcp --dport 1057 -m state --state NEW -m recent --update --seconds 60 --hitcount 2 --rttl --name SSH --rsource -j DROP

In the iptables script above, if someone logged into the vpn, would this bypass the flood protection?