LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 05-29-2020, 12:36 AM   #1
rkelsen
Senior Member
 
Registered: Sep 2004
Distribution: slackware
Posts: 4,421
Blog Entries: 7

OpenVPN & firewall rules for mobile "road warrior" type setups


Hi Gang,

I'm hoping you guys can offer some tips or advice about setting up iptables for use with OpenVPN.

We have a hardware firewall which blocks all incoming traffic, except for port 1194 (udp) which is forwarded to our OpenVPN server (running Linux).

Our OpenVPN server is set up to require PKI (we used EasyRSA on an unconnected computer to generate the keys), TLS authentication/HMAC filter, and AES 256 bit cipher.

We're seeing strange IP addresses in the logs attempting to authenticate (and failing)... not being hammered, just one-off "pings" every 5 or 6 hours or thereabouts.

So I'd like to set up iptables properly on the server. I've already set it up to drop packets from all networks using the first two octets of the IP addresses we've seen so far.

The question I have is this: We have mobile staff who regularly connect to the VPN using mobile devices (i.e. mostly 4G). I don't know that much about the inner workings of 4G, but I assume that their IP addresses will be constantly changing. So the question is: How do we write rules which will allow them to connect and block the rest of the world?

I'd greatly appreciate any pointers.

Happy Friday & have a nice weekend!
 
Old 05-29-2020, 12:48 AM   #2
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 19,872
Blog Entries: 12

A really good tutorial for iptables:
https://wiki.archlinux.org/index.php...teful_firewall
 
1 members found this post helpful.
Old 05-29-2020, 07:56 PM   #3
tinfoil3d
Member
 
Registered: Apr 2020
Location: Japan/RJCC
Distribution: debian, lfs, whatever else i need in qemu
Posts: 268

Check out whois for their IPs to determine the subnets they might be coming from and add those to permit rules.
OR, a wiser solution: change the port to a non-standard one above 10k.
 
1 members found this post helpful.
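Added example for the question in post #1 and the port suggestion in post #3; this is not code from the thread or from any poster. Mobile clients behind carrier NAT have no fixed source address, so they cannot be allow-listed by IP: the OpenVPN port has to stay reachable from anywhere, and the tls-auth HMAC already rejects unauthenticated probes cheaply. What the firewall can still do is drop a hand-maintained blocklist, rate-limit new handshakes per source address, log the excess and keep everything else closed. The script below generates that ruleset in iptables-restore format; the LAN range 192.168.1.0/24, the SSH rule and the tun0 interface name are assumptions, and the port is a variable so it can be moved as post #3 suggests. It only prints rules and never touches the running firewall.

```shell
#!/bin/sh
# Added example, not code from the thread: emit an iptables-restore ruleset for
# an OpenVPN server whose clients roam on mobile networks. Their source
# addresses cannot be allow-listed, so UDP/$OPENVPN_PORT stays reachable from
# anywhere and the firewall instead (1) drops a hand-maintained blocklist,
# (2) rate-limits NEW handshakes per source address and (3) logs the excess.
# Assumed values (not from the thread): LAN 192.168.1.0/24 for admin SSH, tun0
# as the tunnel interface. Nothing is applied here; the operator pipes the
# output into iptables-restore.

OPENVPN_PORT="${OPENVPN_PORT:-1194}"   # 1194/udp as in the thread; e.g. 21194 to move it
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed admin network
TUN_IF="${TUN_IF:-tun0}"               # assumed tunnel interface

# gen_ruleset BLOCKLIST_FILE -> iptables-restore text on stdout.
# BLOCKLIST_FILE: one CIDR per line (e.g. the /16s the poster already drops);
# blank lines and '#' comments are ignored; /dev/null gives an empty chain.
gen_ruleset() {
    blocklist="$1"
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]' \
        ':OVPN_BLOCK - [0:0]'
    while read -r cidr; do
        case "$cidr" in ''|'#'*) continue ;; esac
        printf '%s\n' "-A OVPN_BLOCK -s $cidr -j DROP"
    done < "$blocklist"
    cat <<EOF
-A INPUT -i lo -j ACCEPT
-A INPUT -j OVPN_BLOCK
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# OpenVPN: first packet of a new flow from any address, burst 10 then 6/min per source IP
-A INPUT -p udp --dport $OPENVPN_PORT -m conntrack --ctstate NEW -m hashlimit --hashlimit-name ovpn --hashlimit-mode srcip --hashlimit-upto 6/minute --hashlimit-burst 10 -j ACCEPT
# anything above that limit is logged (the log itself rate-limited) and dropped
-A INPUT -p udp --dport $OPENVPN_PORT -m limit --limit 3/minute -j LOG --log-prefix "OVPN-RATELIMIT: "
-A INPUT -p udp --dport $OPENVPN_PORT -j DROP
# admin access only from the LAN; VPN clients may reach the server over the tunnel
-A INPUT -s $LAN_NET -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $TUN_IF -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Stand-alone use: sh gen-ovpn-rules.sh /etc/ovpn-blocklist.txt | iptables-restore --test
if [ -n "${1:-}" ]; then
    gen_ruleset "$1"
fi
```

Check the output with `iptables-restore --test` before loading it for real. The hashlimit rule only counts the first packet of each new UDP flow, so a phone that reconnects a few times after a cell handover stays far below 6 per minute, while a scanner cycling source ports is throttled and shows up in the kernel log under the OVPN-RATELIMIT prefix. Blocklisting whole /16s taken from whois, as posts #1 and #3 discuss, carries the risk that the range also covers the mobile carrier your own staff use, so keep that list short and review it.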
Old 05-29-2020, 08:17 PM   #4
ferrari
LQ Guru
 
Registered: Sep 2003
Location: Auckland, NZ
Distribution: openSUSE Leap
Posts: 5,779

FWIW, I have a script on a gateway router that detects failed vpn connection attempts captured in the logs and subsequently adds those source addresses to a blacklist, and such packets are then dropped. Helps me sleep at night.

Last edited by ferrari; 05-29-2020 at 08:18 PM.
 
1 members found this post helpful.
Old 05-30-2020, 01:33 AM   #5
rkelsen
Senior Member
 
Registered: Sep 2004
Distribution: slackware
Posts: 4,421

Original Poster
Blog Entries: 7

Quote (originally posted by ferrari):
FWIW, I have a script on a gateway router that detects failed vpn connection attempts captured in the logs and subsequently adds those source addresses to a blacklist, and such packets are then dropped. Helps me sleep at night.
Hey Mr. Ferrari, would you care to share your script?
 
Old 05-30-2020, 04:15 AM   #6
ferrari
LQ Guru
 
Registered: Sep 2003
Location: Auckland, NZ
Distribution: openSUSE Leap
Posts: 5,779

Mine is for a Mikrotik router, and designed to trawl through a log for failed connection attempts (PPTP and IPSec).

Below is a how-to for using fail2ban on a Linux OpenVPN server that might be of more value to you...

https://www.fail2ban.org/wiki/index....n_with_OpenVPN
 
1 members found this post helpful.
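Added example for the log-driven blacklist ferrari describes in post #4 and the fail2ban route in post #6; it is neither ferrari's MikroTik script nor fail2ban's filter. It scans an OpenVPN server log for failed or unauthenticated handshakes, counts them per source address and lists the addresses that reached a threshold, which is exactly the input such a blacklist needs. The log lines are constructed for the example (the message texts follow the shapes OpenVPN logs for tls-auth and TLS failures); IPv4 only.

```shell
#!/bin/sh
# Added example, not ferrari's script or fail2ban's filter: scan an OpenVPN
# server log (on stdin) for failed handshakes and list the source addresses
# that failed at least THRESHOLD times, i.e. candidates for a blocklist.
# The sample log below is constructed for the example. IPv4 only.

# blocklist_candidates THRESHOLD  (log on stdin)  ->  "ip count" per line,
# most failures first.
blocklist_candidates() {
    threshold="${1:-3}"
    awk -v t="$threshold" '
        # only lines that record a failed or unauthenticated handshake
        /TLS Error|VERIFY ERROR|tls-crypt unwrap error/ {
            ip = ""
            if (match($0, /\[AF_INET6?][0-9.]+:[0-9]+/)) {
                # form 1: "... from [AF_INET]203.0.113.45:51532"
                ip = substr($0, RSTART, RLENGTH)
                sub(/^\[AF_INET6?]/, "", ip)
                sub(/:[0-9]+$/, "", ip)
            } else if (match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+ (TLS|VERIFY)/)) {
                # form 2: "... 203.0.113.45:51532 TLS Error: TLS handshake failed"
                ip = substr($0, RSTART, RLENGTH)
                sub(/:.*/, "", ip)
            }
            if (ip != "") n[ip]++
        }
        END { for (ip in n) if (n[ip] >= t) print ip, n[ip] }
    ' | sort -k2,2nr -k1,1
}

# Constructed sample log (not real traffic): one source probing three times,
# one probing once, and a legitimate client connecting.
sample_log() {
    cat <<'EOF'
May 29 03:12:07 vpn ovpn-server[1234]: 203.0.113.45:51532 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]203.0.113.45:51532
May 29 03:12:09 vpn ovpn-server[1234]: 203.0.113.45:51532 TLS Error: TLS handshake failed
May 29 08:40:11 vpn ovpn-server[1234]: 203.0.113.45:51540 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]203.0.113.45:51540
May 29 09:01:02 vpn ovpn-server[1234]: 198.51.100.7:40001 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]198.51.100.7:40001
May 29 09:30:00 vpn ovpn-server[1234]: 192.0.2.20:1194 TLS: Initial packet from [AF_INET]192.0.2.20:1194, sid=0a1b2c3d 4e5f6071
May 29 09:30:02 vpn ovpn-server[1234]: 192.0.2.20:1194 [client1] Peer Connection Initiated with [AF_INET]192.0.2.20:1194
EOF
}

# Stand-alone use: sh ovpn-fails.sh /var/log/openvpn.log 3
# With no argument the constructed sample is scanned with threshold 2.
if [ -n "${1:-}" ]; then
    blocklist_candidates "${2:-3}" < "$1"
else
    sample_log | blocklist_candidates 2
fi
```

The two line shapes matched by the awk program, with the address replaced by fail2ban's `<HOST>` token, are what a fail2ban failregex for OpenVPN looks for, so the linked how-to automates the same detection with a ban timer instead of a permanent list. The threshold matters with a road-warrior fleet: a single failed handshake from a mobile carrier's NAT pool is not worth a ban, because the next client behind that address may be a member of staff.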
All times are GMT -5.