Tunnel Your Internet Traffic Through an OpenVPN Server
Traducciones al EspañolEstamos traduciendo nuestros guías y tutoriales al Español. Es posible que usted esté viendo una traducción generada automáticamente. Estamos trabajando con traductores profesionales para verificar las traducciones de nuestro sitio web. Este proyecto es un trabajo en curso.
This guide will show you how to configure an OpenVPN server to forward incoming traffic to the internet, then route the responses back to the client.
Commonly, a VPN tunnel is used to privately access the internet, evading censorship or geolocation by shielding your computer’s web traffic when connecting through untrusted hotspots, or connections.
Before You Begin
This guide is the second-part of a three-part series on setting up a hardened OpenVPN environment. The guide assumes that you already have an OpenVPN server running. If you do not: complete part one of the series: Set Up a Hardened OpenVPN Server with Debian. If you found this page looking for information about VPN client device configuration, see Part Three: Configuring OpenVPN Client Devices.
OpenVPN Configuration
OpenVPN’s server-side configuration file is: /etc/openvpn/server.conf, and requires editing to optimize its efficiency.
Switch from your standard user account to the
rootuser:sudo su - rootSet OpenVPN to push a gateway configuration, so all clients send internet traffic through it.
cat >> /etc/openvpn/server.conf << END # Clients are to use this server as a network gateway. push "redirect-gateway def1 bypass-dhcp" ENDPush DNS resolvers to client devices. OpenDNS is provided by OpenVPN’s
client.ovpntemplate file.cat >> /etc/openvpn/server.conf << END # Push these DNS addresses to clients. push "dhcp-option DNS 208.67.222.222" push "dhcp-option DNS 208.67.220.220" END
Append Networking Rules
In Part One of this series, we set iptables rules so the OpenVPN server could only accept client connections, SSH, and make system updates, all over IPv4. IPv6 was disabled since OpenVPN doesn’t support using both transport layers simultaneously. Leaving IPv6 disabled here prevents leaking v6 traffic which would otherwise be sent separately from your VPN’s v4 tunnel.
Blank the v4 ruleset that you created in part one of this series.
true > /etc/iptables/rules.v4Create a new IPv4 rule file using the ruleset below. The path
/etc/iptables/rules.v4assumes Debian or Ubuntu withiptables-persistentinstalled.- File: /etc/iptables/rules.v4
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54*filter # Allow all loopback (lo) traffic and reject traffic # to localhost that does not originate from lo. -A INPUT -i lo -j ACCEPT -A INPUT ! -i lo -s 127.0.0.0/8 -j REJECT -A OUTPUT -o lo -j ACCEPT # Allow ping and ICMP error returns. -A INPUT -p icmp -m state --state NEW --icmp-type 8 -j ACCEPT -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT -A OUTPUT -p icmp -j ACCEPT # Allow SSH. -A INPUT -i eth0 -p tcp -m state --state NEW,ESTABLISHED --dport 22 -j ACCEPT -A OUTPUT -o eth0 -p tcp -m state --state ESTABLISHED --dport 22 -j ACCEPT # Allow UDP traffic on port 1194. -A INPUT -i eth0 -p udp -m state --state NEW,ESTABLISHED --dport 1194 -j ACCEPT -A OUTPUT -o eth0 -p udp -m state --state ESTABLISHED --dport 1194 -j ACCEPT # Allow DNS resolution and limited HTTP/S on eth0. # Necessary for updating the server and keeping time. -A INPUT -i eth0 -p udp -m state --state ESTABLISHED --dport 53 -j ACCEPT -A OUTPUT -o eth0 -p udp -m state --state NEW,ESTABLISHED --dport 53 -j ACCEPT -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED --dport 53 -j ACCEPT -A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED --dport 53 -j ACCEPT -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED --dport 80 -j ACCEPT -A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED --dport 80 -j ACCEPT -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED --dport 443 -j ACCEPT -A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED --dport 443 -j ACCEPT # Allow traffic on the TUN interface. -A INPUT -i tun0 -j ACCEPT -A FORWARD -i tun0 -j ACCEPT -A OUTPUT -o tun0 -j ACCEPT # Allow forwarding traffic only from the VPN. -A FORWARD -i tun0 -o eth0 -s 10.89.0.0/24 -j ACCEPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # Log any packets which don't fit the rules above... # (optional but useful) -A INPUT -m limit --limit 3/min -j LOG --log-prefix "iptables_INPUT_denied: " --log-level 4 -A FORWARD -m limit --limit 3/min -j LOG --log-prefix "iptables_FORWARD_denied: " --log-level 4 -A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "iptables_OUTPUT_denied: " --log-level 4 # then reject them. -A INPUT -j REJECT -A FORWARD -j REJECT -A OUTPUT -j REJECT COMMIT
Import the new ruleset:
iptables-restore < /etc/iptables/rules.v4Apply the routing rule so that traffic can leave the VPN. This must be done after
iptables-restorebecause that directive doesn’t take a table option:iptables -t nat -A POSTROUTING -s 10.89.0.0/24 -o eth0 -j MASQUERADESave the currently loaded rules with
iptables-persistent:dpkg-reconfigure iptables-persistentThe kernel must then be told it can forward incoming IPv4 traffic:
echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.d/99-sysctl.confActivate the sysctl change:
sysctl -pRestart OpenVPN and exit the
rootuser account:systemctl restart openvpn* exit
Next Steps
Server-side configuration is complete but now the VPN clients need to be set up. Move on to part three: Configuring OpenVPN Client Devices.
More Information
You may wish to consult the following resources for additional information on this topic. While these are provided in the hope that they will be useful, please note that we cannot vouch for the accuracy or timeliness of externally hosted materials.
This page was originally published on