When using a local VPN server, it is advisable to segregate internal and external network traffic over different interfaces. The usual configuration is to have internal traffic over eth0 and external traffic over tun0.
To ensure that external traffic does not go over the wrong interface, use the following rules (change the internal network address range and target VPN port as needed):

```sh
echo "*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

# Allow loopback (lo) traffic
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

# Allow ping and ICMP error returns
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow local network traffic
-A INPUT -s 255.255.255.255/32 -j ACCEPT
-A OUTPUT -d 255.255.255.255/32 -j ACCEPT
-A INPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
-A OUTPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT

# Allow DNS resolution
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT

# Allow SSH
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

# Allow UDP traffic on port 1194 (OpenVPN)
-A OUTPUT -p udp -m udp --dport 1194 -j ACCEPT

# Allow tunX interface traffic
-A INPUT -i tun+ -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT

# Drop anything else
-A INPUT -j DROP
-A FORWARD -j DROP
-A OUTPUT -j DROP
COMMIT
" > /tmp/iptables.tmp
sudo iptables-restore < /tmp/iptables.tmp
rm /tmp/iptables.tmp
```
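The ruleset above is only a kill switch if two properties hold after every edit: each chain still ends in an unconditional DROP, and no OUTPUT ACCEPT has crept in that is not bound to lo, the tunnel, the internal range, DNS, the VPN port or the SSH reply. The script below is an added example, not part of the original post: `gen_rules` emits the same ruleset parameterised by internal network, VPN port and LAN interface, and `audit_rules` checks those two invariants on a ruleset before it is handed to `iptables-restore`. The function names and the sample values (192.168.0.0/16, port 1194, eth0) are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the original post). Assumed helper names: gen_rules, audit_rules.

# gen_rules INTERNAL_NET VPN_PORT LAN_IF  -> iptables-restore ruleset on stdout
gen_rules() {
    net="$1"; vpnport="$2"; lan="$3"
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# loopback
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# ping in, plus replies to anything this host started
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# broadcast and the internal network
-A INPUT -s 255.255.255.255/32 -j ACCEPT
-A OUTPUT -d 255.255.255.255/32 -j ACCEPT
-A INPUT -s $net -d $net -j ACCEPT
-A OUTPUT -s $net -d $net -j ACCEPT
# DNS
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
# SSH on the LAN interface only
-A INPUT -i $lan -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o $lan -p tcp -m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
# the VPN control channel itself
-A OUTPUT -p udp -m udp --dport $vpnport -j ACCEPT
# everything else goes through the tunnel
-A INPUT -i tun+ -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
# default deny
-A INPUT -j DROP
-A FORWARD -j DROP
-A OUTPUT -j DROP
COMMIT
EOF
}

# audit_rules INTERNAL_NET VPN_PORT  (ruleset on stdin)
# Returns 0 when both kill-switch invariants hold, 1 with findings on stderr:
#   1. INPUT, FORWARD and OUTPUT each end in an unconditional DROP.
#   2. Every OUTPUT ACCEPT is bound to lo, tun+, broadcast, the internal net,
#      DNS, the VPN port or the SSH reply; any other OUTPUT ACCEPT is a leak path.
audit_rules() {
    net="$1"; vpnport="$2"
    rules=$(cat)
    status=0
    for chain in INPUT FORWARD OUTPUT; do
        last=$(printf '%s\n' "$rules" | grep "^-A $chain " | tail -n 1)
        [ "$last" = "-A $chain -j DROP" ] || {
            echo "FAIL: chain $chain does not end in DROP" >&2; status=1; }
    done
    # keep only OUTPUT ACCEPT lines, then strip every permitted binding; whatever
    # is left is an accept that would let traffic out over an arbitrary interface
    leaks=$(printf '%s\n' "$rules" | grep '^-A OUTPUT .*-j ACCEPT$' | grep -v \
        -e ' -o lo ' -e ' -o tun+ ' -e " -d $net " -e ' -d 255\.255\.255\.255/32 ' \
        -e ' --dport 53 ' -e " --dport $vpnport " -e ' --sport 22 ' || true)
    if [ -n "$leaks" ]; then
        printf 'FAIL: OUTPUT ACCEPT not bound to a permitted path:\n%s\n' "$leaks" >&2
        status=1
    fi
    return $status
}

# Offline self-check with the constructed sample values; the load step itself would be
#   gen_rules 192.168.0.0/16 1194 eth0 > /tmp/iptables.tmp
#   audit_rules 192.168.0.0/16 1194 < /tmp/iptables.tmp && sudo iptables-restore < /tmp/iptables.tmp
gen_rules 192.168.0.0/16 1194 eth0 | audit_rules 192.168.0.0/16 1194 && echo "ruleset passes audit"
```

Running the audit before `iptables-restore` catches the two mistakes that most often turn a kill switch into an open firewall: a DROP line lost while editing, and a convenience rule such as `-A OUTPUT -p tcp --dport 443 -j ACCEPT` that silently re-opens the physical interface.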
To make the rules permanent, follow the instructions in Make IPTables Rules Permanent.
Also, ensure that the ufw service is disabled, as its rules can override those above and permit application access over the incorrect interface.

```sh
sudo update-rc.d ufw remove
```