Internal address vpn for ufw (firewall)

Posted: Sat Jun 20, 2015 3:41 pm
by StanislavK
Hello. Help me to solve the problem. I installed SoftEther on a VPS (Ubuntu 14), set up a local bridge, and everything works. I configured ufw (firewall). I want SSH to be reachable only after the VPN connection is established (in ufw, filter on the internal DHCP address of the VPN). But there is no connection. I looked in the ufw logs: it is blocking, because ufw sees my WAN ISP address (not the internal VPN address or the external VPN address). I can not find how to fix it. Thanks for the help.

Re: Internal address vpn for ufw (firewall)

Posted: Sat Jun 20, 2015 4:05 pm
by kh_tsang
I don't recommend this because you may run into problems if the VPN server crashes. If you have a static IP, I think you should put your IP directly into the firewall. Otherwise, use the external firewall provided by the VPS provider so that you can add a firewall rule allowing your IP when you use SSH and remove the rule after use.

Re: Internal address vpn for ufw (firewall)

Posted: Sat Jun 20, 2015 5:17 pm
by StanislavK
Thanks for the advice. In addition to the SSH server there is a service that can only be accessed by VPN users.

Re: Internal address vpn for ufw (firewall)

Posted: Sun Jun 21, 2015 1:38 am
by kh_tsang
You may use a tap device and assign a static IP to it.

Re: Internal address vpn for ufw (firewall)

Posted: Sun Jun 21, 2015 9:54 am
by StanislavK
Hello. Thanks for the answer. Please suggest how to do it; unfortunately I am only starting to understand. Here is my configuration:

ifconfig:
eth0 Link encap:Ethernet HWaddr 02:00:00:0b:56:25
inet addr:149.202.136.25 Bcast:149.202.136.25 Mask:255.255.255.255
inet6 addr: fe80::ff:fe0b:7615/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:225165 errors:0 dropped:0 overruns:0 frame:0
TX packets:215388 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:52659957 (52.6 MB) TX bytes:55214766 (55.2 MB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:906840 errors:0 dropped:0 overruns:0 frame:0
TX packets:906840 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:80771058 (80.7 MB) TX bytes:80771058 (80.7 MB)

tap_soft Link encap:Ethernet HWaddr 00:ac:fd:35:42:5b
inet addr:192.168.7.1 Bcast:192.168.7.255 Mask:255.255.255.0
inet6 addr: fe80::2ac:fdff:fe35:427b/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:234186 errors:0 dropped:0 overruns:0 frame:0
TX packets:107663 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:26655604 (26.6 MB) TX bytes:21447057 (21.4 MB)


ufw status
Status: active

To Action From
-- ------ ----
67 ALLOW Anywhere
53 ALLOW Anywhere
500 ALLOW Anywhere
4500 ALLOW Anywhere
1541/tcp ALLOW 149.202.136.25
1541/tcp ALLOW 192.168.7.0/24
67 (v6) ALLOW Anywhere (v6)
53 (v6) ALLOW Anywhere (v6)
500 (v6) ALLOW Anywhere (v6)
4500 (v6) ALLOW Anywhere (v6)


iptables -t nat -L POSTROUTING --line-numbers
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
1 MASQUERADE all -- 192.168.7.0/24 anywhere
2 MASQUERADE all -- anywhere anywhere
3 MASQUERADE all -- 192.168.7.0/24 anywhere
4 MASQUERADE all -- 192.168.7.0/24 anywhere
5 MASQUERADE all -- 192.168.7.0/24 anywhere
6 MASQUERADE all -- 192.168.7.0/24 anywhere
7 MASQUERADE all -- 192.168.7.0/24 anywhere
8 SNAT all -- 192.168.7.0/24 anywhere to:149.202.136.25


In /etc/ufw/before.rules I tried this, but it failed:
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.7.0/24 -o tap_soft -j MASQUERADE
COMMIT

Thanking you in advance.
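The POSTROUTING listing in the post above carries the same MASQUERADE rule six extra times (the usual result of re-running a setup script) plus a catch-all rule 2 that masquerades everything. The script below is an added example, not part of the thread: it parses that listing (copied inline as constructed sample input) and reports duplicate and catch-all rules, so that this kind of drift is noticed before iptables-save freezes it into rules.v4.

```python
"""Audit an `iptables -t nat -L POSTROUTING --line-numbers` listing."""
import re
from collections import Counter

# Constructed sample: a copy of the listing pasted in the post above.
SAMPLE = """Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
1 MASQUERADE all -- 192.168.7.0/24 anywhere
2 MASQUERADE all -- anywhere anywhere
3 MASQUERADE all -- 192.168.7.0/24 anywhere
4 MASQUERADE all -- 192.168.7.0/24 anywhere
5 MASQUERADE all -- 192.168.7.0/24 anywhere
6 MASQUERADE all -- 192.168.7.0/24 anywhere
7 MASQUERADE all -- 192.168.7.0/24 anywhere
8 SNAT all -- 192.168.7.0/24 anywhere to:149.202.136.25
"""

# num target prot opt source destination [extra options such as to:...]
RULE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_rules(listing):
    """Return [(rule_number, key)] where key is the rule minus its number."""
    rules = []
    for line in listing.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # chain header and column header lines do not match
        num, target, prot, opt, src, dst, extra = m.groups()
        rules.append((int(num), (target, prot, opt, src, dst, (extra or "").strip())))
    return rules


def find_duplicates(rules):
    """Map every rule key seen more than once to the rule numbers carrying it."""
    counts = Counter(key for _, key in rules)
    return {k: [n for n, key in rules if key == k] for k, c in counts.items() if c > 1}


def find_catch_all(rules):
    """Rule numbers that match any source and any destination (no interface shown)."""
    return [n for n, (_t, _p, _o, src, dst, _x) in rules if src == dst == "anywhere"]


def report(listing):
    """Human-readable findings for the given listing."""
    rules = parse_rules(listing)
    lines = [f"rules {nums} are identical: {' '.join(k[:5])}" for k, nums in find_duplicates(rules).items()]
    lines += [f"rule {n} is a catch-all (source and destination anywhere)" for n in find_catch_all(rules)]
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```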

Re: Internal address vpn for ufw (firewall)

Posted: Sun Jun 21, 2015 2:51 pm
by kh_tsang
I don't know how to use ufw, but I would use iptables-persistent instead of ufw.

I assume you filter traffic at the external firewall for traffic from the internet.

sudo su
apt-get remove ufw
iptables -F
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -N vpn_input
# Send everything arriving on the tap interface to the vpn_input chain
iptables -A INPUT -i tap_soft -j vpn_input
iptables -A vpn_input -p tcp --dport <tcp port that you want to allow> -j ACCEPT
...
iptables -A vpn_input -p udp --dport <udp port that you want to allow> -j ACCEPT
...
iptables -A vpn_input -p <custom protocol number that you want to allow> -j ACCEPT
...
iptables -A vpn_input -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Drop other traffic; you may use REJECT if you want (this rule must be the last in the vpn_input chain)
iptables -A vpn_input -j DROP

Choose one of 1 and 2:
1. iptables -t nat -A POSTROUTING -s 192.168.7.0/24 -o eth0 -j SNAT --to-source 149.202.136.25
2. iptables -t nat -A POSTROUTING -s 192.168.7.0/24 -o eth0 -j MASQUERADE

apt-get install iptables-persistent
iptables-save > /etc/iptables/rules.v4

Re: Internal address vpn for ufw (firewall)

Posted: Mon Jun 22, 2015 8:32 pm
by StanislavK
kh_tsang, thank you very much. I'll try your way, if it does not deal with ufw. Have a nice day. Thanks again.