Installing OpenVPN with Shorewall in Ubuntu – Part 2
If you haven’t gone through the OpenVPN installation part yet, see Part 1.
Now we have a client connected to the server with IP address 10.8.0.17. Next the server must forward the client’s packets that are destined for the internet and rewrite their source address to the server’s public IP, which is what NAT (masquerading) does.
I’m using Shorewall for this because I’m more comfortable with it than with managing iptables directly.
Installing Shorewall
[box]sudo su
apt-get install shorewall
cd /etc/shorewall[/box]
Edit the Shorewall config file and enable IP forwarding. Without it the kernel will not forward packets from tun0 to eth0, so the VPN clients would reach the server but nothing beyond it.
[box]nano shorewall.conf[/box]
[box]IP_FORWARDING=On[/box]
Define zones
/etc/shorewall/zones
[box]
#ZONE   TYPE       OPTIONS   IN        OUT
#                            OPTIONS   OPTIONS
fw      firewall
net     ipv4
ovpn    ipv4
[/box]
fw is the firewall zone, i.e. the server itself, where the OpenVPN server runs. net is the internet and ovpn is the VPN network.
Assign interfaces to zones
/etc/shorewall/interfaces
The network interfaces present on the server need to be assigned to zones. net carries all internet traffic in and out, so it is assigned to eth0; tun0 (the OpenVPN tunnel) is assigned to our custom ovpn zone. The routeback option on tun0 is what allows traffic that arrives on tun0 to be sent back out on tun0, which is needed for one VPN client to reach another through the server.
[box]nano interfaces[/box]
[box]
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      blacklist,nosmurfs
ovpn    tun0        detect      routeback
[/box]
Basic Policy
/etc/shorewall/policy
A basic policy is defined to control the network traffic between the zones.
Traffic from the firewall to:
- the internet is permitted
- ovpn is permitted
Traffic from the ovpn (OpenVPN network) to:
- another vpn client is permitted
- the internet is permitted
- the firewall is denied
Traffic from the internet to:
- the firewall is denied
- ovpn is denied
Any traffic between zones that is not matched by one of the policies above (whether by accident or on purpose) is rejected by the final catch-all policy, which must stay last.
[box]
#SOURCE   DEST    POLICY   LOG     LIMIT:   CONNLIMIT:
#                          LEVEL   BURST    MASK
# From Firewall Policy
fw        fw      ACCEPT
fw        net     ACCEPT
fw        ovpn    ACCEPT
# From OpenVPN Policy
ovpn      ovpn    ACCEPT
ovpn      net     ACCEPT
ovpn      fw      DROP     info
# From Net Policy
net       fw      DROP     info
net       ovpn    DROP     info
# THE FOLLOWING POLICY MUST BE LAST
all       all     REJECT   info
[/box]
Note that ovpn to fw is DROP, so VPN clients cannot reach services running on the server itself (for example SSH over the tunnel, or a DNS resolver on the server). If you want that, add an explicit rule for the service in the rules file rather than loosening the policy.
Custom Rules
/etc/shorewall/rules
The policies defined above are the defaults for each pair of zones. Rules are evaluated before the policies and take precedence, so we use them to open exactly the inbound traffic we need: SSH (rate limited to 6 new connections per minute with a burst of 5), the OpenVPN server on UDP 1194, and ping.
[box]
#ACTION        SOURCE   DEST   PROTO   DEST      SOURCE    ORIGINAL   RATE
#                                      PORT(S)   PORT(S)   DEST       LIMIT
# Permit access to SSH
SSH/ACCEPT     net      fw     -       -         -         -          6/min:5
# Permit access to OpenVPN server
ACCEPT         net      fw     udp     1194
# PING Rules
Ping/ACCEPT    all      all
# LAST LINE -- DO NOT REMOVE
[/box]
The Ping rule with all/all also lets echo-requests pass between zones, not only to the firewall; if you only want the server itself to answer pings from the internet, use Ping/ACCEPT net fw instead.
Outgoing Traffic
/etc/shorewall/masq
OpenVPN clients get private addresses from 10.8.0.0/24, which are not routable on the internet, so their source address has to be translated to the eth0 address (NAT). The SOURCE column needs the prefix length: 10.8.0.0 on its own would be a single host address and only that one address would be translated.
[box]
#INTERFACE   SOURCE        ADDRESS            PROTO   PORT(S)   IPSEC   MARK
eth0         10.8.0.0/24   <eth0IPAddress>
# LAST LINE -- DO NOT REMOVE
[/box]
Filling in the ADDRESS column with the eth0 address makes Shorewall use SNAT to that fixed address. If eth0 gets its address dynamically, leave the column empty and Shorewall uses MASQUERADE, which always picks up the interface’s current address.
Now everything is set up. First compile the configuration without applying it, which catches syntax errors such as an undeclared zone or a malformed rule:
[box]shorewall check[/box]
Before you start the firewall for real, use the shorewall try command: it starts the firewall from the given directory and, if the start fails or the timeout expires, reverts to the previous configuration rather than leaving the new rules in place, so a mistake in the rules does not permanently lock you out of your SSH session.
[box]shorewall try /etc/shorewall 60[/box]
Run it from a session you can afford to lose, and keep a console or another way in available in case the revert does not go as planned. If your session survives the trial, enable the service: edit /etc/default/shorewall and change startup=0 to startup=1, then start it.
[box]shorewall start[/box]
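As an added example (not part of the original article and not a Shorewall tool), the Python script below lints a Shorewall configuration directory for the mistakes that most often break this setup: IP_FORWARDING left off, a zone used but never declared, a catch-all policy that is missing or not last, a blanket ACCEPT policy from net, and a masq SOURCE without a prefix length (which translates one host instead of the whole VPN subnet). The file names and column layout are Shorewall’s; the file contents it writes into a temporary directory are a constructed copy of the files from this page, and it checks both a correct copy and one with the /24 left off. It is a sanity check to run before shorewall check, not a replacement for it.

```python
"""Lint a Shorewall configuration directory for the mistakes that most often
break an OpenVPN gateway like the one in this article.  Added example: not
part of the original post and not a Shorewall tool.  Stock Shorewall file
names and columns are used; the sample contents are constructed here."""
import ipaddress
import os
import re
import tempfile


def _rows(path):
    """Return the fields of each non-blank, non-comment line of a table file."""
    rows = []
    with open(path) as fh:
        for line in fh:
            line = line.split("#", 1)[0].strip()
            if line and not line.upper().startswith(("SECTION", "?SECTION")):
                rows.append(line.split())
    return rows


def check_config(confdir):
    """Return a list of problem strings; an empty list means every check passed."""
    problems = []

    # 1. Without IP_FORWARDING=On the kernel never forwards tun0 -> eth0.
    with open(os.path.join(confdir, "shorewall.conf")) as fh:
        m = re.search(r"^IP_FORWARDING=(\S+)", fh.read(), re.M)
    if not m or m.group(1).strip('"').lower() not in ("on", "yes"):
        problems.append("shorewall.conf: IP_FORWARDING is not On")

    # 2. Every zone named in interfaces/policy/rules must be declared in zones.
    known = {r[0] for r in _rows(os.path.join(confdir, "zones"))}
    known |= {"all", "any", "-", "$FW"}
    for fname, cols in (("interfaces", (0,)), ("policy", (0, 1)), ("rules", (1, 2))):
        for row in _rows(os.path.join(confdir, fname)):
            for c in cols:
                if c < len(row):
                    zone = row[c].split(":", 1)[0]  # 'net:1.2.3.4' -> 'net'
                    if zone not in known:
                        problems.append(f"{fname}: zone {zone!r} not declared in zones")

    # 3. The catch-all policy must be last and must not ACCEPT; a blanket
    #    ACCEPT from net would expose every listening service on the box.
    policy = _rows(os.path.join(confdir, "policy"))
    if not policy or policy[-1][:3] not in (["all", "all", "REJECT"], ["all", "all", "DROP"]):
        problems.append('policy: last line must be "all all REJECT" (or DROP)')
    for row in policy:
        if len(row) >= 3 and row[0] == "net" and row[2] == "ACCEPT":
            problems.append(f"policy: net -> {row[1]} ACCEPT; open ports in rules instead")

    # 4. A masq SOURCE without a prefix length is a single host, so
    #    '10.8.0.0' instead of '10.8.0.0/24' leaves every real client un-NATed.
    for row in _rows(os.path.join(confdir, "masq")):
        iface = row[0]
        source = row[1] if len(row) > 1 else ""
        for net in source.split(","):
            if not net or net[0].isalpha():  # an interface name, not an address
                continue
            if "/" not in net:
                problems.append(f"masq: {net!r} on {iface} has no prefix length; "
                                "only that one host would be NATed")
                continue
            try:
                ipaddress.ip_network(net, strict=True)
            except ValueError as exc:  # e.g. host bits set, as in 10.8.0.1/24
                problems.append(f"masq: bad network {net!r}: {exc}")
    return problems


def write_sample_config(confdir, masq_source="10.8.0.0/24"):
    """Write a constructed copy of this article's files into confdir."""
    files = {
        "shorewall.conf": "STARTUP_ENABLED=Yes\nIP_FORWARDING=On\n",
        "zones": "#ZONE TYPE\nfw firewall\nnet ipv4\novpn ipv4\n",
        "interfaces": "#ZONE INTERFACE BROADCAST OPTIONS\n"
                      "net eth0 detect nosmurfs\novpn tun0 detect routeback\n",
        "policy": "fw fw ACCEPT\nfw net ACCEPT\nfw ovpn ACCEPT\n"
                  "ovpn ovpn ACCEPT\novpn net ACCEPT\novpn fw DROP info\n"
                  "net fw DROP info\nnet ovpn DROP info\nall all REJECT info\n",
        "rules": "SSH/ACCEPT net fw - - - - 6/min:5\nACCEPT net fw udp 1194\n"
                 "Ping/ACCEPT all all\n",
        "masq": f"#INTERFACE SOURCE ADDRESS\neth0 {masq_source}\n",
    }
    for name, body in files.items():
        with open(os.path.join(confdir, name), "w") as fh:
            fh.write(body)


def run_demo():
    """Check a correct copy of the config and one with the /24 left off the
    masq SOURCE; returns {label: problems} for both."""
    results = {}
    for label, source in (("good", "10.8.0.0/24"), ("no-prefix", "10.8.0.0")):
        with tempfile.TemporaryDirectory() as tmp:
            write_sample_config(tmp, masq_source=source)
            results[label] = check_config(tmp)
    return results


if __name__ == "__main__":
    for label, problems in run_demo().items():
        print(f"{label}: {'OK' if not problems else ''}")
        for problem in problems:
            print("  -", problem)
```

To lint a real box, call check_config("/etc/shorewall") (or the scratch directory you intend to pass to shorewall try). The checks are deliberately conservative: they read only the columns this article uses, so a configuration that relies on the hosts file, macros in the SOURCE column, or an interface name as the masq SOURCE may need the zone and masq checks relaxed.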