[:en]Anyone hosting internal critical services today is well advised to protect them properly behind a firewall. Linux usually does a pretty good job at that—at least if your bandwidth requirements aren’t too excessive. It is a very good idea to use a graphical tool to create a ruleset, instead of writing iptables rules manually, and fwbuilder tends to get the job done quite nicely.
On the other hand, employees need access to internal information when they are on the road. OpenVPN is a great open source tool to enable this scenario, with nice clients for all major operating systems. New keys are easily generated, and with a bit of scripting, setting up a new laptop for a road worker becomes really trivial.
Is it a good idea to host the OpenVPN service on the firewall itself? In my opinion: yes. The two tasks—firewalling and VPN—are conceptually the same: Regulating network traffic from and to internal machines. Moreover, hosting the VPN access point on the firewall has the added benefit of being able to distinguish individual VPN clients at the firewall before any NAT kicks in.
However, I was seeing major issues with this setup. In particular, my VPN clients could connect just fine, but no packets could traverse the firewall. No matter what rule I added, and how lenient the firewall was set, packets disappeared right after exiting the VPN tunnel—no matter whether NAT was active or not. The strangest symptom I got: Even after flushing all rules, access was still not possible for the VPN clients. Only when the machine was restarted, and before the firewall was reinstated, did VPN work. So the problem was apparently not with VPN, but with the firewall. But I just couldn’t find the problem. It was driving me mad!
It took me literally ages to find out that fwbuilder actually deletes old routes on the host when it is asked to install additional ones. This included an apparently vital OpenVPN route that was unintuitively set to use X.X.X.2 as the gateway. Must be some kind of default config—I’m pretty sure I never touched that. The „2“ was also the reason that this change escaped my attention for so long.
Bottom line (TL/DR): fwbuilder is a really versatile tool. But check what it does to your network configuration. Changes are not limited to iptables![:]
2 Responses to [:en]OpenVPN + fwbuilder woes[:]