Hi,

On Sun, Oct 16, 2022 at 12:42:32PM +0200, A.Péré wrote:
> I'm running Linux Debian 11 (Linux Mint LMDE 5) and my computers have
> been compromised. I'm trying to make a new setup and reinforce the
> security chain to escape the compromise, although I still struggle
> to identify at what OSI layer the hack was done... anyway, my question
> is not about the hack but how the OpenVPN client works, in particular how it
> interacts with my firewall settings:
> - I want to set up iptables or nftables (if you have advice on which one
> to use btw I would also appreciate feedback...) for my firewall and
> I'm wondering how the OpenVPN client will handle my iptables/nftables config?

OpenVPN will not modify iptables/nftables.

> - Does it use tun/tap interfaces and only make changes to ip route?

Yes.

> - Will I need to set up a new iptables rule for my firewall to work
> properly on the tun interface if the answer is yes?

That depends on how your firewall is set up.

On my BSDs, my pf(4) firewall config applies to "LAN interface"
(here named bge0, rules like "pass out on bge0 to any keep state"),
so on a tun interface, default rules would apply (= drop all).

If you filter by source/destination IP, not by interface name, rules
will apply automatically to "all interfaces around".

> - Finally, which traffic does the OpenVPN client redirect (for example which
> interfaces, at which OSI layer, how does it configure ip route if that
> is the way it works...)?

OpenVPN installs routes.  So, all traffic matched by those routes gets
sent into the tun/tap interface.

This is actually nicely visible in the openvpn log at --verb 3 - it
logs everything that it modifies with regard to interface config, routing
and firewalls (= nothing in the log = nothing modified).

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de


_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
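The two points above (OpenVPN only installs routes, and an interface-bound firewall drops what it routes into tun unless the tun interface is named in a rule) can be checked from the shell. The script below is an added example, not code from the mail thread or from the OpenVPN project: it parses `ip -4 route show` output to list which destinations currently go into a tun/tap interface, tells whether the whole IPv4 default has been redirected, and prints an nftables ruleset in the interface-bound style with the `oifname "tun0"` line that such a ruleset needs. The interface names (eth0, tun0), addresses (10.8.0.x, 192.168.1.x, 198.51.100.7) and the routing table text are constructed for the example; the route shapes match what OpenVPN installs for `redirect-gateway def1` (a 0.0.0.0/1 + 128.0.0.0/1 pair via the tun gateway plus a host route to the VPN server via the old gateway).

```shell
#!/bin/sh
# Added example (not from the original mail thread): show which
# destinations the Linux routing table sends into a tun/tap interface,
# i.e. which traffic an OpenVPN client will redirect, and the nftables
# rule an interface-bound ruleset needs so that traffic is not dropped.
# Interface names (eth0, tun0), addresses (10.8.0.x, 192.168.1.x,
# 198.51.100.7) and the routing table text below are constructed.

# Constructed `ip -4 route show` output of a client that connected with
# `redirect-gateway def1`: OpenVPN adds 0.0.0.0/1 and 128.0.0.0/1 via the
# tun gateway (more specific than "default", so they win without replacing
# it) plus a host route for the VPN server via the original gateway.
SAMPLE_ROUTES='default via 192.168.1.1 dev eth0 proto dhcp metric 100
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
198.51.100.7 via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50 metric 100'

# vpn_routes: read routing-table text on stdin and print "<dst> <dev>" for
# every route whose device is tun* or tap*.
# Live use on a client:  ip -4 route show | vpn_routes
vpn_routes() {
    awk '{
        dev = ""
        for (i = 1; i <= NF; i++) if ($i == "dev") dev = $(i + 1)
        if (dev ~ /^(tun|tap)/) print $1, dev
    }'
}

# covers_all_v4: read vpn_routes output on stdin; exit 0 when the def1 pair
# (0.0.0.0/1 and 128.0.0.0/1) or a default route points into tun/tap, i.e.
# all IPv4 traffic without a more specific route goes into the VPN.
covers_all_v4() {
    awk 'BEGIN { halves = 0; def = 0 }
         $1 == "0.0.0.0/1" || $1 == "128.0.0.0/1" { halves++ }
         $1 == "default" { def = 1 }
         END { exit !(halves == 2 || def) }'
}

# nft_ruleset: print an nftables ruleset in the interface-bound style.
# With only the lo/eth0 lines, everything OpenVPN routes into tun0 hits
# "policy drop" in the output chain; the oifname "tun0" line fixes that.
# Replies arriving on tun0 are already covered by the ct state rule.
nft_ruleset() {
    cat <<'EOF'
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        iifname "eth0" tcp dport 22 accept
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        oifname "eth0" accept
        oifname "tun0" accept   # without this, VPN-bound traffic is dropped
    }
}
EOF
}

printf '%s\n' "$SAMPLE_ROUTES" | vpn_routes
if printf '%s\n' "$SAMPLE_ROUTES" | vpn_routes | covers_all_v4; then
    echo "all IPv4 traffic without a more specific route goes into the VPN"
fi
```

On a live client, compare `ip -4 route show | vpn_routes` before and after `openvpn` connects; the difference is exactly the set of routes the `--verb 3` log reports adding, and those are the destinations the firewall must allow on the tun interface if it matches on interface names (`nft list ruleset` shows whether such a line exists). The nftables text is illustrative; apply it with `nft -f` only after adapting the interface names.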
