On 2020.03.18 at 17:39, Robert K Coffman Jr. -Info From Data Corp. wrote:
Not an answer to your question, but a suggestion.
Use tls-auth in your OpenVPN configuration.
https://openvpn.net/community-resources/hardening-openvpn-security/
Any packet not signed will just get dropped. Seems a lot easier to
manage.
- Bob
Thank you Bob for your lightspeed suggestion :-)
I use tls-auth on my OpenVPN gateway setting my configs as is suggested
in the OpenVPN hardening guide.
Best regards
Witold
On 3/18/2020 12:23 PM, Witold Tosta wrote:
Is it possible to filter incoming connections using the GeoIP module
for the OpenVPN gateway located on the Linux Shorewall router?
From what I noticed, the entry in the /etc/shorewall/tunnels file:
#TYPE              ZONE  GATEWAY    GATEWAY_ZONE
openvpnserver:1194 net   0.0.0.0/0
implies opening the udp/1194 port to the internet on which the
OpenVPN service is listening, regardless of whether the appropriate
permitting entry appears in /etc/shorewall/rules file. My point is to
allow connections to the OpenVPN gateway from a given country using
the GeoIP module, e.g.
# Accept OpenVPN gateway access only from PL
OpenVPN(ACCEPT) net:^[PL] $FW
From what I've read, Tom Eastep is planning to withdraw the use of
the tunnels file for the rules file, where the syntax shown above
will probably be accepted by the Shorewall Firewall.
Could you, Dear Tom, respond to this?
Best regards
Witold Tosta
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
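As an added example (not from the thread), the check below turns Witold's observation into a small audit: it parses the two Shorewall fragments quoted above (constructed copies, not the live /etc/shorewall files) and reports an openvpnserver tunnels entry with a 0.0.0.0/0 GATEWAY alongside a GeoIP-limited OpenVPN rule, the combination the question says leaves udp/1194 open to the whole internet.

```python
import re

# Constructed sample contents mirroring the thread; real files live in /etc/shorewall/.
TUNNELS = """\
#TYPE              ZONE  GATEWAY    GATEWAY_ZONE
openvpnserver:1194 net   0.0.0.0/0
"""
RULES = """\
#ACTION          SOURCE      DEST
# Accept OpenVPN gateway access only from PL
OpenVPN(ACCEPT)  net:^[PL]   $FW
"""

def parse_columns(text):
    """Yield the whitespace-split columns of every non-comment, non-empty line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()

def open_tunnels(tunnels_text):
    """Return (port, zone, gateway) for openvpnserver tunnels whose GATEWAY is
    the road-warrior wildcard 0.0.0.0/0, i.e. accepted from any source address."""
    found = []
    for cols in parse_columns(tunnels_text):
        if len(cols) < 3 or not cols[0].startswith("openvpnserver"):
            continue
        last = cols[0].split(":")[-1]
        port = int(last) if last.isdigit() else 1194  # OpenVPN default port
        if cols[2] == "0.0.0.0/0":
            found.append((port, cols[1], cols[2]))
    return found

def geoip_rules(rules_text):
    """Return (action, country_codes) for OpenVPN macro rules whose SOURCE uses
    Shorewall's GeoIP match syntax zone:^[CC,CC]."""
    out = []
    for cols in parse_columns(rules_text):
        if len(cols) < 2:
            continue
        m = re.fullmatch(r"OpenVPN\((\w+)\)", cols[0])
        g = re.fullmatch(r"\w+:\^\[([A-Z,]+)\]", cols[1])
        if m and g:
            out.append((m.group(1), g.group(1).split(",")))
    return out

def audit(tunnels_text, rules_text):
    """One finding per wildcard tunnel that a GeoIP rule cannot narrow."""
    return [f"tunnels: openvpnserver port {port} from zone {zone} (gateway {gw}) is "
            f"accepted before rules; OpenVPN({action}) limited to {','.join(ccs)} has no effect"
            for port, zone, gw in open_tunnels(tunnels_text)
            for action, ccs in geoip_rules(rules_text)]

if __name__ == "__main__":
    for finding in audit(TUNNELS, RULES):
        print(finding)
```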