On Sun, 2014-12-14 at 22:11 +0100, Stanislav Baiduzhyi wrote:
On Sunday 14 December 2014 21:57:38 Andrei Borzenkov wrote:
You will need to allow traffic to/from your VPN peer and to/from your VPN device; everything else can be blocked. You can limit VPN peer traffic to OpenVPN ports to be fully paranoid.
I tried to do that, here's what I came up with:
/usr/sbin/iptables -A OUTPUT -o eth0 -j REJECT
/usr/sbin/iptables -A OUTPUT -o eth0 -p udp --dport 443 -j ACCEPT
/usr/sbin/iptables -A INPUT -i eth0 -p udp --sport 443 -j ACCEPT
But as soon as that script is executed the openvpn connection drops. Which is kind of obvious, but I cannot find a proper solution on Google... Any hints? :)
Normally openvpn works on port 1194, either on UDP or TCP. If you need to punch through a firewall, or through a proxy, you must use http-encapsulation, and thus need TCP port 443, not udp. Furthermore, if you explicitly allow out-going https-traffic towards the vpn-server, you can use stateful incoming traffic.

Hans

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
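A ruleset that does what Andrei and Hans describe (allow the tunnel device, allow only the VPN peer on the OpenVPN port on the physical interface, let stateful return traffic back in, and reject everything else last), as an added example that is not from the thread. The interface names eth0/tun0, the placeholder server address 203.0.113.10 and the default port 1194/udp are assumptions; set them for your own setup (Stanislav's would be port 443).

```shell
#!/bin/sh
# Added example, not from the thread. Assumed defaults: physical interface eth0,
# VPN device tun0, OpenVPN peer 203.0.113.10 (constructed placeholder) on udp/1194.
# Set IPT="echo iptables" to print the rules instead of loading them.
IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"
VPN_IF="${VPN_IF:-tun0}"
VPN_SERVER="${VPN_SERVER:-203.0.113.10}"
VPN_PROTO="${VPN_PROTO:-udp}"
VPN_PORT="${VPN_PORT:-1194}"

apply_vpn_rules() {
    # Start from a clean slate so re-running the script does not stack rules.
    $IPT -F INPUT
    $IPT -F OUTPUT
    # Loopback is needed by almost everything local.
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # Stateful rule: replies to connections we opened may come back in,
    # so no separate --sport rule for the VPN peer is needed.
    $IPT -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # The tunnel device carries the real traffic; allow it freely.
    $IPT -A INPUT  -i "$VPN_IF" -j ACCEPT
    $IPT -A OUTPUT -o "$VPN_IF" -j ACCEPT
    # On the physical interface only the VPN peer on the OpenVPN port may be reached.
    # If your OpenVPN config names the server by hostname, resolve it before loading
    # these rules, because DNS on the physical interface is blocked below.
    $IPT -A OUTPUT -o "$WAN_IF" -d "$VPN_SERVER" -p "$VPN_PROTO" --dport "$VPN_PORT" -j ACCEPT
    # Everything else on the physical interface is rejected. These must come LAST:
    # the original script appended its REJECT first, so its allow rules never matched.
    $IPT -A INPUT  -i "$WAN_IF" -j REJECT
    $IPT -A OUTPUT -o "$WAN_IF" -j REJECT
}

# Usage: VPN_SERVER=... ./vpn-killswitch.sh apply       (loads the rules as root)
#        IPT="echo iptables" ./vpn-killswitch.sh apply  (prints them instead)
case "${1:-}" in
    apply) apply_vpn_rules ;;
esac
```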