Setting up ip rules for OpenVPN server - don't forget internal routes.

When adding iptables rules for an OpenVPN server, dont forget the internal routing. Some instructionals expect all packets leaving from the OpenVPN subnet to go to the internet facing interface. However that leaves out a couple of cases.

The cases are:

(1) From the OpenVPN subnet to the host address itself, e.g.

`… -i tun0 -d nnn.nn.nnn.nn -j ACCEPT

(2) From the OpenVPN subnet back to the subnet, when two vpn clients are talking to each other, e.g., -

... -i tun0 -o tun0 -j ACCEPT

All the internal cases would be covered by

... -i tun0 -j ACCEPT


iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -s -j ACCEPT
iptables -I INPUT -p udp --dport 1194 -j ACCEPT
iptables -t nat -A POSTROUTING -s -j SNAT --to

Digital Ocean

iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE
sudo ufw allow 1194/udp

More detailed rules

These are the extra rules I added for OpenVPN -

iptables -N vpn-ipt-hook
iptables -N vpn-ipt-hook-acc
iptables -N vpn-ipt-hook-log1194
iptables -A INPUT -j vpn-ipt-hook
pitables -A -p udp -m udp --dport 1194 -j ACCEPT

iptables -A vpn-ipt-hook -p udp --dport 1194 -j vpn-ipt-hook-log1194
iptables -A vpn-ipt-hook ! -i tun0 -j RETURN
iptables -A vpn-ipt-hook -d -j vpn-ipt-hook-acc
iptables -A vpn-ipt-hook -o tun0 -j vpn-ipt-hook-acc
iptables -A vpn-ipt-hook-acc -m limit --limit 10/min --limit-burst 10 -j LOG --log-prefix "[VPN ipt-hook ACCEPT] "
iptables -A vpn-ipt-hook-acc -j ACCEPT
iptables -A vpn-ipt-hook-log1194 -m limit --limit 10/min --limit-burst 10 -j LOG --log-prefix "[VPN ipt-hook-log1194] "

iptables -N vpn-fwd-hook
iptables -N vpn-fwd-hook-acc
iptables -A FORWARD -j vpn-fwd-hook

iptables -A vpn-fwd-hook ! -i tun0 -j RETURN
iptables -A vpn-fwd-hook -o eth0 -j vpn-fwd-hook-acc
iptables -A vpn-fwd-hook-acc -m limit --limit 10/min --limit-burst 10 -j LOG --log-prefix "[VPN fwd-hook ACCEPT] "
iptables -A vpn-fwd-hook-acc -j ACCEPT

# add masquerade rule
iptables -t nat -N vpn-masq
iptables -t nat -A POSTROUTING -s -o eth0 -j vpn-masq
iptables -t nat -A vpn-masq -m limit --limit 10/min --limit-burst 10 -j LOG --log-prefix "[VPN masq] "
iptables -t nat -A vpn-masq -j MASQUERADE