deboeck (Tux's lil' helper)
Joined: 13 Jan 2004, Posts: 92
Posted: Mon Jan 16, 2006 4:20 pm, Post subject: OpenVPN and iptables firewall rules [SOLVED]
Hi,
I'm running an OpenVPN server to which different clients connect. When starting the OpenVPN service on the server, I use the 'up' parameter in the openvpn config file to add some rules to my firewall. The rules do the following:
1) Open the VPN port (1194) on my external interface.
2) Define which traffic is allowed through the created TUN interface.
This works fine. However, when shutting down the OpenVPN service, I'd like these rules to be removed. I tried doing this using the 'down' parameter, but it doesn't work because OpenVPN is running as user nobody. The result is that the rules are still present. When starting OpenVPN again, they are added a second time.
I thought of the following solutions to solve this problem:
1) Run OpenVPN as root. Last resort really, seems like a bad idea.
2) Create a new user openvpn, let OpenVPN run as that user and use sudo so the user can execute my firewall script as root. Anyone using this approach?
3) Modify the /etc/init.d/openvpn script to add and remove the firewall rules.
Anyone else having this problem? Suggestions are very welcome.
Steven
Last edited by deboeck on Tue Jan 17, 2006 4:56 pm; edited 1 time in total
tuxmin (l33t)
Joined: 24 Apr 2004, Posts: 838, Location: Heidelberg
Posted: Mon Jan 16, 2006 7:11 pm
As you resumed: #1 is a bad idea
I'd go for #3. One suggestion though: you could create a chain for your openvpn rules, then, upon startup, simply flush/delete that chain first and insert your rules again. This would prevent the rules from multiplying.
Hth, Alex!!!
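One way to put Alex's dedicated-chain idea into an OpenVPN up/down hook, as an added example that is not from this thread (it assumes a chain named OPENVPN, external interface eth0, UDP port 1194, and that the script is invoked with root rights, e.g. via sudo as in solution 2; OpenVPN passes the TUN device name in $dev and the hook type in $script_type):

```shell
#!/bin/sh
# OpenVPN up/down hook that keeps every VPN firewall rule in its own chain
# (OPENVPN). Each run flushes the chain before refilling it, so restarting
# OpenVPN can never duplicate rules. Assumed names: chain OPENVPN, external
# interface eth0, UDP port 1194; the TUN device comes from OpenVPN's $dev.
IPTABLES="${IPTABLES:-iptables}"   # set IPTABLES="echo iptables" for a dry run
CHAIN="${CHAIN:-OPENVPN}"
EXT_IF="${EXT_IF:-eth0}"
VPN_PORT="${VPN_PORT:-1194}"

# Print, one rule per line, what goes into the chain for TUN device $1.
vpn_rules() {
    # 1) the VPN port on the external interface
    printf '%s\n' "-i $EXT_IF -p udp --dport $VPN_PORT -j ACCEPT"
    # 2) what may come through the tunnel: replies and SSH, nothing else
    printf '%s\n' "-i $1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    printf '%s\n' "-i $1 -p tcp --dport 22 -j ACCEPT"
    printf '%s\n' "-i $1 -j DROP"
}

# Install the chain: (re)create it empty, jump to it exactly once, fill it.
vpn_up() {
    $IPTABLES -N "$CHAIN" 2>/dev/null || true   # ignore "already exists"
    $IPTABLES -F "$CHAIN"
    for builtin in INPUT FORWARD; do
        # delete any old jump before inserting, so the jump never multiplies
        $IPTABLES -D "$builtin" -j "$CHAIN" 2>/dev/null || true
        $IPTABLES -I "$builtin" -j "$CHAIN"
    done
    vpn_rules "$1" | while read -r rule; do
        # word splitting of $rule into iptables arguments is intended
        $IPTABLES -A "$CHAIN" $rule
    done
}

# Remove everything vpn_up added, leaving the firewall as it was before.
vpn_down() {
    for builtin in INPUT FORWARD; do
        $IPTABLES -D "$builtin" -j "$CHAIN" 2>/dev/null || true
    done
    $IPTABLES -F "$CHAIN"
    $IPTABLES -X "$CHAIN"
}

# OpenVPN exports script_type (up/down) and dev (e.g. tun0) to its hooks.
case "${script_type:-}" in
    up)   vpn_up "${dev:-$1}" ;;
    down) vpn_down ;;
esac
```

Run it with IPTABLES="echo iptables" first to see the exact commands it would issue; note that vpn_up is safe to run repeatedly, which is the whole point of the dedicated chain.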
deboeck (Tux's lil' helper)
Joined: 13 Jan 2004, Posts: 92
Posted: Tue Jan 17, 2006 4:54 pm, Post subject: @Alex
Thanks for the answer. I've already gone for solution 2. Seems to be working. Putting the VPN rules in a chain is a good idea though, thanks for that one.
Steven