Hardening Your VPN Setup With Iptables

    7/30/2019 Hardening Your VPN Setup With Iptables


    Jul 14 2011

    Hardening your VPN Setup with iptables

    Category: Hacks, How-Tos | Tags: iptables, openvpn, routes, security, SSL, vpn | No Comments

    I'll be heading out to Defcon 19 next month, so I want my VPN connection to be stable and secure.

    You probably know the situation. You're at your local coffee shop, using their (hopefully not) wide-open unsecured wifi hotspot. But you're smart enough not to send all your data out over the clear, since there might be malicious script kiddies ready to take your sensitive data and sell it to kids on the street. So you use a VPN. You fire up OpenVPN and connect to your VPN service. Then you start browsing, comforted by the fact that your traffic is encapsulated in a secure SSL tunnel. Better yet, the user experience is transparent: you don't have to configure your applications to manually use a SOCKS5 proxy. OpenVPN handles your routing tables and creates a virtual interface using the tun module. It's so simple, you don't need to think about it. But there's a problem with this setup.

    Hardening your VPN Setup with iptables - InputOutput.io http://www.inputoutput.io/hardening-your-vpn-setup

    No one can reach into your stream and extract or insert data, but there's a caveat. Anyone can destroy your TCP stream by sending you a spoofed RST packet that appears to come from the remote server, or otherwise making the service unavailable to you. Destroying the TCP stream destroys the virtual (tun) interface, which, in turn, destroys the routes associated with that interface. Now you're using your physical interface unprotected from those pesky hackers. Worse still, you don't realize it. Not a thing has changed from the perspective of user experience. Since everything is transparent, you don't notice any change at all. Now you're screwed.

    Little did you know that this all could have been avoided by our friend iptables. Sure, you could modify your routes further to ensure that only traffic going to the remote server goes over your physical interface, but that's too easy. Plus, routing tables aren't intended for security, they're intended to move packets along. iptables seems like the tool for the task, so I modified a script I found here to make sure that we disallow any traffic that we don't want:

    #!/bin/bash

    if [[ $EUID -ne 0 ]]; then
        echo "This script must be run as root" 1>&2
        exit 1
    fi

    # name of primary network interface (before tunnel)
    PRIMARY=wlan0

    # address of tunnel server
    SERVER=seattle.vpn.riseup.net

    # address of vpn server
    VPN_SERVER=seattle.vpn.riseup.net

    # gateway ip address (before tunnel - adsl router ip address)
    # automatically determine the ip from the default route
    # (the original used `route -n`, which modern distributions no longer ship)
    GATEWAY=$(ip -4 route show default dev "$PRIMARY" | awk '/^default via/ {print $3; exit}')

    # provided by pppd: interface name
    TUNNEL=tun0

    openvpn --config /my/path/to/riseup.ovpn --auth-user-pass /my/path/to/authentication.conf &

    # iptables rules - important!
    #LOCAL_NET=192.168.0.0/16
    LOCAL_NET=$GATEWAY

    # Flush all previous filter rules, you might not want to include this line if you already have other rules
    iptables -t filter --flush
    # remove a MYVPN chain left over from an earlier run (the error on the very first run is harmless)
    iptables -t filter -X MYVPN 2>/dev/null
    iptables -t filter -N MYVPN

    # Exceptions for local traffic & vpn server
    # Hostnames are resolved once, when the rule is added; rerun the script if the server's address changes.
    iptables -t filter -A MYVPN -o lo -j RETURN
    iptables -t filter -A MYVPN -o ${TUNNEL} -j RETURN
    iptables -t filter -A MYVPN --dst 127.0.0.1 -j RETURN
    if [[ -n $LOCAL_NET ]]; then
        iptables -t filter -A MYVPN --dst $LOCAL_NET -j RETURN
    else
        echo "Warning: could not determine the gateway on $PRIMARY; no local-net exception added" 1>&2
    fi
    iptables -t filter -A MYVPN --dst ${SERVER} -j RETURN
    iptables -t filter -A MYVPN --dst ${VPN_SERVER} -j RETURN
    # Add extra local nets here as necessary

    # Everything else that reaches this chain is dropped: this is the kill switch
    iptables -t filter -A MYVPN -j DROP

    # MYVPN traffic leaving this host:
    # only new TCP connections (SYN), ICMP and UDP are checked. These rules are IPv4 only,
    # so add matching ip6tables rules if the host has IPv6 connectivity.
    iptables -t filter -A OUTPUT -p tcp --syn -j MYVPN
    iptables -t filter -A OUTPUT -p icmp -j MYVPN
    iptables -t filter -A OUTPUT -p udp -j MYVPN

    # Force DNS through the tunnel: 8.8.8.8 is not exempted above, so lookups either leave
    # via ${TUNNEL} or are dropped (the hotspot's own resolver is often the gateway, which is exempted)
    echo "nameserver 8.8.8.8" > /etc/resolv.conf

    You'll want to modify the openvpn command, interfaces, and servers to meet your needs. And that's it! If your stream is taken down, you have these rules to protect you. I have this script as a post-connect hook for any untrusted networks I connect to (wicd is a nice network manager for adding hooks). Later, if you want your traffic to go over the clear again, you can use this script:

    #!/bin/bash

    if [[ $EUID -ne 0 ]]; then
        echo "This script must be run as root" 1>&2
        exit 1
    fi

    # flushes every rule in the filter table (not only MYVPN), then deletes the now-empty chain
    iptables -t filter --flush
    iptables -t filter -X MYVPN
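Before trusting the kill switch on an untrusted network, it is worth checking that the installed rules really fail closed: a RETURN for the physical interface, or a missing final DROP, silently defeats the whole point. The audit script below is an added example, not code from the original post; audit_myvpn, the two rule listings and the documentation-range addresses in them are constructed here, and on a real host you would feed it the live output of `iptables -S`.

```shell
#!/bin/sh
# Audits an iptables rule listing (the format printed by `iptables -S`) for the
# fail-closed properties the MYVPN chain is meant to provide. audit_myvpn and the
# two listings below are constructed for this example; on a real host run:
#   audit_myvpn "$(iptables -S)"
TUNNEL=tun0     # interface OpenVPN creates
PRIMARY=wlan0   # physical interface; it must never be exempted in MYVPN

has() { printf '%s\n' "$1" | grep -q -- "$2"; }   # does listing $1 contain a line matching $2?

# Prints one line per failed check; returns 0 only when every check passes.
audit_myvpn() {
    rules=$1; fail=0
    has "$rules" '^-N MYVPN$' || { echo "MISSING: user chain MYVPN"; fail=1; }
    has "$rules" "^-A MYVPN -o $TUNNEL -j RETURN$" || { echo "MISSING: RETURN for traffic leaving via $TUNNEL"; fail=1; }
    # A RETURN keyed on the physical interface would let everything bypass the kill switch
    has "$rules" "^-A MYVPN -o $PRIMARY " && { echo "HOLE: MYVPN exempts the physical interface $PRIMARY"; fail=1; }
    # Whatever is not exempted must hit a final DROP, otherwise it falls through to the OUTPUT policy
    last=$(printf '%s\n' "$rules" | grep -- '^-A MYVPN ' | tail -n 1)
    [ "$last" = "-A MYVPN -j DROP" ] || { echo "BAD: last MYVPN rule is '$last', expected '-A MYVPN -j DROP'"; fail=1; }
    # OUTPUT must hand new TCP connections, UDP and ICMP to MYVPN
    # (iptables -S prints --syn as --tcp-flags FIN,SYN,RST,ACK SYN)
    has "$rules" '^-A OUTPUT -p tcp .*--tcp-flags FIN,SYN,RST,ACK SYN -j MYVPN$' || { echo "MISSING: OUTPUT tcp --syn -> MYVPN"; fail=1; }
    has "$rules" '^-A OUTPUT -p udp -j MYVPN$'  || { echo "MISSING: OUTPUT udp -> MYVPN"; fail=1; }
    has "$rules" '^-A OUTPUT -p icmp -j MYVPN$' || { echo "MISSING: OUTPUT icmp -> MYVPN"; fail=1; }
    return $fail
}

# Constructed listing resembling what the post's script installs (addresses are documentation ranges)
GOOD_RULES='-P OUTPUT ACCEPT
-N MYVPN
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j MYVPN
-A OUTPUT -p icmp -j MYVPN
-A OUTPUT -p udp -j MYVPN
-A MYVPN -o lo -j RETURN
-A MYVPN -o tun0 -j RETURN
-A MYVPN -d 127.0.0.1/32 -j RETURN
-A MYVPN -d 192.0.2.1/32 -j RETURN
-A MYVPN -d 198.51.100.10/32 -j RETURN
-A MYVPN -j DROP'

# Constructed listing with two common mistakes: the physical interface exempted and the DROP missing
LEAKY_RULES=$(printf '%s\n' "$GOOD_RULES" | grep -v -- '-j DROP$'; echo '-A MYVPN -o wlan0 -j RETURN')

audit_myvpn "$GOOD_RULES"  && echo "good listing: fails closed"
audit_myvpn "$LEAKY_RULES" || echo "leaky listing: fix the rules before trusting this host"
```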
