@bensoer
Last active August 26, 2016 02:06
Simple demo script for configuring the iptables firewall of an OpenVPN server (TUN setup) sitting behind a local LAN router
#! /bin/bash
# README ---
# Below is a demo script for setting up the iptables firewall on an OpenVPN server. It is specifically configured for TUN
# setups where the VPN server is located behind a router on a local LAN. The script additionally contains a section for
# restricting what traffic can pass through the VPN, allows SSH connections to the VPN server only from within the local
# LAN the server is hosted in, and permits the DNS and DHCP traffic the server itself needs to operate within that LAN.
# PRE-REQUISITES
# - IPv4 forwarding has been enabled on your server (net.ipv4.ip_forward = 1), otherwise the FORWARD chain rules never
#   see any traffic
# - OpenVPN is already configured and running on the VPN server (this just makes testing easier)
# NOTES
# - Only IPv4 (iptables) is configured. ip6tables is left untouched, so disable IPv6 on the server or firewall it separately
# - The rules are not persisted. Re-run the script at boot (or save them with iptables-save) or they are lost on reboot
# SETUP
# Simply change the variables within the 'User Configuration' section so that they match your network and OpenVPN
# configuration. Then in a terminal type: sudo ./openvpnfirewall.sh. Output will display as the various steps are executed.
# The script will terminate once the firewall settings are complete.
# DISCLAIMER
# This script is a demo / experiment and not recommended for industry / professional use. The following may contain bugs
# or errors unknown to me ( comment them and I will update! ). USE AT YOUR OWN DISCRETION
# END OF README ---
# -- USER CONFIGURATION --
echo "Defining User Variables"
IPTABLES="/sbin/iptables"
# -- names of the nics for the loopback, vpn and general internet of the vpn server
ILOOPBACK="lo"
IVPN="tun0"
IINTERNET="eth0"
# -- ip address of vpn within the hosting network
IPADDR="192.168.0.99"
# -- subnet of the vpn's network (ip range used for assigning IPs to connecting clients)
VPN_SUBNET="10.8.0.0/24"
# -- subnet of the network the vpn is hosted in
LAN_SUBNET="192.168.0.0/24"
# -- listening port of openvpn for new connections
VPN_SERVER_PORT="1234"
# -- ip of the LAN router, which is the DHCP server of the hosting network. If you push it to VPN clients as their DNS
#    server (push "dhcp-option DNS ..." in the OpenVPN config) use the same address here, otherwise clients may not be
#    able to resolve names. VPN clients are also blocked from this host's web admin page further below.
DHCP_SERVER="192.168.0.1"
echo "User Variables Defined"
# -- END OF USER CONFIGURATION --
# -- FIREWALL RULES - DO NOT TOUCH --
SSH_PORTS="1020:65535"
BROADCAST_SRC="0.0.0.0"
BROADCAST_DEST="255.255.255.255"
PRIV_PORTS="0:1023"
UNPRIV_PORTS="1024:65535"
# -- END OF FIREWALL RULES --
# - Drop Everything
echo "Clearing Existing Firewall"
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X
echo "Clearing Complete"
# - Set Defaults
# NOTE: the DROP policies take effect immediately, before a single ACCEPT rule exists. An SSH session used to run this
# script stalls until the SSH rules at the bottom are added, and stays cut off if the script aborts part way through
# (e.g. a typo in a User Configuration variable). Have console access the first time you run it.
echo "Setting Default"
$IPTABLES --policy INPUT DROP
$IPTABLES --policy OUTPUT DROP
$IPTABLES --policy FORWARD DROP
echo "Defaults Have Been Set"
# -- Allow Loopback as a precaution
echo "Applying Loopback Policy"
$IPTABLES -A INPUT -i $ILOOPBACK -j ACCEPT
$IPTABLES -A OUTPUT -o $ILOOPBACK -j ACCEPT
echo "Loopback Policy Applied"
# -- Enable DNS
echo "Enabling DNS Functionality"
$IPTABLES -A OUTPUT -o $IINTERNET -p udp -s $IPADDR --sport $UNPRIV_PORTS --dport 53 -j ACCEPT
$IPTABLES -A INPUT -i $IINTERNET -p udp -d $IPADDR --sport 53 --dport $UNPRIV_PORTS -j ACCEPT
# -- In case there is error and must use TCP
$IPTABLES -A OUTPUT -o $IINTERNET -p tcp -s $IPADDR --sport $UNPRIV_PORTS --dport 53 -j ACCEPT
$IPTABLES -A INPUT -i $IINTERNET -p tcp -d $IPADDR --sport 53 --dport $UNPRIV_PORTS -j ACCEPT
echo "Enabled DNS Functionality"
# -- Enable DHCP
echo "Enabling DHCP Functionality"
# -- Initialization or rebinding
$IPTABLES -A OUTPUT -o $IINTERNET -p udp -s $BROADCAST_SRC -d $BROADCAST_DEST --sport 68 --dport 67 -j ACCEPT
# -- Incoming DHCPOFFER from any DHCP server answering the broadcast (the offer carries the server's IP as source, not
#    0.0.0.0, so the source is left unrestricted here)
$IPTABLES -A INPUT -i $IINTERNET -p udp -d $BROADCAST_DEST --sport 67 --dport 68 -j ACCEPT
# -- Rules for lost lease or reboot for client
$IPTABLES -A OUTPUT -o $IINTERNET -p udp -s $BROADCAST_SRC -d $DHCP_SERVER --sport 68 --dport 67 -j ACCEPT
$IPTABLES -A INPUT -i $IINTERNET -p udp -s $DHCP_SERVER -d $BROADCAST_DEST --sport 67 --dport 68 -j ACCEPT
# -- Variances in DHCP Response
$IPTABLES -A INPUT -i $IINTERNET -p udp -s $DHCP_SERVER --sport 67 --dport 68 -j ACCEPT
# -- -- Lease Renewal
$IPTABLES -A OUTPUT -o $IINTERNET -p udp -s $IPADDR -d $DHCP_SERVER --sport 68 --dport 67 -j ACCEPT
$IPTABLES -A INPUT -i $IINTERNET -p udp -s $DHCP_SERVER -d $IPADDR --sport 67 --dport 68 -j ACCEPT
echo "Enabled DHCP Functionality"
# -- Allow VPN Connections To Occur
echo "Creating VPN Forwarding Traffic Chain"
$IPTABLES -N vpn_forwarding_traffic
echo "Applying VPN Forwarding Policy"
# **********************************************************************************
# * -- INSERT DROP RULES HERE TO RESTRICT WHAT KIND OF TRAFFIC GOES THROUGH VPN -- *
# * -- ANYTHING NOT DROPPED WILL BE ACCEPTED IF VALID ETH->VPN OR VPN->ETH -- *
# **********************************************************************************
# -- Example: Drop All HTTP Data
# $IPTABLES -A vpn_forwarding_traffic -p tcp --sport 80 -j DROP
# $IPTABLES -A vpn_forwarding_traffic -p tcp --dport 80 -j DROP
# -- End Of Example
# -- don't let vpn users use the router admin page
$IPTABLES -A vpn_forwarding_traffic -d $DHCP_SERVER -p tcp --dport 80 -j DROP
$IPTABLES -A vpn_forwarding_traffic -s $DHCP_SERVER -p tcp --sport 80 -j DROP
$IPTABLES -A vpn_forwarding_traffic -d $DHCP_SERVER -p tcp --dport 443 -j DROP
$IPTABLES -A vpn_forwarding_traffic -s $DHCP_SERVER -p tcp --sport 443 -j DROP
# **********************************************************************************
# * -- END OF DROP RULES -- *
# **********************************************************************************
# - Stateful Routing Options - UNTESTED. Use these INSTEAD of the two stateless rules below, and keep them inside the
#   vpn_forwarding_traffic chain: inserting them straight into FORWARD with -I would put them ahead of the DROP rules
#   above. Only the VPN side may open connections; the eth0 side only gets replies conntrack has already seen.
#$IPTABLES -A vpn_forwarding_traffic -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
#$IPTABLES -A vpn_forwarding_traffic -i $IVPN -o $IINTERNET -s $VPN_SUBNET -m conntrack --ctstate NEW -j ACCEPT
# - Stateless Routing Options. NOTE: the second rule accepts anything arriving on eth0 addressed to the VPN subnet with
#   no conntrack check. Normally only de-NATed replies carry such a destination, but any LAN host that has a route to
#   $VPN_SUBNET via this server can reach VPN clients directly.
$IPTABLES -A vpn_forwarding_traffic -i $IVPN -o $IINTERNET -s $VPN_SUBNET -j ACCEPT
$IPTABLES -A vpn_forwarding_traffic -i $IINTERNET -d $VPN_SUBNET -o $IVPN -j ACCEPT
echo "Applied VPN Forwarding Policy"
echo "Applying VPN Forwarding Traffic Routing Rules"
$IPTABLES -A FORWARD -i $IVPN -j vpn_forwarding_traffic
$IPTABLES -A FORWARD -o $IVPN -j vpn_forwarding_traffic
echo "Applied VPN Forwarding Traffic Routing Rules"
echo "Applying Listening Rules For New Connections on OpenVPN's Listening Port"
# - Allow VPN Data Through The OpenVPN's Listening Port (assumes 'proto udp' in the OpenVPN config; use -p tcp if the
#   server is configured with 'proto tcp')
$IPTABLES -A INPUT -i $IINTERNET -p udp --dport $VPN_SERVER_PORT -j ACCEPT
$IPTABLES -A OUTPUT -o $IINTERNET -p udp --sport $VPN_SERVER_PORT -j ACCEPT
echo "Applied Listening Rules For New Connections on OpenVPN's Listening Port"
# - Masquerading For VPN -- not needed if the LAN router (and any LAN host VPN clients must reach) has a static route
#   for $VPN_SUBNET via $IPADDR, since replies then find their way back to the VPN server without NAT
echo "Applying Masquerading Rules For VPN"
$IPTABLES -t nat -A POSTROUTING -s $VPN_SUBNET -o $IINTERNET -j MASQUERADE
echo "Applied Masquerading Rules For VPN"
# - Enable SSH Connections
echo "Creating SSH Input Traffic Rules For Incoming SSH Connections"
$IPTABLES -N ssh_input_traffic
# -- allow incoming connections only from the same subnet as the VPN Server is hosted in. VPN clients arrive on tun0
#    and therefore cannot match this rule, so they cannot SSH to the server through the tunnel
$IPTABLES -A ssh_input_traffic -i $IINTERNET -p tcp -d $IPADDR -s $LAN_SUBNET --sport $SSH_PORTS --dport 22 -j ACCEPT
echo "Created SSH Input Traffic Rules For Incoming SSH Connections"
echo "Creating SSH Input Chain"
# -- only packets addressed to port 22 can match anything in the chain, so only those are sent there
$IPTABLES -A INPUT -p tcp --dport 22 -j ssh_input_traffic
echo "Created SSH Input Chain"
echo "SSH Input Settings Complete"
echo "Creating SSH Output Traffic Rules For Incoming SSH Connections"
$IPTABLES -N ssh_output_traffic
# -- allow outgoing ssh data only to the same subnet as the VPN Server is hosted in. '! --syn' means the server may only
#    answer an SSH session a LAN host opened, never open one itself, without needing conntrack
$IPTABLES -A ssh_output_traffic -o $IINTERNET -p tcp ! --syn -s $IPADDR -d $LAN_SUBNET --sport 22 --dport $SSH_PORTS -j ACCEPT
echo "Created SSH Output Traffic Rules For Incoming SSH Connections"
echo "Creating SSH Output Chain"
$IPTABLES -A OUTPUT -p tcp --sport 22 -j ssh_output_traffic
echo "Created SSH Output Chain"
echo "Firewall Configuration Complete"
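Two things the script above leaves to the reader are worth having as code: the pre-requisites the README only asks you to assume (well-formed User Configuration variables, existing interfaces, ip_forward enabled), checked before the DROP policies cut the host off; and a stateful version of the vpn_forwarding_traffic chain, which the script carries only as commented-out, untested lines. The block below is an added example, not part of bensoer's gist. It reuses the gist's variable names; the function names, the IPTABLES / IP_FORWARD_FILE / SYSFS_NET override variables and the default values at the bottom are this example's own. IPTABLES defaults to "echo iptables", so running the file as-is is a dry run that prints the rules it would apply.

```shell
#!/bin/bash
# Added example (not part of bensoer's openvpnfirewall.sh): (1) pre-flight checks
# to run BEFORE the DROP policies are set, (2) a stateful replacement for the
# gist's "Stateless Routing Options" so only the VPN side can open connections
# and eth0 only gets replies conntrack already knows. Function names and the
# IPTABLES / IP_FORWARD_FILE / SYSFS_NET overrides are this example's own; the
# overrides exist so everything here can be exercised without root.

# --- (1) pre-flight checks -------------------------------------------------
valid_port() {                       # 0 if $1 is a port number 1..65535
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}
valid_ipv4() {                       # 0 if $1 is a.b.c.d with octets 0..255
    local IFS=. o
    set -- $1                        # split on '.', IFS is local to this function
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}
valid_cidr() {                       # 0 if $1 is a.b.c.d/n with n in 0..32
    local addr="${1%/*}" bits="${1#*/}"
    [ "$addr" != "$1" ] || return 1  # no '/' present at all
    valid_ipv4 "$addr" || return 1
    case "$bits" in ''|*[!0-9]*) return 1 ;; esac
    [ "$bits" -le 32 ]
}
iface_exists() {                     # 0 if the interface exists (sysfs, no root)
    [ -d "${SYSFS_NET:-/sys/class/net}/$1" ]
}
ip_forward_enabled() {               # 0 if net.ipv4.ip_forward is 1
    local f="${IP_FORWARD_FILE:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}
problem() { echo "preflight: $*" >&2; fails=$((fails + 1)); }  # counts into caller's 'fails'
# Check the gist's User Configuration variables; returns the number of problems.
# In the gist, call it before "Clearing Existing Firewall":  preflight || exit 1
preflight() {
    local fails=0
    [ "$(id -u)" -eq 0 ]            || problem "not root; iptables will refuse every rule"
    valid_port   "$VPN_SERVER_PORT" || problem "VPN_SERVER_PORT '$VPN_SERVER_PORT' is not a port"
    valid_ipv4   "$IPADDR"          || problem "IPADDR '$IPADDR' is not an IPv4 address"
    valid_ipv4   "$DHCP_SERVER"     || problem "DHCP_SERVER '$DHCP_SERVER' is not an IPv4 address"
    valid_cidr   "$VPN_SUBNET"      || problem "VPN_SUBNET '$VPN_SUBNET' is not a.b.c.d/n"
    valid_cidr   "$LAN_SUBNET"      || problem "LAN_SUBNET '$LAN_SUBNET' is not a.b.c.d/n"
    iface_exists "$IVPN"            || problem "IVPN '$IVPN' does not exist (is OpenVPN running?)"
    iface_exists "$IINTERNET"       || problem "IINTERNET '$IINTERNET' does not exist"
    ip_forward_enabled              || problem "ip_forward is 0; FORWARD rules would never match"
    return "$fails"
}

# --- (2) stateful forwarding chain -----------------------------------------
IPTABLES="${IPTABLES:-echo iptables}"   # dry run by default; set to /sbin/iptables to apply
# Replaces the gist's vpn_forwarding_traffic section (from -N to the two FORWARD jumps).
# Order matters: INVALID first, then the admin-page DROP, then RELATED,ESTABLISHED in either
# direction, then NEW from the VPN side only. Anything else falls to the FORWARD DROP policy,
# so nothing arriving on eth0 can open a connection toward a VPN client.
stateful_vpn_forward() {
    local chain="${1:-vpn_forwarding_traffic}"
    $IPTABLES -N "$chain"
    $IPTABLES -A "$chain" -m conntrack --ctstate INVALID -j DROP
    $IPTABLES -A "$chain" -s "$VPN_SUBNET" -d "$DHCP_SERVER" -p tcp -m multiport --dports 80,443 -j DROP
    $IPTABLES -A "$chain" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    $IPTABLES -A "$chain" -i "$IVPN" -o "$IINTERNET" -s "$VPN_SUBNET" -m conntrack --ctstate NEW -j ACCEPT
    $IPTABLES -A FORWARD -i "$IVPN" -j "$chain"
    $IPTABLES -A FORWARD -o "$IVPN" -j "$chain"
}

# Defaults (this example's own, matching the gist's sample values) and a dry run:
#   bash this_file.sh                      -> prints the rules it would apply
#   IPTABLES=/sbin/iptables bash this_file.sh  -> applies them (as root, after preflight)
: "${IVPN:=tun0}" "${IINTERNET:=eth0}" "${VPN_SUBNET:=10.8.0.0/24}" "${DHCP_SERVER:=192.168.0.1}"
stateful_vpn_forward
```

The validation is deliberately strict about shape rather than semantics: it catches the empty or mistyped variable that would make one iptables invocation fail after INPUT and OUTPUT are already set to DROP, which is the failure mode that locks you out of a headless box. The stateful chain puts the RELATED,ESTABLISHED rule before the NEW rule so that return traffic for an accepted connection is never re-evaluated against the interface and subnet match, and the INVALID drop in front keeps mangled TCP segments from ever reaching an ACCEPT.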