OpenVPN and Firestarter

Tags: , , , Posted 2006-08-03 22:54 2 Comments

So, I use Firestarter to man­age the fire­wall at home. It has it’s issues, of course (not all events show up in the lit­tle event viewer, for exam­ple), and I’m a lit­tle wary of using a graph­i­cal tool to man­age ipt­a­bles. That said, I’ve so lit­tle time at home, I don’t really care to spend it wrestling with the fire­wall on my Linux box.

This is also why peo­ple buy those toys from Linksys, they require lit­tle to no effort to use. Of course, their wire­less offer­ings should ship secure by default, with a lit­tle plas­tic win­dow on the bot­tom of the thing con­tain­ing a card with the SSID and WEP keys on it — and a stack of pre-labeled cards to write future SSID and WEP keys on.

Aaaaanyways, hav­ing setup OpenVPN at work (eth­er­net bridge over TCP) I needed to punch through the fire­wall on my box so it was worth a damn. Unfortunately adding the VPN net­work to the “Hosts allows to con­nect” list doesn’t work, since it still blocks the out­put. To fix this, you need to dis­able the fire­wall on your tap (or tun, if you’re using OpenVPN in a routed con­fig­u­ra­tion) inter­face by adding the VPN net­work to your “allowed hosts” bit, and then adding the fol­low­ing lines to /etc/firestarter/user-pre:

$IPT -A INPUT -i tap+ -j ACCEPT
$IPT -A OUTPUT -o tap+ -j ACCEPT

What that means is: “let any­thing com­ing in (INPUT/-i) or going out (OUTPUT/-o) on any tap inter­face through.” Getting the con­nec­tion to use the incoming/outgoing poli­cies is the ideal case, but I didn’t really research into how to make it work beyond a lit­tle experimentation.

  • Add to favorites
  • del.icio.us
  • Digg
  • email
  • Fark
  • Google Bookmarks
  • Identi.ca
  • Ping.fm
  • Print
  • Reddit
  • Slashdot
  • StumbleUpon
  • Tumblr
  • Twitter

Links

  • If you link to this post from your blog, a link back to your post will go here.

Comments

  • drag says:
    2006-08-04 at 12:17 am

    Firestarter should sup­port OpenVPN on it’s next release.
    http://​www​.fs​-secu​rity​.com/​d​o​cs/vpn.php

    That has the infor­ma­tion on allow­ing VPNs for open­vpn and other vpn stuff.

    For my lappy and net­work con­nec­tion I use open­vpn, network-manager, firestarter, and ipcop.

    Ipcop on my router at home.. It’s just a old Dell stuffed full of old 3com nic cards. On that I have installed the Zarina OpenVPN add-on for Ipcop.
    http://​home​.arcor​.de/​u​.​a​l​t​i​n​k​a​y​n​a​k​/​o​p​envpn.html

    If you set that up then you go through their howto and you end up with a *.opvn file and a *.p12 file. That’s a open­vpn con­fig­u­ra­tion file and a the pk12 file is a PKCS12 encrypted file designed to allow for safe deliv­ery of certificates.

    OpenVPN sup­ports those in Linux, but unfor­tu­nately I couldn’t get it to work with Network-manager’s open­vpn sup­port. You copy those files to /etc/openvpn (in Debian Sid and prob­a­bly Ubuntu) rename *.opvn to *.conf, restart open­vpn with “/etc/init.d/openvpn restart” and are prompted for the pass­word for the file. You give it and it connects.

    So all of that with network-manager allows me con­sis­tant and trans­par­ent to my desk­top at home irre­gard­less of what net­work I hap­pen to be con­nected to at the time.

    Pretty neat stuff, I figure.

  • Jason says:
    2006-08-04 at 3:39 am

    You prob­a­bly want to add the fol­low­ing if you use VMware:

    $IPT –A INPUT –i vmnet+ –j ACCEPT
    $IPT –A OUTPUT –o vmnet+ –j ACCEPT

    Cheers,
    Jason.

  • If you reply to this post, your reply will go here.

Reply