UFW and OpenVPN

I used the excellent script here to set up OpenVPN on a server I'm running recently. I've set it up a hundred times before manually, and frankly it's a bit of a slog, so it's nice to find a tool that can do it for you and cut out the drudgery. And it nearly did, except on this particular server it didn't work. Clients could connect, but couldn't use the internet through the VPN.

After scratching my head for a while, I narrowed it down to the IPv4 forwarding. The script puts this line into iptables, "iptables -t nat -A POSTROUTING -s 10.8.0.0/d", and adds it to /etc/rc.local. But it wasn't appearing in the rules. It turns out this was because the server had ufw installed, a simplified firewall interface that sits on top of iptables. The newly added rules were simply being overwritten by ufw when it loaded its own ruleset.

OK so how to fix it? After trying to follow the logic of iptables chains through ufw, I turned to the Interwebs. Which is probably where I should have started. OK, so step by step …

  1. First, open the port OpenVPN listens on (I'd managed this step by myself)
    > ufw allow 1194
  2. Now turn on forwarding, which is disabled by default, by setting this in /etc/default/ufw:
    DEFAULT_FORWARD_POLICY="ACCEPT"
  3. Now edit /etc/ufw/before.rules and add a few lines at the top of the file, just before the warning not to "delete these lines":
    ## OpenVPN rules
    *nat
    :POSTROUTING ACCEPT [0:0]
    -A POSTROUTING -s 10.8.10.0/24 -o eth0 -j MASQUERADE
    COMMIT
    ## End OpenVPN ##

This last bit didn't seem quite right. I thought the COMMIT line shouldn't be there, as that should be at the end of the file, but nope. It needs to be right there at the top of the file: each table in the file (here *nat) has to be closed by its own COMMIT, and the COMMIT at the end of before.rules belongs to the *filter table. Of course, change the subnet 10.8.10.0/24 to the one in your particular config. Now just
    > service ufw restart
… and away you go.
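A small check for the two settings above, as an added example that is not part of the original post or of ufw itself: it confirms that DEFAULT_FORWARD_POLICY is ACCEPT and that before.rules carries a *nat table masquerading the VPN subnet that is closed by its own COMMIT. The function names, and the constructed sample files it runs against, are assumptions; point it at /etc/default/ufw and /etc/ufw/before.rules to check a real host.

```shell
#!/bin/sh
# Added example (not from the original post): verify the ufw pieces the post
# describes. File paths are parameters, so constructed samples are used below.

# 0 if DEFAULT_FORWARD_POLICY in file $1 is ACCEPT, 1 otherwise.
forward_policy_ok() {
    grep -Eq '^DEFAULT_FORWARD_POLICY="ACCEPT"' "$1"
}

# 0 if file $1 holds a *nat table with a MASQUERADE rule for subnet $2 that is
# closed by COMMIT before the next table (*filter) starts, 1 otherwise.
nat_block_ok() {
    awk -v subnet="$2" '
        /^\*/ { in_nat = ($1 == "*nat"); next }   # a table starts; track only *nat
        in_nat && /^COMMIT/ { committed = 1; in_nat = 0 }
        in_nat && /^-A POSTROUTING / && /-j MASQUERADE/ && index($0, "-s " subnet " ") { found = 1 }
        END { exit (found && committed) ? 0 : 1 }
    ' "$1"
}

# Combined check: defaults file $1, before.rules file $2, VPN subnet $3.
check_ufw_openvpn() {
    forward_policy_ok "$1" && nat_block_ok "$2" "$3"
}

# Constructed sample files standing in for the real ufw configuration.
SAMPLE_DEFAULT=$(mktemp); SAMPLE_GOOD=$(mktemp); SAMPLE_BAD=$(mktemp)
trap 'rm -f "$SAMPLE_DEFAULT" "$SAMPLE_GOOD" "$SAMPLE_BAD"' EXIT
printf '%s\n' 'DEFAULT_INPUT_POLICY="DROP"' 'DEFAULT_FORWARD_POLICY="ACCEPT"' > "$SAMPLE_DEFAULT"
cat > "$SAMPLE_GOOD" <<'EOF'
## OpenVPN rules
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.10.0/24 -o eth0 -j MASQUERADE
COMMIT
## End OpenVPN ##
*filter
:ufw-before-input - [0:0]
COMMIT
EOF
# Same file minus line 5, the COMMIT that closes *nat; the COMMIT at the end
# belongs to *filter and does not rescue the nat table.
sed '5d' "$SAMPLE_GOOD" > "$SAMPLE_BAD"

for f in "$SAMPLE_GOOD" "$SAMPLE_BAD"; do
    if check_ufw_openvpn "$SAMPLE_DEFAULT" "$f" 10.8.10.0/24; then echo "ok"; else echo "VPN NAT not fully configured"; fi
done
```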
