
Reading this article on how to configure OpenVPN, I see the following paragraph:

Raspbian has a firewall to protect your Raspberry Pi from unknown and unexpected Internet sources. We still want the firewall to protect us from most incoming and outgoing network traffic, but we need to poke an OpenVPN-shaped hole in the firewall.

The article then suggests using this iptables rule to solve this problem:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.XX.X

with 10.8.0.0 being the default address of the VPN for the clients connected to the VPN, and 192.168.XX.X being the IP address of the OpenVPN server on the local network.

I might be completely misunderstanding this, but I thought this rule meant "for each packet with source IP address 10.8.0.0, change the source IP address to 192.168.XX.X before routing it out the eth0 interface".

If this is correct, how would this "poke an OpenVPN-shaped hole in the firewall"?

2 Answers


What the rule does is simply enable SNAT for traffic originating from an openvpn client, so that openvpn clients can use the internet connection of this system. I.e. outgoing traffic from openvpn clients is allowed through, so you could consider this a hole in the firewall. I think the author was trying to write in a humorous style, which doesn't always work...

Note that -s 10.8.0.0/24 doesn't mean "source IP address 10.8.0.0", it means "source IP address in the 10.8.0.0/24 network", i.e. 10.8.0.*.

  • POSTROUTING doesn't allow any traffic. It affects allowed traffic only. And SNAT is (probably) not only required for Internet access but for accessing any other host on the LAN. Commented Feb 2, 2015 at 14:18
  • That's what I thought. Consequently, even 10.8.0.0 is not the IP address of the VPN server, as the article states, but the VPN network ID, correct? I think that part of the article is quite confusing tbh. Commented Feb 2, 2015 at 14:21
  • I'd say 10.8.0.0/24 is "the network", leave out the "ID" part. 10.8.0.0 could be the IP address of the VPN server on the VPN side, although I doubt it as .0 is usually avoided. Commented Feb 2, 2015 at 14:45
  • 10.8.0.0 cannot be a host address in a /24 network because .0 is the network address. Commented Feb 2, 2015 at 15:44
  • @wurtel actually, the correct term is indeed "network ID" :P Commented Feb 2, 2015 at 16:13
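The two points made in this answer and its comments (that `-s 10.8.0.0/24` matches the whole /24 rather than one host, and that a nat/POSTROUTING SNAT rule only rewrites packets the filter/FORWARD chain has already accepted) can be seen in a small model of the netfilter path. The following Python is an added illustration, not code from the question, the linked article, or either answer. It assumes `tun0` as the OpenVPN interface, a FORWARD policy of DROP, and uses `192.168.1.10` as a constructed stand-in for the article's `192.168.XX.X`.

```python
import ipaddress
from dataclasses import dataclass

# Values from the question; the LAN address is a constructed placeholder
# for the article's 192.168.XX.X.
VPN_NET = ipaddress.ip_network("10.8.0.0/24")
SERVER_LAN_IP = "192.168.1.10"
VPN_IFACE = "tun0"   # assumed OpenVPN interface name
LAN_IFACE = "eth0"   # from the rule's -o eth0


@dataclass
class Packet:
    src: str        # source IP address
    dst: str        # destination IP address
    in_iface: str   # interface the packet arrived on
    out_iface: str  # interface the routing decision picked


def matches_source(addr: str) -> bool:
    """'-s 10.8.0.0/24' is a prefix match: any 10.8.0.x address, not only 10.8.0.0."""
    return ipaddress.ip_address(addr) in VPN_NET


def is_usable_host(addr: str) -> bool:
    """A /24 reserves .0 (network address) and .255 (broadcast); neither is a host."""
    a = ipaddress.ip_address(addr)
    return a in VPN_NET and a not in (VPN_NET.network_address, VPN_NET.broadcast_address)


def forward_chain_accepts(pkt: Packet, forward_rule_present: bool) -> bool:
    """filter/FORWARD with policy DROP. Only an explicit rule such as
    'iptables -A FORWARD -i tun0 -o eth0 -s 10.8.0.0/24 -j ACCEPT' (assumed
    here) lets routed VPN-client traffic through. This chain, not the nat
    table, is what actually opens the hole in the firewall."""
    if not forward_rule_present:
        return False
    return (pkt.in_iface == VPN_IFACE and pkt.out_iface == LAN_IFACE
            and matches_source(pkt.src))


def postrouting_snat(pkt: Packet) -> str:
    """nat/POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source <LAN IP>.
    Returns the source address the packet leaves with; it never decides
    whether the packet is allowed."""
    if pkt.out_iface == LAN_IFACE and matches_source(pkt.src):
        return SERVER_LAN_IP
    return pkt.src


def route(pkt: Packet, forward_rule_present: bool = True) -> tuple:
    """Netfilter order for forwarded packets: filter/FORWARD is evaluated
    first, nat/POSTROUTING last. Returns (verdict, outgoing source address)."""
    if not forward_chain_accepts(pkt, forward_rule_present):
        return ("DROP", pkt.src)
    return ("ACCEPT", postrouting_snat(pkt))


if __name__ == "__main__":
    client = Packet("10.8.0.6", "192.168.1.20", "tun0", "eth0")  # constructed sample
    print(route(client))                               # ('ACCEPT', '192.168.1.10')
    print(route(client, forward_rule_present=False))   # ('DROP', '10.8.0.6')
    print(is_usable_host("10.8.0.0"), is_usable_host("10.8.0.6"))  # False True
```

Running `route` with `forward_rule_present=False` shows the SNAT rule on its own changes nothing about whether the client's packet is forwarded; it is the FORWARD accept rule (or a permissive FORWARD policy) that permits the traffic, and the SNAT rule then makes the reply path work by giving LAN hosts a source address they can route back to.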

You are right: This is about routing, it has nothing to do with security.
