OpenVPN and Firestarter

So, I use Firestarter to manage the firewall at home. It has its issues, of course (not all events show up in the little event viewer, for example), and I’m a little wary of using a graphical tool to manage iptables. That said, I’ve so little time at home, I don’t really care to spend it wrestling with the firewall on my Linux box.

This is also why people buy those toys from Linksys, they require little to no effort to use. Of course, their wireless offerings should ship secure by default, with a little plastic window on the bottom of the thing containing a card with the SSID and WEP keys on it—and a stack of pre-labeled cards to write future SSID and WEP keys on.

Aaaaanyways, having set up OpenVPN at work (ethernet bridge over TCP), I needed to punch through the firewall on my box so it was worth a damn. Unfortunately, adding the VPN network to the “Hosts allows to connect” list doesn’t work, since it still blocks the output. To fix this, you need to disable the firewall on your tap (or tun, if you’re using OpenVPN in a routed configuration) interface by adding the VPN network to your “allowed hosts” bit, and then adding the following lines to /etc/firestarter/user-pre:

$IPT -A INPUT -i tap+ -j ACCEPT
$IPT -A OUTPUT -o tap+ -j ACCEPT

What that means is: “let anything coming in (INPUT/-i) or going out (OUTPUT/-o) on any tap interface through.” Getting the connection to use the incoming/outgoing policies is the ideal case, but I didn’t really research into how to make it work beyond a little experimentation.
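
The two user-pre lines above accept everything on any tap interface. As an added example (not part of the original post and not Firestarter's own code), this script flags such interface-only ACCEPT rules in iptables-save output and prints a narrower pair limited to one VPN subnet; the sample ruleset, the 10.8.0.0/24 subnet, the function names and the narrower policy itself are constructed assumptions.

```shell
#!/bin/sh
# Added example: audit iptables-save output for interface-wide ACCEPT rules.

# Constructed sample ruleset (iptables-save format); not from a real host.
sample_rules() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i tap+ -j ACCEPT
-A OUTPUT -o tap+ -j ACCEPT
-A INPUT -i tap+ -s 10.8.0.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Print "CHAIN IFACE" for every ACCEPT rule whose only match is -i/-o,
# i.e. a rule that bypasses filtering for everything on that interface.
blanket_accepts() {
  awk '
    $1 == "-A" && ($2 == "INPUT" || $2 == "OUTPUT" || $2 == "FORWARD") {
      iface = ""; target = ""; narrowed = 0
      for (i = 3; i <= NF; i++) {
        if ($i == "-i" || $i == "-o") { iface = $(i + 1); i++ }
        else if ($i == "-j")          { target = $(i + 1); i++ }
        else                          { narrowed = 1 }  # -s, -p, -m, ...
      }
      if (target == "ACCEPT" && iface != "" && iface != "lo" && !narrowed)
        print $2, iface
    }'
}

# Emit narrower user-pre lines for one interface pattern and VPN subnet
# (hypothetical policy: only traffic from/to addresses inside the subnet).
scoped_rules() {
  iface=$1 net=$2
  case $net in
    # Reject anything that is not made of IPv4 CIDR characters.
    *[!0-9./]*|"") echo "bad subnet: $net" >&2; return 1 ;;
  esac
  printf '$IPT -A INPUT -i %s -s %s -j ACCEPT\n' "$iface" "$net"
  printf '$IPT -A OUTPUT -o %s -d %s -j ACCEPT\n' "$iface" "$net"
}

# Demo: audit the constructed sample, then print a scoped pair for tap+.
sample_rules | blanket_accepts
scoped_rules 'tap+' 10.8.0.0/24
```

On a live host the audit reads the real ruleset instead of the sample: iptables-save | blanket_accepts (run as root).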

3 thoughts on “OpenVPN and Firestarter”

  1. Firestarter should support OpenVPN on its next release.

    http://www.fs-security.com/docs/vpn.php

    That has the information on allowing VPNs for openvpn and other vpn stuff.

    For my lappy and network connection I use openvpn, network-manager, firestarter, and ipcop.

    Ipcop on my router at home. It’s just an old Dell stuffed full of old 3com nic cards. On that I have installed the Zarina OpenVPN add-on for Ipcop.

    http://home.arcor.de/u.altinkaynak/openvpn.html

    If you set that up then you go through their howto and you end up with a *.opvn file and a *.p12 file. That’s an openvpn configuration file, and the pk12 file is a PKCS12 encrypted file designed to allow for safe delivery of certificates.

    OpenVPN supports those in Linux, but unfortunately I couldn’t get it to work with Network-manager’s openvpn support. You copy those files to /etc/openvpn (in Debian Sid and probably Ubuntu), rename *.opvn to *.conf, restart openvpn with “/etc/init.d/openvpn restart” and are prompted for the password for the file. You give it and it connects.

    So all of that with network-manager allows me consistent and transparent to my desktop at home irregardless of what network I happen to be connected to at the time.

    Pretty neat stuff, I figure.

  2. You probably want to add the following if you use VMware:

    $IPT -A INPUT -i vmnet+ -j ACCEPT
    $IPT -A OUTPUT -o vmnet+ -j ACCEPT

    Cheers,
    Jason.

  3. I’ve just set up OpenVPN for my internal use only.
    I installed OpenVPN on Ubuntu 10.04 server and so far so good.
    Haven’t tried firestarter myself.
    But definitely try it. Thanks.
