LinuxQuestions.org

Linux - Server: iptables rules for using OpenVPN with Tor (https://www.linuxquestions.org/questions/linux-server-73/iptables-rules-for-using-openvpn-with-tor-4175732867/)

Jason.nix 01-17-2024 09:02 AM

iptables rules for using OpenVPN with Tor
 
Hello,
To set up a normal OpenVPN server, I use the following iptables rules:
Code:

# IF_MAIN=enp0s3
# IF_TUNNEL=tun0
# YOUR_OPENVPN_SUBNET=10.8.0.0/16
# iptables -I INPUT -p udp --dport 1194 -j ACCEPT
# iptables -A FORWARD -i $IF_MAIN -o $IF_TUNNEL -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A FORWARD -s $YOUR_OPENVPN_SUBNET -o $IF_MAIN -j ACCEPT
# iptables -t nat -A POSTROUTING -s $YOUR_OPENVPN_SUBNET -o $IF_MAIN -j MASQUERADE

I want to tunnel OpenVPN on Tor and I found the following iptables rules:
Code:

# export OVPN=tun0
# iptables -A INPUT -i $OVPN -s 10.8.0.0/24 -m state --state NEW -j ACCEPT
# iptables -t nat -A PREROUTING -i $OVPN -p udp --dport 53 -s 10.8.0.0/24 -j DNAT --to-destination 10.8.0.1:53530
# iptables -t nat -A PREROUTING -i $OVPN -p tcp -s 10.8.0.0/24 -j DNAT --to-destination 10.8.0.1:9040
# iptables -t nat -A PREROUTING -i $OVPN -p udp -s 10.8.0.0/24 -j DNAT --to-destination 10.8.0.1:9040

Are the iptables rules above enough or do I still need the iptables rules I use to set up a normal OpenVPN server?

Thank you.

michaelk 01-18-2024 12:34 PM

No expert, but I think you can configure OpenVPN to use Tor as a SOCKS proxy.
Tor configuration, add/modify:

SOCKSPort XXXX PreferSOCKSNoAuth (where XXXX is the desired port number)

Add to the OpenVPN client configuration:
socks-proxy localhost XXXX (Where XXXX is the port used above)

Jason.nix 01-18-2024 02:26 PM

Quote:

Originally Posted by michaelk (Post 6477704)
No expert, but I think you can configure OpenVPN to use Tor as a SOCKS proxy.
Tor configuration, add/modify:

SOCKSPort XXXX PreferSOCKSNoAuth (where XXXX is the desired port number)

Add to the OpenVPN client configuration:
socks-proxy localhost XXXX (Where XXXX is the port used above)

Hello,
Thank you so much for your reply.
I just want to know whether the second set of iptables rules is enough or not.

michaelk 01-18-2024 03:11 PM

I am not an expert...

I don't think there would be any changes to the rules. Tor would only be running on the client, not the server. The OpenVPN traffic at the server should be no different with or without Tor. When it leaves at the exit relay, traffic should just be the "normal" tunnel.

Once Tor is "on" on the client, OpenVPN traffic should automatically be routed through the SOCKS proxy on the client and travel through until it hits the exit relay. Once it exits, it again should be just the OpenVPN tunnel.

Jason.nix 01-19-2024 06:54 AM

Quote:

Originally Posted by michaelk (Post 6477732)
I am not an expert...

I don't think there would be any changes to the rules. Tor would only be running on the client, not the server. The OpenVPN traffic at the server should be no different with or without Tor. When it leaves at the exit relay, traffic should just be the "normal" tunnel.

Once Tor is "on" on the client, OpenVPN traffic should automatically be routed through the SOCKS proxy on the client and travel through until it hits the exit relay. Once it exits, it again should be just the OpenVPN tunnel.

Hello,
Thanks again.
So are both rules needed?

michaelk 01-19-2024 07:07 AM

Which rules are you asking about?

Jason.nix 01-20-2024 01:47 AM

Quote:

Originally Posted by michaelk (Post 6477861)
Which rules are you asking about?

Hello,
Are the following rules enough?
Code:

# export OVPN=tun0
# iptables -I INPUT -p udp --dport 1194 -j ACCEPT
# iptables -A INPUT -i $OVPN -s 10.8.0.0/24 -m state --state NEW -j ACCEPT
# iptables -t nat -A PREROUTING -i $OVPN -p udp --dport 53 -s 10.8.0.0/24 -j DNAT --to-destination 10.8.0.1:53530
# iptables -t nat -A PREROUTING -i $OVPN -p tcp -s 10.8.0.0/24 -j DNAT --to-destination 10.8.0.1:9040
# iptables -t nat -A PREROUTING -i $OVPN -p udp -s 10.8.0.0/24 -j DNAT --to-destination 10.8.0.1:9040


michaelk 01-20-2024 03:39 AM

On the vpn server side I don't think you need to change any rules at all.

On the client side, configure the VPN to use the Tor proxy as posted above. No special iptables rules are necessary.

That is as I understand how it works, unless you have a Tor server also running on the VPN server.

Jason.nix 01-20-2024 02:30 PM

Quote:

Originally Posted by michaelk (Post 6478069)
On the vpn server side I don't think you need to change any rules at all.

On the client side, configure the VPN to use the Tor proxy as posted above. No special iptables rules are necessary.

That is as I understand how it works, unless you have a Tor server also running on the VPN server.

Hello,
Thanks again.
Yes, Tor is running on the OpenVPN server.
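For the case the thread ends on, Tor running on the OpenVPN server itself, here is an added example (not posted by anyone in the thread) of how the two rule sets combine: the 1194 ACCEPT from the plain server set stays, the DNAT rules send client TCP and DNS to Tor's TransPort/DNSPort, and the FORWARD/MASQUERADE rules are left out so no client traffic can bypass Tor. Interface names, the subnet and the Tor ports are the thread's values, assumed here; DRY_RUN=1 (the default) prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread: server-side rules for OpenVPN clients
# transparently proxied through a Tor daemon on the same host. Values below
# are assumed from the thread (torrc would carry TransPort 10.8.0.1:9040 and
# DNSPort 10.8.0.1:53530). Run with DRY_RUN=0 as root to apply.
IF_MAIN="${IF_MAIN:-enp0s3}"
IF_TUNNEL="${IF_TUNNEL:-tun0}"
VPN_SUBNET="${VPN_SUBNET:-10.8.0.0/24}"
VPN_GW="${VPN_GW:-10.8.0.1}"                 # OpenVPN server address on tun0
TOR_TRANS_PORT="${TOR_TRANS_PORT:-9040}"    # Tor TransPort (TCP only)
TOR_DNS_PORT="${TOR_DNS_PORT:-53530}"        # Tor DNSPort

# Print the rule in dry-run mode, otherwise execute it.
ipt() {
  if [ "${DRY_RUN:-1}" = "1" ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}

build_rules() {
  # 1. Clients must still reach the OpenVPN daemon on the public interface.
  ipt -A INPUT -i "$IF_MAIN" -p udp --dport 1194 -j ACCEPT
  # 2. Redirect client DNS and TCP to Tor's listeners on the tun0 address.
  #    No UDP-to-TransPort rule: Tor's TransPort only accepts TCP, so DNAT of
  #    other UDP to it would never be answered.
  ipt -t nat -A PREROUTING -i "$IF_TUNNEL" -s "$VPN_SUBNET" -p udp --dport 53 \
      -j DNAT --to-destination "$VPN_GW:$TOR_DNS_PORT"
  ipt -t nat -A PREROUTING -i "$IF_TUNNEL" -s "$VPN_SUBNET" -p tcp \
      -j DNAT --to-destination "$VPN_GW:$TOR_TRANS_PORT"
  # 3. After DNAT the packets are addressed to this host, so they traverse
  #    INPUT (not FORWARD) and must be accepted there for Tor to see them.
  ipt -A INPUT -i "$IF_TUNNEL" -s "$VPN_SUBNET" -d "$VPN_GW" -p tcp --dport "$TOR_TRANS_PORT" -j ACCEPT
  ipt -A INPUT -i "$IF_TUNNEL" -s "$VPN_SUBNET" -d "$VPN_GW" -p udp --dport "$TOR_DNS_PORT" -j ACCEPT
  # 4. Leak guard: the FORWARD/MASQUERADE rules of a plain OpenVPN server are
  #    deliberately absent, and anything else from the VPN subnet is dropped,
  #    so client traffic cannot leave via the main interface outside Tor.
  ipt -A FORWARD -i "$IF_TUNNEL" -s "$VPN_SUBNET" -j DROP
  ipt -A INPUT -i "$IF_TUNNEL" -s "$VPN_SUBNET" -j DROP
}

# Count generated rules matching a pattern; lets the set be reviewed without root.
rule_count() { build_rules | grep -c -- "$1"; }

build_rules
```

Order matters: the ACCEPT rules are appended before the final DROPs, and because nat PREROUTING runs before INPUT, the INPUT rules match the post-DNAT destination port.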

