iptables rules for using OpenVPN with Tor

Jason.nix · 01-17-2024, 09:02 AM

Hello,
To set up a normal OpenVPN server, I use the following iptables rules:

Code:

# IF_MAIN=enp0s3
# IF_TUNNEL=tun0
# YOUR_OPENVPN_SUBNET=10.8.0.0/16
# iptables -I INPUT -p udp --dport 1194 -j ACCEPT
# iptables -A FORWARD -i $IF_MAIN -o $IF_TUNNEL -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A FORWARD -s $YOUR_OPENVPN_SUBNET -o $IF_MAIN -j ACCEPT
# iptables -t nat -A POSTROUTING -s $YOUR_OPENVPN_SUBNET -o $IF_MAIN -j MASQUERADE

I want to tunnel OpenVPN on Tor and I found the following iptables rules:

Code:

# export OVPN=tun0
# IPTABLES -A INPUT -i $OVPN -s 10.8.0.0/24 -m state --state NEW -j ACCEPT
# IPTABLES -t nat -A PREROUTING -i $OVPN -p udp --dport 53 -s 10.8.0.0/24 -j DNAT --to-destination 10.8.0.1:53530
# IPTABLES -t nat -A PREROUTING -i $OVPN -p tcp -s 10.8.0.0/24 -j DNAT --to-destination 10.8.0.1:9040
# IPTABLES -t nat -A PREROUTING -i $OVPN -p udp -s 10.8.0.0/24 -j DNAT --to-destination 10.8.0.1:9040

Are the iptables rules above enough or do I still need the iptables rules I use to set up a normal OpenVPN server?

Thank you.

michaelk · 01-18-2024, 12:34 PM

No expert but I think you can configure OpenVPN to use TOR as a socks proxy.
Tor configuration add/modify

SOCKSPort XXXX PreferSOCKSNoAuth (where XXXX is the desired port number)

Add to the open client configuration
socks-proxy localhost XXXX (Where XXXX is the port used above)

Jason.nix · 01-18-2024, 02:26 PM

Quote:

Originally Posted by michaelk

No expert but I think you can configure OpenVPN to use TOR as a socks proxy.
Tor configuration add/modify

SOCKSPort XXXX PreferSOCKSNoAuth (where XXXX is the desired port number)

Add to the open client configuration
socks-proxy localhost XXXX (Where XXXX is the port used above)

Hello,
Thank you so much for your reply.
I just want to know are the second iptables rules enough or not?

michaelk · 01-18-2024, 03:11 PM

I am not an expert...

I don't think there would be any changes to the rules. Tor would only be running on the client not the server. The OpenVPN traffic at the server should be no different with or without TOR. When it leaves at the exit relay traffic should just be the "normal" tunnel.

Once Tor is "on" on the client OpenVPN traffic should automatically be routed through the socks proxy on the client and travel through until it hits the exit relay. Once it exits it again should be just the OpenVPN tunnel.

Jason.nix · 01-19-2024, 06:54 AM

Quote:

Originally Posted by michaelk

I am not an expert...

I don't think there would be any changes to the rules. Tor would only be running on the client not the server. The OpenVPN traffic at the server should be no different with or without TOR. When it leaves at the exit relay traffic should just be the "normal" tunnel.

Once Tor is "on" on the client OpenVPN traffic should automatically be routed through the socks proxy on the client and travel through until it hits the exit relay. Once it exits it again should be just the OpenVPN tunnel.

Hello,
Thanks again.
So are both rules needed?

michaelk · 01-19-2024, 07:07 AM

Which rules are you asking about?

Jason.nix · 01-20-2024, 01:47 AM

Quote:

Originally Posted by michaelk

Which rules are you asking about?

Hello,
Are the following rules enough?

Code:

# export OVPN=tun0
# iptables -I INPUT -p udp --dport 1194 -j ACCEPT
# IPTABLES -A INPUT -i $OVPN -s 10.8.0.0/24 -m state --state NEW -j ACCEPT
# IPTABLES -t nat -A PREROUTING -i $OVPN -p udp --dport 53 -s 10.8.0.0/24 -j DNAT --to-destination 10.8.0.1:53530
# IPTABLES -t nat -A PREROUTING -i $OVPN -p tcp -s 10.8.0.0/24 -j DNAT --to-destination 10.8.0.1:9040
# IPTABLES -t nat -A PREROUTING -i $OVPN -p udp -s 10.8.0.0/24 -j DNAT --to-destination 10.8.0.1:9040

michaelk · 01-20-2024, 03:39 AM

On the vpn server side I don't think you need to change any rules at all.

On the client side configure the VPN to use the tor proxy as posted above. No special iptables rules are necessary.

As I understand how it works. Unless you have a tor server also running on the vpn server.

Jason.nix · 01-20-2024, 02:30 PM

Quote:

Originally Posted by michaelk

On the vpn server side I don't think you need to change any rules at all.

On the client side configure the VPN to use the tor proxy as posted above. No special iptables rules are necessary.

As I understand how it works. Unless you have a tor server also running on the vpn server.

Hello,
Thanks again.
Yes, the Tor is running on the OpenVPN server.