Making CSF work with OpenVPN

This guide will assume you have both Config Server Firewall (CSF) and OpenVPN already installed and working individually.

To make CSF work with OpenVPN, you’ll need to add some extra iptables rules. We do that by putting them in csfpre.sh.

nano /etc/csf/csfpre.sh

If the file does not exist, you can create it. If it already exists, you should append to it.

# allow return traffic for forwarded connections that are already established
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# allow traffic from the VPN subnet to be forwarded
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
# reject any other forwarded traffic
iptables -A FORWARD -j REJECT
# masquerade VPN client traffic leaving via eth0
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
# source-NAT all remaining outbound traffic to the server's public IP
iptables -t nat -A POSTROUTING -j SNAT --to-source 123.45.67.89
  • You may need to replace 10.8.0.0/24 with the VPN subnet you assigned to your OpenVPN server, which is typically set in /etc/openvpn/server.conf on CentOS/RHEL. 10.8.0.0/24 is the default.
  • If your network interface is different, you may also need to replace eth0 with another. Run ifconfig to check.
  • Lastly for this file, you will need to change 123.45.67.89 to your own server’s public IP.

Next, open the ports for OpenVPN. Here is an excerpt on that from the official OpenVPN FAQ page.

Short answer: TCP 443, TCP 943, UDP 1194

Long answer: By default OpenVPN Access Server has 2 OpenVPN daemons running. One of them on UDP port 1194 and another on TCP 443. We recommend that you use the UDP port because this functions better for an OpenVPN tunnel. However, many public locations block all sorts of ports except very common ones like http, https, ftp, pop3, and so on. Therefore we also have TCP 443 as an option. TCP port 443 is the default port for https:// (SSL) traffic and so this is usually allowed through at the user’s location.

TCP port 943 is the port where the web server interface is listening by default. You can either approach this directly using a URL like https://yourserverhostnamehere:943/ or by approaching it through the standard https:// port TCP 443, since the OpenVPN daemon will automatically internally route browser traffic to TCP 943 by default. (https://yourserverhostnamehere/).

nano /etc/csf/csf.conf

And add the above ports to the lines:

TCP_IN, TCP_OUT, UDP_IN, and UDP_OUT

Save, restart CSF, and you’re done!

csf -r
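One way to make the csf.conf step repeatable, as an added example that is not code from the original post or from CSF itself: a POSIX shell function that merges ports into the TCP_IN/TCP_OUT/UDP_IN/UDP_OUT lines without duplicating ones already listed (the stock TCP_IN already contains 443, so naive appending would list it twice). The csf.conf excerpt in the demo is constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original post. Merges ports into a csf.conf
# setting line such as   TCP_IN = "20,21,22,443"   without duplicating ports
# that are already listed (CSF's stock TCP_IN already contains 443).
csf_add_ports() {
    line=$1; shift
    key=${line%%=*}                     # 'TCP_IN ' (with trailing blanks)
    key=${key%"${key##*[! ]}"}          # strip the trailing blanks
    current=${line#*\"}                 # text after the opening quote
    current=${current%\"*}              # ... up to the closing quote
    for port in "$@"; do
        case ",$current," in
            *",$port,"*) ;;             # already present: leave as is
            *) current="${current:+$current,}$port" ;;
        esac
    done
    printf '%s = "%s"\n' "$key" "$current"
}

# Rewrite every WANT = "..." line in FILE (a csf.conf) so that it lists PORTS.
# Lines for other keys, including TCP6_IN when WANT is TCP_IN, are untouched.
csf_merge_ports_in_file() {
    file=$1; want=$2; shift 2
    tmp=$(mktemp) || return 1
    while IFS= read -r l || [ -n "$l" ]; do
        case $l in
            "$want "*|"$want="*) csf_add_ports "$l" "$@" ;;
            *) printf '%s\n' "$l" ;;
        esac
    done < "$file" > "$tmp" && mv "$tmp" "$file"
}

# Demo on a constructed csf.conf excerpt: open the ports the post lists
# (TCP 443 and 943, UDP 1194) in both directions.
demo_csf_conf() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/csf.conf" <<'EOF'
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"
UDP_IN = "20,21,53"
UDP_OUT = "20,21,53,113,123"
EOF
    for k in TCP_IN TCP_OUT; do csf_merge_ports_in_file "$dir/csf.conf" "$k" 443 943; done
    for k in UDP_IN UDP_OUT; do csf_merge_ports_in_file "$dir/csf.conf" "$k" 1194; done
    cat "$dir/csf.conf"                 # 443 appears once; 943 and 1194 are appended
    rm -rf "$dir"
}
demo_csf_conf
```

Run it against a copy of /etc/csf/csf.conf first, then `csf -r` as above once the lines look right.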

4 thoughts on “Making CSF work with OpenVPN”

  1. shunkica, Jan 10, 2019 6:21 pm

    These rules in csfpre.sh will break many services on WHM/cPanel servers, mail servers, etc.
    Use this instead, replace tun0, eth0 and 10.8.0.0 with values specific to your server if they are different.

    iptables -A INPUT -i tun0 -j ACCEPT
    iptables -A OUTPUT -o tun0 -j ACCEPT
    iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
    iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT
    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

  2. Aitor, Sep 5, 2019 5:08 am

    It worked for me, thank you.

  3. Chris, Nov 8, 2020 7:19 am

    Thanks, worked for me too!!

  4. nader, Jul 11, 2021 3:32 am

    thanks, pls share a new post with shadowsocks
