{"id":238,"date":"2016-06-12T15:07:54","date_gmt":"2016-06-12T19:07:54","guid":{"rendered":"https:\/\/www.grumpyland.com\/blog\/?p=238"},"modified":"2016-06-12T15:13:30","modified_gmt":"2016-06-12T19:13:30","slug":"making-csf-work-with-openvpn","status":"publish","type":"post","link":"https:\/\/www.grumpyland.com\/blog\/238\/making-csf-work-with-openvpn\/","title":{"rendered":"Making CSF work with OpenVPN"},"content":{"rendered":"<p>This guide will assume you have both Config Server Firewall (CSF) and OpenVPN already installed and working individually.<\/p>\n<p>To make CSF work with OpenVPN, you&#8217;ll need to create extra iptables rules. We do that by adding them to csfpre.sh.<\/p>\n<pre lang=\"sh\" line=\"1\" escaped=\"true\">nano \/etc\/csf\/csfpre.sh<\/pre>\n<p>If the file does not exist, you can create it. If it already exists, you should append to it.<\/p>\n<pre lang=\"sh\" line=\"1\" escaped=\"true\">iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT\r\niptables -A FORWARD -s 10.8.0.0\/24 -j ACCEPT\r\niptables -A FORWARD -j REJECT\r\niptables -t nat -A POSTROUTING -s 10.8.0.0\/24 -o eth0 -j MASQUERADE\r\niptables -t nat -A POSTROUTING -j SNAT --to-source 123.45.67.89<\/pre>\n<ul>\n<li>You may need to replace 10.8.0.0\/24 with the VPN subnet you assigned to your OpenVPN server. On CentOS\/RHEL that is typically set in \/etc\/openvpn\/server.conf; 10.8.0.0\/24 is the default.<\/li>\n<li>If your network interface is different, you may also need to replace eth0 with another. Run ifconfig to check.<\/li>\n<li>Lastly for this file, you will need to change 123.45.67.89 to your own server&#8217;s public IP.<\/li>\n<\/ul>\n<p>Next, open the ports for OpenVPN. 
Here is the relevant excerpt from the official OpenVPN <a href=\"https:\/\/docs.openvpn.net\/frequently-asked-questions\/\">FAQ page<\/a>.<\/p>\n<blockquote><p>Short answer: TCP 443, TCP 943, UDP 1194<\/p>\n<p>Long answer: By default OpenVPN Access Server has 2 OpenVPN daemons running. One of them on UDP port 1194 and another on TCP 443. We recommend that you use the UDP port because this functions better for an OpenVPN tunnel. However, many public locations block all sorts of ports except very common ones like http, https, ftp, pop3, and so on. Therefore we also have TCP 443 as an option. TCP port 443 is the default port for https:\/\/ (SSL) traffic and so this is usually allowed through at the user&#8217;s location.<\/p>\n<p>TCP port 943 is the port where the web server interface is listening by default. You can either approach this directly using a URL like https:\/\/yourserverhostnamehere:943\/ or by approaching it through the standard https:\/\/ port TCP 443, since the OpenVPN daemon will automatically internally route browser traffic to TCP 943 by default. (https:\/\/yourserverhostnamehere\/).<\/p><\/blockquote>\n<pre lang=\"sh\" line=\"1\" escaped=\"true\">nano \/etc\/csf\/csf.conf<\/pre>\n<p>Add the above ports to the following settings:<\/p>\n<pre lang=\"sh\" line=\"1\" escaped=\"true\">TCP_IN, TCP_OUT, UDP_IN, and UDP_OUT<\/pre>\n<p>Save, restart CSF, and you&#8217;re done!<\/p>\n<pre lang=\"sh\" line=\"1\" escaped=\"true\">csf -r<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>This guide will assume you have both Config Server Firewall (CSF) and OpenVPN already installed and working individually. To make CSF work with OpenVPN, you&#8217;ll need to create extra iptables rules. We do that by adding them to csfpre.sh. nano \/etc\/csf\/csfpre.sh If the file does not exist, you can create it. 
If it already exists, [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"_vp_format_video_url":"","_vp_image_focal_point":[],"footnotes":""},"categories":[15],"tags":[44,43],"class_list":["post-238","post","type-post","status-publish","format-standard","hentry","category-tutorial","tag-csf","tag-openvpn"],"_links":{"self":[{"href":"https:\/\/www.grumpyland.com\/blog\/wp-json\/wp\/v2\/posts\/238","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.grumpyland.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.grumpyland.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.grumpyland.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.grumpyland.com\/blog\/wp-json\/wp\/v2\/comments?post=238"}],"version-history":[{"count":9,"href":"https:\/\/www.grumpyland.com\/blog\/wp-json\/wp\/v2\/posts\/238\/revisions"}],"predecessor-version":[{"id":248,"href":"https:\/\/www.grumpyland.com\/blog\/wp-json\/wp\/v2\/posts\/238\/revisions\/248"}],"wp:attachment":[{"href":"https:\/\/www.grumpyland.com\/blog\/wp-json\/wp\/v2\/media?parent=238"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.grumpyland.com\/blog\/wp-json\/wp\/v2\/categories?post=238"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.grumpyland.com\/blog\/wp-json\/wp\/v2\/tags?post=238"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}