[Openvpn-users] firewalling TUN iface - how?

2021-05-02 Thread lejeczek via Openvpn-users

Hi guys.

Not being an expert, I expected that, on a Linux box, I can 
firewall 'tun0' of the ovpn server.
Using 'firewalld' I put 'tun0' into a dedicated zone and 
selected a few ports for access, but it turns out that 
clients see all ports as accessible.

Is that default & expected behaviour? If yes, then how do I 
change it; how do I firewall OVPN's server tun ifaces?

many thanks, L.


___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users


Re: [Openvpn-users] firewalling TUN iface - how?

2021-05-02 Thread Gert Doering
Hi,

On Sun, May 02, 2021 at 03:02:37PM +0100, lejeczek via Openvpn-users wrote:
> Not being an expert I expected that, on a Linux box, I can 
> firewall 'tun0' of ovpn server.
> Using 'firewalld' it put 'tun0' into a dedicated zone and 
> selected a few ports for access but it turns out that 
> clients see all ports as accessible.
> 
> Is that default & expected behaviour? If yes then how to 
> change it, how to firewall OVPN's server tun ifaces?
> many thanks, L.

I have no idea what firewalld is, but generally speaking, for the
OS kernel, "tun0" is "just a normal input/output interface".  So you
can apply iptables, pf, ... rules on it.

Now, for "client A talks to client B", there's a catch - if you put
"client-to-client" into the openvpn server config, OpenVPN will forward
the packets directly, bypassing tun0 firewalls.  Without client-to-client,
packets go to tun0, get firewalled, come back (or not).

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de




[Openvpn-users] Adding RSA-PSS support in pkcs11-helper

2021-05-02 Thread Selva Nair
Hi,

Currently RSA-PSS signatures are handled in pkcs11-helper by asking the
token to do raw RSA signature of data already padded by OpenSSL. Many new
hardware tokens refuse to support this mode and require the padding to be
done in hardware.

For a recent user report see this thread:
https://www.mail-archive.com/openvpn-users@lists.sourceforge.net/msg05732.html

Probably there are some related tickets on Trac too.

In OpenVPN, we have a couple of options to fix this:

(i) Use a different library like libp11 (for OpenSSL only).
(ii) Extend pkcs11-helper
(iii) Roll something new on our own :)

After some thought, I have decided that extending pkcs11-helper may be the
least painful approach --- not including the mental distress in getting
code reviews and changes accepted. The "helper" has several features that
we depend on and that are not readily available in alternatives.

If anyone is interested in testing this, see
https://github.com/selvanair/pkcs11-helper/releases/tag/pss-support

Though I've opened a PR at https://github.com/OpenSC/pkcs11-helper/pull/31,
it's only an RFC and would likely require some iterations.

Comments, suggestions for improvement, and test reports are most welcome.

Thanks,

Selva


Re: [Openvpn-users] firewalling TUN iface - how?

2021-05-02 Thread Kenneth Porter
--On Sunday, May 02, 2021 8:17 PM +0200 Gert Doering wrote:

> I have no idea what firewalld is, but generally speaking, for the
> OS kernel, "tun0" is "just a normal input/output interface".  So you
> can apply iptables, pf, ... rules on it.

firewalld is a wrapper around iptables or nft that defines zones and 
services and maps them onto low-level firewall commands. It's useful to use 
the iptables command to inspect the resulting low-level tables to see if 
they're doing what you expect. firewalld is designed to allow dynamic 
changing of rules through a D-Bus interface to a daemon.

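An added example that ties the two replies together (not code from the thread or the OpenVPN project): it parses a firewalld zone file and an OpenVPN server config, both constructed samples (the zone name "vpn" and its path are assumptions), and reports the situations in which zone rules on tun0 would not limit what VPN clients can reach, including Gert's client-to-client caveat. Kenneth's advice still stands: after such an audit, inspect the generated rules with iptables or nft.

```python
import xml.etree.ElementTree as ET

# Constructed sample zone file (assumed path /etc/firewalld/zones/vpn.xml),
# binding tun0 and exposing only ssh plus one TCP port.
ZONE_XML = """<zone target="default">
  <short>vpn</short>
  <interface name="tun0"/>
  <service name="ssh"/>
  <port port="8080" protocol="tcp"/>
</zone>
"""

# Constructed sample OpenVPN server config with client-to-client enabled.
SERVER_CONF = """
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
# inter-client traffic is switched inside OpenVPN, not via tun0
client-to-client
"""


def parse_zone(xml_text):
    """Return the zone target, bound interfaces and allowed services/ports."""
    root = ET.fromstring(xml_text)
    return {
        "target": root.get("target", "default"),
        "interfaces": [i.get("name") for i in root.findall("interface")],
        "services": [s.get("name") for s in root.findall("service")],
        "ports": [f"{p.get('port')}/{p.get('protocol')}" for p in root.findall("port")],
    }


def config_options(conf_text):
    """Collect option names from an OpenVPN config, skipping '#'/';' comments."""
    opts = set()
    for line in conf_text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", ";")):
            opts.add(line.split()[0])
    return opts


def audit(zone_xml, conf_text, iface="tun0"):
    """Flag settings under which zone rules do not limit what VPN clients reach."""
    zone, opts, findings = parse_zone(zone_xml), config_options(conf_text), []
    if iface not in zone["interfaces"]:
        findings.append(f"{iface} not bound to zone: its rules never see VPN traffic")
    if zone["target"] == "ACCEPT":
        findings.append("zone target ACCEPT: every port is reachable, service list is moot")
    if "client-to-client" in opts:
        findings.append(f"client-to-client set: inter-client packets bypass {iface} firewall rules")
    return zone, findings
```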