http://ask.metafilter.com/93813/Openvpn-issue/ Comments on Ask MetaFilter post Openvpn issue Wed, 11 Jun 2008 13:10:08 -0800 Wed, 11 Jun 2008 13:10:08 -0800 en-us http://blogs.law.harvard.edu/tech/rss 60 http://ask.metafilter.com/93813/Openvpn-issue OpenVPN and open ports question. <br /><br /> I'm running Ubuntu 8.04. I have a subscription to<a href="http://www.vpntunnel.co.uk"> vpntunnel.co.uk</a> and I use openvpn to connect - I used <a href="http://www.vpntunnel.co.uk/blog/?p=5">these instructions </a>.<br> <br> I can connect and use it with no problems. <br> <br> However, when I am connected, my local ports (in particular SSH, samba etc, 80 etc) are then opened up to the world - and available on the VPN IP address - ie the one thats assigned to me when I connect.<br> <br> I have only really confirmed this by doing a shields up test at grc.com, but I've noticed some strange activity in the samba logs, and what looks like various random (but valid) IP addresses trying to connect to my shares. Nothing and nobody as far as I can tell have actually accessed the box.<br> <br> If i disconnect the VPN, I'm showing all ports stealthed on my usual ISP assigned IP address. I'm using a local firewall on the PC and my router denies all inbound traffic, I have no open ports on the router.<br> <br> This sounds more like an OpenVPN issue but I dont know how to prevent those ports from being opened to the outside world. Can anyone help? post:ask.metafilter.com,2008:site.93813 Wed, 11 Jun 2008 12:53:58 -0800 daveyt openvpn http://ask.metafilter.com/93813/Openvpn-issue#1372184 You should be able to configure those services (SSH, Samba, HTTP) to listen only on a particular interface. If you tell them, for example, to listen on your internal IP (for example, 192.168.1.2), they won't bind to the VPN interface when it comes online. By default these services are probably configured to listen on 0.0.0.0 or * or some kind of wildcard that will match all interfaces. comment:ask.metafilter.com,2008:site.93813-1372184 Wed, 11 Jun 2008 13:10:08 -0800 knave http://ask.metafilter.com/93813/Openvpn-issue#1372678 What knave said about binding the applications to particular interfaces.<br> <br> If you can't convince your apps to do that (the ones you've listed can do that with minor config changes), you can also turn on your firewall on the tun0 interface used by OpenVPN using something like:<br> <br> <blockquote><br> iptables -A INPUT -p ALL -i tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT<br> iptables -A INPUT -p ALL -i tun0 -j DROP<br> </blockquote><br> <br> That should block incoming packets on the tun0 interface, unless those packets are part of an established connection. comment:ask.metafilter.com,2008:site.93813-1372678 Wed, 11 Jun 2008 19:42:10 -0800 chengjih