Openvpn issue
June 11, 2008 12:53 PM

OpenVPN and open ports question.

I'm running Ubuntu 8.04. I have a subscription to vpntunnel.co.uk and I use openvpn to connect - I used these instructions.

I can connect and use it with no problems.

However, when I am connected, my local ports (in particular SSH, samba etc, 80 etc) are then opened up to the world - and available on the VPN IP address - i.e. the one that's assigned to me when I connect.

I have only really confirmed this by doing a shields up test at grc.com, but I've noticed some strange activity in the samba logs, and what looks like various random (but valid) IP addresses trying to connect to my shares. Nothing and nobody as far as I can tell have actually accessed the box.

If I disconnect the VPN, I'm showing all ports stealthed on my usual ISP assigned IP address. I'm using a local firewall on the PC and my router denies all inbound traffic, I have no open ports on the router.

This sounds more like an OpenVPN issue but I don't know how to prevent those ports from being opened to the outside world. Can anyone help?
posted by daveyt to Computers & Internet (2 answers total)
You should be able to configure those services (SSH, Samba, HTTP) to listen only on a particular interface. If you tell them, for example, to listen on your internal IP (for example, 192.168.1.2), they won't bind to the VPN interface when it comes online. By default these services are probably configured to listen on 0.0.0.0 or * or some kind of wildcard that will match all interfaces.
posted by knave at 1:10 PM on June 11, 2008


What knave said about binding the applications to particular interfaces.

If you can't convince your apps to do that (the ones you've listed can do that with minor config changes), you can also turn on your firewall on the tun0 interface used by OpenVPN using something like:
iptables -A INPUT -p ALL -i tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p ALL -i tun0 -j DROP
That should block incoming packets on the tun0 interface, unless those packets are part of an established connection.
posted by chengjih at 7:42 PM on June 11, 2008
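Both answers come down to the same check: which services are listening on a wildcard address (0.0.0.0, *, :: or [::]) and so will also answer on tun0 once the VPN is up. The script below is an added example, not from the thread; it parses the output of `ss -lnt` or `netstat -lnt` (constructed sample lines are embedded so it runs offline) and lists the wildcard-bound ports. Those are the services that need either a bind-address change (for example `ListenAddress 192.168.1.2` in sshd_config, or `interfaces = eth0` plus `bind interfaces only = yes` in smb.conf) or the tun0 iptables rules from the answer above; the 192.168.1.2 address and the eth0 interface name are assumptions taken from knave's example.

```shell
#!/bin/sh
# Report listening TCP sockets bound to a wildcard address.
# Reads `ss -lnt` or `netstat -lnt` output on stdin and prints "port address".
# Added example; not code from the thread or from any project.
wildcard_listeners() {
    awk '
        # ss puts LISTEN in the first column, netstat in the last one;
        # in both formats the local address:port is the fourth field.
        $1 == "LISTEN" || $NF == "LISTEN" {
            n = split($4, parts, ":")
            port = parts[n]
            # everything before the final colon is the address
            # (handles "0.0.0.0", "*", "[::]" and bare ":::" forms)
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr == "0.0.0.0" || addr == "*" || addr == "[::]" || addr == "::")
                print port, addr
        }'
}

# Constructed sample in `ss -lnt` layout (not captured from a real host).
# 22 and 445 are wildcard-bound, 631 is loopback-only, 80 is pinned to the LAN IP.
SAMPLE_SS='State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port
LISTEN  0       128            0.0.0.0:22          0.0.0.0:*
LISTEN  0       50             0.0.0.0:445         0.0.0.0:*
LISTEN  0       128          127.0.0.1:631         0.0.0.0:*
LISTEN  0       128        192.168.1.2:80          0.0.0.0:*
LISTEN  0       128                  *:139               *:*
LISTEN  0       128               [::]:22             [::]:*'

# Constructed sample in `netstat -lnt` layout (the tool of the Ubuntu 8.04 era).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp6       0      0 :::139                  :::*                    LISTEN'

# Stand-alone run over the constructed samples; on a live box use:
#   ss -lnt | sh this_script.sh   (or)   netstat -lnt | ...
echo "wildcard listeners (ss sample):"
printf '%s\n' "$SAMPLE_SS" | wildcard_listeners
echo "wildcard listeners (netstat sample):"
printf '%s\n' "$SAMPLE_NETSTAT" | wildcard_listeners
```

Any port printed here is reachable on every interface, tun0 included, until the service is re-bound or the tun0 INPUT rules are in place; rerun the check after changing the configuration to confirm nothing is left on a wildcard address.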

