OpenVPN with CSF firewall rules
We are big fans of OpenVPN when it comes to security. Many organizations have already switched to OpenVPN from PPTP and similar protocols.
NixVPN is my favorite VPN software for hosting on a standalone instance. But what if you already have a server protected with the CSF firewall and want to install OpenVPN yourself? You may face some issues, such as enabling routing at the iptables level.
If you have already configured OpenVPN and authentication is working fine, but you still don't have internet access once connected, try the steps below.
Enable IP forwarding
On CentOS / RHEL 6, change
net.ipv4.ip_forward = 0
to
net.ipv4.ip_forward = 1
in /etc/sysctl.conf and run the command below to apply it:
sysctl -p
On CentOS / RHEL 7, create a new file /etc/sysctl.d/openvpn.conf and add the below content to it:
net.ipv4.ip_forward = 1
then restart the service so the new setting is loaded:
systemctl restart systemd-sysctl.service
Adding firewall rules to CSF
Note: If you are not using CSF, you can add the below rules directly to iptables.
Open the post-rules script with vim /etc/csf/csfpost.sh and add the below contents to it. CSF runs this script every time it (re)loads its own rules, so the OpenVPN rules survive a csf -r. Replace eth0 with your interface name.
# NAT VPN client traffic leaving through the public interface
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Accept traffic arriving on any tun interface (tun+ matches tun0, tun1, ...)
iptables -A INPUT -i tun+ -j ACCEPT
# Allow forwarding from and to the tunnel
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -o tun0 -j ACCEPT
# Allow only replies to existing connections between the tunnel and eth0
iptables -A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
Add +x permission to the file
chmod +x /etc/csf/csfpost.sh
Now disable and enable CSF to apply the rules.
csf -x && csf -e
Now re-connect your OpenVPN client and you will be able to access the internet.
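If clients still have no internet after this, the quickest way to find out which step was lost is to check the running kernel and ruleset rather than the config files. The script below is an added example, not part of the original post: it assumes eth0 as the WAN interface and tun0 as the tunnel (change both to match your box), and takes the concatenated output of iptables -S INPUT, iptables -S FORWARD and iptables -t nat -S POSTROUTING as input, with a constructed sample ruleset in place of a live one.

```shell
#!/bin/sh
# Added verification helper (not from the original post). Assumes WAN_IF=eth0
# and TUN_IF=tun0 as in the post; the ruleset text is what `iptables -S` prints.

# Exit 0 if net.ipv4.ip_forward is on. Reads /proc by default so it reflects
# the running kernel, not only what sysctl.conf says; a file path may be given.
ip_forward_enabled() {
  [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# The rules the post puts in csfpost.sh, in the form `iptables -S` lists them.
# Caveat: iptables-nft lists "-m state --state" as "-m conntrack --ctstate";
# adjust these expected lines to match your own `iptables -S` output.
required_rules() {
  wan="$1"; tun="$2"
  printf '%s\n' \
    "-A POSTROUTING -o $wan -j MASQUERADE" \
    "-A INPUT -i tun+ -j ACCEPT" \
    "-A FORWARD -i tun+ -j ACCEPT" \
    "-A FORWARD -o $tun -j ACCEPT" \
    "-A FORWARD -i tun+ -o $wan -m state --state RELATED,ESTABLISHED -j ACCEPT" \
    "-A FORWARD -i $wan -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT"
}

# missing_rules WAN_IF TUN_IF RULESET_TEXT: prints each required rule absent
# from RULESET_TEXT (whole-line match) and returns 1; returns 0 if all present.
missing_rules() {
  wan="$1"; tun="$2"; ruleset="$3"
  missing=$(required_rules "$wan" "$tun" | while IFS= read -r rule; do
    printf '%s\n' "$ruleset" | grep -qxF -- "$rule" || printf '%s\n' "$rule"
  done)
  [ -z "$missing" ] && return 0
  printf '%s\n' "$missing"
  return 1
}

# Constructed sample ruleset: the tun+/FORWARD rules are loaded but the NAT
# MASQUERADE rule is not, the usual cause of "VPN connected, no internet".
SAMPLE_RULESET='-P INPUT DROP
-P FORWARD DROP
-A INPUT -i tun+ -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -o tun0 -j ACCEPT
-A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
-P POSTROUTING ACCEPT'

missing_rules eth0 tun0 "$SAMPLE_RULESET" || echo "rules above are missing: is /etc/csf/csfpost.sh executable and was csf -e run?"
```

On a live server, replace SAMPLE_RULESET with "$(iptables -S INPUT; iptables -S FORWARD; iptables -t nat -S POSTROUTING)" and also call ip_forward_enabled without arguments.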
1 thought on “OpenVPN with CSF firewall rules”
Nice one, thanks!