Firewall rules, Mail In A Box and OpenVPN


#1

Situation

Part of the situation that I’m running on my MIAB machine is that part of the time I use it as a traffic concentrator when I’m traveling. Aka OpenVPN I want my data to cross back into a country I trust a bit more when I’m abroad. The reason I’m even running MIAB is that theres tonnes of time when this machine isn’t really being used where I might as well be using it for something else. Turns out MIAB is a super great solution. Especially since I don’t really care for the situation where I have to trust cloud providers too much. ( I realise trusting a VPS provider is also technically in the same boat ).

The problem

Thing is, I use this OpenVPN for way more then just web browsing and a lot of things like browser extensions that rely on things like Sync functions die because I don’t want to sit here and argue with firewall rules. Would it be possible to set priorities in UFW or something where the ports that Fail2Ban will be able to apply special limitations etc… but basically allow all other traffic? I know that it was recommended to me in another thread to just run ufw default allow outgoing. Which solves part of the problem but not the whole problem.

The thing is, I’ve got a firewall installed inside of my machines so that I know what traffic is going through my network cards locally. So I could effectively just write down all of the individual ports on a piece of paper and do UFW allow for every service ever but this is going to require about 700 UFW rules. example

I don’t want to do that at the very least not manually.

The simplest solution that I can think of

The easiest solution that I can imagine is to just do something like ufw default allow incoming then just hope that MIAB will just restrict access when needed.

The ruleset that came with MIAB

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
53                         ALLOW       Anywhere
25/tcp                     ALLOW       Anywhere
587                        ALLOW       Anywhere
993                        ALLOW       Anywhere
995                        ALLOW       Anywhere
4190/tcp                   ALLOW       Anywhere
80                         ALLOW       Anywhere
443                        ALLOW       Anywhere
22 (v6)                    ALLOW       Anywhere (v6)
53 (v6)                    ALLOW       Anywhere (v6)
25/tcp (v6)                ALLOW       Anywhere (v6)
587 (v6)                   ALLOW       Anywhere (v6)
993 (v6)                   ALLOW       Anywhere (v6)
995 (v6)                   ALLOW       Anywhere (v6)
4190/tcp (v6)              ALLOW       Anywhere (v6)
80 (v6)                    ALLOW       Anywhere (v6)
443 (v6)                   ALLOW       Anywhere (v6)

#2

Correct me if I am wrong.

You want to use MIAB + OpenVPN to have your internet traffic (web browsing or otherwise) go through your MIAB server, right?


#3

That’s what I’m looking for yeah basically. The problem basically in abstract is the fact that the various ports that everything needs gets exhausting.


#4

Leave ufw alone on the MIAB server, do the following:

  1. Use the following to install openVPN: https://github.com/Nyr/openvpn-install (Take not of ports, usernames, and passwords as they ARE SEPARATE FROM MIAB. (Once OpenVPN is installed, forget about MIAB for a minute.)(Configure the server to be a “Gateway”)

  2. Run ufw allow 1194 (Or whatever port you decided to use during OpenVPN installation)

  3. Add users as needed using the script above.

  4. Once the port is open on MIAB open it on your modem as well pointing to MIAB server. (If you are on a VPS ignore this step)

  5. Test account login using openvpn for your phone, another computer, etc from OUTSIDE the network the MIAB server is on.

You should be able to login. Once logged in, and connected, openvpn will route all traffic while on the VPN through the MIAB server. Since ufw defaults to allow ALL OUTBOUND CONNECTIONS NOTHING ELSE IS NEEDED. There is no reason to complicate all this just to route your traffic.

Confirm the routing works by visiting icanhazip.com in your browser. It should have the same IP address as your MIAB server. (Externally anyway)


#5

So the issue isn’t getting OpenVPN to reroute the traffic. That’s working perfectly and so long as ufw is disabled all of my programs work on my local machine. The problem exists in the fact that I have a lot of programs locally that fail to work like for example DiscordApp begins to spin its wheels and timing out when ufw is enabled on the VPN/MIAB.

Unfortunately, I’ve been using https://github.com/Angristan/OpenVPN-install.git and not nyr’s because I’ve run into compatibility issues with Nyr’s configuration.


#6

Either Nyrs or Angristan’s is fine.

And what do you mean it spins? Can you open debug on it? (CTRL+SHIFT+I)


#7

Sorry by “spins its wheels” I’m implying like the loading circle thing on a web browser when a page is loading. But in this case its in regards to Discord itself among other things. It seems that opening outgoing allow on the UFW firewall doesn’t necessarily allow all communications.

So imagine an application like Skype ( I have no idea what ports it requires I think it requires a range ) is trying to connect to its servers. It may use port 443 (https) but it ends up also needing ports 64000 through 65000 both inbound and outbound. I know that UFW can do port ranges but I think that the easiest solution would be to just allow incoming and outgoing and then let fail2ban block connections as it is behaving like a blacklist.


#8

At this point I cannot recommend you do that. It’s a huge security risk. I’d do some research on the applications you plan on using and open ports to the VPN network as needed.


#9

Well, realistically all that I need to do is protect the email services. Everything else is pretty well locked down.


#10

Run a network analyzer locally and go through your daily workflow. When something breaks take note of the ports & modify ufw. It shouldn’t take that long until you’ve accounted for everything.


#11

Already running LittleSnitch on my local machines I think UFW would need to handle about 300 rules at least. If there was some kind of way to automate this I’d be over the moon.


#12

Here’s the full guide on it and all the VPN related stuff https://www.bestvpnrating.com/.