Opened 12 months ago

Closed 5 months ago

#1312 closed User question (fixed)

Fate of the packet filter ?

Reported by: tct Owned by:
Priority: minor Milestone:
Component: Generic / unclassified Version:
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords: packet-filter
Cc: tct

Description (last modified by tct)

What is to become of the OpenVPN built-in packet filter (PF) ?

Options for the future of the PF:

  • Drop it - OpenVPN should not be a firewall.
  • Keep it - OpenVPN can be more than a VPN.

If "Drop it" then close this ticket.

If "Keep it" then Why / How ?

Summary of key points:

  • The PF is not built-in, it is only available via a plugin.
  • The PF is IPv4 only.
  • The PF is not widely used.
  • Maintaining the PF code is an unwanted developer burden.

The rest is only optional ideas

Why:

  • Present the user with a unified VPN/PF interface.
  • If OpenVPN is to maintain a packet-filter then it should be in-house.
  • Other reasons ..

How:

Requires two new Server side options: eg. --pf-enable and --pf-allow $CIDR

Rules:

  • DEFAULT ALLOW All.
  • If --pf-enable then DROP all data channel packets.
  • If --server-(ipv6) then ALLOW server(v6) host IP.
  • If --server-(ipv6) & --client-to-client then ALLOW server(v6) CIDR (See note 5).
  • If push "route(-ipv6)" then ALLOW route(v6) CIDR.
  • If --server(-ipv6) & push "redirect-gateway-(ipv6) then ALLOW ALL (Disable client PF).

Customisation:

  • Requires --client-config-dir
  • Include DEFAULT --client-config-dir template.
  • ALLOW by --pf-allow CIDR (See Note 1).
  • Mutually exclusive to any --push redirection (See note 4)
  • Option: --pf-enable route-only, which would DROP server subnet(v6) and only ALLOW pushed routes.

Note 1: If the user wants to over-ride Rules then they can use their real firewall. eg netfilter.

Note 2: IPv6 may also require some built-in rules.

Note 3: --mode server required (otherwise use your OS PF).

Note 4: If the client redirects their own gateway then the prior server rules will have priority.

Note 5: Having enabled --client-to-client, this is the one place where an OpenVPN PF has value. Who can see who ?

Change History (8)

comment:1 Changed 12 months ago by tct

Priority: majorminor

comment:2 Changed 12 months ago by tct

Cc: tct added

comment:3 Changed 12 months ago by tct

Description: modified (diff)

comment:4 Changed 12 months ago by tct

Description: modified (diff)

comment:5 Changed 12 months ago by tct

Description: modified (diff)

comment:6 Changed 12 months ago by tct

Description: modified (diff)

comment:7 Changed 10 months ago by Gert Döring

also, #636

comment:8 Changed 5 months ago by tct

Resolution: fixed
Status: newclosed

Superseded by #1379

Note: See TracTickets for help on using tickets.