Opened 4 years ago
Closed 3 years ago
#1312 closed User question (fixed)
Fate of the packet filter ?
Reported by: | tct | Owned by: | |
---|---|---|---|
Priority: | minor | Milestone: | |
Component: | Generic / unclassified | Version: | |
Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | packet-filter |
Cc: | tct |
Description
What is to become of the OpenVPN built-in packet filter (PF) ?
Options for the future of the PF:
- Drop it - OpenVPN should not be a firewall.
- Keep it - OpenVPN can be more than a VPN.
If "Drop it" then close this ticket.
If "Keep it" then Why / How ?
Summary of key points:
- The PF is not built-in, it is only available via a plugin.
- The PF is IPv4 only.
- The PF is not widely used.
- Maintaining the PF code is an unwanted developer burden.
The rest is only optional ideas
Why:
- Present the user with a unified VPN/PF interface.
- If OpenVPN is to maintain a packet-filter then it should be in-house.
- Other reasons ..
How:
Requires two new Server side options: eg. --pf-enable and --pf-allow $CIDR
Rules:
- DEFAULT ALLOW All.
- If --pf-enable then DROP all data channel packets.
- If --server-(ipv6) then ALLOW server(v6) host IP.
- If --server-(ipv6) & --client-to-client then ALLOW server(v6) CIDR (See note 5).
- If push "route(-ipv6)" then ALLOW route(v6) CIDR.
- If --server(-ipv6) & push "redirect-gateway-(ipv6)" then ALLOW ALL (Disable client PF).
Customisation:
- Requires --client-config-dir
- Include DEFAULT --client-config-dir template.
- ALLOW by --pf-allow CIDR (See Note 1).
- Mutually exclusive to any --push redirection (See note 4)
- Option: --pf-enable route-only, which would DROP server subnet(v6) and only ALLOW pushed routes.
Note 1: If the user wants to over-ride Rules then they can use their real firewall. eg netfilter.
Note 2: IPv6 may also require some built-in rules.
Note 3: --mode server required (otherwise use your OS PF).
Note 4: If the client redirects their own gateway then the prior server rules will have priority.
Note 5: Having enabled --client-to-client, this is the one place where an OpenVPN PF has value. Who can see who ?
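As an added illustration (not OpenVPN code; the --pf-enable, --pf-allow and route-only options exist only as this ticket's proposal), a Python model of the rule derivation described above: it builds the allow set from a constructed server configuration and reports whether a data-channel packet to a given destination would pass. It assumes the server host IP is the first usable address of the --server subnet, as OpenVPN assigns it in tun mode.

```python
import ipaddress

# Constructed model of the proposed rules; option names follow the ticket's
# proposal (--pf-enable, --pf-allow, "route-only") and are not OpenVPN options.
# Assumption: the server host IP is the first usable address of the subnet.
def derive_allow_set(cfg):
    """Return (allow_all, networks) for a server configuration dict with the
    optional keys: pf_enable, route_only, client_to_client, redirect_gateway
    (bools), server, server_ipv6 (CIDR strings), routes, pf_allow (CIDR lists)."""
    # Rule: DEFAULT ALLOW all; nothing is filtered without --pf-enable.
    if not cfg.get("pf_enable"):
        return True, []
    # Customisation: --pf-allow is mutually exclusive with a pushed redirection.
    if cfg.get("redirect_gateway") and cfg.get("pf_allow"):
        raise ValueError("--pf-allow cannot be combined with a pushed redirect-gateway")
    # Rule: --server(-ipv6) plus push "redirect-gateway" => ALLOW ALL (client PF off).
    if cfg.get("redirect_gateway") and (cfg.get("server") or cfg.get("server_ipv6")):
        return True, []
    allowed = []
    for key in ("server", "server_ipv6"):
        if not cfg.get(key) or cfg.get("route_only"):
            continue  # "route-only": DROP the server subnet, keep only pushed routes
        net = ipaddress.ip_network(cfg[key], strict=False)
        # Rule: ALLOW the server(v6) host IP (first usable address, as a /32 or /128).
        host = next(net.hosts())
        allowed.append(ipaddress.ip_network(f"{host}/{net.max_prefixlen}"))
        # Rule: with --client-to-client, ALLOW the whole server(v6) CIDR (note 5).
        if cfg.get("client_to_client"):
            allowed.append(net)
    # Rule: every pushed route(-ipv6) CIDR is allowed.
    # Customisation: --pf-allow CIDR adds per-client allowances (note 1).
    for cidr in cfg.get("routes", []) + cfg.get("pf_allow", []):
        allowed.append(ipaddress.ip_network(cidr, strict=False))
    return False, allowed

def packet_allowed(cfg, dst):
    """Would a data-channel packet to destination dst pass the derived rules?"""
    allow_all, nets = derive_allow_set(cfg)
    if allow_all:
        return True
    addr = ipaddress.ip_address(dst)
    # An IPv4 address is never "in" an IPv6 network, so mixed lists are safe.
    return any(addr in net for net in nets)

if __name__ == "__main__":
    # Constructed sample: one server subnet and one pushed route, no client-to-client.
    cfg = {"pf_enable": True, "server": "10.8.0.0/24", "routes": ["192.168.10.0/24"]}
    for dst in ("10.8.0.1", "10.8.0.5", "192.168.10.7", "8.8.8.8"):
        print(dst, packet_allowed(cfg, dst))
```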
Change History (8)
comment:1 Changed 4 years ago: Priority: major → minor
comment:2 Changed 4 years ago: Cc: tct added
comment:3 Changed 4 years ago: Description: modified (diff)
comment:4 Changed 4 years ago: Description: modified (diff)
comment:5 Changed 4 years ago: Description: modified (diff)
comment:6 Changed 4 years ago: Description: modified (diff)
also, #636