Firewall

The script automatically configures the firewall during installation. It detects the available firewall backend and applies the appropriate rules.

Firewall Backends

The script supports three firewall backends, chosen automatically based on what is available on the system:

Backend     Used On                      Priority
firewalld   RHEL, Fedora, CentOS         1st (preferred)
nftables    Modern Linux distributions   2nd
iptables    Legacy systems / fallback    3rd
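The selection order above, written out as a small POSIX sh helper. This is an added example, not code from the install script itself: select_backend takes availability flags so the priority chain can be exercised without root or a real firewall, and detect_backend fills those flags from PATH. Treating firewalld as available only when its daemon answers firewall-cmd --state is an assumption of this example, not something the page states.

```shell
#!/bin/sh
# Added example (not the install script's own code): choose the firewall
# backend in the page's priority order: firewalld, then nftables, then iptables.

# select_backend <firewalld 1/0> <nft 1/0> <iptables 1/0>
# Prints the chosen backend; prints "none" and returns 1 if nothing is usable.
select_backend() {
    if [ "$1" = 1 ]; then
        echo firewalld
    elif [ "$2" = 1 ]; then
        echo nftables
    elif [ "$3" = 1 ]; then
        echo iptables
    else
        echo none
        return 1
    fi
}

# have_cmd <name>: true if the binary is on PATH.
have_cmd() { command -v "$1" >/dev/null 2>&1; }

# detect_backend: probe the running system and feed the flags to select_backend.
# Assumption of this example: firewalld only counts when the daemon is running,
# because firewall-cmd cannot apply rules otherwise; nft and iptables only need
# the binary to be present.
detect_backend() {
    fw=0; nft=0; ipt=0
    if have_cmd firewall-cmd && firewall-cmd --state >/dev/null 2>&1; then fw=1; fi
    if have_cmd nft; then nft=1; fi
    if have_cmd iptables; then ipt=1; fi
    select_backend "$fw" "$nft" "$ipt"
}
```

Running `detect_backend` on a host prints the backend the chain would pick there; the installer would then branch into the firewalld, nftables or iptables rule set described in the following sections.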

firewalld

Used primarily on RHEL-based distributions (Fedora, Rocky, Alma, CentOS).

Rules applied:

# Open the OpenVPN port
firewall-cmd --permanent --add-port=1194/udp

# Masquerade (NAT)
firewall-cmd --permanent --add-masquerade

# IPv4 source NAT for the VPN subnet
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.8.0.0/24" masquerade'

# IPv6 source NAT for the VPN subnet (if IPv6 is enabled)
firewall-cmd --permanent --add-rich-rule='rule family="ipv6" source address="fd42:42:42:42::/112" masquerade'

SELinux

If SELinux is active and a non-standard port is used, the script adds a port rule:

semanage port -a -t openvpn_port_t -p udp 1194

nftables

Rules are stored in /etc/nftables/openvpn.nft and included in the main nftables configuration.

Example rules:

table ip openvpn {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        ip saddr 10.8.0.0/24 masquerade
    }
    chain forward {
        type filter hook forward priority filter; policy accept;
        ip saddr 10.8.0.0/24 accept
        ip daddr 10.8.0.0/24 ct state related,established accept
    }
}

With IPv6 support, equivalent ip6 table rules are added.
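Keeping /etc/nftables/openvpn.nft hooked into the main configuration, and unhooking it on uninstall, as an added example that is not the install script's own code. The include is added only if absent so a re-run never duplicates it, and removed by exact line match. The main configuration path is a parameter; /etc/nftables.conf is an assumption about where a given distribution keeps it. check_rules wraps nft -c -f (a parse-only dry run) and is only meaningful on a host with nftables installed.

```shell
#!/bin/sh
# Added example (not the install script's own code): manage the include line
# for the OpenVPN nftables rules file idempotently.

NFT_RULES=/etc/nftables/openvpn.nft   # path from the page
NFT_MAIN=/etc/nftables.conf           # assumption: distro's main nftables config

# ensure_include <main.conf> <rules file>: append the include only if it is
# not already present, so repeated installs leave exactly one copy.
ensure_include() {
    conf=$1; rules=$2
    line="include \"$rules\""
    if ! grep -qxF "$line" "$conf" 2>/dev/null; then
        printf '%s\n' "$line" >> "$conf"
    fi
}

# remove_include <main.conf> <rules file>: drop the exact include line and
# leave everything else untouched (used by the uninstall path).
remove_include() {
    conf=$1; rules=$2
    tmp=$(mktemp)
    grep -vxF "include \"$rules\"" "$conf" > "$tmp" || :
    cat "$tmp" > "$conf"   # rewrite in place to keep the file's inode and mode
    rm -f "$tmp"
}

# include_count <main.conf> <rules file>: number of matching include lines.
include_count() {
    grep -cxF "include \"$2\"" "$1" 2>/dev/null || true
}

# check_rules <rules file>: dry-run parse with nft, applying nothing.
# Requires nftables on the host; not exercised in the tests.
check_rules() { nft -c -f "$1"; }
```

On a real host the sequence is: write openvpn.nft, run `check_rules /etc/nftables/openvpn.nft`, then `ensure_include "$NFT_MAIN" "$NFT_RULES"`; uninstall calls `remove_include` with the same arguments before deleting the rules file.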

iptables

For systems without firewalld or nftables, the script uses iptables with helper scripts:

File                                  Description
/etc/iptables/add-openvpn-rules.sh    Script to add firewall rules
/etc/iptables/rm-openvpn-rules.sh     Script to remove firewall rules
iptables-openvpn.service              Systemd service for rule persistence

The systemd service ensures rules are applied at boot and removed on shutdown.

Example rules:

# NAT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

# Forwarding
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -d 10.8.0.0/24 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
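How the add/remove helper pair and the systemd unit fit together, as an added example rather than the install script's own files. The remove script is derived from the add script by rewriting every -A into -D, so the two cannot drift apart when rules change. The output directory, subnet, port and interface are parameters of this example; 10.8.0.0/24, 1194 and eth0 are constructed sample values, and the INPUT rule opening the UDP port is this example's iptables counterpart of the firewalld --add-port rule above.

```shell
#!/bin/sh
# Added example (not the install script's own helper files): render
# add-openvpn-rules.sh, derive rm-openvpn-rules.sh from it, and render the
# iptables-openvpn.service unit that applies them at boot and removes them on stop.

# render_add_rules <subnet> <port> <iface>: the add script on stdout.
render_add_rules() {
    subnet=$1; port=$2; iface=$3
    cat <<EOF
#!/bin/sh
# Accept OpenVPN traffic to the server itself (example's equivalent of --add-port)
iptables -A INPUT -i $iface -p udp --dport $port -j ACCEPT
# NAT
iptables -t nat -A POSTROUTING -s $subnet -o $iface -j MASQUERADE
# Forwarding
iptables -A FORWARD -s $subnet -j ACCEPT
iptables -A FORWARD -d $subnet -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
EOF
}

# derive_rm_rules: read an add script on stdin, emit the matching remove script.
# Only the iptables lines change (-A -> -D); shebang and comments are kept.
derive_rm_rules() {
    sed 's/^\(iptables.*\) -A /\1 -D /'
}

# render_unit: the oneshot unit; paths are the ones the page lists.
render_unit() {
    cat <<'EOF'
[Unit]
Description=iptables rules for OpenVPN
Before=network-online.target

[Service]
Type=oneshot
ExecStart=/etc/iptables/add-openvpn-rules.sh
ExecStop=/etc/iptables/rm-openvpn-rules.sh
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
EOF
}

# write_helpers <dir> <subnet> <port> <iface>: write both scripts, executable.
write_helpers() {
    dir=$1
    render_add_rules "$2" "$3" "$4" > "$dir/add-openvpn-rules.sh"
    derive_rm_rules < "$dir/add-openvpn-rules.sh" > "$dir/rm-openvpn-rules.sh"
    chmod 0755 "$dir/add-openvpn-rules.sh" "$dir/rm-openvpn-rules.sh"
}

# Stand-alone use: ./this.sh --demo renders into a scratch directory and prints
# the derived remove script.
if [ "${1:-}" = "--demo" ]; then
    out=$(mktemp -d)
    write_helpers "$out" 10.8.0.0/24 1194 eth0
    cat "$out/rm-openvpn-rules.sh"
    rm -rf "$out"
fi
```

Because RemainAfterExit=yes keeps the unit "active" after the add script exits, `systemctl stop iptables-openvpn` (and shutdown) runs ExecStop, which is what gives the rules their remove-on-shutdown behaviour.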

Cleanup on Uninstall

All firewall rules are removed during uninstallation:

  • firewalld: Port and masquerade rules removed
  • nftables: /etc/nftables/openvpn.nft deleted, include removed
  • iptables: Scripts and systemd service removed

Manual Adjustments

For server configuration changes like client-to-client communication, LAN access, and split tunneling, see Customization.