firewalld vs. a VPN

taylorkh
Posts: 534
Joined: 2010/11/24 15:08:33
Location: North Carolina, USA

firewalld vs. a VPN

Post by taylorkh » 2017/10/11 15:58:27

I am running a CentOS 7.4 box as a "gateway" between my DSL modem and my LAN. The modem is set to bridge mode so the Internet IP address is assigned to the PC. The second NIC is "Shared to other computers." So far, so good. I have the incoming connection in the block zone in firewalld. If I do a scan from ShieldsUP at Gibson Research https://www.grc.com/x/ne.dll?bh0bkyd2 I see that all of the first 1000 ports are stealthed as I would like.

The reason I am using this CentOS box instead of a router is that I generally connect via a VPN (ProtonVPN or Usenetserver VPN). I invoke the VPN at the command line on the CentOS box with openvpn. This allows all of the machines on my LAN to share the VPN connection. Works great.

My question is... Is the VPN connection subject to the rules of the zone in which it lives in firewalld? In other words is the data being decrypted and then thrown against the firewall or does it pass through the firewall and then get decrypted by openvpn?

If I replace the CentOS box with a router, setup firewall rules on the router and then make a VPN connection from a PC connected to the router I observe that the traffic passes through the router unmolested. The router's firewall rules are ignored as expected. But what happens when the VPN connection and firewall are on the same machine? Or can I setup a second firewall on the CentOS box to filter the VPN traffic.

I cannot really test what is happening with the VPN. If I scan "my" connection with ShieldsUP I am really seeing the firewall on the VPN exit server.

TIA,

Ken

taylorkh
Posts: 534
Joined: 2010/11/24 15:08:33
Location: North Carolina, USA

Re: firewalld vs. a VPN

Post by taylorkh » 2017/10/16 22:35:04

I guess I have to answer my own question :D I posted my question on the Openvpn forum. I received a link to an excellent diagram showing how Openvpn data flows. The traffic makes two passes through the firewall. Once encrypted on its way from the incoming NIC to the Openvpn program. After being decrypted it passes through the firewall again on its way to the program which requested it, or down the outgoing NIC on its way to the PC/program which requested it. If you are interested in reading more, here is a link https://forums.openvpn.net/viewtopic.php?f=1&t=25019 to the Openvpn forum.

Ken

This thread may be marked solved.

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: firewalld vs. a VPN

Post by jlehtone » 2017/10/17 08:19:02

VPN is not the only "tunnel" where you can see this/similar.

For example, ssh tunnel:

    ssh -L 8080:foo:80 bar

1. The host bar has sshd-process that listens to ssh-port for ssh-protocol packets.
The host bar's firewall decides whether it allows ssh-traffic between you and the bar.

2. Miraculously, the sshd-process is also a http-client that occasionally connects to
http-server at host foo.
The host bar's firewall decides whether it allows http-traffic between bar and foo.

3. The two traffics are "entirely" unrelated. The bar does not officially route the
http connection that in reality occurs between you and foo. Netfilter's FORWARD
never knows ...


What you/netfilter can do for vpn and similar tunnels (that have "virtual" tun/tap interfaces)
is to mangle incoming (encrypted) packets with a mark that the unencrypted packets
inherit and then filter marked packets that "pop in" from tun*.
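The two posts above make the same point from different angles: on a gateway running openvpn the same traffic is judged by netfilter twice (once encrypted on the physical NIC, once decrypted as it re-enters from tun0), and on host bar an ssh -L tunnel is two unrelated connections that never touch FORWARD. The following toy model is an added illustration, not code from this thread, from firewalld or from OpenVPN. It reduces firewalld to the parts the thread discusses: the hook a packet hits depends on whether the host is its destination, its source, or neither; on INPUT and FORWARD the verdict comes from the zone of the ingress interface, and an interface nobody assigned falls into the default zone; conntrack accepts replies to connections the host opened itself; a zone's services open ports for the host itself only. The addresses, interface names (eth0, eth1, tun0) and zone contents are assumptions chosen to mirror Ken's gateway and jlehtone's ssh example, except that the stock public zone really does ship with ssh allowed.

```python
"""Toy model of how netfilter/firewalld sees tunnelled traffic.

Added illustration for the forum thread; not code from the thread, from
firewalld or from OpenVPN.  Host names, addresses, interface names and
zone contents (apart from ssh being open in the stock 'public' zone)
are assumptions chosen to match the two scenarios discussed.
"""
from dataclasses import dataclass, field


@dataclass
class Zone:
    target: str                                   # "accept" or "reject"
    services: set = field(default_factory=set)    # ports open to the host itself


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    iface: str                    # interface the packet arrives on
    established: bool = False     # conntrack: reply to a connection we opened


class Firewall:
    def __init__(self, local_addrs, zones, iface_zone, default_zone="public"):
        self.local_addrs = set(local_addrs)
        self.zones = zones
        self.iface_zone = iface_zone        # interface -> zone name
        self.default_zone = default_zone    # where unassigned interfaces land

    def hook(self, pkt):
        """Which netfilter hook this packet traverses on this host."""
        if pkt.dst in self.local_addrs:
            return "INPUT"
        if pkt.src in self.local_addrs:
            return "OUTPUT"
        return "FORWARD"

    def zone_of(self, iface):
        return self.iface_zone.get(iface, self.default_zone)

    def decide(self, pkt):
        """Return (hook, zone name or None, verdict) for one packet."""
        h = self.hook(pkt)
        if h == "OUTPUT":                   # firewalld does not filter OUTPUT
            return h, None, "accept"
        zname = self.zone_of(pkt.iface)
        zone = self.zones[zname]
        if pkt.established:                 # conntrack runs before zone rules
            return h, zname, "accept"
        if h == "INPUT" and pkt.dport in zone.services:
            return h, zname, "accept"       # services apply to the host, not to FORWARD
        return h, zname, zone.target


# Assumed zone contents; 'public' allowing ssh matches firewalld's stock zone.
ZONES = {
    "block": Zone("reject"),
    "public": Zone("reject", {22}),
    "internal": Zone("reject", {22}),
    "trusted": Zone("accept"),
}


def vpn_gateway(tun_zone=None):
    """Ken's gateway: eth0 faces the DSL modem (block zone), eth1 the LAN.
    tun0 is created by openvpn; tun_zone=None leaves it unassigned, so it
    falls into the default zone."""
    iface_zone = {"eth0": "block", "eth1": "internal"}
    if tun_zone:
        iface_zone["tun0"] = tun_zone
    fw = Firewall(["203.0.113.10", "10.8.0.2", "192.168.1.1"], ZONES, iface_zone)
    # pass 1: the encrypted UDP reply from the VPN server arrives on eth0;
    # openvpn on this host opened that connection, so conntrack lets it in
    encrypted = Packet("198.51.100.1", "203.0.113.10", 40000, "eth0", established=True)
    # pass 2a: the decrypted inner packet re-enters from tun0 and is a new
    # connection from the VPN side to this gateway's own sshd
    to_gateway = Packet("10.8.0.1", "10.8.0.2", 22, "tun0")
    # pass 2b: a decrypted inner packet aimed at a LAN host behind the gateway
    to_lan = Packet("10.8.0.1", "192.168.1.50", 443, "tun0")
    return fw.decide(encrypted), fw.decide(to_gateway), fw.decide(to_lan)


def ssh_tunnel():
    """'ssh -L 8080:foo:80 bar' as seen by the firewall on host bar."""
    fw = Firewall(["bar"], ZONES, {"eth0": "public"})
    ssh_in = Packet("you", "bar", 22, "eth0")      # your ssh session to sshd
    http_out = Packet("bar", "foo", 80, "eth0")    # sshd's own connection to foo
    return fw.decide(ssh_in), fw.decide(http_out)  # no packet ever hits FORWARD


if __name__ == "__main__":
    print("tun0 unassigned:", vpn_gateway())
    print("tun0 in block:  ", vpn_gateway("block"))
    print("ssh -L on bar:  ", ssh_tunnel())
```

Running it shows the practical consequence of the "two passes": with tun0 left unassigned the decrypted connection to the gateway's sshd is accepted because tun0 inherits the public zone, while the same packet is rejected once tun0 is placed in block; the forwarded packet to a LAN host is rejected in both cases. On the real box, `firewall-cmd --get-zone-of-interface=tun0` answers the same question the model asks. For the ssh tunnel, both connections are judged by bar's own INPUT and OUTPUT handling and nothing about you and foo ever reaches FORWARD.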
