Vuurmuur is one of the best iptables managers we have found. It has an intuitive GUI and makes firewall management on Linux machines a piece of cake.
Today we will learn how to set up Vuurmuur on a server deployment with OpenVPN.
Warning: Please make sure you have some physical route to your server, just in case you make a mistake and lock yourself out of the server.
Server Information
Server has a Debian Linux installed and two network interfaces:
eth0 - main interface with public IP 203.203.203.203
tun0 - openvpn tun interface with vpn IP 10.8.0.10
STEP 1 - Vuurmuur Installation
Installation is pretty straightforward. Just run the following commands:
echo 'deb ftp://ftp.vuurmuur.org/debian/ squeeze main' >> /etc/apt/sources.list
apt-get update
apt-get install libvuurmuur vuurmuur vuurmuur-conf
STEP 2 - Vuurmuur Base Configuration
1. Go to the Vuurmuur Config Panel by running
vuurmuur_conf
2. Select Interfaces -> press Insert -> enter the name "eth0" -> press Enter
3. Open the interface and provide its options:
Press Escape.
4. Repeat steps 2 & 3, but provide the tun0 interface data and IP.
5. Go to Zones -> press Insert -> enter the name "internet" -> press Enter -> set Active -> press Escape, then press Enter to go inside the Zone.
7. Press Insert to add a Network and set the following options:
8. Press F6, then Insert, and select the eth0 interface.
9. Repeat steps 7 & 8, but give the Name vpn and attach the tun0 interface.
10. Go back to the Networks window. Select the inet network and press Enter.
11. Add the IPs of the administrators as Hosts.
12. Go to 'Groups', create the group "admins" and add members using F6.
STEP 3 - Vuurmuur Rules Configuration
What happens now depends on you. We want the following configuration:
To make it so:
1. In vuurmuur_conf go to Rules
2. Press Insert and add a rule that will allow all outbound traffic (server -> internet)
3. Add another rule that will open port 80 and port 443 to the whole world
You can change which ports are included in the "http" or "https" services in the Services menu of vuurmuur_conf.
4. Now let's open access for the "admin" group
5. And finally, for the whole OpenVPN network
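To make it easier to reason about what the zone/network/host/group objects from Step 2 and the five rules above actually amount to, here is an added example (not Vuurmuur's own code, and not its real rule generator) that models those objects in Python, renders the policy as the equivalent iptables commands, and runs a first-match check to confirm that the admin IPs are still able to reach the server before "Apply Changes". The admin IPs 198.51.100.7 and 203.0.113.25, the VPN subnet 10.8.0.0/24, the service ports and the assumption that "admin access" means tcp/22 are all constructed for the example.

```python
# Added example: toy model of Vuurmuur's zone/network/host/group objects
# and the Step 3 policy, rendered as iptables rules, with a lock-out check.
# Not Vuurmuur's own code; admin IPs, VPN subnet and ports are assumptions.
import ipaddress
from dataclasses import dataclass

# Services as edited in the vuurmuur_conf Services menu (ports assumed).
SERVICES = {"http": ("tcp", 80), "https": ("tcp", 443),
            "ssh": ("tcp", 22), "any": (None, None)}


@dataclass(frozen=True)
class Network:
    name: str
    interface: str   # interface attached with F6 in the Networks screen
    cidr: str        # address range the network covers


@dataclass(frozen=True)
class Host:
    name: str
    network: Network
    ip: str


@dataclass(frozen=True)
class Rule:
    src: object      # Network, Host, tuple of Hosts (a group) or "firewall"
    dst: object
    service: str


# Objects from Step 2 (IP values constructed for this example).
INET = Network("inet", "eth0", "0.0.0.0/0")
VPN = Network("vpn", "tun0", "10.8.0.0/24")
ADMINS = (Host("admin1", INET, "198.51.100.7"),
          Host("admin2", INET, "203.0.113.25"))

# The Step 3 policy, top to bottom; first matching rule wins.
POLICY = [
    Rule("firewall", INET, "any"),     # rule 2: all outbound traffic
    Rule(INET, "firewall", "http"),    # rule 3: port 80 worldwide
    Rule(INET, "firewall", "https"),   # rule 3: port 443 worldwide
    Rule(ADMINS, "firewall", "ssh"),   # rule 4: admin group (assumed tcp/22)
    Rule(VPN, "firewall", "any"),      # rule 5: whole OpenVPN network
]


def _sources(src):
    """Expand a rule source into (interface, cidr) pairs."""
    if isinstance(src, Network):
        return [(src.interface, src.cidr)]
    if isinstance(src, Host):
        return [(src.network.interface, src.ip + "/32")]
    return [pair for host in src for pair in _sources(host)]   # a group


def input_rules(policy):
    """Match tuples (iface, cidr, proto, dport) for traffic aimed at the firewall."""
    out = []
    for rule in policy:
        if rule.dst != "firewall":
            continue
        proto, port = SERVICES[rule.service]
        for iface, cidr in _sources(rule.src):
            out.append((iface, cidr, proto, port))
    return out


def render_iptables(policy):
    """Render the policy as iptables commands (my mapping, not Vuurmuur's)."""
    lines = ["iptables -P INPUT DROP", "iptables -P FORWARD DROP",
             "iptables -P OUTPUT DROP",
             "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for rule in policy:
        if rule.src == "firewall":   # outbound rule: allow on the egress interface
            lines.append(f"iptables -A OUTPUT -o {rule.dst.interface} -j ACCEPT")
    for iface, cidr, proto, port in input_rules(policy):
        match = f"-i {iface} -s {cidr}"
        if proto:
            match += f" -p {proto} --dport {port}"
        lines.append(f"iptables -A INPUT {match} -j ACCEPT")
    return lines


def verdict(policy, iface, src_ip, proto, dport):
    """First-match evaluation of one inbound packet; default policy is DROP."""
    ip = ipaddress.ip_address(src_ip)
    for r_iface, cidr, r_proto, r_port in input_rules(policy):
        if r_iface != iface or ip not in ipaddress.ip_network(cidr):
            continue
        if r_proto is None or (r_proto == proto and r_port == dport):
            return "ACCEPT"
    return "DROP"


def lockout_check(policy, admins, iface="eth0"):
    """Return the admin IPs that this policy would cut off from ssh."""
    return [h.ip for h in admins
            if verdict(policy, iface, h.ip, "tcp", 22) != "ACCEPT"]


if __name__ == "__main__":
    print("\n".join(render_iptables(POLICY)))
    print("admins locked out:", lockout_check(POLICY, ADMINS))
```

Running it prints the rendered ruleset and an empty lock-out list; dropping rule 4 from POLICY makes lockout_check report both admin IPs, which is exactly the mistake the warning at the top of this post is about.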
When this is done, go back to the main vuurmuur_conf screen. You will notice that there are still some warnings; this is because Vuurmuur needs to be enabled before it starts working. To do so:
nano /etc/default/vuurmuur
Change VUURMUUR_START=0 to VUURMUUR_START=1
Save and exit (Ctrl+X, y, Enter)
Now open vuurmuur_conf again; everything should be green. If not, check the details of the issue as shown on screen. If all is fine, select "Apply Changes".
At this point it is advisable to open another console and check that you can still connect. If you cannot, Vuurmuur has an excellent log that will show you the details.
The session in which you were setting up Vuurmuur should still be open, even if you have locked yourself out.
Go to vuurmuur_conf -> logview -> Traffic.log, try to connect again in another console, and the log will show you all the details about the incoming traffic.