Securing your network is crucial, and when you're using OpenVPN on an OpenWrt router, getting the firewall settings right is paramount. This guide walks you through setting up a robust firewall configuration to protect your OpenVPN server and clients. Let's dive in!

Understanding the Basics

Before we get into the nitty-gritty, let's cover some basics. OpenWrt is a highly customizable Linux distribution for embedded devices, typically used on routers. OpenVPN is a popular VPN solution that creates a secure tunnel for your network traffic. The firewall acts as your network's gatekeeper, controlling which traffic is allowed in and out.

When setting up OpenVPN, you're essentially creating a new network interface. This interface needs its own firewall rules to ensure only authorized traffic passes through. Without proper configuration, your VPN server could be vulnerable to attacks, or your clients might not be able to access the internet securely.

Why is this important? Imagine setting up a fortress but leaving the main gate wide open. That's what happens when you neglect your firewall settings. A misconfigured firewall can expose your entire network to potential threats, defeating the purpose of using a VPN in the first place. Properly configured firewall rules are like having vigilant guards at every entrance, ensuring that only trusted individuals (or data packets) are allowed in.

What are we trying to achieve? Our goal is to create a secure tunnel where only VPN traffic passes through, and regular internet traffic is routed correctly. We also want to prevent unauthorized access to our VPN server and protect our clients from potential threats. Think of it as building a secure, private highway through the internet, ensuring that only authorized vehicles (data packets) can use it, and protecting them from highway bandits (hackers).

Step-by-Step Configuration

Let's get our hands dirty with the configuration. I'll walk you through each step, explaining the purpose of each rule and how it contributes to the overall security of your OpenVPN setup.

1. Accessing the OpenWrt Interface

First things first, log into your OpenWrt router's web interface. Usually, you can do this by typing your router's IP address into your web browser (often 192.168.1.1 or 192.168.0.1). You'll need your username and password to log in. If you haven't changed them, the default credentials are often "root" for the username and either no password or "admin" for the password. Once logged in, you'll see the LuCI interface, which is OpenWrt's web-based configuration tool.

2. Creating a New Firewall Zone

Next, we need to create a new firewall zone specifically for our OpenVPN interface. This zone will contain the rules that govern traffic to and from our VPN.

1. Navigate to Network -> Firewall in the LuCI interface.
2. Click on the Zones tab.
3. Click the Add button to create a new zone.
4. Give your zone a descriptive name, such as "vpnzone".
5. Set the Input, Output, and Forward policies. A common configuration is to set Input to REJECT, Output to ACCEPT, and Forward to REJECT. This means that incoming connections to the VPN interface are blocked by default, outgoing connections are allowed, and forwarding traffic between the VPN and other zones is blocked unless explicitly allowed.
6. Under Covered networks, select the OpenVPN interface (usually tun0 or tap0, depending on your OpenVPN configuration).
7. Under Allow forward to destination zones, select the zone(s) you want your VPN clients to be able to access. Typically, this will include the wan zone to allow clients to access the internet.
8. Masquerading: Make sure masquerading is enabled. Masquerading (also known as NAT - Network Address Translation) hides the internal IP addresses of your VPN clients behind the router's IP address, which is necessary for them to access the internet.
9. MSS clamping: Enable MSS clamping to prevent fragmentation issues. Fragmentation can occur when packets are too large to be transmitted over the network, which can lead to performance problems.
10. Save and apply the changes.

3. Configuring Forwarding Rules

Now, let's configure the forwarding rules to allow traffic to flow between the VPN zone and other zones. We need to create rules to allow VPN clients to access the internet and, optionally, to access other devices on your local network.

1. Navigate to Network -> Firewall in the LuCI interface.
2. Click on the Port Forwards tab.
3. Click the Add button to create a new rule.
4. Create a rule to allow traffic from the VPN zone to the WAN zone. This rule will allow VPN clients to access the internet. Set the following parameters:
   • Name: Give the rule a descriptive name, such as "vpn_to_wan".
   • Protocol: Select "Any".
   • Source zone: Select the VPN zone you created earlier.
   • Destination zone: Select the WAN zone.
   • Action: Accept
5. If you want to allow VPN clients to access other devices on your local network, create another rule to allow traffic from the VPN zone to the LAN zone. Set the following parameters:
   • Name: Give the rule a descriptive name, such as "vpn_to_lan".
   • Protocol: Select "Any".
   • Source zone: Select the VPN zone you created earlier.
   • Destination zone: Select the LAN zone.
   • Action: Accept
6. Save and apply the changes.

4. Setting Up Traffic Rules

Traffic rules are more granular than zone forwarding rules. They allow you to specify more precise conditions for allowing or blocking traffic. For OpenVPN, we can use traffic rules to control access to the OpenVPN server itself.

1. Navigate to Network -> Firewall in the LuCI interface.
2. Click on the Traffic Rules tab.
3. Click the Add button to create a new rule.
4. Create a rule to allow traffic to the OpenVPN server. This rule will allow clients to connect to the VPN server. Set the following parameters:
   • Name: Give the rule a descriptive name, such as "allow_openvpn".
   • Protocol: Select "UDP" or "TCP", depending on your OpenVPN configuration.
   • Source zone: Select "wan".
   • Destination zone: Select "This device (input)".
   • Destination port: Enter the port number used by your OpenVPN server (e.g., 1194).
   • Action: Accept
5. Important: It's highly advisable to limit access to the OpenVPN port to specific IP addresses or networks, enhancing the server's security. Instead of allowing all connections from the WAN zone, specify trusted source IP addresses or networks. This can be achieved by adding a source address limitation in the rule configuration.
6. Save and apply the changes.

5. Preventing DNS Leaks

DNS leaks can expose your actual IP address even when using a VPN. To prevent this, we need to ensure that all DNS traffic from VPN clients is routed through the VPN tunnel.

1. Navigate to Network -> Firewall in the LuCI interface.
2. Click on the Traffic Rules tab.
3. Click the Add button to create a new rule.
4. Create a rule to redirect all DNS traffic from VPN clients to the VPN server. Set the following parameters:
   • Name: Give the rule a descriptive name, such as "redirect_dns".
   • Protocol: Select "TCP and UDP".
   • Source zone: Select the VPN zone you created earlier.
   • Destination zone: Select "This device (input)".
   • Destination port: Enter "53" (the standard DNS port).
   • Action: Accept
5. Save and apply the changes.

Advanced Configuration

Now that we've covered the basic setup, let's explore some advanced configurations that can further enhance your OpenVPN firewall setup.

1. Using Custom Firewall Scripts

For more complex setups, you might want to use custom firewall scripts. OpenWrt allows you to add custom rules directly to the firewall configuration using the /etc/firewall.user file. You can add iptables commands to this file to implement advanced filtering or routing rules.

2. Implementing Intrusion Detection

Consider integrating an intrusion detection system (IDS) like Snort or Suricata to monitor your network traffic for malicious activity. These tools can detect and prevent attacks in real-time, adding an extra layer of security to your OpenVPN setup.

3. Setting Up Port Knocking

Port knocking is a technique that requires clients to send a sequence of connection attempts to different ports before the OpenVPN server will accept a connection. This adds an extra layer of authentication and can help prevent unauthorized access.

Testing Your Configuration

After configuring your firewall, it's essential to test it thoroughly to ensure that everything is working as expected. Here are some tests you can perform:

• Connectivity Test: Connect to your VPN from a client device and verify that you can access the internet.
• DNS Leak Test: Use a DNS leak testing tool to ensure that your DNS traffic is being routed through the VPN tunnel.
• Port Scan: Use a port scanning tool to scan your OpenVPN server and verify that only the OpenVPN port is open.

Conclusion

Configuring the firewall settings for OpenVPN on OpenWrt is a critical step in securing your network. By following this guide, you can create a robust firewall configuration that protects your OpenVPN server and clients from potential threats. Remember to test your configuration thoroughly and regularly review your firewall rules to ensure they are still effective.

By implementing these steps, you're not just setting up a VPN; you're building a secure and private network. So go ahead, protect your data, and enjoy a safer online experience!