Iptables recognizing OpenVPN traffic?

itnifl
Is there any way for iptables to recognize OpenVPN traffic? I was hoping there would be some string that could be filtered from the packets, or any kind of identification that this is OpenVPN traffic.

Commented:
You can identify OpenVPN traffic by the protocol/port of the traffic: by default UDP port 1194 (version 2.0) or UDP port 5000 (version 1). The port can be changed with the port and protocol configuration directives.

The whole idea of the VPN connection is that the contents are encrypted; you cannot see the content of the packets on the firewall.
Qlemo "Batchelor", Developer and EE Topic Advisor (Top Expert 2015)

Commented:
And once the packets are unencrypted, the only way to find out that it is OpenVPN-generated traffic is by filtering on IP addresses (of the IP pool used for OpenVPN).
Dave Howe, Software and Hardware Engineer

Commented:
The OpenVPN protocol is pretty well documented, but there is no pre-existing module to identify the traffic or even decrypt it from intercept. It isn't really SSL, but a related protocol using X.509 for key negotiation (and even that's optional; you can instead use a keyblock that contains around 16 keys, of which up to 4 will be used for a session).
itnifl, Programmer (Author)

Commented:
I was wanting to deny all traffic on port 1194 (OpenVPN) if the traffic is not OpenVPN. Any type of traffic can be directed against that port. But I guess that is not very easy.
Dave Howe, Software and Hardware Engineer
Commented:
Assuming you have OpenVPN mapped to a specific internal host, then allowing that traffic will only allow OpenVPN, because the listener will drop any non-OpenVPN traffic.

Outbound is harder, but if you use TCP rather than UDP, you don't have to worry about replies to inbound traffic, leaving only outbound connects (and allowing that specific port when you are no doubt allowing 80 and 443 already isn't much of a leap).
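The advice in the thread adds up to a small ruleset: the firewall cannot see inside OpenVPN packets, so it can only pin the listener's protocol/port to the VPN host and drop that port elsewhere (Dave Howe's point), and once traffic is decrypted the only handle left is the client address pool (Qlemo's point). The script below is an added example, not code from the thread or from the OpenVPN project. It prints the iptables rules instead of applying them, so they can be reviewed first; the VPN host 192.0.2.10, the pool 10.8.0.0/24, the interface names and the default UDP/1194 are constructed placeholders.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): emit iptables rules that implement the
# advice above. All addresses and interface names are constructed placeholders.

# Only TCP and UDP are valid OpenVPN transports (the "proto" directive).
validate_proto() {
  case "$1" in
    tcp|udp) return 0 ;;
    *) return 1 ;;
  esac
}

# Port must be an integer in 1..65535.
validate_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the rules, one per line, for a given transport, port, VPN host,
# client pool and WAN interface. Nothing is applied here.
openvpn_rules() {
  local proto="$1" port="$2" host="$3" pool="$4" wan="$5"
  validate_proto "$proto" || { echo "bad proto: $proto" >&2; return 1; }
  validate_port "$port"   || { echo "bad port: $port" >&2; return 1; }

  # Perimeter firewall, forwarding towards the VPN host:
  # 1. only the listener's protocol/port may reach the VPN host (the OpenVPN
  #    listener itself rejects anything that is not OpenVPN).
  echo "iptables -A FORWARD -i $wan -p $proto --dport $port -d $host -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
  # 2. the same port to any other internal address is dropped; this is as close
  #    as iptables gets to "deny 1194 unless it is OpenVPN".
  echo "iptables -A FORWARD -i $wan -p $proto --dport $port -j DROP"
  # 3. replies from the listener (UDP has no handshake; conntrack tracks the flow).
  echo "iptables -A FORWARD -o $wan -p $proto --sport $port -s $host -m conntrack --ctstate ESTABLISHED -j ACCEPT"

  # VPN host, tunnel side: after decryption the only identifier is the pool.
  # 4. accept decrypted traffic that carries a pool source address;
  # 5. drop anything on the tunnel interface that does not.
  echo "iptables -A FORWARD -i tun0 -s $pool -j ACCEPT"
  echo "iptables -A FORWARD -i tun0 ! -s $pool -j DROP"
}

# Number of rules produced, used as a quick sanity check on the output.
rule_count() { openvpn_rules "$@" | wc -l | tr -d ' '; }

# Usage: ./openvpn-rules.sh print [proto] [port] [host] [pool] [wan_if]
if [ "${1:-}" = "print" ]; then
  openvpn_rules "${2:-udp}" "${3:-1194}" "${4:-192.0.2.10}" "${5:-10.8.0.0/24}" "${6:-eth0}"
fi
```

Rules 1 to 3 belong on the perimeter firewall and rules 4 and 5 on the VPN host; the `conntrack` match is what makes the UDP reply rule safe, since without it any packet with source port 1194 would be accepted. Passing `tcp` as the transport produces the same shape of ruleset, which is the variant Dave Howe describes for the outbound case.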
