OpenVPN 2.x and Windows Firewall

The documentation for OpenVPN is pretty good, but I found a detail that may cause some confusion in a Windows environment, so I thought I’d address it here:

What do you do if you need to run OpenVPN but still want the Windows Firewall to work on your Windows server?

The background for this issue is how Windows decides which firewall profile to apply to a network: Network Location Awareness identifies a network by the default gateway on the adapter. The TAP interface for OpenVPN doesn't receive a gateway by itself, so Windows files it under "Unidentified network", which lands in the Public profile. The tunnel still comes up (the handshake runs over the physical adapter), but everything that then arrives over the TAP adapter is judged by the Public profile and mostly dropped, so the VPN is not usable for anything.

So what do you do?

First, open up a port in your firewall to allow the initial handshake between client and server. By default this is UDP port 1194, and the rule belongs to the physical adapter's profile, since the handshake never touches the TAP adapter; scope it to openvpn.exe rather than to every process that might listen on that port. Then we need to take a step back. We don't want to open an uncontrolled pipe from the VPN client to the server, which is exactly what happens if you turn off the firewall for the VPN TAP device.

Instead, we’ll do two things:

1) Give the OpenVPN TAP device a gateway. In the server configuration for OpenVPN, the server directive (for example server 10.8.0.0 255.255.255.0) assigns the subnet used by OpenVPN, and the server itself takes [subnet].1. Set [subnet].2 as the default gateway of the TAP adapter. That address is not a real host (in the classic net30 layout it is the far end of the server's point-to-point link, which the TAP driver emulates), but it is enough for Windows to identify the network. A default gateway on any adapter adds a 0.0.0.0/0 route, so give this one a high metric; otherwise it can outrank the real default route on the physical adapter and the server loses its Internet connectivity.

2) Some people claim that the above doesn't always work unless the TAP adapter's Media Status is set to "Always Connected" (Device Manager, the TAP-Windows adapter, Advanced tab), so let's do that. With the default "Application Controlled" the link goes down whenever OpenVPN isn't running, and NLA re-classifies the adapter every time it comes back up.

The result?

You now have control over the data in the VPN tunnel too, using Windows Firewall: once the TAP adapter sits in a real profile (Private or Domain), its inbound default is Block, and you allow only the services VPN clients should reach, scoped to the TAP interface and to the VPN subnet. Unwanted traffic within the tunnel is stopped as easily as on any other interface, instead of being waved through because the firewall was switched off for the TAP device.
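The whole procedure, including the tunnel-scoped rules described above, as an added PowerShell example; this is not code from the original post. It assumes a server line of server 10.8.0.0 255.255.255.0 (so the server is 10.8.0.1 and the gateway given to the TAP adapter is 10.8.0.2), OpenVPN installed under C:\Program Files\OpenVPN, RDP as the only service clients may reach through the tunnel, and the "Media Status" property name that the TAP-Windows V9 driver shows on its Advanced tab. The TAP adapter is located by driver description rather than by a hard-coded connection name.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# on the OpenVPN server (Server 2012 or later: NetTCPIP + NetSecurity modules).
# Assumptions (not from the post): "server 10.8.0.0 255.255.255.0" in the
# OpenVPN config, OpenVPN under C:\Program Files\OpenVPN, RDP as the only
# service exposed through the tunnel.
$VpnSubnet  = '10.8.0.0/24'
$TapGateway = '10.8.0.2'
$OpenVpnExe = 'C:\Program Files\OpenVPN\bin\openvpn.exe'

# Find the TAP adapter by driver description; the connection name
# ("Local Area Connection 2", "Ethernet 3", ...) differs per machine.
$Tap = Get-NetAdapter |
    Where-Object InterfaceDescription -like 'TAP-Windows Adapter*' |
    Select-Object -First 1
if (-not $Tap) { throw 'No TAP-Windows adapter found' }
$TapAlias = $Tap.Name

# Handshake: UDP 1194 on the physical NIC, for openvpn.exe only. This rule
# never involves the TAP adapter, so it is not scoped to it.
New-NetFirewallRule -DisplayName 'OpenVPN (UDP 1194, openvpn.exe)' `
    -Direction Inbound -Protocol UDP -LocalPort 1194 `
    -Program $OpenVpnExe -Action Allow -Profile Any | Out-Null

# Step 2: Media Status = Always Connected, so the link (and NLA's decision
# about it) does not disappear every time the OpenVPN service stops.
# If the property name differs on your driver, list them with
# Get-NetAdapterAdvancedProperty -Name $TapAlias.
Set-NetAdapterAdvancedProperty -Name $TapAlias -DisplayName 'Media Status' `
    -DisplayValue 'Always Connected'

# Step 1: give the TAP adapter a default gateway so NLA can identify the
# network. Nothing should actually be routed through it, hence a metric
# that can never beat the physical NIC's default route.
$HasGw = Get-NetRoute -InterfaceAlias $TapAlias -DestinationPrefix '0.0.0.0/0' `
    -ErrorAction SilentlyContinue
if (-not $HasGw) {
    New-NetRoute -InterfaceAlias $TapAlias -DestinationPrefix '0.0.0.0/0' `
        -NextHop $TapGateway -RouteMetric 9999 | Out-Null
}

# The check: the adapter must have left "Unidentified network". Only an
# identified network can be moved out of the Public profile.
$Profile = Get-NetConnectionProfile -InterfaceAlias $TapAlias
if ($Profile.Name -eq 'Unidentified network') {
    throw "NLA still cannot identify $TapAlias; is OpenVPN up and $TapGateway answering ARP?"
}
if ($Profile.NetworkCategory -eq 'Public') {
    Set-NetConnectionProfile -InterfaceAlias $TapAlias -NetworkCategory Private
}

# The result: the profile's inbound default is Block, so the tunnel only
# carries what is explicitly allowed on the TAP interface. Here: RDP, and
# only from addresses OpenVPN hands out. Scoping on the interface rather
# than on a profile keeps the rule valid if NLA later picks Domain.
New-NetFirewallRule -DisplayName 'VPN tunnel: RDP from VPN clients' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -InterfaceAlias $TapAlias -RemoteAddress $VpnSubnet `
    -Profile Any -Action Allow | Out-Null

# Show what the tunnel will now accept.
Get-NetFirewallRule -DisplayName 'VPN tunnel:*' |
    Get-NetFirewallPortFilter |
    Format-Table Protocol, LocalPort
```

The script deliberately does not create a Block rule for the TAP interface: in Windows Firewall an explicit Block outranks every Allow, so a catch-all block on the interface would also kill the RDP rule. Relying on the profile's Block default and adding narrowly scoped Allow rules gives the same effect without that trap. On a domain-joined server NLA may place the identified TAP network in the Domain profile instead of Public; the Set-NetConnectionProfile step is skipped in that case and the interface-scoped rule still applies.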
