Bug 255081

Summary: OpenVPN blocked by firewall
Product: Fedora
Reporter: Felix Bellaby <felixbellaby>
Component: system-config-firewall
Assignee: Thomas Woerner <twoerner>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: medium
Version: rawhide
Hardware: All
OS: All
Doc Type: Bug Fix
Last Closed: 2007-10-01 12:37:30 UTC

Description Felix Bellaby 2007-08-26 15:12:08 UTC
openvpn is distributed with Fedora, but is blocked by the standard firewall.
Since openvpn provides a very useful and very secure protocol, I think that it
would make sense to simplify the process of unblocking it, or even unblock it by
default (as is done with IPSec).

In order to use openvpn the user has to open a udp port (1194) that is currently
unlisted in "Other Ports" box and add a custom iptables configuration file with
either or both of the following rules (or their equivalent):

-A RH-Firewall-1-INPUT -i tap+ -j ACCEPT
-A RH-Firewall-1-INPUT -i tun+ -j ACCEPT

Listing the udp 1194 port in the "Other Ports" list would be a small positive
step, but adding it to the "Trusted Services" would be better. Including the
tap+ and tun+ interfaces in the "Trusted Interfaces" list would be a really
valuable step, as it would obviate the need to create a custom iptables config. 

I think that the balance of the argument would favor opening 1194 by default. 
Granting tun+ and tap+ interfaces open access by default would only have limited
security implications, since they loop back to the localhost. However, I am not
really too bothered what the defaults are ... so long as I can change them :).
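
As an added illustration (not part of the bug report or of system-config-firewall), the following Python audits an iptables-save style file such as /etc/sysconfig/iptables for the two openings the report describes: a UDP 1194 accept and an unconditional tun+/tap+ interface accept. The rule set is constructed here, apart from the tun+ rule quoted above; the chain name RH-Firewall-1-INPUT is the one the report uses.

```python
import re

# Constructed sample in /etc/sysconfig/iptables (iptables-save) format,
# modelled on the Fedora-era RH-Firewall-1-INPUT chain. Only the tun+ rule
# comes from the report; the rest is assumed for the example.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 1194 -j ACCEPT
-A RH-Firewall-1-INPUT -i tun+ -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# "-A <chain> <match options> -j <target>"
RULE_RE = re.compile(r"^-A (\S+)(.*)-j (\S+)")


def parse_rules(text):
    """Return (chain, match-option tokens, target) tuples in file order."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append((m.group(1), m.group(2).split(), m.group(3)))
    return rules


def audit_openvpn(text, chain="RH-Firewall-1-INPUT"):
    """Report what the chain permits for OpenVPN.

    port_open:     some rule accepts udp traffic to port 1194 (the listener)
    iface_accepts: tun+/tap+ wildcards accepted unconditionally; such a rule
                   admits every packet that arrives from a connected VPN peer,
                   so it is worth listing separately when reviewing the policy
    """
    result = {"port_open": False, "iface_accepts": []}
    for rule_chain, opts, target in parse_rules(text):
        if rule_chain != chain or target != "ACCEPT":
            continue
        if "-i" in opts:
            iface = opts[opts.index("-i") + 1]
            if iface in ("tun+", "tap+"):
                result["iface_accepts"].append(iface)
        if "udp" in opts and "--dport" in opts:
            if opts[opts.index("--dport") + 1] == "1194":
                result["port_open"] = True
    return result
```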

Comment 1 Thomas Woerner 2007-10-01 12:37:30 UTC
Fixed in system-config-firewall-1.0.7-1.

You can now accept traffic from tun devices and there is a predefined OpenVPN
service.