Bug 255081 - OpenVPN blocked by firewall
Product: Fedora
Classification: Fedora
Component: system-config-firewall
Hardware: All
OS: All
Priority: medium
Severity: low
Assigned To: Thomas Woerner
Reported: 2007-08-26 11:12 EDT by Felix Bellaby
Modified: 2007-11-30 17:12 EST
Doc Type: Bug Fix
Last Closed: 2007-10-01 08:37:30 EDT

Attachments: None
Description Felix Bellaby 2007-08-26 11:12:08 EDT
openvpn is distributed with Fedora, but is blocked by the standard firewall.
Since openvpn provides a very useful and very secure protocol, I think that it
would make sense to simplify the process of unblocking it, or even unblock it by
default (as is done with IPSec).

In order to use openvpn the user has to open a udp port (1194) that is currently
unlisted in the "Other Ports" box and add a custom iptables configuration file with
either or both of the following rules (or their equivalent):

-A RH-Firewall-1-INPUT -i tap+ -j ACCEPT
-A RH-Firewall-1-INPUT -i tun+ -j ACCEPT

Listing the udp 1194 port in the "Other Ports" list would be a small positive
step, but adding it to the "Trusted Services" would be better. Including the
tap+ and tun+ interfaces in the "Trusted Interfaces" list would be a really
valuable step, as it would obviate the need to create a custom iptables config. 

I think that the balance of the argument would favor opening 1194 by default. 
Granting tun+ and tap+ interfaces open access by default would only have limited
security implications, since they loop back to the localhost. However, I am not
really too bothered what the defaults are ... so long as I can change them :).
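As an added example (not part of the report or of system-config-firewall), the following POSIX sh script reads an iptables-save style dump and reports the two things the report asks for: whether OpenVPN's udp/1194 is accepted and whether the tun+/tap+ interfaces carry a blanket ACCEPT. The chain name RH-Firewall-1-INPUT is the one used in the report; the sample dump and every function name are constructed for the example. One caveat a practitioner will want: a tun+ or tap+ interface carries the traffic of the remote VPN peers, so an unconditional ACCEPT on it exposes every local service to every peer, which is why the script also prints a port-restricted alternative.

```shell
#!/bin/sh
# Audit an iptables-save dump for OpenVPN-related rules.
# Added example; the dump below is constructed, not taken from the bug report.

SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 1194 -j ACCEPT
-A RH-Firewall-1-INPUT -i tun+ -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# has_openvpn_port DUMP: succeed if some rule accepts UDP destination port 1194.
has_openvpn_port() {
    printf '%s\n' "$1" | grep -Eq -e '^-A [^ ]+ .*-p udp .*--dport 1194 .*-j ACCEPT$'
}

# trusted_vpn_interfaces DUMP: print each tun+/tap+ pattern that has an
# unconditional ACCEPT (no protocol, port or state match on the rule).
trusted_vpn_interfaces() {
    printf '%s\n' "$1" | sed -nE 's/^-A [^ ]+ -i (tun[+]|tap[+]) -j ACCEPT$/\1/p'
}

# narrow_vpn_rules CHAIN PORT...: rules that let VPN peers reach only the listed
# TCP ports, a tighter alternative to '-i tun+ -j ACCEPT' (hypothetical policy).
narrow_vpn_rules() {
    chain=$1
    shift
    for port in "$@"; do
        printf '%s %s -i tun+ -p tcp -m tcp --dport %s -j ACCEPT\n' "-A" "$chain" "$port"
    done
}

# openvpn_firewall_audit DUMP: one summary line per finding.
openvpn_firewall_audit() {
    dump=$1
    if has_openvpn_port "$dump"; then
        echo "udp/1194: open, OpenVPN clients can reach the daemon"
    else
        echo "udp/1194: blocked, OpenVPN clients cannot connect"
    fi
    ifaces=$(trusted_vpn_interfaces "$dump" | tr '\n' ' ')
    if [ -n "$ifaces" ]; then
        echo "trusted tunnel interfaces: ${ifaces}(every VPN peer reaches all local services)"
    else
        echo "trusted tunnel interfaces: none (tunnel traffic is still filtered)"
    fi
}

openvpn_firewall_audit "$SAMPLE_RULES"
echo "port-restricted alternative for tun+ (ssh only):"
narrow_vpn_rules RH-Firewall-1-INPUT 22
```

On a live Fedora host of that era the dump would come from `iptables-save` (or /etc/sysconfig/iptables) rather than the embedded sample; the functions take the dump text as their first argument, so `openvpn_firewall_audit "$(iptables-save)"` is the only change needed.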
Comment 1 Thomas Woerner 2007-10-01 08:37:30 EDT
Fixed in system-config-firewall-1.0.7-1.

You can now accept traffic from tun devices and there is a predefined OpenVPN