Red Hat Bugzilla – Bug 255081
OpenVPN blocked by firewall
Last modified: 2007-11-30 17:12:14 EST
openvpn is distributed with Fedora, but is blocked by the standard firewall.
Since openvpn provides a very useful and very secure protocol, I think that it
would make sense to simplify the process of unblocking it, or even unblock it by
default (as is done with IPSec).
In order to use openvpn the user has to open a udp port (1194) that is currently
unlisted in the "Other Ports" box and add a custom iptables configuration file with
either or both of the following rules (or their equivalent):
-A RH-Firewall-1-INPUT -i tap+ -j ACCEPT
-A RH-Firewall-1-INPUT -i tun+ -j ACCEPT
Listing the udp 1194 port in the "Other Ports" list would be a small positive
step, but adding it to the "Trusted Services" would be better. Including the
tap+ and tun+ interfaces in the "Trusted Interfaces" list would be a really
valuable step, as it would obviate the need to create a custom iptables config.
I think that the balance of the argument would favor opening 1194 by default.
Granting tun+ and tap+ interfaces open access by default would only have limited
security implications, since they loop back to the localhost. However, I am not
really too bothered what the defaults are ... so long as I can change them :).
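The configuration the report describes, as an added example that is not code from the bug report or from system-config-firewall: a POSIX sh script that emits the RH-Firewall-1-INPUT rules for a given UDP port and interface patterns, and audits an iptables-save dump for the ones that are still missing. Port 1194 and the tun+/tap+ patterns come from the report; the embedded dump is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the bug report or from system-config-firewall.
# Emits the iptables rules the report describes for the RH-Firewall-1-INPUT chain
# and audits an iptables-save dump for them. Port and interface names are
# parameters; the sample dump below is constructed for the demonstration.

# Print the rules for an OpenVPN server on UDP port $1 (default 1194) whose
# tunnel traffic arrives on the interface patterns given as further arguments
# (default: tun+ only; tap+ is only needed for bridged, layer-2 setups).
openvpn_rules() {
    port="${1:-1194}"
    if [ $# -gt 0 ]; then shift; fi
    ifaces="${*:-tun+}"
    printf -- '-A RH-Firewall-1-INPUT -m udp -p udp --dport %s -j ACCEPT\n' "$port"
    for i in $ifaces; do
        printf -- '-A RH-Firewall-1-INPUT -i %s -j ACCEPT\n' "$i"
    done
}

# Read an iptables-save dump on stdin and print every expected rule that is
# absent from it (exact-line match, so option order must match the emitter).
# Empty output means the firewall already carries all the OpenVPN rules.
missing_openvpn_rules() {
    dump=$(cat)
    openvpn_rules "$@" | while IFS= read -r rule; do
        printf '%s\n' "$dump" | grep -F -x -q -- "$rule" || printf '%s\n' "$rule"
    done
}

# Constructed iptables-save excerpt: a host with the stock Fedora chain that
# already accepts tun+ but still lacks the UDP 1194 rule.
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i tun+ -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Number of rules that would still have to be added to SAMPLE_DUMP.
count_missing() {
    printf '%s\n' "$SAMPLE_DUMP" | missing_openvpn_rules "$@" | grep -c . || true
}

# Demo: report what is missing for a routed (tun) OpenVPN server on 1194.
printf '%s\n' "$SAMPLE_DUMP" | missing_openvpn_rules 1194 tun+
```

The audit only checks presence; whether an ACCEPT is reached before the chain's final REJECT depends on rule order, which the emitter leaves to the caller.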
Fixed in system-config-firewall-1.0.7-1.
You can now accept traffic from tun devices and there is a predefined OpenVPN