I’ve set up an OpenVPN server with personal keys on a droplet that works. Now I’ve installed a tor client on the droplet, it set up a SOCKS5 proxy on port 9050 that also works:
curl --socks5 localhost:9050 google.com
Returns:
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
..blah
The problem is that OpenVPN clients are unable to connect to port 9050 on the server. It seems like I need to unblock the port in the firewall.
My task is to allow OpenVPN clients to connect to port 9050 on the server without exposing the port to the internet.
Iptables makes me weep; please help me with the incantation that I can use with ufw or iptables to allow this scenario.
Any help is appreciated, thank you!
$ cat /etc/ufw/before.rules
# Output:
#########
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to eth0
-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES
Hi there,

You’re on the right track, and you’re correct that you’ll need to modify your firewall rules to allow OpenVPN clients to connect to the SOCKS5 proxy on port 9050.

In this case, since you’re using UFW, you should be able to add the necessary rule with a command like this:

sudo ufw allow in on tun0 to any port 9050

Here’s what this command does:

allow in: This tells UFW to allow incoming traffic.
on tun0: This specifies that the rule should only apply to traffic coming in on the tun0 interface, which is the interface that OpenVPN uses. Replace tun0 with the actual tun interface name if it’s different in your case.
to any port 9050: This specifies that the rule should apply to traffic destined for port 9050.

This rule should allow any OpenVPN client to connect to the SOCKS5 proxy on port 9050, but it won’t expose the port to the wider internet because the rule is specific to the tun0 interface.

After you’ve added the rule, you can use the sudo ufw status command to check that it’s been added correctly. The output should include a line like this:

This assumes that you’ve already set up OpenVPN to route client traffic through the VPN. If you haven’t done that yet, you’ll need to modify your OpenVPN server configuration to include the push "redirect-gateway def1" option.

Best,
Bobby
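As an added example, not code from the thread or from DigitalOcean: a small POSIX sh audit that reads the output of `iptables -S` and flags any ACCEPT for port 9050 that is not bound to the tun interface, which is the check to run after adding the rule above. The rule dumps inside it are constructed samples; the interface name tun0 is taken from the answer.

```shell
#!/bin/sh
# Added audit script (not from the thread): confirm that port 9050 is accepted
# only on the VPN interface. Input is the format of `iptables -S`; ufw keeps
# its rules in chains such as ufw-user-input, so dump every chain, not INPUT.

# Constructed sample: the intended state, the 9050 rules bound to tun0 only.
SCOPED_RULES='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A ufw-user-input -i tun0 -p tcp -m tcp --dport 9050 -j ACCEPT
-A ufw-user-input -i tun0 -p udp -m udp --dport 9050 -j ACCEPT'

# Constructed sample: the mistake to catch, 9050 accepted with no interface
# match, which makes the proxy reachable from the public side (eth0) as well.
EXPOSED_RULES='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 9050 -j ACCEPT'

# audit_9050 RULES IFACE: print every ACCEPT for dport 9050 that is not bound
# to IFACE (or to lo); exit 0 when the port is properly scoped, 1 otherwise.
audit_9050() {
    printf '%s\n' "$1" | awk -v iface="$2" '
        /^-A / && /--dport 9050( |$)/ && /-j ACCEPT/ {
            bound = ""
            for (i = 1; i <= NF; i++) if ($i == "-i") bound = $(i + 1)
            if (bound != iface && bound != "lo") {
                print "EXPOSED: " $0
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }'
}

# Demonstration on the constructed samples; on the droplet itself, run
# audit_9050 "$(sudo iptables -S)" tun0 instead.
audit_9050 "$SCOPED_RULES" tun0 && echo "ok: port 9050 reachable only via tun0"
audit_9050 "$EXPOSED_RULES" tun0 || echo "fix the rule above before relying on it"
```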