Question

Allow OpenVPN clients to connect to local SOCKS5 proxy

I’ve set up an OpenVPN server with personal keys on a droplet, and it works. Now I’ve installed a Tor client on the droplet; it set up a SOCKS5 proxy on port 9050 that also works:

curl --socks5 localhost:9050 google.com

Returns:

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
..blah

The problem is that OpenVPN clients are unable to connect to port 9050 on the server. It seems like I need to unblock the port in the firewall.

My task is to allow OpenVPN clients to connect to 9050 port on the server without exposing the port to the internet.

Iptables makes me weep, please help me with the incantation that I can use with ufw or iptables to allow this scenario.

Any help is appreciated, thank you!



$ cat /etc/ufw/before.rules

# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to eth0
-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES


Bobby Iliev
Site Moderator
June 28, 2023

Hi there,

You’re on the right track, and you’re correct that you’ll need to modify your firewall rules to allow OpenVPN clients to connect to the SOCKS5 proxy on port 9050.

In this case, since you’re using UFW, you should be able to add the necessary rule with a command like this:

sudo ufw allow in on tun0 to any port 9050

Here’s what this command does:

  • allow in: This tells UFW to allow incoming traffic.
  • on tun0: This specifies that the rule should only apply to traffic coming in on the tun0 interface, which is the interface that OpenVPN uses. Replace tun0 with the actual tun interface name if it’s different in your case.
  • to any port 9050: This specifies that the rule should apply to traffic destined for port 9050.

This rule should allow any OpenVPN client to connect to the SOCKS5 proxy on port 9050, but it won’t expose the port to the wider internet because the rule is specific to the tun0 interface.

After you’ve added the rule, you can use the sudo ufw status command to check that it’s been added correctly. The output should include a line like this:

Anywhere on tun0             ALLOW       Anywhere on port 9050

This assumes that you’ve already set up OpenVPN to route client traffic through the VPN. If you haven’t done that yet, you’ll need to modify your OpenVPN server configuration to include the push "redirect-gateway def1" option.

Best,

Bobby
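As an added example (not part of Bobby’s answer or the original question), the script below covers the step a firewall rule alone cannot fix: Tor’s default `SocksPort 9050` binds to 127.0.0.1 only, so unless torrc also opens a listener on the server’s VPN address, clients on tun0 are refused no matter what ufw allows. The script classifies the current listeners on the SOCKS port, prints the torrc lines that add a VPN-side listener (with a SocksPolicy so Tor itself rejects anyone outside the VPN subnet), and applies the ufw rules. The interface name tun0, the server VPN address 10.8.0.1 in the default 10.8.0.0/24 subnet, the public interface eth0, the sample `ss` output and the script name socks-check.sh are assumptions, not values taken from the page.

```bash
#!/usr/bin/env bash
# Added example; not code from the original question or the answer above.
# Assumptions not stated on the page: OpenVPN interface tun0, server VPN
# address 10.8.0.1 in the default 10.8.0.0/24 subnet, Tor SOCKS port 9050,
# public interface eth0. Override any of them through the environment.
set -eu

VPN_IF="${VPN_IF:-tun0}"
VPN_ADDR="${VPN_ADDR:-10.8.0.1}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"
SOCKS_PORT="${SOCKS_PORT:-9050}"
PUB_IF="${PUB_IF:-eth0}"

# Tor's default "SocksPort 9050" binds to 127.0.0.1 only, so no firewall rule
# can make it reachable over tun0. Classify each listener on the SOCKS port
# from `ss -ltn` output read on stdin, one word per listener:
#   loopback  only local processes can reach it (the symptom in the question)
#   vpn       bound to the VPN address: what we want
#   wildcard  bound to every address: internet-reachable unless the firewall
#             blocks it
classify_listeners() {
  awk -v port="$SOCKS_PORT" -v vpn="$VPN_ADDR" '
    {
      if (!match($4, /:[0-9]+$/)) next       # header line or unexpected field
      addr = substr($4, 1, RSTART - 1)
      p    = substr($4, RSTART + 1)
      if (p != port) next
      if (addr == "127.0.0.1" || addr == "[::1]")                  print "loopback"
      else if (addr == vpn)                                        print "vpn"
      else if (addr == "0.0.0.0" || addr == "*" || addr == "[::]") print "wildcard"
      else                                                         print "other:" addr
    }'
}

# Collapse the listener list into one verdict. "exposed" wins over "ok":
# a wildcard bind must be fixed in torrc before anything else.
socks_verdict() {
  local kinds
  kinds="$(classify_listeners | sort -u | tr '\n' ' ')"
  case "$kinds" in
    *wildcard*) echo "exposed" ;;
    *vpn*)      echo "ok" ;;
    *loopback*) echo "loopback-only" ;;
    "")         echo "not-listening" ;;
    *)          echo "unexpected: $kinds" ;;
  esac
}

# Constructed sample of `ss -ltn` output on a server running Tor with its
# default torrc; it is not real output from the droplet in the question.
SAMPLE_DEFAULT='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      4096   127.0.0.1:9050     0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*'

# torrc lines to add: keep the loopback listener, add one on the VPN address,
# and let Tor itself refuse SOCKS requests from outside the VPN subnet so the
# proxy stays private even if the firewall rule is ever dropped.
torrc_lines() {
  printf 'SocksPort 127.0.0.1:%s\n' "$SOCKS_PORT"
  printf 'SocksPort %s:%s\n' "$VPN_ADDR" "$SOCKS_PORT"
  printf 'SocksPolicy accept %s\n' "$VPN_NET"
  printf 'SocksPolicy reject *\n'
}

# Firewall: accept the SOCKS port on tun0 only and deny it explicitly on the
# public interface (redundant with ufw's default deny-incoming, but it records
# the intent). `apply_firewall echo` only prints the commands; `apply_firewall
# sudo` runs them. Plain-iptables equivalent, if ufw is not in use:
#   iptables -A INPUT -i tun0 -p tcp --dport 9050 -j ACCEPT
#   iptables -A INPUT ! -i lo -p tcp --dport 9050 -j DROP
apply_firewall() {
  local run="${1:-echo}"
  "$run" ufw allow in on "$VPN_IF" to "$VPN_ADDR" port "$SOCKS_PORT" proto tcp
  "$run" ufw deny in on "$PUB_IF" to any port "$SOCKS_PORT" proto tcp
}

# On the server: LIVE=1 ./socks-check.sh prints the verdict for the real
# listener table. From a VPN client the end-to-end check is
#   curl --socks5 10.8.0.1:9050 http://google.com
if [ "${LIVE:-0}" = "1" ]; then
  ss -ltn | socks_verdict
fi
```

Run `LIVE=1 ./socks-check.sh` after restarting Tor: the verdict should move from `loopback-only` to `ok`, and `exposed` means a `SocksPort 0.0.0.0:9050` (or similar) line crept into torrc and must be removed before opening anything in the firewall.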
