
Allow OpenVPN clients to connect to local SOCKS5 proxy

Posted on April 11, 2020

I’ve set up an OpenVPN server with personal keys on a droplet, and it works. Now I’ve installed a Tor client on the droplet, which set up a SOCKS5 proxy on port 9050 that also works:

curl --socks5 localhost:9050 google.com

Returns:

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
..blah

The problem is that OpenVPN clients are unable to connect to 9050 port on the server. It seems like I need to unblock the port in firewall.

My task is to allow OpenVPN clients to connect to 9050 port on the server without exposing the port to the internet.

Iptables makes me weep, please help me with the incantation that I can use with ufw or iptables to allow this scenario.

Any help is appreciated, thank you!



$ cat /etc/ufw/before.rules
# Output:
#########

# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to eth0
-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES



Hi there,

You’re on the right track, and you’re correct that you’ll need to modify your firewall rules to allow OpenVPN clients to connect to the SOCKS5 proxy on port 9050.

In this case, since you’re using UFW, you should be able to add the necessary rule with a command like this:

sudo ufw allow in on tun0 to any port 9050

Here’s what this command does:

  • allow in: This tells UFW to allow incoming traffic.
  • on tun0: This specifies that the rule should only apply to traffic coming in on the tun0 interface, which is the interface that OpenVPN uses. Replace tun0 with the actual tun interface name if it’s different in your case.
  • to any port 9050: This specifies that the rule should apply to traffic destined for port 9050.

This rule should allow any OpenVPN client to connect to the SOCKS5 proxy on port 9050, but it won’t expose the port to the wider internet because the rule is specific to the tun0 interface.

After you’ve added the rule, you can use the sudo ufw status command to check that it’s been added correctly. The output should include a line like this:

Anywhere on tun0             ALLOW       Anywhere on port 9050

This assumes that you’ve already set up OpenVPN to route client traffic through the VPN. If you haven’t done that yet, you’ll need to modify your OpenVPN server configuration to include the push "redirect-gateway def1" option.

Best,

Bobby
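As an added check that is not part of the thread: a small Python evaluator for iptables-save style INPUT rules that tests the goal stated in the question, that 9050 is reachable over tun0 but dropped on the public interface. The rule dump below is constructed (the iptables equivalent of the ufw rule above, a default INPUT policy of DROP, and an assumed OpenVPN listener on UDP 1194 on eth0); the interface names and the 1194 port are assumptions, and the "bad" variant shows what happens when the `-i tun0` match is left off.

```python
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in iptables-save syntax (not taken from the droplet).
GOOD_RULES = """
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i tun0 -p tcp -m tcp --dport 9050 -j ACCEPT
"""

# Same dump, but the 9050 allow lacks "-i tun0": the proxy becomes public.
BAD_RULES = GOOD_RULES.replace("-i tun0 -p tcp", "-p tcp")


@dataclass
class Rule:
    target: str
    in_iface: Optional[str] = None   # None means "any interface"
    proto: Optional[str] = None      # None means "any protocol"
    dport: Optional[int] = None      # None means "any destination port"


def parse_input_chain(text: str) -> Tuple[str, List[Rule]]:
    """Return (policy, rules) for the INPUT chain of an iptables-save dump."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        tok = shlex.split(line)
        if not tok:
            continue
        if tok[0] == ":INPUT":          # ":INPUT DROP [0:0]" sets the policy
            policy = tok[1]
        elif tok[:2] == ["-A", "INPUT"]:
            rule = Rule(target="")
            for i, t in enumerate(tok):  # only the matches we care about
                if t == "-i":
                    rule.in_iface = tok[i + 1]
                elif t == "-p":
                    rule.proto = tok[i + 1]
                elif t == "--dport":
                    rule.dport = int(tok[i + 1])
                elif t == "-j":
                    rule.target = tok[i + 1]
            rules.append(rule)
    return policy, rules


def verdict(text: str, in_iface: str, proto: str, dport: int) -> str:
    """First-match evaluation of an inbound packet; falls back to the chain policy."""
    policy, rules = parse_input_chain(text)
    for r in rules:
        if r.in_iface in (None, in_iface) and r.proto in (None, proto) \
                and r.dport in (None, dport):
            return r.target
    return policy


def proxy_exposure_ok(text: str) -> bool:
    """True iff 9050 is allowed from tun0 but dropped on eth0 (the public side)."""
    return (verdict(text, "tun0", "tcp", 9050) == "ACCEPT"
            and verdict(text, "eth0", "tcp", 9050) == "DROP")
```

The firewall rule only helps once Tor actually listens on the tun0 address: by default Tor's SocksPort binds to 127.0.0.1 only, so also confirm the listening socket (for example with `ss -ltn`) before blaming the firewall.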
