This guide details configuring nftables for an OpenVPN server, enhancing security and control over network traffic. It assumes a basic understanding of both OpenVPN and nftables.
Ensure OpenVPN is installed and configured. Note the network interface (e.g., tun0) and subnet used by OpenVPN (e.g., 10.8.0.0/24).
Install nftables: apt install nftables (Debian/Ubuntu) or yum install nftables (CentOS/RHEL).
Enable and start nftables: systemctl enable nftables and systemctl start nftables.
Create the nftables configuration file (e.g., /etc/nftables.conf).
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        # Allow established/related connections
        ct state {established, related} accept
        # Allow loopback traffic
        iif lo accept
        # Allow SSH (adjust port if needed)
        tcp dport 22 accept
        # Allow OpenVPN traffic (adjust port and interface)
        udp dport 1194 iif eth0 accept
        # ICMP
        icmp type {echo-request, echo-reply, destination-unreachable, time-exceeded} accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        # Return traffic for connections opened by VPN clients; without this
        # the drop policy discards every reply coming back from the internet
        ct state {established, related} accept
        # Allow forwarding from OpenVPN interface
        iif tun0 accept
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
table ip nat {
    chain postrouting {
        # masquerade is a NAT statement: nft rejects it in a filter-hook chain,
        # so it lives in its own nat postrouting chain
        type nat hook postrouting priority 100; policy accept;
        # Masquerade traffic from OpenVPN subnet (adjust subnet and interface)
        oif eth0 ip saddr 10.8.0.0/24 masquerade
    }
}
Load the configuration: nft -f /etc/nftables.conf.
Key points:
flush ruleset: Clears any existing rules. Use with caution on production systems.
table inet filter: Creates a filter table for IPv4 and IPv6.
chain input: Handles incoming traffic to the server.
chain forward: Handles traffic being forwarded through the server.
chain output: Handles outgoing traffic from the server.
ct state {established, related} accept: Essential for allowing return traffic for established connections.
masquerade: Performs source NAT so OpenVPN clients share the server's public address. nftables only accepts this statement in a chain with a nat postrouting hook, never in a filter chain.
Configure OpenVPN to push DNS servers to clients. Edit your OpenVPN server config (e.g., /etc/openvpn/server.conf):
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
Replace 8.8.8.8 and 8.8.4.4 with your preferred DNS servers.
Restart OpenVPN: systemctl restart openvpn@server (adjust the service name as needed).
Pitfall: Forgetting to enable IP forwarding in the kernel. Edit /etc/sysctl.conf and uncomment net.ipv4.ip_forward=1. Then, run sysctl -p.
Check: Use nft list ruleset to verify the nftables rules are loaded correctly.
Check: From an OpenVPN client, verify you can ping external addresses (e.g., ping 8.8.8.8).
Pitfall: Ensure your cloud provider's firewall allows UDP traffic on the OpenVPN port.
Pitfall: Misconfigured subnets can lead to routing issues. Double-check the OpenVPN subnet and the masquerade rule.
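As an added example (not part of the original guide), a small shell audit that runs over either the config file or a saved nft list ruleset dump and reports which of the rules this design depends on are missing, including the return-traffic rule in forward and a masquerade that ended up in a filter chain. Interface names, subnet and port are passed as arguments; the sample rulesets in the test are constructed.

```shell
#!/usr/bin/env bash
# Audit an nftables config file or an `nft list ruleset` dump for the rules an
# OpenVPN gateway needs. Pure text matching, so it runs without nft or root.
# Args: FILE WAN_IF VPN_IF VPN_SUBNET VPN_PORT   (e.g. eth0 tun0 10.8.0.0/24 1194)

# chain_has FILE HOOK_REGEX RULE_REGEX: true if a rule matching RULE_REGEX
# appears inside the chain whose "type ... hook ..." line matches HOOK_REGEX.
# Scoping by chain means a masquerade in the wrong chain cannot satisfy the NAT check.
chain_has() {
    awk -v hook="$2" -v rule="$3" '
        /^[ \t]*chain /              { inchain = 0 }   # new chain block starts
        /^[ \t]*type / && $0 ~ hook  { inchain = 1 }   # hook line follows "chain x {"
        inchain && $0 ~ rule         { found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# check_vpn_ruleset FILE WAN_IF VPN_IF VPN_SUBNET VPN_PORT: prints each problem
# found and returns 0 only when every required rule is present.
check_vpn_ruleset() {
    file=$1 wan=$2 vpn=$3 subnet=$4 port=$5
    fail=0
    chain_has "$file" 'filter hook input' "ct state.*established.*accept" \
        || { echo "input: missing ct state established,related accept"; fail=1; }
    chain_has "$file" 'filter hook input' "udp dport $port .*accept" \
        || { echo "input: OpenVPN port udp/$port is not accepted"; fail=1; }
    chain_has "$file" 'filter hook forward' "ct state.*established.*accept" \
        || { echo "forward: replies to VPN clients hit the drop policy (no ct state rule)"; fail=1; }
    chain_has "$file" 'filter hook forward' "iif \"?$vpn\"?.*accept" \
        || { echo "forward: traffic arriving on $vpn is not accepted"; fail=1; }
    chain_has "$file" 'nat hook postrouting' "oif \"?$wan\"?.*ip saddr $subnet masquerade" \
        || { echo "nat postrouting: no masquerade for $subnet out of $wan"; fail=1; }
    # masquerade only works in a nat-hook chain; nft refuses it elsewhere
    chain_has "$file" 'filter hook' "masquerade" \
        && { echo "masquerade sits in a filter chain; move it to a nat postrouting chain"; fail=1; }
    return $fail
}
```

Run it as check_vpn_ruleset /etc/nftables.conf eth0 tun0 10.8.0.0/24 1194 before loading, or on the output of nft list ruleset afterwards.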
Install and configure OpenVPN.
Install and enable nftables.
Create and load the nftables configuration file.
Configure DNS settings in OpenVPN.
Enable IP forwarding in the kernel.
Verify nftables rules are loaded.
Test connectivity from an OpenVPN client.
Check cloud provider firewall rules.