Hi,
I was able to configure OpenVPN with FreePBX using SysAdmin. I was also able to configure my remote GrandStream GXP2130 to register to FreePBX, and the calls are working fine, so up to this point I’m a happy camper.
Now, I decided to test downloading the OpenVPN client and using the same configuration files I use for the phone to configure it and, yes, it works fine and I can even register a soft phone on my computer.
The OpenVPN server is running on the default address 10.8.0.1 (255.255.255.0) and my FreePBX/Asterisk is running on my LAN on 10.0.0.14 (255.255.255.0).
So then I tried to SSH into 10.0.0.14 and it didn’t work, but I noticed it was just because there was no route for 10.0.0.0/24. I added the route and now not only can I SSH and web into 10.0.0.14, but I can also access other servers on that subnet like 10.0.0.15.
Even if the chances of somebody getting the configuration off the phone, connecting to the VPN, creating the missing routes, connecting to the servers and hacking the passwords are slim… I don’t feel comfortable having a VPN for phones that has access to all my network.
So my question is: what is the best practice to restrict the traffic from 10.8.0.x to anything on 10.0.0.x? I could live with it having access to 10.0.0.14 (FreePBX), but ideally it would be only port 5060 and the RTP ports.
Currently, my VPN client gets assigned the 10.8.0.2 address.
I’m not sure if this is a missing configuration on OpenVPN or if it is meant to be accomplished by using iptables, which I don’t have experience with.
Below is some relevant configuration for your reference.
Thanks for any guidance.
Camilo
/etc/openvpn/sysadmin_server1.conf
# Configuration automatically generated via Sysadmin RPM
# MODIFICATIONS TO THIS FILE WILL BE OVERWRITTEN.
# Generated at: Sat, 07 Oct 2023 11:21:27 +0000
port 1194
proto udp
dev tun
topology subnet
ca sysadmin_ca.crt
dh sysadmin_dh.pem
crl-verify sysadmin_crl.pem
cert sysadmin_server1.crt
key sysadmin_server1.key
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
verb 3
client-config-dir ccd
ccd-exclusive
status sysadmin_server1-status.log 10
status-version 3
script-security 2
reneg-sec 3600
server 10.8.0.0 255.255.255.0
sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-PBX-GUI all -- anywhere anywhere
fail2ban-SSH tcp -- anywhere anywhere multiport dports ssh
fail2ban-apache-auth all -- anywhere anywhere
fail2ban-FTP tcp -- anywhere anywhere multiport dports ftp
fail2ban-BadBots tcp -- anywhere anywhere multiport dports http,https
fail2ban-api tcp -- anywhere anywhere multiport dports http,https
fail2ban-zulu tcp -- anywhere anywhere
fail2ban-recidive all -- anywhere anywhere
fail2ban-SIP all -- anywhere anywhere
fpbxfirewall all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain fail2ban-BadBots (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-FTP (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-PBX-GUI (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-SIP (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-SSH (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-apache-auth (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-api (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-recidive (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-zulu (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fpbx-rtp (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpts:ndmp:dnp
ACCEPT udp -- anywhere anywhere udp dpts:terabase:hfcs-manager
Chain fpbxattacker (6 references)
target prot opt source destination
all -- anywhere anywhere recent: SET name: ATTACKER side: source mask: 255.255.255.255
DROP all -- anywhere anywhere
Chain fpbxblacklist (1 references)
target prot opt source destination
Chain fpbxchecktempwhitelist (1 references)
target prot opt source destination
fpbxtempwhitelist all -- anywhere anywhere ! recent: CHECK name: REPEAT side: source mask: 255.255.255.255
Chain fpbxfirewall (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere connmark match ! 0x20 state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere 255.255.255.255
ACCEPT all -- anywhere anywhere PKTTYPE = multicast
ACCEPT udp -- anywhere anywhere udp spts:bootps:bootpc dpts:bootps:bootpc
fpbx-rtp all -- anywhere anywhere
fpbxblacklist all -- anywhere anywhere
fpbxsignalling all -- anywhere anywhere
fpbxsmarthosts all -- anywhere anywhere
fpbxregistrations all -- anywhere anywhere
fpbxnets all -- anywhere anywhere
fpbxhosts all -- anywhere anywhere
fpbxinterfaces all -- anywhere anywhere
fpbxreject all -- anywhere anywhere
fpbxrfw all -- anywhere anywhere mark match 0x2/0x2
ACCEPT udp -- anywhere anywhere state RELATED,ESTABLISHED
lefilter tcp -- anywhere anywhere match-set lefilter dst
fpbxlogdrop all -- anywhere anywhere
Chain fpbxhosts (1 references)
target prot opt source destination
zone-trusted all -- localhost anywhere
Chain fpbxinterfaces (1 references)
target prot opt source destination
zone-external all -- anywhere anywhere
zone-internal all -- anywhere anywhere
Chain fpbxknownreg (3 references)
target prot opt source destination
all -- anywhere anywhere recent: REMOVE name: REPEAT side: source mask: 255.255.255.255
all -- anywhere anywhere recent: REMOVE name: ATTACKER side: source mask: 255.255.255.255
all -- anywhere anywhere recent: REMOVE name: TEMPWHITELIST side: source mask: 255.255.255.255
all -- anywhere anywhere recent: REMOVE name: WHITELIST side: source mask: 255.255.255.255
MARK all -- anywhere anywhere MARK or 0x4
ACCEPT all -- anywhere anywhere mark match 0x1/0x1
fpbxsvc-ucp all -- anywhere anywhere
fpbxsvc-zulu all -- anywhere anywhere
fpbxsvc-restapps all -- anywhere anywhere
fpbxsvc-restapps_ssl all -- anywhere anywhere
fpbxsvc-provis all -- anywhere anywhere
fpbxsvc-provis_ssl all -- anywhere anywhere
fpbxsvc-api all -- anywhere anywhere
fpbxsvc-api_ssl all -- anywhere anywhere
Chain fpbxlogdrop (1 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain fpbxnets (1 references)
target prot opt source destination
zone-trusted all -- 10.0.0.0/24 anywhere
zone-internal all -- 10.8.0.0/24 anywhere
Chain fpbxratelimit (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere mark match 0x4/0x4
ACCEPT all -- anywhere anywhere recent: CHECK seconds: 90 hit_count: 1 name: WHITELIST side: source mask: 255.255.255.255
all -- anywhere anywhere state NEW recent: SET name: REPEAT side: source mask: 255.255.255.255
all -- anywhere anywhere state NEW recent: SET name: DISCOVERED side: source mask: 255.255.255.255
LOG all -- anywhere anywhere LOG level warning
fpbxattacker all -- anywhere anywhere recent: CHECK seconds: 86400 hit_count: 1 name: ATTACKER side: source mask: 255.255.255.255
fpbxattacker all -- anywhere anywhere recent: CHECK seconds: 86400 hit_count: 200 name: REPEAT side: source mask: 255.255.255.255
fpbxattacker all -- anywhere anywhere recent: CHECK seconds: 300 hit_count: 100 name: REPEAT side: source mask: 255.255.255.255
fpbxshortblock all -- anywhere anywhere recent: CHECK seconds: 60 hit_count: 50 name: REPEAT side: source mask: 255.255.255.255
ACCEPT all -- anywhere anywhere
Chain fpbxregistrations (1 references)
target prot opt source destination
fpbxknownreg all -- 10.8.0.2 anywhere
Chain fpbxreject (1 references)
target prot opt source destination
rejsvc-nfs all -- anywhere anywhere
rejsvc-smb all -- anywhere anywhere
Chain fpbxrfw (1 references)
target prot opt source destination
all -- anywhere anywhere recent: SET name: DISCOVERED side: source mask: 255.255.255.255
ACCEPT all -- anywhere anywhere recent: CHECK seconds: 90 hit_count: 1 name: WHITELIST side: source mask: 255.255.255.255
ACCEPT all -- anywhere anywhere recent: CHECK seconds: 90 hit_count: 1 name: TEMPWHITELIST side: source mask: 255.255.255.255
fpbxchecktempwhitelist all -- anywhere anywhere ! recent: CHECK seconds: 86400 name: TEMPWHITELIST side: source mask: 255.255.255.255
all -- anywhere anywhere recent: REMOVE name: TEMPWHITELIST side: source mask: 255.255.255.255
all -- anywhere anywhere recent: SET name: REPEAT side: source mask: 255.255.255.255
fpbxattacker all -- anywhere anywhere recent: CHECK seconds: 10 hit_count: 50 name: REPEAT side: source mask: 255.255.255.255
fpbxattacker all -- anywhere anywhere recent: CHECK seconds: 86400 hit_count: 1 name: ATTACKER side: source mask: 255.255.255.255
fpbxshortblock all -- anywhere anywhere recent: CHECK seconds: 60 hit_count: 10 name: SIGNALLING side: source mask: 255.255.255.255
all -- anywhere anywhere recent: SET name: SIGNALLING side: source mask: 255.255.255.255
fpbxattacker all -- anywhere anywhere recent: CHECK seconds: 86400 hit_count: 100 name: REPEAT side: source mask: 255.255.255.255
ACCEPT all -- anywhere anywhere
Chain fpbxshortblock (2 references)
target prot opt source destination
all -- anywhere anywhere recent: SET name: CLAMPED side: source mask: 255.255.255.255
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain fpbxsignalling (1 references)
target prot opt source destination
MARK udp -- anywhere anywhere udp dpt:5160 MARK set 0x3
MARK udp -- anywhere anywhere udp dpt:sip MARK set 0x3
Chain fpbxsmarthosts (1 references)
target prot opt source destination
Chain fpbxsvc-api (2 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:85
Chain fpbxsvc-api_ssl (2 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:powerclientcsf
Chain fpbxsvc-chansip (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:5160
Chain fpbxsvc-ftp (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
Chain fpbxsvc-http (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:http
Chain fpbxsvc-https (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:https
Chain fpbxsvc-iax (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:iax
Chain fpbxsvc-isymphony (0 references)
target prot opt source destination
Chain fpbxsvc-letsencrypt (0 references)
target prot opt source destination
Chain fpbxsvc-nfs (0 references)
target prot opt source destination
Chain fpbxsvc-ntp (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:ntp
Chain fpbxsvc-pjsip (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:sip
Chain fpbxsvc-provis (3 references)
target prot opt source destination
fpbxratelimit tcp -- anywhere anywhere tcp dpt:mit-ml-dev
Chain fpbxsvc-provis_ssl (1 references)
target prot opt source destination
Chain fpbxsvc-restapps (2 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ctf
Chain fpbxsvc-restapps_ssl (1 references)
target prot opt source destination
Chain fpbxsvc-smb (0 references)
target prot opt source destination
Chain fpbxsvc-sng_phone_svc (1 references)
target prot opt source destination
Chain fpbxsvc-ssh (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
Chain fpbxsvc-tftp (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:tftp
Chain fpbxsvc-ucp (4 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:81
ACCEPT tcp -- anywhere anywhere tcp dpt:vcom-tunnel
Chain fpbxsvc-ucp_ssl (2 references)
target prot opt source destination
Chain fpbxsvc-vpn (3 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:openvpn
Chain fpbxsvc-webrtc (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:radan-http
ACCEPT tcp -- anywhere anywhere tcp dpt:8089
Chain fpbxsvc-xmpp (3 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:xmpp-client
Chain fpbxsvc-zulu (1 references)
target prot opt source destination
Chain fpbxtempwhitelist (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere recent: SET name: TEMPWHITELIST side: source mask: 255.255.255.255
Chain lefilter (1 references)
target prot opt source destination
CONNMARK all -- anywhere anywhere state NEW CONNMARK set 0x20
ACCEPT all -- anywhere anywhere state NEW
ACCEPT all -- anywhere anywhere STRING match "GET /.well-known/acme-challenge/" ALGO name kmp FROM 52 TO 53
ACCEPT all -- anywhere anywhere STRING match "GET /.freepbx-known/" ALGO name kmp FROM 52 TO 53
RETURN all -- anywhere anywhere
Chain rejsvc-nfs (1 references)
target prot opt source destination
Chain rejsvc-smb (1 references)
target prot opt source destination
Chain zone-external (1 references)
target prot opt source destination
MARK all -- anywhere anywhere MARK or 0x10
fpbxsvc-ucp all -- anywhere anywhere
fpbxsvc-vpn all -- anywhere anywhere
fpbxsvc-xmpp all -- anywhere anywhere
Chain zone-internal (2 references)
target prot opt source destination
MARK all -- anywhere anywhere MARK or 0x4
fpbxsvc-ssh all -- anywhere anywhere
fpbxsvc-http all -- anywhere anywhere
fpbxsvc-https all -- anywhere anywhere
fpbxsvc-ucp all -- anywhere anywhere
fpbxsvc-ucp_ssl all -- anywhere anywhere
fpbxsvc-pjsip all -- anywhere anywhere
fpbxsvc-chansip all -- anywhere anywhere
fpbxsvc-iax all -- anywhere anywhere
fpbxsvc-webrtc all -- anywhere anywhere
fpbxsvc-api all -- anywhere anywhere
fpbxsvc-api_ssl all -- anywhere anywhere
fpbxsvc-ntp all -- anywhere anywhere
fpbxsvc-sng_phone_svc all -- anywhere anywhere
fpbxsvc-provis all -- anywhere anywhere
fpbxsvc-vpn all -- anywhere anywhere
fpbxsvc-restapps all -- anywhere anywhere
fpbxsvc-xmpp all -- anywhere anywhere
fpbxsvc-ftp all -- anywhere anywhere
fpbxsvc-tftp all -- anywhere anywhere
Chain zone-other (0 references)
target prot opt source destination
MARK all -- anywhere anywhere MARK or 0x8
fpbxsvc-ucp all -- anywhere anywhere
fpbxsvc-ucp_ssl all -- anywhere anywhere
fpbxsvc-provis all -- anywhere anywhere
fpbxsvc-vpn all -- anywhere anywhere
fpbxsvc-xmpp all -- anywhere anywhere
Chain zone-trusted (8 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
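One way to get the restriction the question asks for, as an added example that is not part of the original post and not FreePBX's own firewall code. Two things from the dump above explain the current behaviour: the OpenVPN server runs on the PBX itself, so a phone talking to 10.0.0.14 is handled by the INPUT chain, where 10.8.0.0/24 sits in the firewall's Internal zone (the zone-internal chain admits ssh, http, https and more), while a phone talking to 10.0.0.15 is forwarded by the PBX through a FORWARD chain whose policy is ACCEPT. The script below therefore hooks one dedicated chain into both INPUT and FORWARD ahead of the FreePBX-managed chains and allows only SIP (udp/5060) and RTP towards the PBX; everything else from the tunnel is logged and dropped. The addresses and the SIP port come from the post; the interface name tun0, the chain name vpn-phones and the RTP range 10000:20000 are assumptions and should be checked against the PBX's settings.

```shell
#!/bin/sh
# Added example for this thread; it is not part of the original post and not
# FreePBX's own firewall code. It restricts OpenVPN clients to SIP signalling
# and RTP towards the PBX and logs/drops everything else from the tunnel.
#
# Values taken from the post: VPN pool 10.8.0.0/24, LAN 10.0.0.0/24, PBX at
# 10.0.0.14, SIP on 5060. Assumed: the tunnel interface is tun0 ("dev tun")
# and the RTP range is 10000:20000 (check Asterisk SIP Settings on the PBX).
VPN_NET="${VPN_NET:-10.8.0.0/24}"
LAN_NET="${LAN_NET:-10.0.0.0/24}"
PBX_IP="${PBX_IP:-10.0.0.14}"
VPN_IF="${VPN_IF:-tun0}"                # assumed interface name
SIP_PORT="${SIP_PORT:-5060}"
RTP_RANGE="${RTP_RANGE:-10000:20000}"   # assumed; match the PBX's RTP range

# Print the rules rather than applying them, so they can be reviewed first.
vpn_phone_rules() {
    cat <<EOF
# The OpenVPN server runs on the PBX itself, so a phone talking to $PBX_IP
# hits INPUT, while a phone talking to any other LAN host hits FORWARD.
# One dedicated chain serves both; it is (re)created empty on every run.
iptables -N vpn-phones 2>/dev/null || iptables -F vpn-phones
iptables -A vpn-phones -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A vpn-phones -d $PBX_IP -p udp --dport $SIP_PORT -j ACCEPT
iptables -A vpn-phones -d $PBX_IP -p udp --dport $RTP_RANGE -j ACCEPT
# Anything else from the tunnel is logged (rate-limited) and dropped, so a
# client probing SSH, the GUI or other LAN hosts shows up in the system log.
iptables -A vpn-phones -m limit --limit 5/min -j LOG --log-prefix "VPN-PHONES DROP: "
iptables -A vpn-phones -j DROP
# Hook the chain in at position 1, ahead of the FreePBX-managed chains.
# The -D lines remove an earlier copy so re-running does not stack duplicates.
iptables -D INPUT -i $VPN_IF -s $VPN_NET -j vpn-phones 2>/dev/null
iptables -I INPUT 1 -i $VPN_IF -s $VPN_NET -j vpn-phones
iptables -D FORWARD -i $VPN_IF -s $VPN_NET -d $LAN_NET -j vpn-phones 2>/dev/null
iptables -I FORWARD 1 -i $VPN_IF -s $VPN_NET -d $LAN_NET -j vpn-phones
EOF
}

# Usage:  sh vpn-phones.sh              -> print the rules for review
#         sudo sh vpn-phones.sh --apply -> apply them (needs root)
if [ "${1:-}" = "--apply" ]; then
    vpn_phone_rules | sh
else
    vpn_phone_rules
fi
```

The FreePBX firewall module rewrites the iptables rules whenever it restarts, so these lines have to be re-applied after it runs; recent versions of the module source a custom rules file for that purpose (/etc/firewall-4.rules, assumed here, so confirm the path for your version). After applying, `iptables -L INPUT -n -v --line-numbers` should show vpn-phones as rule 1 in both INPUT and FORWARD; then, from the VPN client, confirm that the phone or soft phone still registers and makes calls, and that an SSH or web attempt to 10.0.0.14 or 10.0.0.15 times out and produces a "VPN-PHONES DROP:" line in the system log. If chan_sip on udp/5160 or phone provisioning over tcp/83 (the mit-ml-dev rule in the dump) are used over the tunnel, add matching ACCEPT lines for those ports and nothing more.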