OpenVPN with CSF firewall rules

We are a big fan of OpenVPN when it comes to security. Many organizations have already switched to OpenVPN from PPTP etc.

NixVPN is my favorite VPN software to host it on a standalone instance. But what if, if you already have a server protected with CSF firewall, and you want to install OpenVPN by yourself. You may face some issues like enabling routing on the iotables level.

If you have already configured your OpenVPN and authentication is working fine, and you still dont have internet access once connected, please try the below.

Enable IP forwarding

On CentOS / RHEL 6,

change net.ipv4.ip_forward = 0 to net.ipv4.ip_forward = 1 in /etc/sysctl.conf and run the below

sysctl -p

On CentOS / RHEL 7,

create a new file /etc/sysctl.d/openvpn.conf and add the below content to it,

net.ipv4.ip_forward = 1

then restart the service

sysctl -p
systemctl restart systemd-sysctl.service


Adding firewall rules to the CSF
Note : If you are not using CSF, you can add the below rules directly to iptables.

vim /etc/csf/ and add the below contents to it.

Replace eth0 with your interfacename

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -o tun0 -j ACCEPT
iptables -A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT

Add +x permission to the file

chmod +x /etc/csf/

Now disable and enable CSF to apply the rules.

csf -x && csf -e

Now re-connect your OpenVPN client and you will be able to access the internet.

0 0 votes
Article Rating
Notify of
1 Comment
Newest Most Voted
Inline Feedbacks
View all comments
1 year ago

Nice one, thanks!

Would love your thoughts, please comment.x
Scroll to Top