IP Tunnel / ovpn - asl whitelist issue

Customer support forums for Atomic Protector (formerly Atomic Secured Linux). There is no such thing as a bad question here as long as it pertains to using Atomic Protector. Newbies feel free to get help getting started or asking questions that may be obvious. Regular users are asked to be gentle. :-)

Post by aus-city:

Support,

I've set up a tunnel over OpenVPN. I've got a WAN IP routed over the tunnel to the other end, so I can masquerade / SNAT as well as my own static IPs.

The only issue I've got: on my ASL server, I've got to whitelist the distant/origin end of the tunnel (10.9.0.1). I've whitelisted only my local end (10.9.0.2), but any fwd traffic inbound doesn't get accepted even though there are strict allow rules in the ASL firewall for all my inbound traffic.

I've got a router on the fibre doing routing, marking, etc. that's in between, so I'm definitely seeing these incoming packets to dst 80 and 443 (which is what I'm testing with) via the right src IP of the tunnel.

If I whitelist both the local and distant (origin) ends, then all my fwds on ports 80, 443, 22, etc. all work perfectly, as I'm getting pages / responses.

I did see a few "ip is a hostname" complaints in ossec-hids and on the ASL GUI, but that was not stopping it....

Nothing special at the origin end; I'm just:
-A PREROUTING -d xx.xx.xx.xx (wan ip) -p tcp -m tcp -j DNAT --to-destination 10.9.0.2
-A POSTROUTING -d 10.9.0.2 -o tun0 -j MASQUERADE
-A POSTROUTING -s 10.9.0.2 -j SNAT --to-source xx.xx.xx.xx (wan ip)


Any ideas? I'd rather not whitelist the origin end (10.9.0.1) of the tunnel, as it's forwarding /::0 off the internet.

I even threw up another OpenVPN on another distant router with the same iptables / fwd from there, but again I had to whitelist both sides of that tunnel to get responses back.

My router on the fibre is the master routing point and I'm purely routing, so I/C traffic on the dst ports is forwarded and the rest gets ignored or dropped, so it's not like I'm a DMZ and open.... That router also does the routing packet marking for my dst traffic to go down the right one of multiple routes to /::0, either direct or via the tunnel to the WAN IP I'm SNATing back to, now with two tunnels :)

Anyway, any thoughts on the necessity of whitelisting the origin end of the tunnels?

Thanks!
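The part of this that decides what the ASL-end whitelist can and cannot see is the MASQUERADE rule at the origin end: MASQUERADE in POSTROUTING rewrites the source address to the address of the outgoing interface, which on tun0 at the origin router is 10.9.0.1. So every forwarded internet client arrives at the ASL server with the same source address, which is why the whitelist entry for 10.9.0.1 is what makes the forwards work and also why that entry effectively trusts every client behind the tunnel. The model below is an added example, not the poster's configuration or anything from Atomic Protector: 203.0.113.10 stands in for the redacted WAN IP, the client addresses are constructed, and only the standard netfilter DNAT/MASQUERADE semantics are modelled (ASL's own whitelist logic is not).

```python
"""Model of the source address the ASL-end host sees for traffic forwarded
over the OpenVPN tunnel described in the post.

Added example, not the poster's configuration. Constructed values:
WAN_IP stands in for the redacted xx.xx.xx.xx, client addresses are
documentation ranges. NAT semantics are standard netfilter behaviour:
DNAT in PREROUTING rewrites the destination; MASQUERADE in POSTROUTING
rewrites the source to the outgoing interface's address (tun0 = 10.9.0.1
at the origin end).
"""
from dataclasses import dataclass, replace

WAN_IP = "203.0.113.10"   # constructed stand-in for the poster's WAN IP
TUN_ORIGIN = "10.9.0.1"   # tun0 address at the internet-facing origin end
TUN_ASL = "10.9.0.2"      # tun0 address at the ASL server end


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def origin_end_nat(pkt: Packet, masquerade: bool = True) -> Packet:
    """Apply the origin-end rules from the post to one inbound packet.

    -A PREROUTING -d <wan ip> -p tcp -j DNAT --to-destination 10.9.0.2
    -A POSTROUTING -d 10.9.0.2 -o tun0 -j MASQUERADE

    With masquerade=False the second rule is omitted: that variant keeps
    the real client address across the tunnel (at the cost of having to
    route the replies back through the tunnel).
    """
    if pkt.proto == "tcp" and pkt.dst == WAN_IP:
        pkt = replace(pkt, dst=TUN_ASL)        # DNAT to the ASL end
    if masquerade and pkt.dst == TUN_ASL:
        pkt = replace(pkt, src=TUN_ORIGIN)     # MASQUERADE out of tun0
    return pkt


def sources_seen_by_asl(client_ips, dport=80, masquerade=True):
    """Set of source addresses the ASL host observes for forwarded
    connections from the given internet clients."""
    seen = set()
    for ip in client_ips:
        out = origin_end_nat(Packet(src=ip, dst=WAN_IP, dport=dport), masquerade)
        seen.add(out.src)
    return seen


def whitelist_covers(whitelist, client_ips, dport=80, masquerade=True):
    """Per client: would a source-based whitelist at the ASL end treat
    its forwarded packets as trusted? With MASQUERADE on, one entry for
    10.9.0.1 covers every client behind the tunnel; without it, only the
    clients actually listed are covered."""
    return {
        ip: origin_end_nat(Packet(ip, WAN_IP, dport), masquerade).src in whitelist
        for ip in client_ips
    }


if __name__ == "__main__":
    clients = ["198.51.100.7", "192.0.2.44"]   # constructed internet clients
    print("with MASQUERADE:   ", sources_seen_by_asl(clients))
    print("without MASQUERADE:", sources_seen_by_asl(clients, masquerade=False))
    print("10.9.0.1 whitelisted, MASQUERADE on:", whitelist_covers({TUN_ORIGIN}, clients))
```

Run as-is it prints a single source (10.9.0.1) for both constructed clients when MASQUERADE is on, and the two real client addresses when it is off. That is the trade-off behind the poster's reluctance: with MASQUERADE, per-source controls at the ASL end (the whitelist, and anything OSSEC does per IP) cannot tell forwarded clients apart, so the 10.9.0.1 entry is an all-or-nothing trust decision for the forwarded ports; without it the ASL end sees real addresses, but only if return traffic for those flows is routed back over the tunnel.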