Return to Level1Techs.com

Firewall for very specific use case

so… just a short introduction may be necessary…
I’m more of a regular on the LTT forums side of things, but it seems my issue fell a little out of place there, so here’s me hoping this side of the pond can help me out. parts of this post are copy/paste’s, so if i screw up formatting, help me out here.

i’m looking for a VERY specific VPN / Firewall implementation, essentially intending to create a replacement for having to set up passwords, whitelists, block out server list ports, etc.

in other words, i want something i can throw in a VM on my server, that does the following:

  • user needs to connect trough windows’ built in VPN (NO exceptions here, end users are dum users)

  • all connected users need to be seperated (cannot ping each other, etc.)

  • this same VM needs a form of “port forwarding” where i can easily allow or disallow access to a certain port, on a certain IP address.

  • this all, ideally, fits in a VM with 1GB RAM or less.

the idea is an end user can connect to my server via windows’ VPN, can only see/ping the “host” IP address there, which is in itself sort of the “WAN” ip address on a router, on which specific ports are forwarded to the actual game servers. the VPN aspect being the passworded “gate”, relieving the endless annoyance of password configuration and ensuring things are properly walled off.

I dont particularly care about a high security VPN protocol, because essentially all that’ll go over it is meant for public internet anyways.

there’s a few things i do care about, that have proven to be difficult to find as a whole package:

  • ease of use, both for me and the end users
  • low resource usage (preferably a 1GB RAM VM or less)
  • preferably a single VM solution

Things i’ve tried, and why they failed

  • PFsense: VPN configuration is horrible, even when following the official guide to the letter. creating firewall rules (“port forwarding”) is beyond the level of complexity i’d prefer to deal with.

  • OPNsense: see above

  • IPFire: this web interface is actually worse than D-link…

  • iptables (linux): PLEASE SOMEONE FIND ME AN EASY TO USE INTERFACE FOR THIS… I NEED THIS IN MY LIFE.


or as a TLDR: it needs to be a VM, it needs to have a VPN function that works with windows VPN, and it needs to have quick (preferably visual) setup of port forwarding rules.

Put simply what you are asking for is quite complex and while it seems overly complicated to use something like pfSense, it’s what is required. You have entered the realm of enterprise networking.

Before you even start on any of this it’s clear that you have little experience with iptables per your comment asking for an easy interface. You’re dealing with enterprise-grade firewalling here and as such it can be configured in any one of hundreds if not thousands of ways, there will never be a “feature complete” interface as you’re asking for that is simple or easy.

I highly recommend you learn iptables, how to setup routing tables using ip route before you even begin on this. Mess around with setting up a from-scratch OpenVPN server and client just for learning purposes and go from there.

As for pfSense, while it’s not perfect it IMO is one of the best solutions on the market for all of this, and it is possible to do what your asking for with it provided you have the founding understanding of how things work in the network stack.

Btw OpenVPN explicitly denies p2p comms unless told otherwise, which is what you’re looking for, and while it may not be “windows based”, you can give your users a simple file to open with the OpenVPN client and it will do the rest. You can even setup a private certificate authority and issue certs to your users, that way they don’t even need a password.

4 Likes

I dont see why it has to be complex, it’s essentially a device with 2 network interfaces: the LAN side, and the “VPN WAN” side, the latter being whatever VPN service ends up working.
the device needs an interface (graphical or text) where i can add rules that forward a port on the “VPN WAN” side, to another device on the LAN side, can show me which rules exist, which are active, and has a way to activate and deactivate rules.

i dont need my interface to be “feature complete”, i need it to do the basic stuff so i can get on with life. I simply dont have the time to deal with iptables’ command line interface.

the second half of this story is something every home router can do, but it seems that ease of use is limited to home routers.

You have exceeded the basic stuff by mixing in a VPN with specific requirements.

Which is exactly what packages like pfSense are trying to do, but as I stated, there are many many possible configurations of a gateway/router/vpn/firewall, etc… if they just stick to a single paradigm their product would be useless for all the edge cases like yours.

That might be the case, but what you are asking for is not something you can do without learning it. If you really want something to manage iptables for you, you are still going to have to learn that tool too. At the end of the day, you have to understand the IP stack and what IP tables is doing, etc.

Since you want to prevent peer 2 peer VPN communciations while allowing traffic out a gateway you will also have to learn about pushing static routes to your clients, etc. And then firewalling your clients from each other on the router without preventing forwarded traffic from being rejected.

You then are also asking to port forward back through the VPN to your client. Port forwards are static rules, what happens if your client disconnects, or is not connected? the rule can’t exist as the tun/tap device wont exist for them.

What you are asking for is not simple.

1 Like

What about dd-wrt as a VM?

Seems like it checks all the boxes you have.

https://wiki.dd-wrt.com/wiki/index.php/X86

1 Like

@manikyath Apologies, I don’t exactly understand the full use-case of what you want to achieve. Maybe summarize the high-level objective without describing what you think the solution needs to be? There maybe some other solution someone can point you towards.

However, from what you’ve said it sounds like you want some of the capabilities that some routers designed for smaller businesses offer (e.g. the easy set up for VPN and port forwarding), on the other hand some of what you wrote almost sounds like a reverse proxy.

How do your recommendations of pfsense router and using iptables/iproute2 work together?

I am not recommending pfsense and iptables together (pfsense is BSD), I am making the point that to do what he needs he will need to put some effort in and learn these lower level tools if he is not willing to learn pfSense or something similar.

1 Like

i was not aware dd-wrt for x86 existed, i will try it out.

in a simple “1: gather underpants, 2: ?, 3: profit” explanation:

  • end user connects to a VPN using windows’ built in VPN client.
  • in the middle is a magical object that hosts a VPN server, has an IP address the VPN clients can connect to, and has a way to “port forward” as if the VPN was the WAN on a regular home router.
  • the forwarding rules point to vareous TCP and UDP services, and can be enabled/disabled relatively easily.

Thanks for clarifying. It does look like suggestions already made will do what you want.

so… i’ve ran into a few snags… some frustrating, some critical:

  • i’ve been messing with “shorewall” on linux, seems to work fine enough, except i couldnt get the DNAT rules to do anything…

  • after smashing a few keyboards, i’ve more or less got DD-WRT to run in a VM, but still no forwarding rules, and i somehow can only access DD-WRT’s web interface when both interfaces are in the same VLAN…

  • then the big snag: i just realised i only have a single public facing IP address, and i already have a windows VPN set up for my laptop, so the VPN idea is somewhat out the window as a whole since it cant do non-standard ports…

anyone have some alternative ideas, that would largely create the same concept, and dont require end users to install anything? (portable software is fine, installing no.)
i know SSH can do some port redirection stuff, but i really have no experience with how that works…

My suggestion if you’re looking for a basic but functional firewall is Fail2Ban. It doesen’t have a GUI but learning to modify the config file is stupidly easy and requires 5 minutes at best.

For what you need to do you can’t just throw a firewall at it but you need an infrastructure. Or just set up an OpenVPN client on the machine your devices will connect to and you’re basically done.

It would help to actually understand what you’re working with. All we know is you have some people who need access to some service and ONLY that service via some kind of credentials.

I could recommend things that might help, or I could continue to take shots in the dark and recommend things that dont work.

I know you don’t like it, but PF/OPNsense configured with L2TP VPN would be your best bet. It will be quite complicated administrative side, but it makes it as painless as possible for the end-user connecting to it.

So the nutshell explanation would be too:

  • set up a second VLAN via Interfaces.
  • configure second VLAN via the DHCP Service
  • Set the traffic routing via firewall rules
  • Enable L2TP server
  • Configure L2TP to use the second VLAN
  • Point it to a controlled DNS.
  • As for total client ISOLATION from each other, I don’t see that setting anywhere, I am poking around my PFSense box. That may likely have to be done via the firewall rules.
1 Like

yes, i agree that would be the best bet, but for the argument of wether or not i’ll spend time learning how some enterprise stuff works… if the OFFICIAL guide for how to set up a VPN on PF/OPNsense doesnt work, i’m rather disinclined to put in much extra effort.

as for client isolation, PPTPD on linux does that by default, because it relies on the firewall to forward traffic between clients.