适用于OpenVPN的UFW

我想为OpenVPN配置ufw（不复杂的防火墙）。

仅允许通过OpenVPN进行连接。其他所有内容都应被阻止。因此，如果OpenVPN断开连接->没有互联网！我在网上找到了这个脚本，我想知道它是否足够好。还是我必须添加更多规则？

#!/bin/bash
###########################################
#          Created by Thomas Butz         #
#   E-Mail: btom1990(at)googlemail.com    #
#  Feel free to copy & share this script  #
###########################################

# Adapt this value to your config!
VPN_DST_PORT=3478

# Don't change anything beyond this point
###########################################

# Check for root priviliges
if [[ $EUID -ne 0 ]]; then
   printf "Please run as root:\nsudo %s\n" "${0}"
   exit 1
fi


# Reset the ufw config
ufw --force reset

# let all incoming traffic pass
ufw default allow incoming
# and block outgoing by default
ufw default deny outgoing

# Every communiction via VPN is considered to be safe
ufw allow out on tun0

# Don't block the creation of the VPN tunnel
ufw allow out $VPN_DST_PORT
# Don't block DNS queries
ufw allow out 53

# Allow local IPv4 connections
ufw allow out to 10.0.0.0/8
ufw allow out to 172.16.0.0/12
ufw allow out to 192.168.0.0/16
# Allow IPv4 local multicasts
ufw allow out to 224.0.0.0/24
ufw allow out to 239.0.0.0/8

# Allow local IPv6 connections
ufw allow out to fe80::/64
# Allow IPv6 link-local multicasts
ufw allow out to ff01::/16
# Allow IPv6 site-local multicasts
ufw allow out to ff02::/16
ufw allow out to ff05::/16

# Enable the firewall
ufw enable

资料来源：http : //pastebin.com/AUHh6KnV

配置可能更具限制性

ufw --force reset

ufw default deny incoming # Use the VPN tunnel for all traffic
ufw default deny outgoing

ufw allow out on tun0
ufw allow in on tun0

ufw allow out $port/$protocol # e.g. 1234/udp, depending on your OpenVPN client config

# Prefer resolved hosts to connect to your VPN, enable only if your VPN provider doesn't give you that option
#ufw allow out 53

# Allow local IPv4 connections, enable as needed, set specific IPs or tighter subnet masks if possible
#ufw allow out to 10.0.0.0/8
#ufw allow out to 172.16.0.0/12
#ufw allow out to 192.168.0.0/16
# Allow IPv4 local multicasts
#ufw allow out to 224.0.0.0/24
#ufw allow out to 239.0.0.0/8
# Allow local IPv6 connections
#ufw allow out to fe80::/64
# Allow IPv6 link-local multicasts
#ufw allow out to ff01::/16
# Allow IPv6 site-local multicasts
#ufw allow out to ff02::/16
#ufw allow out to ff05::/16

# Enable the firewall
ufw enable

强烈建议您不要使用以下两个命令：

ufw allow incoming
ufw default allow in on tun0

不允许这样做有防火墙的目的。您需要“允许进入tun0”来接收返回数据包是不正确的。您只希望接收所需的连接，而不是让整个世界都与您连接。允许这样做。在下面测试建议的配置，然后查看。

这是与防火墙一起使用的一系列UFW命令的示例：

sudo ufw enable
sudo ufw --force reset
sudo ufw default deny incoming
sudo ufw default deny outgoing
sudo ufw allow out on tun0
sudo ufw allow out on eth0 to any port 53,1197 proto udp
sudo ufw allow out on wlan0 to any port 53,1197 proto udp
sudo ufw status verbose

结果示例：

Status: active
Logging: on (low)
Default: deny (incoming), deny (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
Anywhere                   ALLOW OUT   Anywhere on tun0          
53,1197/udp                ALLOW OUT   Anywhere on eth0
53,1197/udp                ALLOW OUT   Anywhere on wlan0
Anywhere (v6)              ALLOW OUT   Anywhere (v6) on tun0
53,1197/udp (v6)           ALLOW OUT   Anywhere (v6) on eth0
53,1197/udp (v6)           ALLOW OUT   Anywhere (v6) on wlan0

注意：-您的接口可能不同，例如ubuntu 16.12使用eno1和wlp3s0b1。使用命令“ ifconfig”查看您的实际接口。-1197 UDP是相当默认的，但是您可能需要为您的VPN更改它（例如443 TCP）。-我通常删除ipv6（sudo ufw delete 4，重复x3）

它的作用：-它允许通过VPN隧道的出站连接，同时阻止除VPN隧道和以太网/ wifi上的DNS连接以外的所有内容。以下是有关DNS问题的警告。

警告：此示例允许53发出DNS请求，以便openvpn（例如vpn.somevpnprovider.com）可以请求IP地址并建立连接。需要权衡的是DNS泄漏的可能性。使用dnsleaktest.com确保您的VPN设置通过隧道传送DNS请求。对于谨慎/偏执，请跳过53，然后关闭防火墙以进行连接，然后在连接后重新打开。出于我的VPN原因，我选择不这样做，因为我很可能会完全忘记防火墙（例如，如果openvpn配置错误，DNS仍然会泄漏）。