Hi all, I’m trying to have my rpi5 running Raspberry Pi OS communicate with the Internet only through the tun0 interface (VPN). For this I wanted to create a ufw ruleset. Unfortunately, I’ve hit a roadblock and I can’t figure out where I’m going wrong.

Can you help me discover why this ruleset doesn’t allow Internet communication over tun0? When I disable ufw I can access the Internet.

The VPN connection is already established, so it should keep working, right?

I hope you can help me out!

This is the script with the ruleset:

```sh
sudo ufw reset

# Set default policies
sudo ufw default deny incoming
sudo ufw default deny outgoing

# Allow SSH access
sudo ufw allow ssh

# Allow local network traffic
sudo ufw allow from 192.168.0.0/16
sudo ufw allow out to 192.168.0.0/16

# Allow traffic through VPN tunnel
sudo ufw allow in on tun0
sudo ufw allow out on tun0

# Add routing between interfaces (I read it's necessary, not sure why?)
sudo ufw route allow in on tun0 out on wlan0
sudo ufw route allow in on wlan0 out on tun0

sudo ufw enable
```

  • TauZero@mander.xyz · ↑3 · 18 hours ago

    > `sudo ufw default deny outgoing`

    I’m guessing this would block the VPN packets themselves as well.

    • sykaster@feddit.nl (OP) · ↑1 ↓1 · 18 hours ago

      It does, but later I have the rules to counteract those, for the VPN specifically:

      ```sh
      sudo ufw allow in on tun0
      sudo ufw allow out on tun0
      ```

      So that would open that up again, or am I wrong?

      • TauZero@mander.xyz · ↑2 · 17 hours ago

        That allows sending packets inside the VPN tunnel, but the outer envelope packets still need to be able to reach the VPN server.

        • sykaster@feddit.nl (OP) · ↑1 · 17 hours ago

          I see, but then how would I disable everything else? Should I not use the default rules?

          • catloaf@lemm.ee · ↑4 · 17 hours ago

            Add an allow rule for the VPN traffic on wlan0 to your VPN server.

            • sykaster@feddit.nl (OP) · ↑1 · 17 hours ago

              Hmm, but wouldn’t that allow applications to communicate on wlan0 without using the vpn?

              Thanks for your help and excuse my ignorance.
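The layout catloaf describes, written out as a ufw script: this is an added example, not code from any participant in the thread. The outbound allow on wlan0 is pinned to the VPN server's IP, port and protocol, so it also answers the last question: applications cannot use wlan0 for anything except reaching that one endpoint. The address 203.0.113.10, port 1194/udp and the interface names are assumed placeholders.

```shell
#!/bin/sh
# Assumed values, constructed for this example: put your VPN server's public IP,
# port and protocol here (from the client .ovpn / WireGuard config). Use the IP,
# not a hostname: once outgoing is denied, DNS over wlan0 no longer works.
VPN_SERVER="${VPN_SERVER:-203.0.113.10}"
VPN_PORT="${VPN_PORT:-1194}"
VPN_PROTO="${VPN_PROTO:-udp}"
LAN_IF="${LAN_IF:-wlan0}"
VPN_IF="${VPN_IF:-tun0}"
# Set UFW=echo to print the rules instead of applying them.
UFW="${UFW:-sudo ufw}"

apply_vpn_killswitch() {
    $UFW --force reset
    $UFW default deny incoming
    $UFW default deny outgoing

    # LAN side, as in the original ruleset: SSH in, LAN traffic both ways.
    $UFW allow in on "$LAN_IF" to any port 22 proto tcp
    $UFW allow in on "$LAN_IF" from 192.168.0.0/16
    $UFW allow out on "$LAN_IF" to 192.168.0.0/16

    # The outer envelope: the only Internet destination wlan0 may reach is the
    # VPN endpoint itself, pinned to one IP, port and protocol. Nothing else
    # matches this rule, so applications cannot bypass the tunnel through it.
    $UFW allow out on "$LAN_IF" to "$VPN_SERVER" port "$VPN_PORT" proto "$VPN_PROTO"

    # Inner traffic: everything may leave through the tunnel. Nothing inbound on
    # tun0 is opened; replies to these connections are accepted by ufw's
    # built-in RELATED,ESTABLISHED rule.
    $UFW allow out on "$VPN_IF"

    # No 'ufw route' rules: those govern forwarding between interfaces and are
    # only needed if the Pi routes traffic for other hosts.
    $UFW --force enable
}

# Print the rules that would be applied, for review before committing to them
# (runs in a subshell so the UFW override does not leak out).
preview_vpn_killswitch() {
    ( UFW=echo; apply_vpn_killswitch )
}

if [ "${1:-}" = "apply" ]; then
    apply_vpn_killswitch
elif [ "${1:-}" = "preview" ]; then
    preview_vpn_killswitch
fi
```

Run `sh vpn-ufw.sh preview` first and compare the printed rules against your endpoint, then `sh vpn-ufw.sh apply`; if the VPN drops while the rules are active, `sudo ufw status verbose` will show that wlan0 is allowed nowhere but the endpoint, which is the intended fail-closed state.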