I've got a curious OpenVPN / UFW issue on Ubuntu 20.04.
I have a rule set to allow outgoing traffic over tun0: `ufw insert 1 allow out on tun0 from any to any`. The UFW defaults are set to deny, both in & out: `ufw default deny outgoing` & `ufw default deny incoming`.
I'm only able to route traffic through tun0 with UFW running if I go through the following strange dance each and every time I want to connect to the VPN:

1. `ufw disable` (disable UFW, as you'd expect, to allow VPN to connect to server)
2. Connect to VPN (connection successfully establishes)
3. `ufw enable` (re-enable UFW) - So far, as expected - now I'd expect traffic to be sent out via tun0 without any issues ... but no. I now have to do the following...
4. Add a rule to allow all outgoing connections through any interface: `ufw insert 1 allow out from any to any`
5. Establish a connection anywhere - e.g. `ping 1.1.1.1`. This is the vital step - without which subsequent connections through tun0 fail
6. Delete the rule I just added that allows all outgoing connections through any interface (since that is clearly not what we want - the intention is to limit connections to tun0 as per the existing rule): `ufw delete 1`

Now, I am able to establish connections through the VPN tunnel, as expected. However, without steps 4 & 5, all connections are blocked by UFW; I am unable to connect through tun0 - even though there is an explicit UFW rule set to allow it.
Here is my UFW user.rules file (I have an SSH rule too):
*filter
:ufw-user-input - [0:0]
:ufw-user-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-logging-deny - [0:0]
:ufw-logging-allow - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
### RULES ###
### tuple ### allow any 22 0.0.0.0/0 any 192.168.0.0/16 in
-A ufw-user-input -p tcp --dport 22 -s 192.168.0.0/16 -j ACCEPT
-A ufw-user-input -p udp --dport 22 -s 192.168.0.0/16 -j ACCEPT
### tuple ### allow any any 0.0.0.0/0 any 0.0.0.0/0 out_tun0
-A ufw-user-output -o tun0 -j ACCEPT
### tuple ### deny any any 0.0.0.0/0 any 0.0.0.0/0 out
-A ufw-user-output -j DROP
### tuple ### deny any any 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -j DROP
### END RULES ###
### LOGGING ###
-A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-A ufw-after-logging-output -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
-A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
### END LOGGING ###
### RATE LIMITING ###
-A ufw-user-limit -m limit --limit 3/minute -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT
-A ufw-user-limit-accept -j ACCEPT
### END RATE LIMITING ###
COMMIT
Any ideas why this bizarre behaviour is occurring?
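An added example, not part of the question above and not the asker's code: a POSIX shell script that derives the UFW rules a VPN-only ("kill switch") setup needs from an OpenVPN client config. It illustrates the thing the dance above is working around: OpenVPN's own encrypted packets to the VPN server leave on the physical uplink (wlan0/eth0), not on tun0, so with `ufw default deny outgoing` and only `allow out on tun0` the tunnel can never be established while UFW is up. The allow-all rule plus one ping lets the UDP flow to the server get a conntrack entry, and ufw's /etc/ufw/before.rules keeps accepting that flow as RELATED,ESTABLISHED after the rule is deleted, which is why steps 4 & 5 are "vital" and why the effect lasts only as long as that flow stays alive. The script instead allows exactly that one flow. The file name client.ovpn, the interface names wlan0/eth0 and tun0, and the 203.0.113.x addresses are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not code from the question above): print the UFW rules an
# OpenVPN kill switch needs so the tunnel can come up while "default deny
# outgoing" stays in force. OpenVPN's encrypted packets to the server go out
# on the physical uplink, not tun0, so that one flow must be allowed explicitly.
#
# Assumptions (hypothetical): the client config is client.ovpn with
# "remote <host> <port> [proto]" and/or "proto <udp|tcp>" lines, the uplink is
# wlan0, the tunnel is tun0, and the remote is an IPv4 address or a resolvable
# hostname. Addresses are from the 203.0.113.0/24 documentation range.
set -eu

# parse_ovpn <file>: print "host port proto" from the first "remote" line.
# Port defaults to 1194 and proto to udp (OpenVPN's own defaults); a proto on
# the remote line wins over a global "proto" directive, as in OpenVPN itself.
parse_ovpn() {
  ov_file="$1"; ov_host=""; ov_port="1194"; ov_proto=""
  while read -r key a b c rest; do
    case "$key" in
      remote)
        if [ -z "$ov_host" ]; then
          ov_host="$a"
          if [ -n "$b" ]; then ov_port="$b"; fi
          if [ -n "$c" ]; then ov_proto="$c"; fi
        fi ;;
      proto)
        if [ -z "$ov_proto" ]; then ov_proto="$a"; fi ;;
    esac
  done < "$ov_file"
  [ -n "$ov_host" ] || { echo "parse_ovpn: no remote line in $ov_file" >&2; return 1; }
  [ -n "$ov_proto" ] || ov_proto=udp
  printf '%s %s %s\n' "$ov_host" "$ov_port" "$ov_proto"
}

# resolve_remote <host-or-ipv4>: ufw rules take addresses, not names, so a
# hostname is resolved once here. That needs DNS, which this rule set otherwise
# blocks: resolve before enabling UFW, or also allow port 53 out on the uplink.
resolve_remote() {
  case "$1" in
    *[!0-9.]*) getent ahostsv4 "$1" | awk 'NR == 1 { print $1 }' ;;
    *)         printf '%s\n' "$1" ;;
  esac
}

# vpn_rules <remote> <port> <proto> <uplink> <tun>: print the ufw commands,
# one per line, without running anything. "insert 1" matches the question:
# its user.rules already carries explicit "deny out"/"deny in" rules, so an
# appended "allow" would land after them and never match. (insert needs an
# existing rule at that position; on an empty rule set use plain "ufw allow".)
vpn_rules() {
  vr_ip=$(resolve_remote "$1") || return 1
  [ -n "$vr_ip" ] || { echo "vpn_rules: cannot resolve $1" >&2; return 1; }
  case "$3" in          # .ovpn may say udp4, tcp-client, ...; ufw wants udp/tcp
    udp*) vr_proto=udp ;;
    tcp*) vr_proto=tcp ;;
    *)    echo "vpn_rules: unsupported proto $3" >&2; return 1 ;;
  esac
  cat <<EOF
ufw default deny incoming
ufw default deny outgoing
ufw insert 1 allow out on $4 to $vr_ip port $2 proto $vr_proto
ufw insert 1 allow out on $5 from any to any
EOF
}

# apply_rules <ovpn-file> <uplink> <tun>: run the commands (needs root and ufw).
apply_rules() {
  spec=$(parse_ovpn "$1") || return 1
  # $spec is unquoted on purpose: it splits into the host, port and proto args
  vpn_rules $spec "$2" "$3" | while read -r cmd; do
    echo "+ $cmd"; sh -c "$cmd"
  done
}

# Usage (hypothetical file names): sudo sh vpn-ufw.sh apply
if [ "${1:-}" = "apply" ]; then
  apply_rules client.ovpn wlan0 tun0
fi
```

Run it before connecting; afterwards `sudo ufw status numbered` should show the two allow rules above the deny rules, and `sudo conntrack -L -p udp` (from conntrack-tools) shows the flow to the server that before.rules' ESTABLISHED match then keeps accepting. With the server flow allowed on the uplink there is no need to disable UFW or to open everything for a single ping.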