How to use iptables to allow traffic only through ONE SPECIFIC VPN

Question

I'm trying to allow all traffic from my Banana PI running Lubuntu to only go to my LAN or otherwise through an VPN Server. I'm following this guide: http://joelslowik.blogspot.co.uk/2013/05/setup-iptables-for-vpn-and-local.html

Essentially it says I should use these rules:

#Allow loopback device (internal communication)
iptables -A INPUT -i lo -j 
iptables -A OUTPUT -o lo -j ACCEPT
#Allow all local traffic.
iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
iptables -A OUTPUT -d 192.168.1.0/24 -j ACCEPT
#Allow VPN establishment
iptables -A OUTPUT -p udp --dport 1194 -j ACCEPT
iptables -A INPUT -p udp --sport 1194 -j ACCEPT
#Accept all TUN connections (tun = VPN tunnel)
iptables -A OUTPUT -o tun+ -j ACCEPT
iptables -A INPUT -i tun+ -j ACCEPT
#Set default policies to drop all communication unless specifically allowed
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

But as far as I understand it, that will allow traffic through ANY VPN (or anything with a network interface starting with "tun" for that matter).

I tried to use

iptables -A INPUT -s XXX.XXX.XXX.XXX -j ACCEPT
iptables -A OUTPUT -d XXX.XXX.XXX.XXX -j ACCEPT

with the IP Address of the VPN Server, but that doesn't seem to work either, it simply won't connect to the VPN.

So how should I do this? I did the exact same thing on Windows using the Windows Firewall (following this guide), just blocking any IP Address except the local ones and the one of the VPN Server and it works perfectly.

Answer 1

Since it appears like you are using OpenVPN, one thing you could easily do is to give your VPN tun device an explicit name instead of using tunN.

It is perfectly valid to put something like. dev tun_home in your OpenVPN configuration. This will result in the tunnel device being named tun_home. You can then use this in your firewall rules instead of using a wildcard device name match tun+.

Answer 2

I suppose here that you want all non local traffic to go through the VPN (internet access for example). If this is true, I think it would be easier and better to use the routing table to do what you want instead of the firewall. You could define your default route to use the VPN instead of the current default.

route add default dev tun0

or something similar and remove the current default route.

On the other hand, if what you want is really to block anything that is not local or coming from the VPN then you are in the right direction using iptables.