
How does the OpenVPN client get data on the wire if the physical interface is blocked by the firewall? [Resolved]

Reading about TUN/TAP in the kernel documentation, it is clear that this interface is not backed by hardware. If I set up an iptables firewall to deny in/out traffic on all interfaces except tun0, how does the OpenVPN client actually get the data on the wire?

When the kernel decides it's time to put data on the wire, for the tun0 interface it sends the data to a userspace program (the OpenVPN client). I assume that this program must prepare the data for tunneling, then open a socket and actually send the data out using a non-virtual interface like eth0. But this is supposed to be blocked by the firewall. Yet it works.

Does the OpenVPN client somehow bypass the firewall mechanism (iptables)?

Question Credit: user10607
Asked June 12, 2019
Posted Under: Network
1 Answer

iptables blocks all traffic, including OpenVPN; the client cannot establish the tunnel unless it's on the whitelist. However, it requires only the OpenVPN port to be opened to bypass any kind of traffic/ports once the tunnel is established, as all packets will be encapsulated in OpenVPN packets regardless of the underlying traffic.

credit: Moe Kurmot
Answered June 12, 2019
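As an added illustration of the answer above (not part of the original question or answer): a minimal iptables ruleset that defaults to DROP, opens exactly one hole on the physical interface for the OpenVPN transport, and passes everything on tun0. The interface names, the server address 203.0.113.10 and port 1194/udp are assumptions for the example.

```shell
#!/bin/sh
# Constructed example ruleset: default-deny on the physical interface, with
# a single hole for the OpenVPN transport and free passage on tun0.
# All values below are assumptions, not taken from the question or answer.
PHYS_IF="${PHYS_IF:-eth0}"
TUN_IF="${TUN_IF:-tun0}"
VPN_SERVER="${VPN_SERVER:-203.0.113.10}"   # RFC 5737 documentation address
VPN_PORT="${VPN_PORT:-1194}"
VPN_PROTO="${VPN_PROTO:-udp}"

# gen_rules prints the iptables commands instead of executing them, so the
# ruleset can be reviewed (or tested) without root.
gen_rules() {
  cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Everything inside the tunnel: the kernel hands $TUN_IF packets to the
# openvpn process, which then needs only the single hole on $PHYS_IF below.
iptables -A INPUT  -i $TUN_IF -j ACCEPT
iptables -A OUTPUT -o $TUN_IF -j ACCEPT
# The one hole on the physical interface: the OpenVPN transport itself.
iptables -A OUTPUT -o $PHYS_IF -p $VPN_PROTO -d $VPN_SERVER --dport $VPN_PORT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT  -i $PHYS_IF -p $VPN_PROTO -s $VPN_SERVER --sport $VPN_PORT -m conntrack --ctstate ESTABLISHED -j ACCEPT
EOF
}

# count_phys_accepts returns how many ACCEPT rules touch the physical
# interface; this default-deny ruleset has exactly two (one per direction).
count_phys_accepts() {
  gen_rules | grep -c -- "-[io] $PHYS_IF .* -j ACCEPT"
}

case "${1:-}" in
  --apply) gen_rules | grep -v '^#' | sh -e ;;   # needs root
  *)       gen_rules ;;
esac
```

Running the script without arguments only prints the rules for review; if OpenVPN runs as a dedicated user, adding `-m owner --uid-owner <user>` to the OUTPUT rule narrows the hole to that process.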