Use both TCP and UDP with OpenVPN

I want to keep TCP port 1195 open for the VPN, but it shows up as tcp dpt:1195 instead of udp dpt:openvpn, and I get an error message: explicit exit notify only works with --proto udp.

Here are my rules:

ACCEPT tcp -- anywhere anywhere tcp dpt:1195 /* Allow VPN connection */

ACCEPT udp -- anywhere anywhere udp dpt:openvpn /* Allow VPN connection */

cat /etc/openvpn/iptables.sh

#!/bin/bash

# Flush all rules in the nat, mangle and filter tables, then delete user-defined chains
iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X

# Block All: default policy is DROP, so only what is explicitly accepted below gets through
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP

# allow Localhost
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Make sure you can communicate with any DHCP server
iptables -A OUTPUT -d 255.255.255.255 -j ACCEPT
iptables -A INPUT -s 255.255.255.255 -j ACCEPT

# Make sure that you can communicate within your own network
iptables -A INPUT -s 192.168.0.0/24 -d 192.168.0.0/24 -j ACCEPT
iptables -A OUTPUT -s 192.168.0.0/24 -d 192.168.0.0/24 -j ACCEPT

# Allow established sessions to receive traffic:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow TUN
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -o tun+ -j ACCEPT
iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE
iptables -A OUTPUT -o tun+ -j ACCEPT

# allow VPN connection
iptables -I OUTPUT 1 -p tcp --destination-port 1195 -m comment --comment "Allow VPN connection" -j ACCEPT

# iptables -I OUTPUT 1 -p udp --destination-port 1194 -m comment --comment "Allow VPN connection" -j ACCEPT

# Block All: explicit catch-all DROP rules (same effect as the DROP policies above)
iptables -A OUTPUT -j DROP
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP

# Log all dropped packets, debug only.
iptables -N logging
iptables -A INPUT -j logging
iptables -A OUTPUT -j logging
iptables -A logging -m limit --limit 2/min -j LOG --log-prefix "IPTables general: " --log-level 7
iptables -A logging -j DROP

echo "saving"

iptables-save > /etc/iptables.rules

echo "done"

#echo 'openVPN - Rules successfully applied, we start "watch" to verify IPtables in realtime (you can cancel it as usual CTRL + c)'

#sleep 3

#watch -n 0 "sudo iptables -nvL"

iptables -L

Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  255.255.255.255      anywhere            
ACCEPT     all  --  192.168.0.0/24       192.168.0.0/24      
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
logging    all  --  anywhere             anywhere            

Chain FORWARD (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:1195 /* Allow VPN connection */
ACCEPT     udp  --  anywhere             anywhere             udp dpt:openvpn /* Allow VPN connection */
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             255.255.255.255     
ACCEPT     all  --  192.168.0.0/24       192.168.0.0/24      
ACCEPT     all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
logging    all  --  anywhere             anywhere            

Chain logging (2 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             limit: avg 2/min burst 5 LOG level debug prefix "IPTables general: "
DROP       all  --  anywhere             anywhere

Answer 1

This is not an iptables problem. There is a problem with your VPN server configuration, though: you need two VPN instances to do this. Check this and this.
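As an added example (not from the question or the answer above), the two-instance layout the answer describes, written as a small POSIX shell script: one OpenVPN server instance per transport, each on its own tun device and tunnel subnet, a check that explicit-exit-notify (accepted by OpenVPN only with UDP) never ends up in the TCP instance, and the matching firewall rule in the form the question's script uses. Device names, subnets and the config file layout are assumptions.

```shell
#!/bin/sh
# Added example, not from the question or answer above. Emits one OpenVPN server
# instance per transport (UDP/1194 and TCP/1195) so both can run side by side,
# each on its own tun device and tunnel subnet (device names and subnets assumed).

# gen_server_conf PROTO PORT DEV SUBNET  -> server config on stdout
gen_server_conf() {
    proto="$1"; port="$2"; dev="$3"; subnet="$4"
    printf 'port %s\n' "$port"
    printf 'proto %s\n' "$proto"                 # udp, or tcp-server for the TCP instance
    printf 'dev %s\n' "$dev"                     # each instance needs its own tun device
    printf 'server %s 255.255.255.0\n' "$subnet" # and its own tunnel subnet
    printf 'keepalive 10 120\n'
    # explicit-exit-notify is accepted only with UDP; placing it in the TCP
    # instance produces the "only works with --proto udp" complaint from the question.
    [ "$proto" = "udp" ] && printf 'explicit-exit-notify 1\n'
    return 0
}

# conf_is_consistent FILE -> 0 unless explicit-exit-notify is combined with a non-UDP proto
conf_is_consistent() {
    if grep -q '^explicit-exit-notify' "$1" && ! grep -q '^proto udp' "$1"; then
        return 1
    fi
    return 0
}

# firewall_rule CHAIN PROTO PORT -> the iptables line matching one instance, in the
# form the question's script uses (OUTPUT on the client side; use INPUT on the server)
firewall_rule() {
    printf 'iptables -I %s 1 -p %s --destination-port %s -m comment --comment "Allow VPN connection" -j ACCEPT\n' "$1" "$2" "$3"
}

# Usage: sh two-instances.sh demo   (prints both configs and both firewall rules)
if [ "${1:-}" = "demo" ]; then
    echo '# --- udp instance ---'; gen_server_conf udp 1194 tun0 10.8.0.0
    echo '# --- tcp instance ---'; gen_server_conf tcp-server 1195 tun1 10.9.0.0
    firewall_rule OUTPUT udp 1194
    firewall_rule OUTPUT tcp 1195
fi
```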
