How to setup SuSEfirewall2 to masquerade openvpn traffic to the open internet?

I’ve currently followed this guide to set up an openvpn server at my parents’, but I also want to be able to connect to the open internet while I’m using public hotspots, and I cannot find enough documentation to be able to do that without disabling SuSEfirewall2. If I use this command, “SFW2-FWDext-DROP-DEFLT” in forward_ext seems to block all the traffic and I cannot figure out how to get around it. If anyone could post how to, I’d be extremely grateful, thanks.

It would probably help to see all of your iptables configuration with the
firewall on, as well as to better understand your networking setup on the
client and server sides. I presume you are using openSUSE on both ends,
but I do not know that for sure. Run the following commands to get some
helpful data for us from both the client and server systems (labeled
appropriately):

sudo /usr/sbin/iptables -nvL
sudo /usr/sbin/iptables-save
ip a
ip r

If nothing else the first two should let us see all of your running
firewall rules, and that may help us see, combined with the latter two,
where a mismatch may exist, particularly if you can share some of the
messages from /var/log/firewall where you see the dropped packets.

Good luck.


You’re not describing a SUSE firewall configuration, you’re describing an openvpn configuration.

What you’re describing is highly discouraged because it can result in compromising not just your own machine but everyone else / everything in the supposedly secure openvpn network you’re connected to.

But, if you want to do what you described anyway,
do a search on “split tunnel openvpn” to see what would be required.

TSU

What would you recommend for an encrypted tunnel which is secure for both the machine and the user? Or something like dockering/sandboxing OpenVPN?

This isn’t a technical issue.
It’s just a simple security issue for <anything> to be trusted to connect to a secure network while also simultaneously being connected to an untrusted (and, in the case of the Internet, a highly dangerous) network at the same time. Everything depends on your machine being uncompromised, because if it is compromised in some way then, as a trusted member of the secure network, nothing may prevent your being a highway for some intrusion.

So, this then becomes a human educational issue, or at the very least letting your VPN admins know so that they can take extra security measures in your case.

However serious this can be, as I described, it’s possible to configure a “split tunnel” to do what you want.

And, this applies to any VPN, not just openvpn.
You should just disconnect from one network before connecting to the other.
As for using some kind of isolation (like docker) or virtualization (like Virtualbox), it’s certainly possible but then again security will depend on how you enable communications between your isolated/virtualized instance and your HostOS.

TSU

Another option which does not compromise security
is to configure your VPN client to access the Internet through the private network’s Internet gateway.

So, traffic is not directly between the VPN client and the Internet; instead:

VPN client <> Secure Network <> Internet

For various reasons the VPN client will notice significant latency when accessing the Internet, but this configuration should be as safe as any other client in the secure network accessing the Internet.

TSU
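Tying the diagnostic request earlier in the thread (the iptables-save output) to this gateway layout, here is an added example that is not from any poster: a small POSIX sh check that reads an iptables-save dump and reports whether the masquerade and forward rules an OpenVPN server needs in order to act as that Internet gateway are present. The device names tun0/eth0, the 10.8.0.0/24 subnet and the two sample dumps are constructed assumptions.

```shell
#!/bin/sh
# Check an iptables-save dump for what an OpenVPN server needs before clients
# can reach the Internet through it (VPN client <> server <> Internet):
#   1. nat/POSTROUTING MASQUERADE (or SNAT) for the VPN subnet on the external
#      device   (SuSEfirewall2: FW_MASQUERADE="yes", FW_MASQ_NETS="10.8.0.0/24")
#   2. a forward ACCEPT from the VPN device to the external device
#      (SuSEfirewall2: FW_ROUTE="yes", FW_DEV_INT="tun0", FW_DEV_EXT="eth0")
#   3. a stateful forward ACCEPT so RELATED,ESTABLISHED replies get back in
# The kernel also needs net.ipv4.ip_forward=1, which a dump does not show.
# Matching is pattern-based and ignores rule order: an ACCEPT placed after a
# chain's default DROP would still count as present, so read the dump too.
# Usage: sudo iptables-save | check_vpn_gateway tun0 eth0 10.8.0.0/24

check_vpn_gateway() {
    tun="$1"; ext="$2"; net="$3"
    dump=$(cat)                                  # iptables-save text on stdin
    esc=$(printf '%s' "$net" | sed 's/\./\\./g') # literal dots in the regex
    fwd='^-A (FORWARD|forward_(int|ext|dmz)) '   # built-in + SuSEfirewall2 chains
    missing=0
    if ! printf '%s\n' "$dump" | grep -Eq "^-A POSTROUTING .*-s $esc .*-o $ext .*-j (MASQUERADE|SNAT)"; then
        echo "MISSING: nat POSTROUTING MASQUERADE/SNAT for $net out $ext"
        missing=$((missing + 1))
    fi
    if ! printf '%s\n' "$dump" | grep -Eq "$fwd.*-i $tun .*-o $ext .*-j ACCEPT"; then
        echo "MISSING: forward ACCEPT $tun -> $ext"
        missing=$((missing + 1))
    fi
    if ! printf '%s\n' "$dump" | grep -Eq "$fwd.*--(state|ctstate) (RELATED,ESTABLISHED|ESTABLISHED,RELATED) .*-j ACCEPT"; then
        echo "MISSING: stateful forward ACCEPT for replies back to $tun"
        missing=$((missing + 1))
    fi
    [ "$missing" -eq 0 ] && echo "OK: $net can be masqueraded out $ext"
    return "$missing"                            # 0 = all present, else count missing
}

# Constructed sample 1: a working gateway (abridged dump).
GOOD_DUMP='*nat
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
-A FORWARD -i tun0 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'
# Constructed sample 2: routing is on but there is no masquerading and no
# reply rule, so returning packets fall through to the forward_ext default drop.
BAD_DUMP='*filter
-A FORWARD -i tun0 -j forward_int
-A FORWARD -i eth0 -j forward_ext
-A forward_int -i tun0 -o eth0 -j ACCEPT
-A forward_ext -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT "
-A forward_ext -j DROP
COMMIT'

printf '%s\n' "$GOOD_DUMP" | check_vpn_gateway tun0 eth0 10.8.0.0/24
printf '%s\n' "$BAD_DUMP"  | check_vpn_gateway tun0 eth0 10.8.0.0/24
```

On the real server, pipe `sudo iptables-save` into the function instead of the samples; a nonzero exit code is the number of missing pieces.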

That will depend on the corporate environment’s VPN setup of course. Some may not provide access to an internet gateway.

One left-field possibility is to set up a VM guest using bridged networking, with the host connected to direct internet and VPN active in guest (or vice versa). I do this sometimes so that I can access internet and some network monitoring tools on our network.

Yes,
the OP posed the idea of running a VM to access “the other” network.
But, although that bypasses the VPN restriction, it can still cause a real-time data exfil dump, among other things, if the HostOS is sufficiently compromised.

So, the question becomes, as is often the case… Sure, it might be possible to bypass security measures, but then it’s your decision to do so, and if it results in disastrous consequences you will probably have to take responsibility.

BTW - It should also be noted that VPNs set up on Windows will enable split tunnelling by default… But, should Windows be the ideal for how things are set up, particularly around security?

TSU

Yep. It is equivalent to two separate hosts operating on a LAN where someone may be connected to a VPN (say for remote network management purposes). Good security needs to be implemented at the VPN server-end to mitigate risks.