Configuring Firewall Rules for VPN

In the last part of this lab we look at configuring the firewall rules for our VPN setup. We have set up routers for PPTP, SSTP, and L2TP/IPsec.
We start from the default firewall rules, which give us a basic but reasonably secure baseline. Apply the default firewall script to both routers in each scenario. The expected result is that the client can no longer connect to the server, because the script closes the ports the two routers use to establish communication between them.
After applying the default firewall rules, however, you should notice that your VPN traffic is still being passed through. Why?
If you look at the default firewall rule list, you will notice the following line:
/ip firewall filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
The main purpose of this rule is to let packets that belong to an already established connection, and traffic related to it, reach the router regardless of the rules that follow. This keeps active connections alive and lets users keep communicating with external servers without interruption.
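To make the behaviour of that rule concrete, here is a small added example (not part of the lab and not RouterOS code) that models a stateful input chain in Python. It parses the lab's own rule plus two constructed catch-all rules, keeps a toy connection-tracking table, and evaluates two packets: one on a VPN tunnel that was already up when the script was loaded, and one fresh connection attempt. The TCP port 1723 is PPTP's control port; the addresses are RFC 5737 documentation ranges and the packets are constructed for the demo.

```python
import shlex
from dataclasses import dataclass

# The lab's rule, followed by two constructed rules standing in for the rest
# of a default input chain (assumption: the chain ends in a catch-all drop).
RULES_TEXT = '''
add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="constructed: drop invalid"
add chain=input action=drop comment="constructed: drop everything else"
'''


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_rules(text):
    """Parse RouterOS-style 'add key=value ...' lines into a list of dicts."""
    rules = []
    for line in text.strip().splitlines():
        tokens = shlex.split(line)          # shlex keeps the quoted comment whole
        if not tokens or tokens[0] != "add":
            continue
        rule = {}
        for tok in tokens[1:]:
            key, _, value = tok.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


def flow_key(p):
    """Direction-independent 5-tuple so replies match the same tracked entry."""
    ends = sorted([(p.src, p.sport), (p.dst, p.dport)])
    return (p.proto,) + tuple(ends)


def connection_state(p, table):
    """Toy conntrack: a known flow is 'established', anything else is 'new'."""
    return "established" if flow_key(p) in table else "new"


def evaluate(chain, rules, p, table):
    """Walk the chain top to bottom; first matching rule decides the action."""
    state = connection_state(p, table)
    for rule in rules:
        if rule.get("chain") != chain:
            continue
        if "connection-state" in rule and state not in rule["connection-state"].split(","):
            continue
        if "protocol" in rule and rule["protocol"] != p.proto:
            continue
        if "dst-port" in rule and int(rule["dst-port"]) != p.dport:
            continue
        action = rule["action"]
        if action == "accept":
            table.add(flow_key(p))           # accepted packets create/confirm a flow
        return action, rule.get("comment", "")
    return "drop", "chain default"           # RouterOS chains default to accept;
                                             # the constructed catch-all makes this moot


def demo():
    """Tunnel already tracked -> accepted; fresh connection attempt -> dropped."""
    rules = parse_rules(RULES_TEXT)
    table = set()
    # Constructed: PPTP control connection that was up before the script loaded.
    tunnel = Packet("tcp", "203.0.113.10", 51234, "198.51.100.1", 1723)
    table.add(flow_key(tunnel))
    existing, _ = evaluate("input", rules, tunnel, table)
    fresh, _ = evaluate("input", rules,
                        Packet("tcp", "203.0.113.20", 40000, "198.51.100.1", 1723), table)
    return {"existing": existing, "fresh": fresh}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:9s} connection -> {verdict}")
```

Running it shows the two outcomes the lab describes side by side: packets on the already-tracked tunnel hit the first rule and are accepted before the drop rules are reached, while a brand-new connection attempt has no tracked flow, is classified as new, and falls through to the drop.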
When you set up a VPN, it typically creates an established connection once the VPN handshake and authentication processes are completed successfully. Here’s how it works: