Aktuelle Version vom 29. Juli 2025, 12:17 Uhr

Variablen

ct state new iif $wandev udp dport $vpnport accept

ct state new iif $vpndev oif $serverdev ip saddr $vpn ip daddr $server accept

ct state new iif $vpndev oif $dmzdev ip saddr $vpn ip daddr $dmz accept

@@ Zeile 1: / Zeile 1: @@
 = Variablen =
-*WANDEV = eth0
+*wandev = enp0s3
-*LANDEV = ens19
+*serverdev = enp0s10
-*VPNDEV = tun0
+*dmzdev = enp0s9
-*OVPNPORT = 1194
+*vpndev = tun0
-*LAN = 10.82.228.0/24
+*vpnport = 1194
-*VPN = 172.31.2.0/24
+*server = 172.16.2xx.0/24
+*dmz = 10.88.2xx.0/24
+*vpn = 172.20.2xx.0/24
 {{#drawio:ipt-openvpn}}
@@ Zeile 11: / Zeile 13: @@
 = Vorausgesetztes Connection Tracking =
-; Verschlüsselter Verkehr – OpenVPN UDP
+; Verschlüsselter Verkehr – OpenVPN UDP (input Kette)
-*nft add rule inet filter input iifname "$WANDEV" udp dport $OVPNPORT ct state new accept
+ ct state new iif $wandev udp dport $vpnport accept
+; VPN → SERVER: Pakete aus dem Tunnel ins interne Netz (forward Kette)
-; VPN → LAN: Pakete aus dem Tunnel ins interne Netz
+ ct state new iif $vpndev oif $serverdev ip saddr $vpn ip daddr $server accept
-*nft add rule inet filter forward iifname "$VPNDEV" oifname "$LANDEV" ip saddr $VPN ip daddr $LAN ct state new accept
+; VPN → DMZ: Pakete aus dem Tunnel ins interne Netz (forward Kette)
+ ct state new iif $vpndev oif $dmzdev ip saddr $vpn ip daddr $dmz accept