2

I have a server (Ubuntu 20.04) that I can SSH into normally. I set up OpenVPN on this server and that works fine...

Except when I start OpenVPN I lose the ability to SSH into the server.

I found this answer regarding setting firewall rules which solves that issue to some extent:

https://serverfault.com/a/918441/602437

I put those rules in a script then do: sudo ./set-ssh-rules.sh && sudo service openvpn start and that works as expected.

Problem is, this is a manual step since the rules seem to go away after I reboot and I have to do the whole dance again.

How do I either get these rules to persist, or, in the more realistic case that the OpenVPN service is "enabled", have the rules set at boot but before the init system (systemd?) starts the OpenVPN service?

I'm sure the answer to this is scattered around the internet but I couldn't piece it together - sorry.

Many thanks in advance.

James C

1 Answer

2

The easiest I've found is to create a service like so:

# Documentation available at:
# https://www.freedesktop.org/software/systemd/man/systemd.service.html

[Unit]
Description=Setup Firewall on each reboot
Before=network.target

[Service]
Type=oneshot
WorkingDirectory=~
RemainAfterExit=yes
ExecStart=/usr/sbin/set-ssh-rules.sh
User=root
Group=root

[Install]
WantedBy=multi-user.target

# vim: syntax=dosini

Your script must be placed in a location which you can refer with a full path as shown above.

To install the file, you can copy it here:

/lib/systemd/system/my-firewall.service

When you manually add a new file, you need to nudge the system to wake it up with the following:

systemctl daemon-reload

The systemd commands will also tell you to run that command if you edit your .service file(s) so it can update itself as required before attempting to run other commands. This is done automatically when you install/uninstall a package, but not when you do this manually.

Then you can enable it and it will kick in on each reboot.

systemctl enable my-firewall

To see whether it worked, check the status:

systemctl status my-firewall

Also you can start/stop manually to verify that the script runs as expected:

systemctl start my-firewall
systemctl stop my-firewall

Since I don't have a script to stop my firewall, nothing happens on stop, but if it is already running the start won't do anything, so you need to stop in order to do a start (you can also use restart).

Alexis Wilke
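One practical refinement of the oneshot approach in this answer, written as an added example rather than code from the question or the answer: because the unit's ExecStart script runs on every boot and on every manual `systemctl start`, a plain `iptables -A` would append the same rules again each time. The script below checks each rule with `iptables -C` first. The `IPTABLES` variable and the two rules are assumptions of this example (the real rules would come from the linked serverfault answer).

```shell
#!/bin/sh
# Added example, not from the original post: an idempotent firewall script
# suitable as the ExecStart target of the oneshot unit above.
# Each rule is checked with "iptables -C" (exit 0 when an identical rule
# exists) before being appended with "iptables -A", so repeated runs at boot
# or via "systemctl start" never stack duplicate rules.
# IPTABLES (assumed name) lets a test substitute a fake binary; it defaults
# to the real iptables.

# ensure_rule TABLE CHAIN RULE... : append RULE to CHAIN only when absent.
ensure_rule() {
    table=$1; chain=$2; shift 2
    if "${IPTABLES:-iptables}" -t "$table" -C "$chain" "$@" 2>/dev/null; then
        return 0      # identical rule already present: nothing to do
    fi
    "${IPTABLES:-iptables}" -t "$table" -A "$chain" "$@"
}

# apply_rules: the rule set the unit applies at boot. Both rules are
# constructed placeholders; replace them with the rules from the linked
# serverfault answer that keep SSH reachable once the tunnel is up.
apply_rules() {
    ensure_rule filter INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    ensure_rule mangle OUTPUT -p tcp --sport 22 -j MARK --set-mark 65
}

# When executed directly (e.g. by systemd), apply the rules.
[ "${0##*/}" = "set-ssh-rules.sh" ] && apply_rules
```

Install it as /usr/sbin/set-ssh-rules.sh (the path the unit's ExecStart references) and mark it executable; with the checks in place, `systemctl start my-firewall` after a manual `stop` is safe to repeat.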