How to disable iptables modification by Access Server

OpenVPN Access Server uses iptables on the host as part of its sophisticated NAT-ing and routing of VPN-related traffic. Access Server adds rules to the "filter", "nat" and "mangle" tables of iptables. Some of these iptables changes are made when openvpnas starts up; others occur when configuration changes are made to the Access Server. There are additional iptables changes that relate to per-user IP addresses and routes in Access Server.

The AS v1.2.0 release also includes the ability to disable particular types of iptables modifications, if the corresponding Access Server functionality is not used (and iptables rule modification is undesirable).
There are three related settings, identified by these config keys:

iptables.vpn.disable.filter
iptables.vpn.disable.nat
iptables.vpn.disable.mangle

For each setting you can use a CLI command to modify the Boolean value. Go to the /usr/local/openvpn_as/scripts directory and run

./confdba --mod --key=key_name --value=boolean_value --prof=profile_name

where

  • key_name is one of the three config keys listed above (e.g., "iptables.vpn.disable.nat")
  • boolean_value is either "True" or "False"
  • profile_name is the name of the configuration profile (e.g., "Default")

For instance, to disable the Access Server's modification of the iptables NAT table:

./confdba --mod --key=iptables.vpn.disable.nat --value=True --prof=Default

You can use "./confdba --show" to view the config and see the current value of each key. Each of these config keys is True by default (and treated as True if not defined).

Warning:
Disabling the iptables modification should only be done if you understand the iptables rules that are added by Access Server (by examining output of iptables and/or iptables-save) and you add your own iptables rules that are equivalent to those automatically added by Access Server. Otherwise, disabling these modifications will most likely render Access Server inoperable.
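The two steps above (snapshot the rules Access Server currently manages in a table, then issue the confdba command that disables modification of that table) as an added Python example; it is not part of the original article or of the Access Server tooling. It assumes the three config keys and the confdba syntax quoted on the page; the iptables-save dump, chain names, interface name and subnet are constructed placeholders, not real Access Server output.

```python
import shlex

# Config keys quoted on the page, one per iptables table Access Server edits.
DISABLE_KEYS = {
    "filter": "iptables.vpn.disable.filter",
    "nat": "iptables.vpn.disable.nat",
    "mangle": "iptables.vpn.disable.mangle",
}
SCRIPTS_DIR = "/usr/local/openvpn_as/scripts"

def confdba_disable_cmd(table, disable=True, profile="Default"):
    """Build the confdba command from the page for one table.
    Rejects tables for which Access Server has no disable key."""
    if table not in DISABLE_KEYS:
        raise ValueError(f"no iptables.vpn.disable key for table {table!r}")
    value = "True" if disable else "False"
    return (f"{SCRIPTS_DIR}/confdba --mod --key={DISABLE_KEYS[table]} "
            f"--value={value} --prof={shlex.quote(profile)}")

def parse_iptables_save(text):
    """Group the '-A' rule lines of an iptables-save dump by table, skipping
    comments, chain declarations (':NAME POLICY [p:b]') and COMMIT lines."""
    tables, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            current = line[1:]
            tables.setdefault(current, [])
        elif line.startswith("-A ") and current is not None:
            tables[current].append(line)
    return tables

# Constructed sample in iptables-save format; chain, interface and subnet
# values are placeholders, not actual Access Server output.
SAMPLE_DUMP = """\
# Generated by iptables-save (constructed sample)
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i vpn0 -j ACCEPT
-A FORWARD -o vpn0 -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 ! -o vpn0 -j MASQUERADE
COMMIT
*mangle
COMMIT
"""
```

On a live host, feed the real `iptables-save` output to parse_iptables_save and keep the rules of any table before running the command confdba_disable_cmd returns, so they can be re-added by hand as the warning requires.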