Arno's IPTables Firewall and OpenVPN
Monday, 30 March 2009

One of life's great time-savers is Arno's IPTables Firewall Script. If you've never tried it before, you can find it here:

http://rocky.eld.leidenuniv.nl/

Most of the setup for the script is fairly obvious and it generally gets the job done without any hassle. Just take the time to read the notes in the README and the firewall.conf files and you will find everything working smoothly.

But, then, when you try to install OpenVPN, things get a little more complicated. So, mostly as notes to myself, here's what I add to firewall.conf to finish the job:

  1. By default only the main internal subnet (the one in INTERNAL_NET) ends up in the NAT_INTERNAL_NET parameter, and that does not cover OpenVPN: the tunnel subnet the OpenVPN server hands out to clients is never masqueraded. The symptom is that a ping to an external IP from a VPN client gets no reply. Dumping traffic on EXT_IF shows the client's ICMP packets leaving with their tunnel source address still in place, not NAT'd, so the reply from the external host has no route back.

    The simple solution is to list every subnet that needs to NAT out through EXT_IF, including the VPN tunnel subnet (the network given in the server directive of the OpenVPN config), like this:

    NAT="1"
    NAT_INTERNAL_NET="192.168.1.0/24 192.168.2.0/24"

    This allows the VPN clients to NAT out through the EXT_IF and get a reply.

  2. List all trusted internal devices in the TRUSTED_IF parameter, including the device already named in INT_IF and, above all, the VPN tunnel devices (tun+ matches tun0, tun1 and so on), like this:

    TRUSTED_IF="eth0 tun+"

    Bear in mind that a trusted interface may send anything to the firewall host and through it, so listing tun+ here gives every VPN client the same access as a machine on the LAN. If VPN users should get less than that, leave tun+ out of TRUSTED_IF and allow only the services they need instead.

  3. OpenVPN listens on UDP port 1194 unless the server config says otherwise (the proto and port directives), and it can just as well run over TCP on any port. So check your OpenVPN config to find out what the firewall has to let in on EXT_IF, then add that port to OPEN_UDP, or to OPEN_TCP if you use proto tcp. This is the one OpenVPN rule that must be open to the outside world, because clients connect to it before the tunnel (and the trusted tun device) exists.
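As an added example, not part of the original post or of Arno's script, here is a small POSIX shell script that ties the three steps together: it reads an OpenVPN server config and prints the firewall.conf lines the steps call for. It assumes a tun-mode server with a server directive and a contiguous netmask, falls back to OpenVPN's defaults (UDP, port 1194) when proto or port are absent, and works on a constructed sample config with eth0 as the LAN interface and 192.168.1.0/24 as the LAN subnet; all of those are assumptions for the illustration.

```shell
#!/bin/sh
# Added example (not from the original post or Arno's firewall script):
# derive the firewall.conf settings for OpenVPN from an OpenVPN server
# config. Assumes a tun-mode server with a "server NET MASK" directive
# and a contiguous netmask; "proto" and "port" fall back to OpenVPN's
# defaults (udp, 1194) when absent.

# Constructed sample OpenVPN server config (an assumption, not a real file).
SAMPLE_OVPN_CONF='dev tun
proto udp
port 1194
server 192.168.2.0 255.255.255.0
push "redirect-gateway def1"
keepalive 10 120'

# ovpn_value CONF KEY DEFAULT: first argument of directive KEY, or DEFAULT.
ovpn_value() {
    val=$(printf '%s\n' "$1" | awk -v key="$2" '$1 == key { print $2; exit }')
    printf '%s\n' "${val:-$3}"
}

# netmask_to_prefix MASK: dotted-quad netmask -> prefix length (255.255.255.0 -> 24).
netmask_to_prefix() {
    printf '%s\n' "$1" | awk -F. '{
        bits = 0
        for (i = 1; i <= 4; i++) {
            v = $i + 0
            while (v > 0) { bits += v % 2; v = int(v / 2) }
        }
        print bits
    }'
}

# vpn_subnet CONF: tunnel subnet from the "server" directive, in CIDR form.
vpn_subnet() {
    net=$(ovpn_value "$1" server "")
    mask=$(printf '%s\n' "$1" | awk '$1 == "server" { print $3; exit }')
    printf '%s/%s\n' "$net" "$(netmask_to_prefix "$mask")"
}

# ovpn_proto CONF: "tcp" or "udp"; tcp-server/tcp4/udp6 style variants are folded.
ovpn_proto() {
    case "$(ovpn_value "$1" proto udp)" in
        tcp*) echo tcp ;;
        *)    echo udp ;;
    esac
}

# firewall_settings CONF LAN_IF LAN_SUBNET: print the firewall.conf lines.
# Lines 1-2: NAT the LAN and the tunnel subnet out of EXT_IF (step 1).
# Line 3:    trust the LAN interface and the tunnel devices (step 2).
# Line 4:    open the OpenVPN listening port on the right protocol (step 3).
firewall_settings() {
    conf=$1; lan_if=$2; lan_net=$3
    port=$(ovpn_value "$conf" port 1194)
    printf 'NAT="1"\n'
    printf 'NAT_INTERNAL_NET="%s %s"\n' "$lan_net" "$(vpn_subnet "$conf")"
    printf 'TRUSTED_IF="%s tun+"\n' "$lan_if"
    if [ "$(ovpn_proto "$conf")" = tcp ]; then
        printf 'OPEN_TCP="%s"\n' "$port"
    else
        printf 'OPEN_UDP="%s"\n' "$port"
    fi
}

# Print the settings derived from the sample config.
firewall_settings "$SAMPLE_OVPN_CONF" eth0 192.168.1.0/24
```

Run it against your real server config by replacing SAMPLE_OVPN_CONF with `$(cat /etc/openvpn/server.conf)` and paste the four lines it prints into firewall.conf; if you use proto tcp the last line comes out as OPEN_TCP instead of OPEN_UDP.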