OpenVPN with iptables and a tun interface

Solution 1:

Plaintext traffic will go in and out of the tunX devices; you may find the -i tun+ and -o tun+ options to iptables, which match any tun interface, useful in handling that.

Encrypted traffic will be UDP/TCP on port 1194 (or otherwise, as you have specified) on your Ethernet interface. When filtering traffic into the server, don't forget to allow the OpenVPN encrypted packets.

And as for chains, encrypted traffic coming in is considered to terminate on the openvpn server, so that's the INPUT chain; encrypted traffic leaving is considered to have originated on the server, so that's the OUTPUT chain. Traffic passing between your internal network and the tunX interfaces is the responsibility of the FORWARD chain.

Solution 2:

For traffic coming through the tunnel, you just need to set up FORWARD rules to allow the traffic from the tun interface to the eth interface. For example, the following rule allows access from tun0 to RDP for a specific range.

-A FORWARD -i tun0 -p tcp --dport 3389 -d 192.168.0.0/24 -j ACCEPT

After the forward rules, if you have an established/related rule on the eth interface, it will allow the traffic back through.
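As an added worked example (not part of either answer above), the following POSIX shell script ties together the chain layout from Solution 1 (encrypted packets in INPUT, plaintext tunnel traffic in FORWARD) and the FORWARD plus ESTABLISHED,RELATED pattern from Solution 2. It emits a complete filter-table ruleset in iptables-restore format rather than running iptables commands one by one, so the whole set can be syntax-checked before it is committed. The interface name eth0, the UDP/1194 listener and the 192.168.0.0/24 LAN range are assumed defaults that you override through environment variables; the --apply mode and the rate-limited LOG rule for dropped tunnel traffic are additions for illustration, not anything the answers specify.

```shell
#!/bin/sh
# Added example, not code from the answers above.
# Generates an iptables-restore ruleset for an OpenVPN server that routes
# tunnel clients into a LAN. Defaults below are assumptions; override via env.
WAN_IF="${WAN_IF:-eth0}"              # interface the encrypted packets arrive on
VPN_PROTO="${VPN_PROTO:-udp}"         # "proto udp" or "proto tcp" in server.conf
VPN_PORT="${VPN_PORT:-1194}"          # "port 1194" in server.conf
LAN_NET="${LAN_NET:-192.168.0.0/24}"  # LAN the tunnel clients may reach

# Print the filter-table ruleset in iptables-restore format.
openvpn_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback, plus replies to connections this host itself initiated.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Encrypted OpenVPN packets terminate on this host, so they are INPUT traffic
# on the Ethernet interface. The encrypted replies leave via OUTPUT (policy ACCEPT).
-A INPUT -i ${WAN_IF} -p ${VPN_PROTO} --dport ${VPN_PORT} -j ACCEPT
# Return traffic for flows already admitted through the tunnel.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Plaintext traffic crossing between the tun devices and the LAN is FORWARD
# traffic. tun+ matches every tun interface. Here only RDP is allowed in.
-A FORWARD -i tun+ -o ${WAN_IF} -d ${LAN_NET} -p tcp --dport 3389 -j ACCEPT
# Anything else from the tunnel is logged (rate limited) and then hits the
# FORWARD DROP policy.
-A FORWARD -i tun+ -m limit --limit 5/min -j LOG --log-prefix "vpn-fwd-drop: "
COMMIT
EOF
}

# Number of generated rule lines matching a pattern (used for checking).
rule_count() {
    openvpn_ruleset | grep -c -- "$1"
}

case "${1:-}" in
    --apply)
        # -t parses and builds the ruleset without committing it; only apply
        # if that succeeds, so a typo cannot leave the firewall half loaded.
        openvpn_ruleset | iptables-restore -t && openvpn_ruleset | iptables-restore
        ;;
    *)
        openvpn_ruleset
        ;;
esac
```

Run it without arguments to review the ruleset, or with --apply as root to load it. Two checks worth making before trusting it: FORWARD rules do nothing unless net.ipv4.ip_forward is 1, and the hosts in the LAN range must have a route back to the VPN client subnet (or you must NAT the tunnel traffic), otherwise the ESTABLISHED,RELATED rule never sees any replies.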