Gentoo Forums :: Networking & Security
openvpn & iptables prob...
lo-jay
l33t


Joined: 27 Feb 2005
Posts: 862

Posted: Sat Jan 04, 2014 10:14 pm    Post subject: openvpn & iptables prob...

can rarely build up a vpn-connection lately.
am behind a tomato router with upnp enabled, so i doubt that that's the problem.
my iptables look like this:

Code:
#!/bin/bash

# vars
IPT=/sbin/iptables

# Flush old rules, old custom tables
echo " * flushing old rules"
$IPT --flush
$IPT --delete-chain

# Set default policies for all three default chains
echo " * setting default policies"
$IPT -P INPUT DROP

#$IPT -A FORWARD -o tun0 -j ACCEPT

$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT

# Enable free use of loopback interfaces
echo " * allowing loopback devices"
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

# All TCP sessions should begin with SYN
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# Allow established and related packets
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Open the following ports
echo " * allowing ssh on port 22"
$IPT -A INPUT -p tcp --dport 22  -m state --state NEW -j ACCEPT

echo " * allowing dns on port 53"
$IPT -A INPUT -p udp -m udp --dport 53 -j ACCEPT

echo " * allowing http on port 80"
$IPT -A INPUT -p tcp --dport 80  -m state --state NEW -j ACCEPT

echo " * allowing https on port 443"
$IPT -A INPUT -p udp --dport 443 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p udp --dport 443 -m state --state NEW -j ACCEPT

echo " * allowing udp on port 1194"
$IPT -A INPUT -p udp --dport 1194 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p udp --dport 1194 -m state --state NEW -j ACCEPT


echo " * allowing udp on port 10010"
$IPT -A INPUT -p udp --dport 10010 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p udp --dport 10010 -m state --state NEW -j ACCEPT

echo " * allowing udp on port 10020"
$IPT -A INPUT -p udp --dport 10020 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p udp --dport 10020 -m state --state NEW -j ACCEPT

#echo " * allowing tun"
#$IPT -A INPUT -i tun+ -j ACCEPT
#$IPT -A OUTPUT -o tun+ -j ACCEPT
#$IPT -A FORWARD -i tun+ -j ACCEPT

echo " * allowing ping responses"
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT

# DROP everything else and Log it
$IPT -A INPUT -j LOG
$IPT -A INPUT -j DROP

#
# Save settings
#
echo " * saving settings"
/etc/init.d/iptables save



a typical error would look like this:

Code:
openvpn openvpn.conf
Sat Jan  4 23:02:22 2014 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [eurephia] [MH] [IPv6] built on Oct 21 2013
Enter Auth Username:xxx
Enter Auth Password:
Sat Jan  4 23:02:31 2014 UDPv4 link local: [undef]
Sat Jan  4 23:02:31 2014 UDPv4 link remote: [AF_INET]xxx:10020
Sat Jan  4 23:02:31 2014 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sat Jan  4 23:02:40 2014 [server] Peer Connection Initiated with [AF_INET]xxx:10020
Sat Jan  4 23:02:42 2014 TUN/TAP device tun0 opened
SIOCADDRT: Network is unreachable
Sat Jan  4 23:02:42 2014 ERROR: Linux route add command failed: external program exited with error status: 7
SIOCADDRT: Network is unreachable
Sat Jan  4 23:02:42 2014 ERROR: Linux route add command failed: external program exited with error status: 7
Sat Jan  4 23:02:42 2014 Initialization Sequence Completed
^CSat Jan  4 23:08:09 2014 event_wait : Interrupted system call (code=4)
SIOCDELRT: No such process
Sat Jan  4 23:08:09 2014 ERROR: Linux route delete command failed: external program exited with error status: 7
SIOCDELRT: No such process
Sat Jan  4 23:08:09 2014 ERROR: Linux route delete command failed: external program exited with error status: 7
Sat Jan  4 23:08:09 2014 SIGINT[hard,] received, process exiting


where should i look?

Cheers!
_________________
lo-jay

The mechanic "One of 'em Dodge Chargers - let him go by."
The driver "Not today!"

taken from "Two Lane Blacktop"
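A defender's way to triage a log like the one above, as an added example that is not part of the original post: the "Initialization Sequence Completed" line is printed even when the route additions failed, so a check that only greps for it will report a working tunnel that has no routes. The script below classifies an OpenVPN client log into "no tunnel", "tunnel up but routes missing" and "ok", and surfaces the kernel text from the SIOCADDRT line. The log text inside it is constructed to mirror the posted one (the remote address is a documentation placeholder), and ovpn_log_summary is my own helper name.

```shell
#!/bin/sh
# Added example, not from the thread: triage an OpenVPN client log.
# SAMPLE_LOG is constructed to mirror the posted log; the remote address is a
# documentation placeholder (203.0.113.10), not a real endpoint.
SAMPLE_LOG='Sat Jan  4 23:02:31 2014 UDPv4 link remote: [AF_INET]203.0.113.10:10020
Sat Jan  4 23:02:40 2014 [server] Peer Connection Initiated with [AF_INET]203.0.113.10:10020
Sat Jan  4 23:02:42 2014 TUN/TAP device tun0 opened
SIOCADDRT: Network is unreachable
Sat Jan  4 23:02:42 2014 ERROR: Linux route add command failed: external program exited with error status: 7
SIOCADDRT: Network is unreachable
Sat Jan  4 23:02:42 2014 ERROR: Linux route add command failed: external program exited with error status: 7
Sat Jan  4 23:02:42 2014 Initialization Sequence Completed'

# ovpn_log_summary: reads a client log on stdin and prints
#   tun=<dev> completed=<yes|no> route_add_failed=<n> [kernel="<SIOCADDRT text>"]
#   verdict=<ok|tunnel-up-routes-missing|no-tunnel>
# Exit status: 0 usable, 2 tunnel up but routes missing, 1 no tunnel device.
ovpn_log_summary() {
    awk '
    /TUN\/TAP device .* opened/         { tun = $(NF - 1) }   # word before "opened"
    /Initialization Sequence Completed/ { completed = "yes" }
    /^SIOCADDRT: /                      { sub(/^SIOCADDRT: /, ""); kernel = $0 }
    /route add command failed/          { failed++ }
    END {
        if (tun == "") { print "verdict=no-tunnel"; exit 1 }
        printf "tun=%s completed=%s route_add_failed=%d", tun, (completed ? completed : "no"), failed
        if (failed > 0) {
            printf " kernel=\"%s\"\n", kernel
            print "verdict=tunnel-up-routes-missing"
            exit 2
        }
        print ""
        print "verdict=ok"
    }'
}

# Demo run; "|| echo" keeps the non-zero status visible without aborting.
printf '%s\n' "$SAMPLE_LOG" | ovpn_log_summary || echo "exit status: $?"
```

"Network is unreachable" from SIOCADDRT is the kernel refusing a route whose gateway is not on a directly connected network at that moment, so after a "tunnel-up-routes-missing" verdict the places to look are `ip addr show tun0` (did the device get an address) and `ip route` (is the gateway OpenVPN tried to use reachable). At verb 1 the log omits the ifconfig/route commands OpenVPN actually ran; verb 4 shows them.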
AngelKnight
Tux's lil' helper


Joined: 14 Jan 2003
Posts: 127

Posted: Sat Jan 11, 2014 2:47 pm

We could use a look at your openvpn config to figure out what (if anything) you're doing to pin the local-side UDP socket to a specific port.

(By the way, https is typically a TCP protocol but your script opens it for udp/443, which might not be what you want.)
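The udp/443 point above is the kind of thing a static check of the firewall script catches before it is loaded. As an added example (not code from the thread), the script below reads a file of iptables commands and reports two things: a UDP rule for a port whose well-known service is TCP-only, and OUTPUT rules that cannot have any effect because the OUTPUT policy is already ACCEPT and nothing in that chain drops. The rule set inside is constructed after the shape of the posted script; audit_iptables_script is my own helper name, and the TCP-only port list is a parameter because udp/443 is legitimate where HTTP/3 (QUIC) is in use.

```shell
#!/bin/sh
# Added example, not from the thread: static audit of an iptables script.
# SAMPLE_RULES is constructed after the posted script (commented rule kept
# to show that comments are skipped).
SAMPLE_RULES='IPT=/sbin/iptables
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -A INPUT -p tcp --dport 22  -m state --state NEW -j ACCEPT
$IPT -A INPUT -p udp -m udp --dport 53 -j ACCEPT
$IPT -A INPUT -p tcp --dport 80  -m state --state NEW -j ACCEPT
$IPT -A INPUT -p udp --dport 443 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p udp --dport 443 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p udp --dport 1194 -m state --state NEW -j ACCEPT
#$IPT -A INPUT -i tun+ -j ACCEPT
$IPT -A INPUT -j LOG
$IPT -A INPUT -j DROP'

# audit_iptables_script: reads the script on stdin; $1 = space-separated ports
# whose well-known service is TCP-only (default "22 80 443").
# Prints one finding per line, nothing when the script is clean.
audit_iptables_script() {
    awk -v tcp_only="${1:-22 80 443}" '
    BEGIN { n = split(tcp_only, a, " "); for (i = 1; i <= n; i++) is_tcp[a[i]] = 1 }
    /^[[:space:]]*#/ { next }                                   # commented-out rule
    /-P[[:space:]]+OUTPUT[[:space:]]+ACCEPT/ { out_accept = 1 }
    /-A[[:space:]]+OUTPUT/ && /-j[[:space:]]+(DROP|REJECT)/ { out_drops = 1 }
    /-A[[:space:]]+(INPUT|OUTPUT)/ {
        chain = ""; proto = ""; port = ""
        for (i = 1; i < NF; i++) {                              # walk the argv-style tokens
            if ($i == "-A")           chain = $(i + 1)
            else if ($i == "-p")      proto = tolower($(i + 1))
            else if ($i == "--dport") port  = $(i + 1)
        }
        if (proto == "udp" && (port in is_tcp))
            printf "MISMATCH: %s opens udp/%s but that service runs over TCP\n", chain, port
        if (chain == "OUTPUT" && port != "") out_ports = out_ports " " port
    }
    END {
        if (out_accept && !out_drops && out_ports != "")
            printf "REDUNDANT: OUTPUT policy is ACCEPT and nothing in OUTPUT drops, so the dport rules for%s are no-ops\n", out_ports
    }'
}

printf '%s\n' "$SAMPLE_RULES" | audit_iptables_script "22 80 443"
```

Run it against the real script with `audit_iptables_script < /path/to/firewall.sh`; the parser only understands one rule per line with `-A`, `-p` and `--dport` as separate tokens, which is how the posted script is written.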
lo-jay
l33t


Joined: 27 Feb 2005
Posts: 862

Posted: Sat Jan 11, 2014 2:55 pm

here you go:

Code:
float
client
dev tun
proto udp
nobind
#redirect-gateway def1
; CERT
ca /etc/openvpn/keys/ca.crt
ns-cert-type server
cipher BF-CBC

; HOST
remote-random
remote xxx 10010
remote xxx 10020
remote xxx 1194

resolv-retry infinite

; AUTH
auth-user-pass
persist-key
persist-tun

comp-lzo
verb 1



cheers!
_________________
lo-jay

The mechanic "One of 'em Dodge Chargers - let him go by."
The driver "Not today!"

taken from "Two Lane Blacktop"
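Reading the config against the firewall script, as an added example that is not part of the thread: with `nobind` the client sends from an ephemeral port and never listens, so the server's replies arrive at that ephemeral port and are accepted by the ESTABLISHED rule, while the INPUT rules for 1194, 10010 and 10020 can never match on a pure client. The script below reports how the config binds locally, which remote ports it uses, and flags two settings a reviewer would raise in any case. The config inside is constructed after the posted one (hostname replaced by a placeholder); ovpn_conf_report is my own helper name.

```shell
#!/bin/sh
# Added example, not from the thread: summarise an OpenVPN client config.
# SAMPLE_CONF is constructed after the posted config; vpn.example.net is a
# placeholder hostname.
SAMPLE_CONF='float
client
dev tun
proto udp
nobind
#redirect-gateway def1
; CERT
ca /etc/openvpn/keys/ca.crt
ns-cert-type server
cipher BF-CBC
; HOST
remote-random
remote vpn.example.net 10010
remote vpn.example.net 10020
remote vpn.example.net 1194
resolv-retry infinite
auth-user-pass
persist-key
persist-tun
comp-lzo
verb 1'

# ovpn_conf_report: reads a client config on stdin and prints
#   proto=..., local_port=..., remote_ports=..., then NOTE/WARN/HINT lines.
ovpn_conf_report() {
    awk '
    /^[[:space:]]*[#;]/   { next }                 # OpenVPN accepts "#" and ";" comments
    $1 == "proto"         { proto  = $2 }
    $1 == "nobind"        { nobind = 1 }
    $1 == "lport"         { lport  = $2 }
    $1 == "remote"        { ports  = ports " " (NF >= 3 ? $3 : 1194) }   # port defaults to 1194
    $1 == "cipher"        { cipher = $2 }
    $1 == "ns-cert-type"  { nscert = 1 }
    $1 == "verb"          { verb   = $2 }
    END {
        if (verb == "") verb = 1                   # OpenVPN default verbosity
        printf "proto=%s\n", (proto != "" ? proto : "udp")
        if (lport != "")  printf "local_port=%s (lport)\n", lport
        else if (nobind)  print  "local_port=ephemeral (nobind)"
        else              print  "local_port=1194 (default bind)"
        printf "remote_ports=%s\n", substr(ports, 2)
        if (nobind)
            print "NOTE: nobind means the client never listens; INPUT rules for the remote ports cannot match, replies are ESTABLISHED"
        if (cipher == "BF-CBC")
            print "WARN: BF-CBC is a 64-bit block cipher (SWEET32); move to an AES cipher, changed on both ends since 2.3 has no negotiation"
        if (nscert)
            print "WARN: ns-cert-type is deprecated; use remote-cert-tls server"
        if (verb + 0 < 3)
            print "HINT: verb " verb " hides the ifconfig/route commands OpenVPN runs; use verb 4 to diagnose route add failures"
    }'
}

printf '%s\n' "$SAMPLE_CONF" | ovpn_conf_report
```

The NOTE line is the firewall-relevant finding: on this client the ESTABLISHED,RELATED rule is what lets the VPN traffic in, so the port-specific INPUT rules are not where a blocked connection would come from.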