lo-jay (l33t) | Joined: 27 Feb 2005 | Posts: 862
Posted: Sat Jan 04, 2014 10:14 pm    Post subject: openvpn & iptables prob...
I can rarely build up a VPN connection lately.
I'm behind a Tomato router with UPnP enabled, so I doubt that that's the problem.
My iptables rules look like this:
Code:
#!/bin/bash
# vars
IPT=/sbin/iptables
# Flush old rules, old custom tables
echo " * flushing old rules"
$IPT --flush
$IPT --delete-chain
# Set default policies for all three default chains
echo " * setting default policies"
$IPT -P INPUT DROP
#$IPT -A FORWARD -o tun0 -j ACCEPT
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
# Enable free use of loopback interfaces
echo " * allowing loopback devices"
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
# All TCP sessions should begin with SYN
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# Allow established and related packets
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Open the following ports
echo " * allowing ssh on port 22"
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
echo " * allowing dns on port 53"
$IPT -A INPUT -p udp -m udp --dport 53 -j ACCEPT
echo " * allowing http on port 80"
$IPT -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
echo " * allowing https on port 443"
$IPT -A INPUT -p udp --dport 443 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p udp --dport 443 -m state --state NEW -j ACCEPT
echo " * allowing udp on port 1194"
$IPT -A INPUT -p udp --dport 1194 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p udp --dport 1194 -m state --state NEW -j ACCEPT
echo " * allowing udp on port 10010"
$IPT -A INPUT -p udp --dport 10010 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p udp --dport 10010 -m state --state NEW -j ACCEPT
echo " * allowing udp on port 10020"
$IPT -A INPUT -p udp --dport 10020 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p udp --dport 10020 -m state --state NEW -j ACCEPT
#echo " * allowing tun"
#$IPT -A INPUT -i tun+ -j ACCEPT
#$IPT -A OUTPUT -o tun+ -j ACCEPT
#$IPT -A FORWARD -i tun+ -j ACCEPT
echo " * allowing ping responses"
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
# DROP everything else and Log it
$IPT -A INPUT -j LOG
$IPT -A INPUT -j DROP
#
# Save settings
#
echo " * saving settings"
/etc/init.d/iptables save

A typical error looks like this:
Code:
openvpn openvpn.conf
Sat Jan 4 23:02:22 2014 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [eurephia] [MH] [IPv6] built on Oct 21 2013
Enter Auth Username:xxx
Enter Auth Password:
Sat Jan 4 23:02:31 2014 UDPv4 link local: [undef]
Sat Jan 4 23:02:31 2014 UDPv4 link remote: [AF_INET]xxx:10020
Sat Jan 4 23:02:31 2014 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sat Jan 4 23:02:40 2014 [server] Peer Connection Initiated with [AF_INET]xxx:10020
Sat Jan 4 23:02:42 2014 TUN/TAP device tun0 opened
SIOCADDRT: Network is unreachable
Sat Jan 4 23:02:42 2014 ERROR: Linux route add command failed: external program exited with error status: 7
SIOCADDRT: Network is unreachable
Sat Jan 4 23:02:42 2014 ERROR: Linux route add command failed: external program exited with error status: 7
Sat Jan 4 23:02:42 2014 Initialization Sequence Completed
^CSat Jan 4 23:08:09 2014 event_wait : Interrupted system call (code=4)
SIOCDELRT: No such process
Sat Jan 4 23:08:09 2014 ERROR: Linux route delete command failed: external program exited with error status: 7
SIOCDELRT: No such process
Sat Jan 4 23:08:09 2014 ERROR: Linux route delete command failed: external program exited with error status: 7
Sat Jan 4 23:08:09 2014 SIGINT[hard,] received, process exiting

Where should I look?
Cheers!
lo-jay
The mechanic: "One of 'em Dodge Chargers - let him go by."
The driver: "Not today!"
taken from "Two Lane Blacktop"
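The two `SIOCADDRT: Network is unreachable` lines above come from `route add`, which OpenVPN runs for the routes the server pushes (the client config posted further down has no `route` lines and `redirect-gateway` commented out). The kernel returns that error when the gateway of the route being added is not on any directly connected network; the packet filter plays no part in it. The Python below is an added example, not code from the thread, that models that on-link check offline with constructed addresses (`10.8.0.x`, `192.168.1.x`) and counts the route failures in a log excerpt; a practitioner would feed it the real `ip addr` output and the route commands that a `verb 3` or higher log prints.

```python
"""Added example (not from the thread): what "SIOCADDRT: Network is
unreachable" means when OpenVPN runs `route add` after opening tun0.

The kernel answers ENETUNREACH when the gateway of the route being added is
not on-link, i.e. no directly connected interface subnet (topology subnet)
or point-to-point peer (topology net30, `ifconfig <local> <peer>`) covers
the gateway address.  All addresses below are constructed for illustration.
"""
import ipaddress
import re


def onlink_networks(interfaces):
    """Destinations reachable without a gateway (directly connected).

    Each interface dict carries either "cidr" (subnet) or "peer" (p-t-p)."""
    nets = []
    for iface in interfaces:
        if "peer" in iface:
            nets.append(ipaddress.ip_network(iface["peer"] + "/32"))
        else:
            nets.append(ipaddress.ip_network(iface["cidr"], strict=False))
    return nets


def gateway_is_onlink(gateway, interfaces):
    gw = ipaddress.ip_address(gateway)
    return any(gw in net for net in onlink_networks(interfaces))


def unreachable_routes(interfaces, routes):
    """Routes that `route add` would refuse with 'Network is unreachable'."""
    return [r for r in routes if not gateway_is_onlink(r["via"], interfaces)]


ROUTE_ERR = re.compile(r"ERROR: Linux route (add|delete) command failed")


def route_failures(log_text):
    """Count OpenVPN route add/delete failures in a client log excerpt."""
    counts = {"add": 0, "delete": 0}
    for line in log_text.splitlines():
        m = ROUTE_ERR.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


# Constructed scenario 1: net30-style tun0 whose peer is 10.8.0.5, plus a
# LAN interface.  The first route's gateway is the tun peer (on-link); the
# second points at 10.8.0.1, which no interface covers -> ENETUNREACH.
NET30_IFACES = [
    {"dev": "tun0", "local": "10.8.0.6", "peer": "10.8.0.5"},
    {"dev": "eth0", "cidr": "192.168.1.10/24"},
]
# Constructed scenario 2: same box, tun0 configured with a /24 (topology
# subnet), so 10.8.0.1 is now on-link and both routes install.
SUBNET_IFACES = [
    {"dev": "tun0", "cidr": "10.8.0.6/24"},
    {"dev": "eth0", "cidr": "192.168.1.10/24"},
]
ROUTES = [
    {"dst": "10.8.0.0/24", "via": "10.8.0.5"},
    {"dst": "10.9.0.0/24", "via": "10.8.0.1"},
]

if __name__ == "__main__":
    for name, ifaces in (("net30", NET30_IFACES), ("subnet", SUBNET_IFACES)):
        bad = unreachable_routes(ifaces, ROUTES)
        print(f"{name}: {len(bad)} route(s) would fail:", [r["dst"] for r in bad])
```

Compare the gateway in the failing `route add` line with the addresses OpenVPN assigned to tun0 (`ip addr show tun0`); if the gateway is outside the tun subnet or is not the point-to-point peer, the server is pushing routes for a topology the client did not get.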
AngelKnight (Tux's lil' helper) | Joined: 14 Jan 2003 | Posts: 127
Posted: Sat Jan 11, 2014 2:47 pm
We could use a look at your openvpn config to figure out what (if anything) you're doing to pin the local-side UDP socket to a specific port.
(By the way, https is typically a TCP protocol but your script opens it for udp/443, which might not be what you want.)
lo-jay (l33t) | Joined: 27 Feb 2005 | Posts: 862
Posted: Sat Jan 11, 2014 2:55 pm
Here you go:
Code:
float
client
dev tun
proto udp
nobind
#redirect-gateway def1
; CERT
ca /etc/openvpn/keys/ca.crt
ns-cert-type server
cipher BF-CBC
; HOST
remote-random
remote xxx 10010
remote xxx 10020
remote xxx 1194
resolv-retry infinite
; AUTH
auth-user-pass
persist-key
persist-tun
comp-lzo
verb 1

Cheers!
lo-jay
The mechanic: "One of 'em Dodge Chargers - let him go by."
The driver: "Not today!"
taken from "Two Lane Blacktop"
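AngelKnight asked whether anything pins the client's local UDP port; the config answers it with `nobind`. The Python below is an added example, not code from the thread, that parses the posted client config and the posted iptables script (excerpts copied inline) and reports, per remote, whether the packet filter lets the handshake out and the replies back in. It relies on two OpenVPN facts: with `nobind` the kernel allocates an ephemeral local port, and without it OpenVPN binds `lport`, which defaults to 1194. The function names and the report layout are this example's own.

```python
"""Added example (not from the thread): cross-check the posted OpenVPN client
config against the posted iptables script for the rules that matter to the
client's UDP socket.

With `nobind` the kernel picks an ephemeral local port, so an INPUT
`--dport` rule cannot be what admits the server's replies; they match the
ESTABLISHED rule via conntrack.  Without `nobind` OpenVPN binds `lport`
(default 1194).  The two texts below are excerpts copied from the posts.
"""
import shlex

OVPN_CONF = """\
float
client
dev tun
proto udp
nobind
#redirect-gateway def1
; HOST
remote-random
remote xxx 10010
remote xxx 10020
remote xxx 1194
"""

IPT_SCRIPT = """\
#!/bin/bash
IPT=/sbin/iptables
$IPT --flush
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p udp --dport 443 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p udp --dport 1194 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p udp --dport 1194 -m state --state NEW -j ACCEPT
$IPT -A INPUT -j DROP
"""


def parse_openvpn_client(text):
    """Return the local bind decision and the (host, port, proto) remotes."""
    proto, nobind, lport, remotes = "udp", False, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # OpenVPN comment lines
            continue
        key, *args = shlex.split(line)
        if key == "proto":
            proto = args[0]
        elif key == "nobind":
            nobind = True
        elif key == "lport":
            lport = int(args[0])
        elif key == "remote":
            port = int(args[1]) if len(args) > 1 else 1194
            rproto = args[2] if len(args) > 2 else proto
            remotes.append((args[0], port, rproto))
    local_port = None if nobind else (lport if lport is not None else 1194)
    return {"local_port": local_port, "remotes": remotes}


def _opt(args, flag):
    return args[args.index(flag) + 1] if flag in args else None


def parse_iptables_script(text):
    """Collect default policies and the ACCEPT rules a UDP client can hit."""
    policy, output_udp, input_udp, established = {}, set(), set(), False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cmd, *args = shlex.split(line)
        if cmd not in ("$IPT", "iptables") and not cmd.endswith("/iptables"):
            continue                          # echo, save, variable lines
        if _opt(args, "-P"):
            policy[_opt(args, "-P")] = args[args.index("-P") + 2]
            continue
        chain, target = _opt(args, "-A"), _opt(args, "-j")
        if chain is None or target != "ACCEPT":
            continue
        proto = (_opt(args, "-p") or "").lower()
        dport = _opt(args, "--dport")
        states = (_opt(args, "--state") or "").split(",")
        if chain == "OUTPUT" and proto == "udp" and dport:
            output_udp.add(int(dport))
        if chain == "INPUT" and proto == "udp" and dport:
            input_udp.add(int(dport))
        if chain == "INPUT" and "ESTABLISHED" in states and not dport:
            established = True
    return {"policy": policy, "output_udp": output_udp,
            "input_udp": input_udp, "input_established": established}


def check_client(ovpn, ipt):
    """Per remote: may the handshake leave, and may the replies return?"""
    out_by_policy = ipt["policy"].get("OUTPUT") == "ACCEPT"
    lport = ovpn["local_port"]
    # Replies come back to the local port; conntrack marks them ESTABLISHED,
    # and a --dport rule only helps if the client is actually bound to it.
    replies = ipt["input_established"] or (lport is not None and lport in ipt["input_udp"])
    report = [{"remote": f"{h}:{p}/{pr}",
               "outbound_allowed": out_by_policy or (pr == "udp" and p in ipt["output_udp"]),
               "replies_allowed": replies}
              for h, p, pr in ovpn["remotes"]]
    return {"local_port": lport, "remotes": report}


if __name__ == "__main__":
    print(check_client(parse_openvpn_client(OVPN_CONF), parse_iptables_script(IPT_SCRIPT)))
```

Run against the posted artifacts it reports an ephemeral local port, outbound allowed for all three remotes (the OUTPUT policy is ACCEPT) and replies allowed through the ESTABLISHED,RELATED rule, so the INPUT `--dport 1194/10010/10020` rules do nothing for a client. That agrees with the log: `Peer Connection Initiated` means the UDP handshake completed, and what fails afterwards is `route add`, which no iptables rule can cause.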