openvpn & iptables prob...

[lo-jay]

can rarely build up a vpn-connection lately.
am behind a tomato router with upnp enabled, so i doubt that that's the problem.
my iptables look like this:

Code: Select all

!/bin/bash

# vars
IPT=/sbin/iptables

# Flush old rules, old custom tables
echo " * flushing old rules"
$IPT --flush
$IPT --delete-chain

# Set default policies for all three default chains
echo " * setting default policies"
$IPT -P INPUT DROP

#$IPT -A FORWARD -o tun0 -j ACCEPT

$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT

# Enable free use of loopback interfaces
echo " * allowing loopback devices"
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

# All TCP sessions should begin with SYN
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# Allow established and related packets
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Open the following ports
echo " * allowing ssh on port 22"
$IPT -A INPUT -p tcp --dport 22  -m state --state NEW -j ACCEPT

echo " * allowing dns on port 53"
$IPT -A INPUT -p udp -m udp --dport 53 -j ACCEPT

echo " * allowing http on port 80"
$IPT -A INPUT -p tcp --dport 80  -m state --state NEW -j ACCEPT

echo " * allowing https on port 443"
$IPT -A INPUT -p udp --dport 443 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p udp --dport 443 -m state --state NEW -j ACCEPT

echo " * allowing udp on port 1194"
$IPT -A INPUT -p udp --dport 1194 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p udp --dport 1194 -m state --state NEW -j ACCEPT


echo " * allowing udp on port 10010"
$IPT -A INPUT -p udp --dport 10010 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p udp --dport 10010 -m state --state NEW -j ACCEPT

echo " * allowing udp on port 10020"
$IPT -A INPUT -p udp --dport 10020 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p udp --dport 10020 -m state --state NEW -j ACCEPT

#echo " * allowing tun"
#$IPT -A INPUT -i tun+ -j ACCEPT
#$IPT -A OUTPUT -o tun+ -j ACCEPT
#$IPT -A FORWARD -i tun+ -j ACCEPT

echo " * allowing ping responses"
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT

# DROP everything else and Log it
$IPT -A INPUT -j LOG
$IPT -A INPUT -j DROP

#
# Save settings
#
echo " * saving settings"
/etc/init.d/iptables save

a typical eror would look like this:

Code: Select all

openvpn openvpn.conf
Sat Jan  4 23:02:22 2014 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [eurephia] [MH] [IPv6] built on Oct 21 2013
Enter Auth Username:xxx
Enter Auth Password:
Sat Jan  4 23:02:31 2014 UDPv4 link local: [undef]
Sat Jan  4 23:02:31 2014 UDPv4 link remote: [AF_INET]xxx:10020
Sat Jan  4 23:02:31 2014 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sat Jan  4 23:02:40 2014 [server] Peer Connection Initiated with [AF_INET]xxx:10020
Sat Jan  4 23:02:42 2014 TUN/TAP device tun0 opened
SIOCADDRT: Network is unreachable
Sat Jan  4 23:02:42 2014 ERROR: Linux route add command failed: external program exited with error status: 7
SIOCADDRT: Network is unreachable
Sat Jan  4 23:02:42 2014 ERROR: Linux route add command failed: external program exited with error status: 7
Sat Jan  4 23:02:42 2014 Initialization Sequence Completed
^CSat Jan  4 23:08:09 2014 event_wait : Interrupted system call (code=4)
SIOCDELRT: No such process
Sat Jan  4 23:08:09 2014 ERROR: Linux route delete command failed: external program exited with error status: 7
SIOCDELRT: No such process
Sat Jan  4 23:08:09 2014 ERROR: Linux route delete command failed: external program exited with error status: 7
Sat Jan  4 23:08:09 2014 SIGINT[hard,] received, process exiting

where should i look?

Cheers!

[AngelKnight]

We could use a look at your openvpn config to figure out what (if anything) you're doing to pin the local-side UDP socket to a specific port.

(By the way, https is typically a TCP protocol but your script opens it for udp/443, which might not be what you want.)

[lo-jay]

here you go:

Code: Select all

float
client
dev tun
proto udp
nobind
#redirect-gateway def1
; CERT
ca /etc/openvpn/keys/ca.crt
ns-cert-type server
cipher BF-CBC

; HOST
remote-random
remote xxx 10010
remote xxx 10020
remote xxx 1194

resolv-retry infinite

; AUTH
auth-user-pass
persist-key
persist-tun

comp-lzo
verb 1

cheers!