Openvpn, Mullvad and iptables problem with connection
Hi, this is my first time posting here but I have been browsing for a while and at times I have been a little intimidated by the amount of knowledge. I have been using Slackware seriously for a month or so, after migrating from Debian, and have had no problems that a little bit of research and a lot of 'let's try that again' hasn't been able to solve, so I would welcome any suggestions and patience that could be offered. Thank you.
I have a subscription to Mullvad VPN and over this week have been trying to get it working on Slackware. Previously I had used the app on Debian with no problem. Initially I tried to butcher the NordVPN SlackBuild I found and I got the Mullvad app working but it didn't connect... obviously I put this down to my incompetence, so I tried another avenue and used networkmanager-openvpn. There was plenty of documentation on the Mullvad site and although it seemed to connect I was unable to browse. Again, I tried another method from the Slackware documentation, using openvpn directly with:
but again couldn't browse. I pinged google and got:
Quote:
$ ping www.google.com (216.58.210.36) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
Just playing around I decided to stop iptables to see what happened. When I pinged again it worked and I could browse. The iptables rules I am using are from alienbob's modification of Easy Firewall Generator for IPTables.
$ iptables -S
Code:
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-N bad_packets
-N bad_tcp_packets
-N icmp_packets
-N tcp_inbound
-N tcp_outbound
-N udp_inbound
-N udp_outbound
-A INPUT -i lo -j ACCEPT
-A INPUT -j bad_packets
-A INPUT -d 224.0.0.1/32 -j DROP
-A INPUT -i wlan0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i wlan0 -p tcp -j tcp_inbound
-A INPUT -i wlan0 -p udp -j udp_inbound
-A INPUT -i wlan0 -p icmp -j icmp_packets
-A INPUT -m pkttype --pkt-type broadcast -j DROP
-A INPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "INPUT packet died: "
-A OUTPUT -p icmp -m conntrack --ctstate INVALID -j DROP
-A OUTPUT -s 127.0.0.1/32 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o wlan0 -j ACCEPT
-A OUTPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "OUTPUT packet died: "
-A bad_packets -m conntrack --ctstate INVALID -j LOG --log-prefix "Invalid packet: "
-A bad_packets -m conntrack --ctstate INVALID -j DROP
-A bad_packets -p tcp -j bad_tcp_packets
-A bad_packets -j RETURN
-A bad_tcp_packets -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j LOG --log-prefix "New not syn: "
-A bad_tcp_packets -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A bad_tcp_packets -p tcp -j RETURN
-A icmp_packets -p icmp -f -j LOG --log-prefix "ICMP Fragment: "
-A icmp_packets -p icmp -f -j DROP
-A icmp_packets -p icmp -m icmp --icmp-type 8 -j DROP
-A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A icmp_packets -p icmp -j RETURN
-A tcp_inbound -p tcp -j RETURN
-A tcp_outbound -p tcp -j ACCEPT
-A udp_inbound -p udp -m udp --dport 137 -j DROP
-A udp_inbound -p udp -m udp --dport 138 -j DROP
-A udp_inbound -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A udp_inbound -p udp -j RETURN
-A udp_outbound -p udp -j ACCEPT
Something is obviously happening with the iptables rules blocking me with the VPN, but my knowledge of iptables starts and stops at knowing that there is such a thing as iptables. I appreciate I need to learn iptables myself but I am hoping someone could suggest something to get started.
Once again any patience would be hugely appreciated. Thank you... fyv3r.
A quick Google search indicates that Mullvad uses either OpenVPN or WireGuard. Both will create a Layer 3 interface through which all VPN traffic is routed.
Your firewall script contains references to two interfaces: loopback (lo) and wlan0. Outbound traffic going through any other interface will hit the DROP policy of the OUTPUT chain.
Find the name of the VPN interface by running ifconfig or ip link list before and after connecting to Mullvad. Then edit the firewall script to include the relevant interface.
And yes, I strongly recommend you get acquainted with iptables, as it's an incredibly powerful firewall tool.
Just to simplify a little bit the good advice Ser Olmy provided: once you have figured out the name of the VPN interface (it should be tun0), edit the firewall script you generated and duplicate all the wlan0 lines with the new interface, keeping the existing order.
Start with - example:
AlienBob's firewall is a "careful" one, a little complicated, creating custom chains and handling some things it shouldn't bother with.
If you're looking for a simpler one, "careless" and dropping all the unneeded traffic, allowing just what's relevant, then you could use/start with this one: https://www.linuxquestions.org/quest...ml#post6044000
P.S.
In any case, make sure you bring up the VPN before you launch the firewall, otherwise the VPN interface is not yet defined and the firewall rules won't apply.
An alternative would be to create a dummy VPN interface in /etc/rc.d/rc.inet2, just before launching rc.firewall, with the exact name as the one created by the VPN (again, should be tun0).
Example:
Code:
/usr/sbin/openvpn --mktun --dev tun0
Last edited by abga; 05-26-2020 at 12:30 AM.
Reason: P.S.
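One way to carry out the advice in the two replies above (Ser Olmy: the VPN interface must be named in the rules, or the OUTPUT DROP policy eats the traffic; abga: duplicate every wlan0 line for tun0, keeping the order), as an added example that is not code from either poster or from the firewall generator. It takes `iptables -S` style output as text; the interface names wlan0 (from the posted rules) and tun0 (the usual OpenVPN device) are assumptions, and the sample rules are a constructed subset of those posted.

```shell
#!/bin/sh
# Added example, not from the thread. Rewrites an `iptables -S` listing so
# that each rule naming the Wi-Fi interface is followed by a copy for the
# VPN interface, preserving rule order. Interface names are assumptions.
WIFI_IF="wlan0"
VPN_IF="tun0"

# Constructed sample: interface-specific lines taken from the posted rules.
SAMPLE_RULES='-P OUTPUT DROP
-A INPUT -i wlan0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i wlan0 -p tcp -j tcp_inbound
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o wlan0 -j ACCEPT'

# Print every rule; right after a rule that uses "-i wlan0" or "-o wlan0",
# print the same rule again with the interface swapped for tun0.
dup_iface_rules() {
    printf '%s\n' "$1" | awk -v wifi="$WIFI_IF" -v vpn="$VPN_IF" '
        { print }
        $0 ~ ("-[io] " wifi "( |$)") {
            line = $0
            gsub("-i " wifi, "-i " vpn, line)
            gsub("-o " wifi, "-o " vpn, line)
            print line
        }'
}

# Count the rules that name a given device as the in/out interface.
count_iface_rules() {
    printf '%s\n' "$1" | awk -v ifc="$2" \
        '$0 ~ ("-[io] " ifc "( |$)") { n++ } END { print n + 0 }'
}

# Sanity check: with "-P OUTPUT DROP" in place, outbound VPN traffic only
# flows if an explicit ACCEPT for the VPN device exists in OUTPUT.
has_vpn_output_accept() {
    printf '%s\n' "$1" | grep -q -E -- "^-A OUTPUT -o $VPN_IF .*-j ACCEPT$"
}

NEW_RULES=$(dup_iface_rules "$SAMPLE_RULES")
printf '%s\n' "$NEW_RULES"
```

Feed it the full `iptables -S` output (or the rule lines of rc.firewall) rather than the sample to get the complete duplicated set; as abga notes, tun0 must exist before the rules are loaded or `iptables` will still accept them but they will match nothing until the device appears.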
I'm sorry I hadn't replied before. Thank you both for your help. @abga Thank you for the link, I have been playing around with it and managed to get everything working.