OpenVPN/iptables fails
Hi
I have now for several days tried to install an OpenVPN server, but it fails. Below is some info.

Below is my default iptables:

    # Firewall configuration written by system-config-firewall
    # Manual customization of this file is not recommended.
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    COMMIT

After install of OpenVPN using this guide: http://vpsdatabase.com/knowledgebase...ayarticle&id=2

My iptables look like this:

    # Generated by iptables-save v1.4.7 on Tue Feb 18 16:06:47 2014
    *nat
    :PREROUTING ACCEPT [37:3170]
    :POSTROUTING ACCEPT [15:1075]
    :OUTPUT ACCEPT [15:1075]
    -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source my-ser.ver.ip
    COMMIT
    # Completed on Tue Feb 18 16:06:47 2014
    # Generated by iptables-save v1.4.7 on Tue Feb 18 16:06:47 2014
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [95:14310]
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -s 10.8.0.0/24 -j ACCEPT
    COMMIT
    # Completed on Tue Feb 18 16:06:47 2014

openvpn /etc/openvpn/server.conf

    Tue Feb 18 16:12:46 2014 OpenVPN 2.2.2 x86_64-unknown-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] built on Apr 5 2012
    Tue Feb 18 16:12:46 2014 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Tue Feb 18 16:12:46 2014 PLUGIN_INIT: POST /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so '[/usr/share/openvpn/plugin/lib/openvpn-auth-pam.so] [/etc/pam.d/login]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
    Tue Feb 18 16:12:46 2014 Diffie-Hellman initialized with 1024 bit key
    Tue Feb 18 16:12:46 2014 WARNING: POTENTIALLY DANGEROUS OPTION --client-cert-not-required may accept clients which do not present a certificate
    Tue Feb 18 16:12:46 2014 TLS-Auth MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Tue Feb 18 16:12:46 2014 Socket Buffers: R=[124928->131072] S=[124928->131072]
    Tue Feb 18 16:12:46 2014 TCP/UDP: Socket bind failed on local address 188.138.33.173:1194: Address already in use
    Tue Feb 18 16:12:46 2014 Exiting

When trying to connect from the client, I get this:

    Tue Feb 18 17:13:48 2014 OpenVPN 2.3.2 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [eurephia] [IPv6] built on Aug 22 2013
    Tue Feb 18 17:13:48 2014 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
    Tue Feb 18 17:13:48 2014 Need hold release from management interface, waiting...
    Tue Feb 18 17:13:49 2014 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
    Tue Feb 18 17:13:49 2014 MANAGEMENT: CMD 'state on'
    Tue Feb 18 17:13:49 2014 MANAGEMENT: CMD 'log all on'
    Tue Feb 18 17:13:49 2014 MANAGEMENT: CMD 'hold off'
    Tue Feb 18 17:13:49 2014 MANAGEMENT: CMD 'hold release'
    Tue Feb 18 17:13:57 2014 MANAGEMENT: CMD 'username "Auth" "pandapied"'
    Tue Feb 18 17:13:57 2014 MANAGEMENT: CMD 'password [...]'
    Tue Feb 18 17:13:57 2014 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Tue Feb 18 17:13:57 2014 Socket Buffers: R=[65536->65536] S=[65536->65536]
    Tue Feb 18 17:13:57 2014 UDPv4 link local: [undef]
    Tue Feb 18 17:13:57 2014 UDPv4 link remote: [AF_INET]188.138.33.173:1194
    Tue Feb 18 17:13:57 2014 MANAGEMENT: >STATE:1392740037,WAIT,,,

server.conf:

    [root@loft9105 pandapied]# cat /etc/openvpn/server.conf
    local my.ser.ver.ip #- change it with your server ip address
    port 1194
    proto udp
    dev tun
    tun-mtu 1500
    tun-mtu-extra 32
    mssfix 1450
    ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
    cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
    key /etc/openvpn/easy-rsa/2.0/keys/server.key
    dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
    plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login
    client-cert-not-required
    username-as-common-name
    server 10.8.0.0 255.255.255.0
    push "redirect-gateway def1"
    push "dhcp-option DNS 8.8.8.8"
    push "dhcp-option DNS 8.8.4.4"
    keepalive 5 30
    comp-lzo
    persist-key
    persist-tun
    status server-tcp.log
    verb 3

client.conf:

    [root@loft9105 pandapied]# cat /home/pandapied/pandapied.ovpn
    client
    dev tun
    proto udp
    remote my.ser.ver.ip 1194 #- your OPENVPN server ip and port
    resolv-retry infinite
    nobind
    tun-mtu 1500
    tun-mtu-extra 32
    mssfix 1450
    persist-key
    persist-tun
    ca ca.crt
    auth-user-pass
    comp-lzo
    verb 3

Bottom line: OpenVPN doesn't work. Any suggestions are welcome, because if I change the order of the lines in /etc/sysconfig/iptables, I can make the VPN work. But then ALL my ports seem to be open ????
If that is the iptables for the OpenVPN server, you'll need to add an accept on INPUT for udp 1194. Also, your FORWARD section is inverted: it rejects everything coming through the FORWARD ruleset.

It is currently:

    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -s 10.8.0.0/24 -j ACCEPT

It should be:

    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -s 10.8.0.0/24 -j ACCEPT
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
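To make the ordering point in the reply concrete, here is an added example (not from this thread, and not iptables itself): a small Python model of how an iptables chain is evaluated, first matching rule wins and the chain policy applies only when nothing matches. The FORWARD rules in both orders are the ones quoted in the reply, and the INPUT rules are the ones from the original post; the exact form of the UDP 1194 accept rule, the sample packets (documentation-range addresses), and the assumption that the chain policy is ACCEPT (as in the posted *filter table) are my own construction. Only the match options that appear on the page are understood by the parser.

```python
import ipaddress
import shlex

# FORWARD chain as quoted in the reply: the broken order and the corrected order.
BROKEN_FORWARD = """
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
"""
FIXED_FORWARD = """
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
"""
# INPUT chain from the original post (no rule for the OpenVPN port yet).
ORIGINAL_INPUT = """
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""
# My own spelling of the "accept on INPUT for udp 1194" the reply asks for (assumption).
OPENVPN_ACCEPT = "-A INPUT -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT"


def with_openvpn_accept(input_text):
    """Insert the OpenVPN accept rule BEFORE the final catch-all REJECT;
    appended after it, the new rule would never be reached."""
    lines = input_text.strip().splitlines()
    return "\n".join(lines[:-1] + [OPENVPN_ACCEPT, lines[-1]])


def parse_rules(text):
    """Parse '-A CHAIN ...' lines into (chain, matches, target) tuples."""
    rules = []
    for line in text.strip().splitlines():
        toks, chain, matches, target, i = shlex.split(line), None, {}, None, 0
        while i < len(toks):
            t, arg = toks[i], toks[i + 1]
            if t == "-A":
                chain = arg
            elif t == "-s":
                matches["src"] = ipaddress.ip_network(arg)
            elif t == "-p":
                matches["proto"] = arg
            elif t == "-i":
                matches["iface"] = arg
            elif t == "--state":
                matches["state"] = set(arg.split(","))
            elif t == "--dport":
                matches["dport"] = int(arg)
            elif t == "-j":
                target = arg
            elif t not in ("-m", "--reject-with"):  # module loads carry no match of their own
                raise ValueError(f"unsupported option {t!r} in: {line}")
            i += 2
        rules.append((chain, matches, target))
    return rules


def rule_matches(pkt, m):
    """True when every match criterion on the rule applies to the packet."""
    return (("src" not in m or ipaddress.ip_address(pkt["src"]) in m["src"])
            and ("proto" not in m or pkt["proto"] == m["proto"])
            and ("iface" not in m or pkt.get("iface") == m["iface"])
            and ("state" not in m or pkt["state"] in m["state"])
            and ("dport" not in m or pkt.get("dport") == m["dport"]))


def verdict(rules, chain, pkt, policy="ACCEPT"):
    """First matching rule in the chain decides; otherwise the chain policy."""
    for c, m, target in rules:
        if c == chain and rule_matches(pkt, m):
            return target
    return policy


# Constructed sample packets (RFC 5737 documentation addresses for the outside hosts).
PACKETS = {
    "vpn_client_out": {"src": "10.8.0.6", "proto": "tcp", "dport": 443, "state": "NEW", "iface": "tun0"},
    "reply_to_vpn": {"src": "203.0.113.80", "proto": "tcp", "dport": 51234, "state": "ESTABLISHED", "iface": "eth0"},
    "stranger": {"src": "198.51.100.7", "proto": "tcp", "dport": 25, "state": "NEW", "iface": "eth0"},
}
VPN_HANDSHAKE_IN = {"src": "192.0.2.20", "proto": "udp", "dport": 1194, "state": "NEW", "iface": "eth0"}


def forward_verdicts(rule_text):
    rules = parse_rules(rule_text)
    return {name: verdict(rules, "FORWARD", pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    print("broken FORWARD:", forward_verdicts(BROKEN_FORWARD))
    print("fixed FORWARD: ", forward_verdicts(FIXED_FORWARD))
    print("INPUT, original:", verdict(parse_rules(ORIGINAL_INPUT), "INPUT", VPN_HANDSHAKE_IN))
    print("INPUT, with 1194:", verdict(parse_rules(with_openvpn_accept(ORIGINAL_INPUT)), "INPUT", VPN_HANDSHAKE_IN))
```

With the REJECT first, every forwarded packet, including the VPN client's own traffic and the replies to it, hits the catch-all and is rejected; with it last, the VPN subnet and established flows pass while unrelated forwarding is still refused. The same rule applies to the INPUT fix: the UDP 1194 accept only works if it sits above the final REJECT.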
Awesome, that worked, and even better, I got a better understanding of the iptables rules... thanks a million estabroo