LinuxQuestions.org - [SOLVED] OpenVPN/iptables fails

Hi

I have now for several days tried to install an openvpn server, but it fails. Below are some info.

Below is my default iptables:

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

After install of OpenVPN using this guide:
http://vpsdatabase.com/knowledgebase...ayarticle&id=2

My iptables look like this:

# Generated by iptables-save v1.4.7 on Tue Feb 18 16:06:47 2014
*nat
:PREROUTING ACCEPT [37:3170]
:POSTROUTING ACCEPT [15:1075]
:OUTPUT ACCEPT [15:1075]
-A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source my-ser.ver.ip
COMMIT
# Completed on Tue Feb 18 16:06:47 2014
# Generated by iptables-save v1.4.7 on Tue Feb 18 16:06:47 2014
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [95:14310]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
COMMIT
# Completed on Tue Feb 18 16:06:47 2014

openvpn /etc/openvpn/server.conf
Tue Feb 18 16:12:46 2014 OpenVPN 2.2.2 x86_64-unknown-linux-gnu [SSL] [LZO2] [EP OLL] [PKCS11] [eurephia] built on Apr 5 2012
Tue Feb 18 16:12:46 2014 NOTE: OpenVPN 2.1 requires '--script-security 2' or hig her to call user-defined scripts or executables
Tue Feb 18 16:12:46 2014 PLUGIN_INIT: POST /usr/share/openvpn/plugin/lib/openvpn -auth-pam.so '[/usr/share/openvpn/plugin/lib/openvpn-auth-pam.so] [/etc/pam.d/lo gin]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
Tue Feb 18 16:12:46 2014 Diffie-Hellman initialized with 1024 bit key
Tue Feb 18 16:12:46 2014 WARNING: POTENTIALLY DANGEROUS OPTION --client-cert-not -required may accept clients which do not present a certificate
Tue Feb 18 16:12:46 2014 TLS-Auth MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Feb 18 16:12:46 2014 Socket Buffers: R=[124928->131072] S=[124928->131072]
Tue Feb 18 16:12:46 2014 TCP/UDP: Socket bind failed on local address 188.138.33 .173:1194: Address already in use
Tue Feb 18 16:12:46 2014 Exiting

When trying to connect from client, i get this:

Tue Feb 18 17:13:48 2014 OpenVPN 2.3.2 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [eurephia] [IPv6] built on Aug 22 2013
Tue Feb 18 17:13:48 2014 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Tue Feb 18 17:13:48 2014 Need hold release from management interface, waiting...
Tue Feb 18 17:13:49 2014 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Tue Feb 18 17:13:49 2014 MANAGEMENT: CMD 'state on'
Tue Feb 18 17:13:49 2014 MANAGEMENT: CMD 'log all on'
Tue Feb 18 17:13:49 2014 MANAGEMENT: CMD 'hold off'
Tue Feb 18 17:13:49 2014 MANAGEMENT: CMD 'hold release'
Tue Feb 18 17:13:57 2014 MANAGEMENT: CMD 'username "Auth" "pandapied"'
Tue Feb 18 17:13:57 2014 MANAGEMENT: CMD 'password [...]'
Tue Feb 18 17:13:57 2014 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Tue Feb 18 17:13:57 2014 Socket Buffers: R=[65536->65536] S=[65536->65536]
Tue Feb 18 17:13:57 2014 UDPv4 link local: [undef]
Tue Feb 18 17:13:57 2014 UDPv4 link remote: [AF_INET]188.138.33.173:1194
Tue Feb 18 17:13:57 2014 MANAGEMENT: >STATE:1392740037,WAIT,,,

server.conf:
[root@loft9105 pandapied]# cat /etc/openvpn/server.conf
local my.ser.ver.ip #- change it with your server ip address
port 1194
proto udp
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login
client-cert-not-required
username-as-common-name
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 5 30
comp-lzo
persist-key
persist-tun
status server-tcp.log
verb 3

client.conf:

[root@loft9105 pandapied]# cat /home/pandapied/pandapied.ovpn
client
dev tun
proto udp
remote my.ser.ver.ip 1194 #- your OPENVPN server ip and port
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ca ca.crt
auth-user-pass
comp-lzo
verb 3

Bottomline: OpenVPN dosen't work.
Any suggestions are welcome because if i change the order of the lines in /etc/sysconfig/iptables, i can make the vpn work. But then ALL my ports seems to be open ????