LinuxQuestions.org
Old 02-18-2014, 11:27 AM   #1
Pandapied
OpenVPN/iptables fails


Hi

I have now for several days tried to install an OpenVPN server, but it fails. Below is some info.

Below is my default iptables:

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

After install of OpenVPN using this guide:
http://vpsdatabase.com/knowledgebase...ayarticle&id=2

My iptables look like this:

# Generated by iptables-save v1.4.7 on Tue Feb 18 16:06:47 2014
*nat
:PREROUTING ACCEPT [37:3170]
:POSTROUTING ACCEPT [15:1075]
:OUTPUT ACCEPT [15:1075]
-A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source my-ser.ver.ip
COMMIT
# Completed on Tue Feb 18 16:06:47 2014
# Generated by iptables-save v1.4.7 on Tue Feb 18 16:06:47 2014
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [95:14310]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
COMMIT
# Completed on Tue Feb 18 16:06:47 2014
openvpn /etc/openvpn/server.conf
Tue Feb 18 16:12:46 2014 OpenVPN 2.2.2 x86_64-unknown-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] built on Apr 5 2012
Tue Feb 18 16:12:46 2014 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Feb 18 16:12:46 2014 PLUGIN_INIT: POST /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so '[/usr/share/openvpn/plugin/lib/openvpn-auth-pam.so] [/etc/pam.d/login]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
Tue Feb 18 16:12:46 2014 Diffie-Hellman initialized with 1024 bit key
Tue Feb 18 16:12:46 2014 WARNING: POTENTIALLY DANGEROUS OPTION --client-cert-not-required may accept clients which do not present a certificate
Tue Feb 18 16:12:46 2014 TLS-Auth MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Feb 18 16:12:46 2014 Socket Buffers: R=[124928->131072] S=[124928->131072]
Tue Feb 18 16:12:46 2014 TCP/UDP: Socket bind failed on local address 188.138.33.173:1194: Address already in use
Tue Feb 18 16:12:46 2014 Exiting

When trying to connect from the client, I get this:

Tue Feb 18 17:13:48 2014 OpenVPN 2.3.2 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [eurephia] [IPv6] built on Aug 22 2013
Tue Feb 18 17:13:48 2014 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Tue Feb 18 17:13:48 2014 Need hold release from management interface, waiting...
Tue Feb 18 17:13:49 2014 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Tue Feb 18 17:13:49 2014 MANAGEMENT: CMD 'state on'
Tue Feb 18 17:13:49 2014 MANAGEMENT: CMD 'log all on'
Tue Feb 18 17:13:49 2014 MANAGEMENT: CMD 'hold off'
Tue Feb 18 17:13:49 2014 MANAGEMENT: CMD 'hold release'
Tue Feb 18 17:13:57 2014 MANAGEMENT: CMD 'username "Auth" "pandapied"'
Tue Feb 18 17:13:57 2014 MANAGEMENT: CMD 'password [...]'
Tue Feb 18 17:13:57 2014 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Tue Feb 18 17:13:57 2014 Socket Buffers: R=[65536->65536] S=[65536->65536]
Tue Feb 18 17:13:57 2014 UDPv4 link local: [undef]
Tue Feb 18 17:13:57 2014 UDPv4 link remote: [AF_INET]188.138.33.173:1194
Tue Feb 18 17:13:57 2014 MANAGEMENT: >STATE:1392740037,WAIT,,,
server.conf:
[root@loft9105 pandapied]# cat /etc/openvpn/server.conf
local my.ser.ver.ip #- change it with your server ip address
port 1194
proto udp
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login
client-cert-not-required
username-as-common-name
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 5 30
comp-lzo
persist-key
persist-tun
status server-tcp.log
verb 3

client.conf:

[root@loft9105 pandapied]# cat /home/pandapied/pandapied.ovpn
client
dev tun
proto udp
remote my.ser.ver.ip 1194 #- your OPENVPN server ip and port
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ca ca.crt
auth-user-pass
comp-lzo
verb 3

Bottom line: OpenVPN doesn't work.
Any suggestions are welcome, because if I change the order of the lines in /etc/sysconfig/iptables I can make the VPN work. But then ALL my ports seem to be open????
 
Old 02-19-2014, 01:11 PM   #2
estabroo
If that is the iptables for the OpenVPN server, you'll need to add an accept on INPUT for udp 1194. Also, your FORWARD section is inverted; it rejects everything coming through the FORWARD ruleset.

It is currently:
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT

should be:
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
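A small first-match simulator, added here as an illustration and not part of the thread, that walks the FORWARD chain in both orders above and the INPUT chain with and without the UDP 1194 accept. The packets and the trimmed INPUT chain are constructed, and only the matching options that appear in the thread (-A, -i, -s, -p, --dport, --state, -j) are parsed.

```python
import ipaddress

OPTS = {"-A": "chain", "-i": "iface", "-s": "src", "-p": "proto", "--dport": "dport", "--state": "states", "-j": "target"}
CONV = {"src": ipaddress.ip_network, "states": lambda s: set(s.split(",")), "dport": int}

# Constructed: the OP's FORWARD chain (catch-all REJECT first) and estabroo's reordering (REJECT last).
FORWARD_POSTED = [
    "-A FORWARD -j REJECT --reject-with icmp-host-prohibited",
    "-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT",
    "-A FORWARD -s 10.8.0.0/24 -j ACCEPT",
]
FORWARD_FIXED = FORWARD_POSTED[1:] + FORWARD_POSTED[:1]

# Constructed: a trimmed copy of the OP's INPUT chain, plus the UDP 1194 accept estabroo asked for.
INPUT_POSTED = [
    "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT",
    "-A INPUT -i lo -j ACCEPT",
    "-A INPUT -j REJECT --reject-with icmp-host-prohibited",
]
VPN_RULE = "-A INPUT -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT"
INPUT_WITH_VPN = INPUT_POSTED[:-1] + [VPN_RULE] + INPUT_POSTED[-1:]  # inserted above the REJECT

# Constructed packets: a VPN client browsing, the reply coming back, and a client's first OpenVPN datagram.
CLIENT_WEB = {"iface": "tun0", "src": "10.8.0.6", "proto": "tcp", "dport": 80, "state": "NEW"}
WEB_REPLY = {"iface": "eth0", "src": "203.0.113.10", "proto": "tcp", "dport": 51000, "state": "ESTABLISHED"}
VPN_HANDSHAKE = {"iface": "eth0", "src": "198.51.100.7", "proto": "udp", "dport": 1194, "state": "NEW"}


def parse_rule(line):
    """Parse the iptables-save subset used in this thread; -m and --reject-with do not affect matching."""
    toks = line.split()
    rule = {}
    for flag, value in zip(toks, toks[1:]):  # each recognised flag is followed by its argument
        if flag in OPTS:
            rule[OPTS[flag]] = CONV.get(OPTS[flag], str)(value)
    return rule


def matches(rule, pkt):
    """A rule matches only if every criterion it carries holds; the bare REJECT carries none, so it matches everything."""
    return (("iface" not in rule or rule["iface"] == pkt["iface"])
            and ("src" not in rule or ipaddress.ip_address(pkt["src"]) in rule["src"])
            and ("proto" not in rule or rule["proto"] == pkt["proto"])
            and ("dport" not in rule or rule["dport"] == pkt.get("dport"))
            and ("states" not in rule or pkt["state"] in rule["states"]))


def verdict(chain_rules, pkt, policy="ACCEPT"):
    """First match wins: walk top to bottom and return the first matching target, else the chain policy."""
    for rule in map(parse_rule, chain_rules):
        if matches(rule, pkt):
            return rule["target"]
    return policy
```

With the REJECT first, both the client's outbound packet and the established reply are rejected before the ACCEPT rules are ever consulted; appending the UDP 1194 rule after the INPUT REJECT fails for the same reason, which is why the new rule has to go above it.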
 
Old 02-19-2014, 02:10 PM   #3
Pandapied
Awesome that worked and even better i got a better understanding of the iptables rules... thanks a million estabroo
 