OpenVPN not able to connect to public IP interface
Some careful observation when attempting to connect to the server should help you identify the issue. You may also want to ensure little/no other services are running to minimise other kinds of traffic hitting/leaving the server.
will I be able to save the results or will this be happening in real time?
On a semi-related note, how can I simplify my rules? Basically my setup is just a CentOS 7 box with 2 NICs (edge firewall) running squid and firewalld. Nothing special about it.
Quote:
will I be able to save the results or will this be happening in real time?
You can use the approach described in the link to save two (or more) captures and then use 'diff' to show the difference between the files.
Quote:
On a semi-related note, how can I simplify my rules? Basically my setup is just a CentOS 7 box with 2 NICs (edge firewall) running squid and firewalld. Nothing special about it.
I did hint at a minimal iptables config (refer to the post #14 link) which just shows what is needed to allow OpenVPN (single interface config), but I'm sure you could tweak that as necessary for your situation. Once you have a working iptables config, it's not hard to configure firewalld based on the required iptables rules.
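To do the before/after comparison suggested above, here is an added example (not code from the original post) that parses two saved 'iptables -nvL' snapshots and lists the rules whose packet counters moved between them. The snapshot text is constructed from the INPUT chain quoted later in the thread, with the 'after' copy advanced by a few packets.

```python
"""Diff per-rule counters between two 'iptables -nvL' snapshots.

Added example for this thread (not code from the original post): capture
'iptables -nvL' before and after one connection attempt and see which rules
actually matched. BEFORE/AFTER are constructed from the thread's INPUT chain.
"""
import re

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy")
# pkts and bytes may carry a K/M/G suffix when -x is not used
RULE_RE = re.compile(r"^\s*(\d+[KMG]?)\s+(\d+[KMG]?)\s+(\S+)\s+(.*)$")
SCALE = {"K": 1000, "M": 1000**2, "G": 1000**3}

def to_int(value):
    """'145K' -> 145000; for exact counts capture with 'iptables -nvxL'."""
    return int(value.rstrip("KMG")) * SCALE.get(value[-1], 1)

def parse_counters(text):
    """Map (chain, normalised rule text) -> (pkts, bytes)."""
    counters, chain = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            continue
        m = RULE_RE.match(line)
        if chain and m:
            pkts, nbytes, target, rest = m.groups()
            counters[(chain, " ".join((target + " " + rest).split()))] = (to_int(pkts), to_int(nbytes))
    return counters

def diff_counters(before, after):
    """Rules whose packet counter grew, with (packet delta, byte delta)."""
    grew = {}
    for key, (p1, b1) in after.items():
        p0, b0 = before.get(key, (0, 0))
        if p1 > p0:
            grew[key] = (p1 - p0, b1 - b0)
    return grew

BEFORE = """Chain INPUT (policy ACCEPT 1228 packets, 226K bytes)
 pkts bytes target prot opt in out source destination
   68  3856 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1194 /* Allow openvpn traffic */
  351 62722 DROP all -- enp4s0 * 0.0.0.0/0 0.0.0.0/0
"""
AFTER = BEFORE.replace("68  3856", "71  4026").replace("351 62722", "353 62900")

if __name__ == "__main__":
    for (chain, rule), (dp, db) in diff_counters(parse_counters(BEFORE), parse_counters(AFTER)).items():
        print(f"{chain}: +{dp} pkts, +{db} bytes  {rule}")
```

A rule that only grows in the DROP line at the bottom of INPUT, while the udp/1194 ACCEPT line stays flat, points at the wrong interface or port being matched; the reverse points past the firewall.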
Read the link again and yes, I did see it. I'll have to scrounge up another CPU and ask my ISP for another public IP address to test on. I can establish the VPN link inside the LAN but hitting the public IP is a whole different ballgame. I'll be back...
Hi all, I know it's been a while. Took our ISP more than a month to migrate our account to a corporate account which allowed more than one public IP address.
New settings as follows. I have migrated the firewall to iptables.
From the iptables output, the packets are hitting the interface and are being allowed to enter. But somehow something is getting messed up during authentication.
result of iptables -nvL (includes the nat table):
Chain INPUT (policy ACCEPT 1228 packets, 226K bytes)
pkts bytes target prot opt in out source destination
2259 145K ACCEPT tcp -- * * 192.168.20.0/24 0.0.0.0/0 tcp dpt:22 state NEW,ESTABLISHED /* Allow ssh */
0 0 ACCEPT icmp -- * * 192.168.20.0/24 0.0.0.0/0 icmptype 8 /* Allow pings from the inside */
0 0 ACCEPT icmp -- enp4s0 * 0.0.0.0/0 0.0.0.0/0 icmptype 0
0 0 ACCEPT tcp -- * * 192.168.20.0/24 0.0.0.0/0 tcp dpt:3128 state NEW,ESTABLISHED /* Allow Squid */
4 200 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 /* Allow everything from loopback */
0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0 /* Trust the tunnel interfaces */
68 3856 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1194 /* Allow openvpn traffic */
199 23276 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 DROP icmp -- enp4s0 * 0.0.0.0/0 0.0.0.0/0 icmptype 8 /* Drop pings from the outside */
351 62722 DROP all -- enp4s0 * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0
6 405 ACCEPT all -- * enp4s0 0.0.0.0/0 0.0.0.0/0 state NEW
12 1286 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
Chain OUTPUT (policy ACCEPT 80 packets, 4128 bytes)
pkts bytes target prot opt in out source destination
1598 322K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 state ESTABLISHED
0 0 ACCEPT icmp -- * enp4s0 0.0.0.0/0 0.0.0.0/0 icmptype 8
51 3665 ACCEPT all -- * enp4s0 0.0.0.0/0 0.0.0.0/0 state NEW
12 1570 ACCEPT all -- * tun+ 0.0.0.0/0 0.0.0.0/0
Chain PREROUTING (policy ACCEPT 1564 packets, 333K bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 578 packets, 138K bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 42 packets, 2810 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 12 packets, 636 bytes)
pkts bytes target prot opt in out source destination
36 2579 MASQUERADE all -- * enp4s0 0.0.0.0/0 0.0.0.0/0
server.conf file:
port 1194
float
proto udp
dev tun
ca server/keys/ca.crt
cert server/keys/server.crt
key server/keys/server.key
dh server/keys/dh4096.pem
topology subnet
server 10.9.0.0 255.255.255.0
push "route 192.168.20.0 255.255.255.0"
keepalive 10 120
cipher AES-256-CBC
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
ifconfig-pool-persist ipp.txt
verb 4
explicit-exit-notify 1
client.conf:
client
dev tun
proto udp
remote ... 1194
float
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
ca client/ca.crt
cert ...
key ...
cipher AES-256-CBC
comp-lzo
verb 4
openvpn.log snippet:
Wed Nov 11 12:55:35 2020 us=354766 210.4.125.138:38147 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-server'
Wed Nov 11 12:55:35 2020 us=354802 210.4.125.138:38147 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client'
Wed Nov 11 12:55:35 2020 us=354883 210.4.125.138:38147 TLS: Initial packet from [AF_INET]210.4.125.138:38147, sid=697de220 8ce4f40e
Wed Nov 11 12:55:35 2020 us=355031 210.4.125.138:38147 TLS Error: reading acknowledgement record from packet
Wed Nov 11 12:55:37 2020 us=671070 210.4.125.138:38147 TLS Error: reading acknowledgement record from packet
Wed Nov 11 12:55:41 2020 us=144338 210.4.125.138:38147 TLS Error: reading acknowledgement record from packet
Wed Nov 11 12:55:49 2020 us=148177 210.4.125.138:38147 TLS Error: reading acknowledgement record from packet
Wed Nov 11 12:56:05 2020 us=922602 210.4.125.138:38147 TLS Error: reading acknowledgement record from packet
Wed Nov 11 12:56:34 2020 us=641114 MULTI: multi_create_instance called
Wed Nov 11 12:56:34 2020 us=641301 192.168.20.151:59344 Re-using SSL/TLS context
Wed Nov 11 12:56:34 2020 us=641366 192.168.20.151:59344 LZO compression initializing
Wed Nov 11 12:56:34 2020 us=641483 192.168.20.151:59344 Control Channel MTU parms [ L:1622 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Wed Nov 11 12:56:34 2020 us=641528 192.168.20.151:59344 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Wed Nov 11 12:56:34 2020 us=641608 192.168.20.151:59344 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-server'
Wed Nov 11 12:56:34 2020 us=641645 192.168.20.151:59344 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client'
Wed Nov 11 12:56:34 2020 us=641755 192.168.20.151:59344 TLS: Initial packet from [AF_INET]192.168.20.151:59344, sid=77be5316 73e82d0a
Wed Nov 11 12:56:35 2020 us=867464 210.4.125.138:38147 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Nov 11 12:56:35 2020 us=867536 210.4.125.138:38147 TLS Error: TLS handshake failed
Wed Nov 11 12:56:35 2020 us=867652 210.4.125.138:38147 SIGUSR1[soft,tls-error] received, client-instance restarting
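As an added example (not code from the original post), the following script groups the verb 4 server log lines above by peer endpoint and separates peers that sent an initial packet but then failed the handshake from peers with no recorded failure. The sample log is constructed from the lines quoted in the post.

```python
"""Triage an OpenVPN server log by peer: which endpoints got as far as the
TLS handshake and which of them failed it.

Added example for this thread (not code from the original post). SAMPLE_LOG
is built from the verb 4 lines quoted above; each line has the shape
'<weekday> <month> <day> <time> <year> us=<usec> [<ip>:<port>] <message>'.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4} us=\d+ "
    r"(?:(?P<peer>\d{1,3}(?:\.\d{1,3}){3}:\d+) )?(?P<msg>.*)$"
)

def triage(log_text):
    """Return {peer: {'initial': bool, 'ack_errors': int, 'failed': bool}}."""
    peers = defaultdict(lambda: {"initial": False, "ack_errors": 0, "failed": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group("peer"):
            continue  # e.g. 'MULTI: multi_create_instance called' carries no peer
        state, msg = peers[m.group("peer")], m.group("msg")
        if msg.startswith("TLS: Initial packet"):
            state["initial"] = True
        elif msg.startswith("TLS Error: reading acknowledgement record"):
            state["ack_errors"] += 1
        elif msg.startswith("TLS Error: TLS handshake failed"):
            state["failed"] = True
    return dict(peers)

def stuck_peers(log_text):
    """Peers whose first packet was received but whose handshake still failed.
    Reaching this state shows the udp/1194 INPUT rule did let them in; what is
    missing is a usable control-channel exchange after that first packet."""
    return sorted(p for p, s in triage(log_text).items() if s["initial"] and s["failed"])

SAMPLE_LOG = """\
Wed Nov 11 12:55:35 2020 us=354883 210.4.125.138:38147 TLS: Initial packet from [AF_INET]210.4.125.138:38147, sid=697de220 8ce4f40e
Wed Nov 11 12:55:35 2020 us=355031 210.4.125.138:38147 TLS Error: reading acknowledgement record from packet
Wed Nov 11 12:55:37 2020 us=671070 210.4.125.138:38147 TLS Error: reading acknowledgement record from packet
Wed Nov 11 12:55:41 2020 us=144338 210.4.125.138:38147 TLS Error: reading acknowledgement record from packet
Wed Nov 11 12:55:49 2020 us=148177 210.4.125.138:38147 TLS Error: reading acknowledgement record from packet
Wed Nov 11 12:56:05 2020 us=922602 210.4.125.138:38147 TLS Error: reading acknowledgement record from packet
Wed Nov 11 12:56:34 2020 us=641114 MULTI: multi_create_instance called
Wed Nov 11 12:56:34 2020 us=641755 192.168.20.151:59344 TLS: Initial packet from [AF_INET]192.168.20.151:59344, sid=77be5316 73e82d0a
Wed Nov 11 12:56:35 2020 us=867464 210.4.125.138:38147 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Nov 11 12:56:35 2020 us=867536 210.4.125.138:38147 TLS Error: TLS handshake failed
"""
```

Run `triage(SAMPLE_LOG)` to get the per-peer summary; on the snippet above the public-IP peer shows five acknowledgement errors before the handshake failure, while the LAN peer records none.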
the key is indeed present but I don't reference it in the server and client config files (i.e. it's physically there but not part of the config files). Does it matter -- i.e. if I'm not using it for simplicity of the config should I just delete it?