Problem with OpenVPN

Hello,
I'm now using my own VPN on a VPS, but I have a problem with the setup. Everything works fine, but after I'm connected to the VPN I can't access my server anymore via its public IP. Only with the internal IP, like 10.8.0.1. I think it's some sort of NAT issue? I've been using Google for three hours, but I can't find the solution. Can anyone help? :)

Comments

  • Have you forwarded traffic using iptables?

  • drivex Member
    edited December 2016

    I used this script: https://github.com/Angristan/OpenVPN-install and activated UFW (forwarding changed to ACCEPT instead of DROP)

    The following iptables rules are present:

    -P INPUT DROP
    -P FORWARD ACCEPT
    -P OUTPUT ACCEPT
    -N f2b-sshd
    -N f2b-sshd-ddos
    -N ufw-after-forward
    -N ufw-after-input
    -N ufw-after-logging-forward
    -N ufw-after-logging-input
    -N ufw-after-logging-output
    -N ufw-after-output
    -N ufw-before-forward
    -N ufw-before-input
    -N ufw-before-logging-forward
    -N ufw-before-logging-input
    -N ufw-before-logging-output
    -N ufw-before-output
    -N ufw-logging-allow
    -N ufw-logging-deny
    -N ufw-not-local
    -N ufw-reject-forward
    -N ufw-reject-input
    -N ufw-reject-output
    -N ufw-skip-to-policy-forward
    -N ufw-skip-to-policy-input
    -N ufw-skip-to-policy-output
    -N ufw-track-forward
    -N ufw-track-input
    -N ufw-track-output
    -N ufw-user-forward
    -N ufw-user-input
    -N ufw-user-limit
    -N ufw-user-limit-accept
    -N ufw-user-logging-forward
    -N ufw-user-logging-input
    -N ufw-user-logging-output
    -N ufw-user-output
    -A INPUT -p udp -m udp --dport 1194 -j ACCEPT
    -A INPUT -p udp -m udp --dport 1194 -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 51684 -j f2b-sshd-ddos
    -A INPUT -p tcp -m multiport --dports 51684 -j f2b-sshd
    -A INPUT -j ufw-before-logging-input
    -A INPUT -j ufw-before-input
    -A INPUT -j ufw-after-input
    -A INPUT -j ufw-after-logging-input
    -A INPUT -j ufw-reject-input
    -A INPUT -j ufw-track-input
    -A FORWARD -s 10.8.0.0/24 -j ACCEPT
    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -s 10.8.0.0/24 -j ACCEPT
    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -j ufw-before-logging-forward
    -A FORWARD -j ufw-before-forward
    -A FORWARD -j ufw-after-forward
    -A FORWARD -j ufw-after-logging-forward
    -A FORWARD -j ufw-reject-forward
    -A FORWARD -j ufw-track-forward
    -A OUTPUT -j ufw-before-logging-output
    -A OUTPUT -j ufw-before-output
    -A OUTPUT -j ufw-after-output
    -A OUTPUT -j ufw-after-logging-output
    -A OUTPUT -j ufw-reject-output
    -A OUTPUT -j ufw-track-output
    -A f2b-sshd -j RETURN
    -A f2b-sshd-ddos -j RETURN
    -A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
    -A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
    -A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
    -A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
    -A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
    -A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
    -A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
    -A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
    -A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
    -A ufw-before-forward -p icmp -m icmp --icmp-type 4 -j ACCEPT
    -A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
    -A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
    -A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
    -A ufw-before-forward -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A ufw-before-forward -s 10.8.0.0/24 -j ACCEPT
    -A ufw-before-forward -i tun+ -j ACCEPT
    -A ufw-before-forward -i tap+ -j ACCEPT
    -A ufw-before-forward -j ufw-user-forward
    -A ufw-before-input -i lo -j ACCEPT
    -A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
    -A ufw-before-input -m conntrack --ctstate INVALID -j DROP
    -A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
    -A ufw-before-input -p icmp -m icmp --icmp-type 4 -j ACCEPT
    -A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
    -A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
    -A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
    -A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
    -A ufw-before-input -j ufw-not-local
    -A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
    -A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
    -A ufw-before-input -j ufw-user-input
    -A ufw-before-output -o lo -j ACCEPT
    -A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A ufw-before-output -j ufw-user-output
    -A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
    -A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
    -A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
    -A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
    -A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
    -A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
    -A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
    -A ufw-not-local -j DROP
    -A ufw-skip-to-policy-forward -j ACCEPT
    -A ufw-skip-to-policy-input -j DROP
    -A ufw-skip-to-policy-output -j ACCEPT
    -A ufw-track-forward -p tcp -m conntrack --ctstate NEW -j ACCEPT
    -A ufw-track-forward -p udp -m conntrack --ctstate NEW -j ACCEPT
    -A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
    -A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
    -A ufw-user-input -p tcp -m tcp --dport 51684 -j ACCEPT
    -A ufw-user-input -p udp -m udp --dport 1194 -j ACCEPT
    -A ufw-user-input -p tcp -m tcp --dport 9117 -j ACCEPT
    -A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
    -A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
    -A ufw-user-limit-accept -j ACCEPT

  • I disabled ufw as well (didn't work either), but now the iptables rules are a lot cleaner. So is anything missing?

    -P INPUT ACCEPT
    -P FORWARD ACCEPT
    -P OUTPUT ACCEPT
    -N f2b-sshd
    -N f2b-sshd-ddos
    -A INPUT -p udp -m udp --dport 1194 -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 51684 -j f2b-sshd-ddos
    -A INPUT -p tcp -m multiport --dports 51684 -j f2b-sshd
    -A FORWARD -s 10.8.0.0/24 -j ACCEPT
    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A f2b-sshd -j RETURN
    -A f2b-sshd-ddos -j RETURN

  • exception0x876 Member, Host Rep, LIR
    edited December 2016

    OpenVPN resets your default gateway, so your VPS is not able to send back the traffic through it if it is coming to its public IP. You need to add a new routing table with your default gateway and use this table for all traffic originating from your VPS public IP i.e.

    echo "1234 my_table" >> /etc/iproute2/rt_tables
    ip route add default via <WAN gateway> dev eth0 table 1234
    ip rule add from <WAN IP> table 1234
    
  • drivex Member
    edited December 2016

    @exception0x876 said:
    OpenVPN resets your default gateway, so your VPS is not able to send back the traffic through it if it is coming to its public IP. You need to add a new routing table with your default gateway and use this table for all traffic originating from your VPS public IP i.e.

    > echo "1234 my_table" >> /etc/iproute2/rt_tables
    > ip route add default via <WAN gateway> dev eth0 table 1234
    > ip rule add from <WAN IP> table 1234
    > 

    Thanks for your answer! I did this and replaced WAN GATEWAY with the WAN gateway IP of my server and WAN IP with my public IP (server) and did ip route flush cache. But nothing changed. Did I do anything wrong?

  • exception0x876 Member, Host Rep, LIR

    @ServerXZ would you mind posting all your routing tables and rules? You can mask a few numbers out of the IP addresses with stars.

  • drivex Member
    edited December 2016

    @exception0x876 said:
    @ServerXZ would you mind posting all your routing tables and rules? You can mask a few numbers out of the IP addresses with stars.

    Sure. I hope that's all? If not, which commands must be executed? I'm pretty new to iptables and routes :/

    ip route show table all

    default via 93.X.X.1 dev eth0 onlink
    10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
    93.X.X.0/24 dev eth0 proto kernel scope link src 93.X.X.123 (external IP)
    broadcast 10.8.0.0 dev tun0 table local proto kernel scope link src 10.8.0.1
    local 10.8.0.1 dev tun0 table local proto kernel scope host src 10.8.0.1
    broadcast 10.8.0.255 dev tun0 table local proto kernel scope link src 10.8.0.1
    broadcast 93.X.X.0 dev eth0 table local proto kernel scope link src 93.X.143.123 (external IP)
    local 93.X.X.123 (external IP) dev eth0 table local proto kernel scope host src 93.X.143.123 (external IP)
    broadcast 93.X.X.255 dev eth0 table local proto kernel scope link src 93.X.X.123 (external IP)
    broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
    local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
    local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
    broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
    fe80::/64 dev eth0 proto kernel metric 256 pref medium
    unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 pref medium
    local ::1 dev lo table local proto none metric 0 pref medium
    local fe80::6a05:caff:fe34:6044 dev lo table local proto none metric 0 pref medium
    ff00::/8 dev eth0 table local metric 256 pref medium
    unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 pref medium

    In /etc/default/ufw

    DEFAULT_FORWARD_POLICY="ACCEPT"

    in /etc/ufw/before.rules

    # START OPENVPN RULES
    # NAT table rules
    *nat
    :POSTROUTING ACCEPT [0:0]
    # Allow traffic from OpenVPN client to eth0
    -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
    COMMIT
    # END OPENVPN RULES
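The policy-routing fix from exception0x876's answer, together with a check that can be run against the kind of `ip rule show` / `ip route show table 1234` output posted above, as an added example (not code from the thread or from the Angristan script). WAN_IP, WAN_GW, WAN_IF, the rule priority and the sample output are assumed placeholders; the table id 1234 and name my_table are the ones used in the answer.

```shell
#!/bin/sh
# Added example, not from the thread: keep a VPS reachable on its public IP
# after OpenVPN's redirect-gateway has replaced the main default route.
# Replies sourced from WAN_IP are looked up in a dedicated table that still
# points at the WAN gateway. All values below are assumed placeholders.
WAN_IP="${WAN_IP:-93.0.0.123}"       # public IP of the VPS (constructed)
WAN_GW="${WAN_GW:-93.0.0.1}"         # upstream gateway on eth0 (constructed)
WAN_IF="${WAN_IF:-eth0}"
TABLE="${TABLE:-1234}"               # table id and name used in the thread
TABLE_NAME="${TABLE_NAME:-my_table}"
PRIO="${PRIO:-100}"                  # rule priority: consulted before 'main'

# Emit the commands so they can be reviewed before running them as root.
# 'replace' and the grep guards make the script safe to re-run at boot.
policy_route_cmds() {
    cat <<EOF
grep -qE "^$TABLE[[:space:]]+$TABLE_NAME\$" /etc/iproute2/rt_tables || echo "$TABLE $TABLE_NAME" >> /etc/iproute2/rt_tables
ip route replace default via $WAN_GW dev $WAN_IF table $TABLE
ip rule show | grep -qE "from $WAN_IP lookup ($TABLE|$TABLE_NAME)" || ip rule add from $WAN_IP table $TABLE priority $PRIO
ip route flush cache
EOF
}

# Check captured output of 'ip rule show' and 'ip route show table $TABLE'.
# 'ip rule show' prints the table *name* once it is registered in rt_tables,
# so both the id and the name are accepted. Returns 0 when the fix is live.
policy_route_ok() {
    rules="$1"; routes="$2"
    printf '%s\n' "$rules"  | grep -qE "from $WAN_IP lookup ($TABLE|$TABLE_NAME)" || return 1
    printf '%s\n' "$routes" | grep -qE "^default via $WAN_GW dev $WAN_IF" || return 1
    return 0
}

# Constructed sample output from a host where the fix has been applied.
SAMPLE_RULES="0:      from all lookup local
100:    from 93.0.0.123 lookup my_table
32766:  from all lookup main
32767:  from all lookup default"
SAMPLE_ROUTES="default via 93.0.0.1 dev eth0"

case "${1:-}" in
    apply) policy_route_cmds | sh -e ;;   # needs root
    show)  policy_route_cmds ;;
esac
```

Run `sh script.sh show` to review the commands, and `policy_route_ok "$(ip rule show)" "$(ip route show table 1234)"` on the host to confirm both the rule and the table route exist; the thread's `ip route show table all` output contains neither, which is what this check is meant to make visible.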
