OpenVPN stopped passing data...

The_Great_Sephiroth · Posted: Wed Jan 15, 2025 7:17 pm Post subject: OpenVPN stopped passing data...

I have an OLD (2009) client running OpenVPN on a Linux server that has been solid for ages. Suddenly, this changed. OpenVPN connects, but we cannot access LAN resources. I BELIEVE it is due to an update that reset the firewall rules. I found an old firewall script I wrote, but it does not work. I can only reach the server itself.

LAN: 192.168.111.0/24
OpenVPN: 192.168.110.0/24
Server: 192.168.111.201
PCs: 192.168.111.101-15

Firewall Script:

Hu · Administrator Joined: 06 Mar 2007 Posts: 23012

Is IPv4 forwarding enabled? Can you give an example of a specific connection that doesn't work?

Why is this done as a shell script with no error checking? Gentoo has the ability to save iptables rules and play them back on boot.

The_Great_Sephiroth · Posted: Wed Jan 15, 2025 7:52 pm Post subject:

This is an OLD system, but I just checked and net.ipv4.ip_forward is indeed set to 1. I wrote this script a decade ago. It is not run any more and instead iptables are saved and loaded as you said. The script got me this far.

The_Great_Sephiroth · Posted: Thu Jan 16, 2025 1:15 pm Post subject:

I have a temporary solution. I have narrowed it down to my iptables rules. When I clear out all rules and only do the one line that masquerades, everything works. Something in my rules is not allowing SMB or RDP data (and probably more) to not go from the tunnel to the LAN. Not sure what, but it does indeed work with just the one line.

Are there any iptables gurus around that can explain to me why my rules break the VPN?
_________________
Ever picture systemd as what runs "The Borg"?

Hu · Administrator Joined: 06 Mar 2007 Posts: 23012

You allowed three specific types of traffic to be forwarded, and drop everything else. If leaving the forwarding chain open makes this work, we can assume that none of those three specific rules applies to the traffic you want forwarded. Therefore:

Your traffic is not part of an existing connection. It needs to have created a connection before it can be part of one, and creation is failing.
Your traffic is not sourced from the allowed subnet.
Your traffic is not ICMP type 8.

You probably meant for that middle rule to work, or you previously had additional rules that are now entirely missing. Check that the traffic has the correct source address, comes in the correct network device, and would (if it were allowed) go out the correct Ethernet device.

Further, we can infer that since the MASQUERADE rule has two of those checks (source address, destination device) and is matching, that the problem must be the input network device, since the FORWARD chain should match that (but does not) and the MASQUERADE rule does not check that (and works).

pietinger · Posted: Thu Jan 16, 2025 3:05 pm Post subject:

Maybe only the permission of UDP 137 and UDP 138 (netbios-ns + netbios-dgm) is missing?
_________________
https://wiki.gentoo.org/wiki/User:Pietinger

The_Great_Sephiroth · Posted: Thu Jan 16, 2025 4:01 pm Post subject:

I'm going to need to brush up then. Been years since I messed with iptables. The server only has one NIC (enp3s0) which is used for everything instead of the setup with a WAN NIC and a LAN NIC. Need to think it through. Thank you both for your help. It's good to see that you're still here. I disappeared for a few years but I still have Gentoo on my laptops.
_________________
Ever picture systemd as what runs "The Borg"?

Hu · Administrator Joined: 06 Mar 2007 Posts: 23012

You have one NIC, but at least one virtual interface: tun0, the virtual device that represents the traffic coming off the VPN.

pietinger · Posted: Thu Jan 16, 2025 5:04 pm Post subject:

You have already prepared something very useful in your script: