Gentoo Forums
OpenVPN stopped passing data...
Forum: Networking & Security

The_Great_Sephiroth
Veteran
Joined: 03 Oct 2014
Posts: 1606
Location: Fayetteville, NC, USA

Posted: Wed Jan 15, 2025 7:17 pm    Post subject: OpenVPN stopped passing data...

I have an OLD (2009) client running OpenVPN on a Linux server that has been solid for ages. Suddenly, this changed. OpenVPN connects, but we cannot access LAN resources. I BELIEVE it is due to an update that reset the firewall rules. I found an old firewall script I wrote, but it does not work. I can only reach the server itself.

LAN: 192.168.111.0/24
OpenVPN: 192.168.110.0/24
Server: 192.168.111.201
PCs: 192.168.111.101-15

Firewall Script:
Code:

#!/bin/bash

# Clear out everything
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -t raw -F
iptables -t raw -X
iptables -t security -F
iptables -t security -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# Always allow lo unless you want to murder Linux
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Setup the input table
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i tun0 -j ACCEPT
iptables -A INPUT -i enp3s0 -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -i enp3s0 -p udp --dport openvpn -j ACCEPT
iptables -A INPUT -i enp3s0 -p udp --dport bootps:bootpc -j ACCEPT
iptables -A INPUT -i enp3s0 -p udp --dport domain -j ACCEPT
iptables -A INPUT -i enp3s0 -p tcp --dport microsoft-ds -j ACCEPT
iptables -A INPUT -i enp3s0 -p tcp --dport netbios-ssn -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8/0 -j ACCEPT

# Setup the output table
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o tun0 -j ACCEPT
iptables -A OUTPUT -o enp3s0 -p udp --dport domain -j ACCEPT
iptables -A OUTPUT -o enp3s0 -p udp --dport bootps:bootpc -j ACCEPT
iptables -A OUTPUT -o enp3s0 -p tcp --dport http -j ACCEPT
iptables -A OUTPUT -o enp3s0 -p udp --dport ntp -j ACCEPT
iptables -A OUTPUT -o enp3s0 -p tcp --dport microsoft-ds -j ACCEPT
iptables -A OUTPUT -o enp3s0 -p tcp --dport netbios-ssn -j ACCEPT
iptables -A OUTPUT -o enp3s0 -p tcp --dport rsync -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 8/0 -j ACCEPT

# Setup the forward table
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s 192.168.110.0/24 -i tun0 -o enps3s0 -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type 8/0 -j ACCEPT

# Setup the postrouting table
iptables -t nat -A POSTROUTING -s 192.168.110.0/24 -o enp3s0 -j MASQUERADE

# Setup logging
# iptables -A INPUT -j LOG --log-prefix "!!! IN "
# iptables -A OUTPUT -j LOG --log-prefix "!!! OUT "
# iptables -A FORWARD -j LOG --log-prefix "!!! FWD "

Does anybody have any ideas here?
_________________
Ever picture systemd as what runs "The Borg"?
Hu
Administrator
Joined: 06 Mar 2007
Posts: 23059

Posted: Wed Jan 15, 2025 7:37 pm

Is IPv4 forwarding enabled? Can you give an example of a specific connection that doesn't work?

Why is this done as a shell script with no error checking? Gentoo has the ability to save iptables rules and play them back on boot.
The_Great_Sephiroth
Veteran
Joined: 03 Oct 2014
Posts: 1606
Location: Fayetteville, NC, USA

Posted: Wed Jan 15, 2025 7:52 pm

This is an OLD system, but I just checked and net.ipv4.ip_forward is indeed set to 1. I wrote this script a decade ago. It is not run any more and instead iptables are saved and loaded as you said. The script got me this far.
Code:

Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere           
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere           
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     udp  --  anywhere             anywhere             udp dpt:openvpn
ACCEPT     udp  --  anywhere             anywhere             udp dpts:bootps:bootpc
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:microsoft-ds
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:netbios-ssn
ACCEPT     icmp --  anywhere             anywhere             icmptype 8 code 0

Chain FORWARD (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  192.168.110.0/24     anywhere           
ACCEPT     icmp --  anywhere             anywhere             icmptype 8 code 0

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere           
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere           
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpts:bootps:bootpc
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ntp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:microsoft-ds
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:netbios-ssn
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:rsync
ACCEPT     icmp --  anywhere             anywhere             icmptype 8 code 0

[sv01 ~]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  192.168.110.0/24     anywhere

Hope that helps.
The_Great_Sephiroth
Veteran
Joined: 03 Oct 2014
Posts: 1606
Location: Fayetteville, NC, USA

Posted: Thu Jan 16, 2025 1:15 pm

I have a temporary solution. I have narrowed it down to my iptables rules. When I clear out all rules and only do the one line that masquerades, everything works. Something in my rules is not allowing SMB or RDP data (and probably more) to go from the tunnel to the LAN. Not sure what, but it does indeed work with just the one line.

Are there any iptables gurus around that can explain to me why my rules break the VPN?
Hu
Administrator
Joined: 06 Mar 2007
Posts: 23059

Posted: Thu Jan 16, 2025 2:26 pm

You allowed three specific types of traffic to be forwarded, and drop everything else. If leaving the forwarding chain open makes this work, we can assume that none of those three specific rules applies to the traffic you want forwarded. Therefore:
  • Your traffic is not part of an existing connection. It needs to have created a connection before it can be part of one, and creation is failing.
  • Your traffic is not sourced from the allowed subnet.
  • Your traffic is not ICMP type 8.
You probably meant for that middle rule to work, or you previously had additional rules that are now entirely missing. Check that the traffic has the correct source address, comes in the correct network device, and would (if it were allowed) go out the correct Ethernet device.

Further, we can infer that since the MASQUERADE rule has two of those checks (source address, destination device) and is matching, that the problem must be the input network device, since the FORWARD chain should match that (but does not) and the MASQUERADE rule does not check that (and works).
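Added example, not code from the thread: a small shell check that lists every interface name an iptables script passes to -i/-o and compares them with the interfaces the host actually has. iptables accepts any string as an interface name, so a rule that names a device that does not exist (the FORWARD rule in the posted script says `-o enps3s0`, while the NIC is `enp3s0`) loads without error and simply never matches, which is exactly the silent failure Hu's reasoning points at. The known-interface list and the sample rules here are constructed so the check runs offline; on a live host take the list from /sys/class/net as the comment shows.

```shell
#!/bin/sh
# Added example (not from the thread): flag interface names in an iptables
# rule script that are not present on the host. iptables does not validate
# -i/-o names, so a typo loads cleanly and the rule never matches.

# Interfaces the host really has. On a live system use:
#   known="$(ls /sys/class/net | tr '\n' ' ')"
# A constructed list stands in here so the check runs offline.
known="lo enp3s0 tun0"

# Constructed sample mirroring the FORWARD/POSTROUTING rules in the thread.
rules='
# iptables -A FORWARD -j LOG --log-prefix "!!! FWD "
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s 192.168.110.0/24 -i tun0 -o enps3s0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.110.0/24 -o enp3s0 -j MASQUERADE
'

# Print each interface name given to -i/-o (or the long forms), one per
# line, de-duplicated; commented-out lines are ignored.
referenced_ifaces() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' \
      | awk '{ for (i = 1; i < NF; i++)
                 if ($i == "-i" || $i == "-o" ||
                     $i == "--in-interface" || $i == "--out-interface")
                   print $(i + 1) }' | sort -u
}

# Print referenced names missing from $known; return 1 if any, else 0.
unknown_ifaces() {
    rc=0
    for name in $(referenced_ifaces "$1"); do
        case " $known " in
            *" $name "*) ;;
            *) printf '%s\n' "$name"; rc=1 ;;
        esac
    done
    return $rc
}

# On the constructed sample this prints "enps3s0" and reports a problem.
if unknown_ifaces "$rules"; then
    echo "all referenced interfaces exist"
else
    echo "rule set references interface(s) not present on this host" >&2
fi
```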
pietinger
Moderator
Joined: 17 Oct 2006
Posts: 5348
Location: Bavaria

Posted: Thu Jan 16, 2025 3:05 pm

Maybe only the permission of UDP 137 and UDP 138 (netbios-ns + netbios-dgm) is missing?
_________________
https://wiki.gentoo.org/wiki/User:Pietinger
The_Great_Sephiroth
Veteran
Joined: 03 Oct 2014
Posts: 1606
Location: Fayetteville, NC, USA

Posted: Thu Jan 16, 2025 4:01 pm

I'm going to need to brush up then. Been years since I messed with iptables. The server only has one NIC (enp3s0) which is used for everything instead of the setup with a WAN NIC and a LAN NIC. Need to think it through. Thank you both for your help. It's good to see that you're still here. I disappeared for a few years but I still have Gentoo on my laptops.
Hu
Administrator
Joined: 06 Mar 2007
Posts: 23059

Posted: Thu Jan 16, 2025 4:18 pm

You have one NIC, but at least one virtual interface: tun0, the virtual device that represents the traffic coming off the VPN.
pietinger
Moderator
Joined: 17 Oct 2006
Posts: 5348
Location: Bavaria

Posted: Thu Jan 16, 2025 5:04 pm

You have already prepared something very useful in your script:
Code:
# Setup logging
# iptables -A INPUT -j LOG --log-prefix "!!! IN "
# iptables -A OUTPUT -j LOG --log-prefix "!!!! OUT "
# iptables -A FORWARD -j LOG --log-prefix "!!!! FWD "

Activate it and check in your system log what is being dropped.

I do the same with a small addition so that my log is not loaded with these harmless packets that every router sends (before I log everything - like you):
Code:
iptables -A INPUT -p 2 -j DROP # stuff from router

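Added example, not from the thread, of what to do with those LOG lines once the rules are activated: an awk summary that groups kernel log entries by chain prefix, IN/OUT device, protocol and destination port, so a dropped SMB (445) or RDP (3389) flow arriving on tun0 stands out from the harmless router noise pietinger mentions. The log lines are constructed to follow the field layout the iptables LOG target emits, with the `!!! FWD ` / `!!! IN ` prefixes from the script; the host name, addresses and ports are assumed.

```shell
#!/bin/sh
# Added example (not from the thread): summarise kernel LOG lines written by
# rules such as 'iptables -A FORWARD -j LOG --log-prefix "!!! FWD "'.
# The sample is constructed; host name, addresses and ports are assumed.
logfile=$(mktemp)
cat > "$logfile" <<'EOF'
Jan 16 13:02:11 sv01 kernel: !!! FWD IN=tun0 OUT=enp3s0 SRC=192.168.110.6 DST=192.168.111.101 LEN=52 PROTO=TCP SPT=51212 DPT=445 SYN
Jan 16 13:02:12 sv01 kernel: !!! FWD IN=tun0 OUT=enp3s0 SRC=192.168.110.6 DST=192.168.111.101 LEN=52 PROTO=TCP SPT=51213 DPT=3389 SYN
Jan 16 13:02:12 sv01 kernel: !!! FWD IN=tun0 OUT=enp3s0 SRC=192.168.110.6 DST=192.168.111.101 LEN=52 PROTO=TCP SPT=51214 DPT=445 SYN
Jan 16 13:02:13 sv01 kernel: !!! IN IN=enp3s0 OUT= SRC=192.168.111.1 DST=224.0.0.1 LEN=32 PROTO=2
EOF

# Group lines by chain prefix, IN device, OUT device, protocol and destination
# port and print "<count> <chain> <in> <out> <proto> <dpt>", most frequent
# first. A field a line lacks (no DPT for IGMP, empty OUT= on INPUT) is "-".
summarize_drops() {
    awk '{
        chain = "-"; in_if = "-"; out_if = "-"; proto = "-"; dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i == "!!!")          chain  = $(i + 1)
            else if ($i ~ /^IN=./)    in_if  = substr($i, 4)
            else if ($i ~ /^OUT=./)   out_if = substr($i, 5)
            else if ($i ~ /^PROTO=/)  proto  = substr($i, 7)
            else if ($i ~ /^DPT=/)    dpt    = substr($i, 5)
        }
        count[chain " " in_if " " out_if " " proto " " dpt]++
    }
    END { for (k in count) print count[k], k }' "$1" | sort -rn
}

# The line to look at first is the one pairing tun0 with the LAN NIC:
# "2 FWD tun0 enp3s0 TCP 445" means two SMB SYNs from the VPN were dropped,
# while "1 IN enp3s0 - 2 -" is the router's IGMP that is safe to filter out.
summarize_drops "$logfile"
```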
All times are GMT