I'm trying to install OpenVPN on Ubuntu 16.04. I'm using PIA and followed this tutorial minus the last section that modifies the iptables rules. It's up and running.
I'd now like to have a script run at the end of the OpenVPN startup routine that modifies iptables to bypass the VPN for certain ports. I've written the script using this tutorial and confirmed that it works by running it manually after a reboot. Here's my script:
```sh
#!/bin/sh
# /etc/openvpn/up.sh -- policy-routing bypass for selected ports.
# Runs as root from OpenVPN's "up" hook (or systemd ExecStartPost), so
# sudo is not needed. The interpreter line above is required: OpenVPN and
# systemd exec the file directly, and a script without one fails to start.

# ---ENABLING KERNEL OPTIONS
# rp_filter=0 disables reverse-path filtering (marked traffic arrives on
# ens3 while the default route points at tun0); loose mode (2) would also
# work and keeps some anti-spoofing protection.
sysctl -w net.ipv4.conf.ens3.rp_filter=0
sysctl -w net.ipv4.conf.tun0.rp_filter=0
sysctl -w net.ipv4.conf.all.rp_filter=0
sysctl -w net.ipv4.conf.default.rp_filter=0
sysctl -w net.ipv4.conf.lo.rp_filter=0
sysctl -w net.ipv4.conf.all.forwarding=1
sysctl -w net.ipv4.conf.default.forwarding=1
sysctl -w net.ipv4.conf.ens3.forwarding=1
sysctl -w net.ipv4.conf.lo.forwarding=1
sysctl -w net.ipv4.conf.tun0.forwarding=1
sysctl -w net.ipv6.conf.all.forwarding=1
sysctl -w net.ipv6.conf.default.forwarding=1
sysctl -w net.ipv6.conf.ens3.forwarding=1
sysctl -w net.ipv6.conf.lo.forwarding=1
sysctl -w net.ipv6.conf.tun0.forwarding=1
# A TCP connection accepted from a marked SYN inherits the mark, so its
# replies are routed through table 101 (ens3) instead of the VPN.
sysctl -w net.ipv4.tcp_fwmark_accept=1

# ---CLEAR ALL FIREWALL RULES
# Note: this flushes every existing rule, including any filter rules you rely on.
iptables -F
iptables -t mangle -F
iptables -t nat -F

# ---FLUSH EXISTING TABLE 101 + cache
ip route flush table 101
ip route flush cache

# ---DEL IF EXISTS AND ADD RULE (the del fails harmlessly on the first run)
ip rule del fwmark 2 table 101 2>/dev/null
ip rule add fwmark 2 table 101

# ---CREATE TABLE 101: marked packets use the LAN gateway on ens3
ip route add table 101 default via 192.168.0.1 dev ens3
ip route add table 101 192.168.0.0/24 dev ens3 proto kernel scope link src 192.168.0.144

# ---PORT FORWARD TO TABLE 101
# SETTING MASQUERADE FOR OUTPUT
iptables --table nat --append POSTROUTING -o ens3 -j MASQUERADE

# VPN BYPASS! Each rule sets mark 2 so the ip rule above sends the packet to table 101.
# SSH THIS ONE IS THE MOST IMPORTANT
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-mark 2
# PLEX
iptables -t mangle -A OUTPUT -p tcp --dport 32400 -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -p tcp --dport 32400 -j MARK --set-mark 2
# HTTP / HTTPS
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -p tcp --dport 443 -j MARK --set-mark 2
# FTP
iptables -t mangle -A PREROUTING -p tcp --dport 21 -j MARK --set-mark 2
# YOU NEED TO SET UP MIN/MAX PORT IN VSFTPD (passive data port range)
iptables -t mangle -A PREROUTING -p tcp --dport 13000:13100 -j MARK --set-mark 2
iptables -t mangle -A OUTPUT -p tcp --sport 21 -j MARK --set-mark 2
# DELUGE daemon, only from LOCAL NETWORK IPs
iptables -t mangle -A PREROUTING -p tcp --dport 58846 -s 192.168.0.0/24 -j MARK --set-mark 2
# DELUGE WEB GUI
iptables -t mangle -A PREROUTING -p tcp --dport 8112 -j MARK --set-mark 2
```
```sh
# This is the configuration file for /etc/init.d/openvpn
#
# Start only these VPNs automatically via init script.
# Allowed values are "all", "none" or space separated list of
# names of the VPNs. If empty, "all" is assumed.
# The VPN name refers to the VPN configuration file name.
# i.e. "home" would be /etc/openvpn/home.conf
#
# If you're running systemd, changing this variable will
# require running "systemctl daemon-reload" followed by
# a restart of the openvpn service (if you removed entries
# you may have to stop those manually)
#
#AUTOSTART="all"
#AUTOSTART="none"
#AUTOSTART="home office"
AUTOSTART="pia-nl"
#
# WARNING: If you're running systemd the rest of the
# options in this file are ignored.
#
# Refresh interval (in seconds) of default status files
# located in /var/run/openvpn.$NAME.status
# Defaults to 10, 0 disables status file generation
#
#STATUSREFRESH=10
#STATUSREFRESH=0
# Optional arguments to openvpn's command line
OPTARGS=""
#
# If you need openvpn running after sendsigs, i.e.
# to let umountnfs work over the vpn, set OMIT_SENDSIGS
# to 1 and include umountnfs as Required-Stop: in openvpn's
# init.d script (remember to run insserv after that)
#
OMIT_SENDSIGS=0
```
```
# /etc/openvpn/pia-nl.conf
client
dev tun
proto udp
remote us-florida.privateinternetaccess.com 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
auth-user-pass login.conf
comp-lzo
verb 1
reneg-sec 0
crl-verify crl.rsa.2048.pem
ca ca.rsa.2048.crt
disable-occ
# User-defined scripts need script-security 2; at the default level (1)
# OpenVPN only runs built-ins like ip/route and refuses the "up" script.
script-security 2
# Start script (runs after the tun device is opened)
up /etc/openvpn/up.sh
```
I read here that the systemd unit file should be used instead of the OpenVPN config file, so I then removed the script reference from my pia-nl.conf and instead modified /lib/systemd/system/openvpn@.service to include ExecStartPost=/etc/openvpn/up.sh, but I have the same startup issues.
I've made sure that /etc/openvpn/up.sh is executable, and so I've run out of ideas. Any help would be greatly appreciated!
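An added post-start check, not part of the original post: it verifies whether the up script above actually took effect (interpreter line present, fwmark rule, table 101 default route, tcp_fwmark_accept, and a mangle MARK rule for each bypassed port). The mark, table, interface and gateway values are taken from the script above; the check_* functions take command output as text so they can be exercised on captured samples, and the --check flag is this script's own.

```shell
#!/bin/sh
# Sanity check for the fwmark bypass: did the up script take effect?
# Added example, not the poster's code. Run as root: sh check-bypass.sh --check
MARK=2; TABLE=101; WAN_IF=ens3; GW=192.168.0.1

# Each check_* takes the relevant command output as $1 (text), so the logic
# can be exercised on captured samples without root.
check_shebang() {   # first line of up.sh must be an interpreter line
    case "$1" in '#!'*) return 0 ;; *) return 1 ;; esac
}
check_rule() {      # "ip rule show": fwmark 0x2 [/mask] lookup 101
    printf '%s\n' "$1" | grep -Eq "fwmark 0x${MARK}(/0x[0-9a-f]+)? lookup ${TABLE}"
}
check_route() {     # "ip route show table 101": default via LAN gateway on ens3
    printf '%s\n' "$1" | grep -Eq "^default via ${GW} dev ${WAN_IF}"
}
check_mark() {      # "iptables -t mangle -S PREROUTING": dport $2 gets mark 2
    printf '%s\n' "$1" | grep -Eq -- "--dport $2 .*-j MARK --set-xmark 0x${MARK}/0xffffffff"
}
check_sysctl() {    # net.ipv4.tcp_fwmark_accept must be 1 so replies follow the mark
    [ "$1" = "1" ]
}

run_all() {
    check_shebang "$(head -n 1 /etc/openvpn/up.sh)" \
        || { echo "FAIL: up.sh has no #! line (OpenVPN/systemd cannot exec it)"; return 1; }
    check_rule "$(ip rule show)" \
        || { echo "FAIL: no 'ip rule' mapping fwmark $MARK to table $TABLE"; return 1; }
    check_route "$(ip route show table "$TABLE")" \
        || { echo "FAIL: table $TABLE has no default route via $GW on $WAN_IF"; return 1; }
    check_sysctl "$(sysctl -n net.ipv4.tcp_fwmark_accept)" \
        || { echo "FAIL: net.ipv4.tcp_fwmark_accept is not 1"; return 1; }
    mangle=$(iptables -t mangle -S PREROUTING)
    for p in 22 32400 80 443 21 13000:13100 8112; do
        check_mark "$mangle" "$p" || { echo "FAIL: no MARK rule for dport $p"; return 1; }
    done
    echo "OK: bypass routing is in place"
}

case "${1:-}" in --check) run_all ;; esac
```

A failing first check (no interpreter line) is the one case where the script is executable yet neither OpenVPN's up hook nor systemd's ExecStartPost can start it.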