order: iptables@boot after establishing tunnel

Scripts with setup, destroy, and modify routing tables and firewall rulesets for client connections.


pallago


Post by pallago » Tue Dec 26, 2017 10:27 pm

Dear all,
during the last few days I set up a site-2-site OpenVPN network with 3 locations (A, B, C).
The configuration is the following:
Server A (tun0) - Client B (tun0)
Server A (tun1) - Client C (tun0)
Server B (tun1) - Client C (tun1)

Site C does not have any OpenVPN server, it has just 2 OpenVPN clients. In addition, I have some clients which can connect to A or B, e.g. mobile phone, notebook, etc. Everything is working quite fine.

I configured my firewall using fwbuilder (tun+ does not work). This also works quite nicely and I can access all servers, PCs etc. from all locations (also from the clients). The firewall configuration scripts (let us call them firewall_A.fw, firewall_B.fw and firewall_C.fw) contain all the NAT tables and allowed traffic configurations.
These scripts should be executed automatically when the servers are booted. However, I found quite a number of tutorials but I am not really happy since it does not work as it should: the firewall scripts contain the tunnels tun0 and tun1. When the servers boot, OpenVPN starts and the firewall configures the interfaces. But the tunnels are not (all) up when the firewall script is executed and thus the configuration of iptables fails.

For Server A it is no problem since there are 2 servers running (for Site B and Site C) and the tun0, tun1 adapters are immediately up.
For Server B it is a problem since it is a client for Server A (the firewall script is executed before the connection is established and thus the tun adapter exists).
For Client C it is also a problem since it is a client for Server A and Server B (same problem as above).

I tried:
/etc/rc.local (insert the path of firewall_X.fw, X={A,B,C})
using iptables-persistent

Is there a recommended way to configure the firewall (iptables)? I thought about virtual tun interfaces?
The very ugly solution which I want to avoid is to add a sleep in the firewall script (or rc.local).
I also thought about setting up a dedicated service which I could control when it should start.


The firewall script also contains the NAT table and access rules for the clients (at the sites behind the servers) which connect to the internet. Thus, if the execution of the firewall script fails, the clients do not have internet access. This is quite a crucial point.

Pippin

Re: order: iptables@boot after establishing tunnel

Post by Pippin » Wed Dec 27, 2017 4:03 pm

Start the script after OpenVPN?
Or maybe better, --client-connect/disconnect, --up, --down and "Script Order of Execution" in the manual:
https://community.openvpn.net/openvpn/w ... n24ManPage
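One concrete form of the --up/--down suggestion, as an added example that is not code from this thread or from the OpenVPN project: a hook OpenVPN runs after it has opened the tun device (script_type=up) and again when the tunnel goes away (script_type=down), so only the rules that mention the tun device move out of the boot-time fwbuilder script. The LAN interface name, the rule set and the IPTABLES override for dry-running are assumptions.

```shell
#!/bin/sh
# Hypothetical OpenVPN --up/--down hook (constructed example, not from the thread).
# Assumed client config lines (script-security 2 is needed for --up/--down scripts):
#   script-security 2
#   up   /etc/openvpn/fw-tun.sh
#   down /etc/openvpn/fw-tun.sh
# OpenVPN exports $dev (the tun device) and $script_type ("up" or "down"), so the
# same script adds rules when the tunnel is established and removes them when it
# goes away. Rules for interfaces that exist at boot (eth0, NAT to the internet)
# stay in the fwbuilder script; only rules that mention the tun device live here.

IPTABLES="${IPTABLES:-iptables}"   # set IPTABLES=echo to dry-run without root
LAN_IF="${LAN_IF:-eth0}"           # assumed LAN-side interface, adjust per site

# Emit the rule arguments for tunnel device $1; $2 is -A (add) or -D (delete).
# Using one list for both actions keeps "down" symmetric with "up".
fw_rules_for_dev() {
    dev_name="$1"; act="$2"
    printf '%s\n' \
        "$act FORWARD -i $dev_name -o $LAN_IF -j ACCEPT" \
        "$act FORWARD -i $LAN_IF -o $dev_name -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT" \
        "$act INPUT -i $dev_name -p icmp -j ACCEPT"
}

# Run each rule through iptables; prints the number of rules applied and stops
# at the first rule iptables rejects so OpenVPN logs the failure.
apply_fw() {
    n=0
    while read -r rule; do
        # shellcheck disable=SC2086  # word-splitting $rule into arguments is intended
        $IPTABLES $rule || return 1
        n=$((n + 1))
    done <<EOF
$(fw_rules_for_dev "$1" "$2")
EOF
    echo "$n"
}

# Dispatch on what OpenVPN is doing; does nothing when run outside OpenVPN.
case "${script_type:-}" in
    up)   apply_fw "${dev:-$1}" -A ;;
    down) apply_fw "${dev:-$1}" -D ;;
esac
```

Running it by hand with IPTABLES=echo prints the rules it would install for a given device without touching the kernel.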
