Can't view any web pages from client

Braxen
OpenVpn Newbie
Posts: 11
Joined: Wed Aug 24, 2011 11:20 pm

Can't view any web pages from client

Post by Braxen » Wed Aug 24, 2011 11:26 pm

I guess this has to do with iptables, but when I try to enter some from guides I just get kicked from SSH and I have to go to the server and plug in a monitor etc.

Server config:

Code:

mode server
tls-server
local 85.11.28.249
port 1194
proto udp
dev tap0 ## If you need multiple tap devices, add them here
up "/etc/openvpn/up.sh br0 tap0 1500"
down "/etc/openvpn/down.sh br0 tap0"
persist-key
persist-tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh1024.pem
tls-auth ta.key 0 # This file is secret
cipher BF-CBC        # Blowfish (default)
comp-lzo
ifconfig-pool-persist ipp.txt
server-bridge 192.168.1.10 255.255.255.0 192.168.1.100 192.168.1.110
push "dhcp-option DNS 85.11.1.11"
push "redirect-gateway def1"
max-clients 10 ## set this to the max number of clients that should be connected at a time
user nobody
group nogroup
keepalive 10 120
status openvpn-status.log
verb 3

I followed some guide on the Ubuntu FAQ. Running Ubuntu 10.10.

The thing is, we don't have a firewall, neither do we have a router, we're wired directly to a modem and we can choose our own IPs, and I understand nothing of the guides since nobody has it like us.

I'm pretty new to *nix so this is kind of a big mess for me.
I don't think it's the client config that's the problem, and it's such a hassle to get it here so nope.

Mimiko
Forum Team
Posts: 1564
Joined: Wed Sep 22, 2010 3:18 am

Re: Can't view any web pages from client

Post by Mimiko » Thu Aug 25, 2011 5:44 am

but when i try to enter some from guides i just get kicked from ssh
Enter some - what?
You are disconnected when OpenVPN is started?

Show all your iptables list. Even if you don't use a firewall, it's still there.

Braxen
OpenVpn Newbie
Posts: 11
Joined: Wed Aug 24, 2011 11:20 pm

Re: Can't view any web pages from client

Post by Braxen » Thu Aug 25, 2011 6:04 am

When I enter some iptables commands it kicks me. I think it's a filter, yes?

Also it's 100% empty right now.

Mimiko
Forum Team
Posts: 1564
Joined: Wed Sep 22, 2010 3:18 am

Re: Can't view any web pages from client

Post by Mimiko » Thu Aug 25, 2011 6:14 am

If you are trying to see iptables and you are disconnected, it's not an OpenVPN issue. Resolve privileges issues yourself first.

Braxen
OpenVpn Newbie
Posts: 11
Joined: Wed Aug 24, 2011 11:20 pm

Re: Can't view any web pages from client

Post by Braxen » Thu Aug 25, 2011 6:29 am

Wait, what? If you mean sudo by privileges or something, I've got it.

I have never used iptables before, I don't even know how they work.
You check them by "iptables -L", right?

Mimiko
Forum Team
Posts: 1564
Joined: Wed Sep 22, 2010 3:18 am

Re: Can't view any web pages from client

Post by Mimiko » Thu Aug 25, 2011 6:40 am

It's not only running as root, but resolve the disconnection problem when trying to view iptables with: iptables -L.
If you never used iptables - try to learn it first. You will need to know how to use iptables when running OpenVPN.

Braxen
OpenVpn Newbie
Posts: 11
Joined: Wed Aug 24, 2011 11:20 pm

Re: Can't view any web pages from client

Post by Braxen » Thu Aug 25, 2011 7:27 am

Yeah well but I want it now, are there any generators for them?

I guess that when I try to execute someone else's iptables config it blocks port 22 and other stuff so it kinda dies.

Bebop
Forum Team
Posts: 301
Joined: Wed Dec 15, 2010 9:24 pm

Re: Can't view any web pages from client

Post by Bebop » Thu Aug 25, 2011 7:50 am

Better than a generator is a script that you can modify to do whatever you like.

Scripting and Customizations » Routing and Firewall Scripts » IPTABLES secure Internet tunnel

Best of luck to solve your problem.
The cure for boredom is curiosity

Braxen
OpenVpn Newbie
Posts: 11
Joined: Wed Aug 24, 2011 11:20 pm

Re: Can't view any web pages from client

Post by Braxen » Thu Aug 25, 2011 8:01 am

Bebop wrote:Better than a generator is a script that you can modify to do whatever you like.

Scripting and Customizations » Routing and Firewall Scripts » IPTABLES secure Internet tunnel

Best of luck to solve your problem.
That was the one I tried, and then the server box's internet broke and I had to go there and reset it.

Braxen
OpenVpn Newbie
Posts: 11
Joined: Wed Aug 24, 2011 11:20 pm

Re: Can't view any web pages from client

Post by Braxen » Thu Aug 25, 2011 3:34 pm

So I tried it once more, and of course it disabled all internet access to the box. Eh, this doesn't work.

defsdoor
OpenVpn Newbie
Posts: 7
Joined: Wed Jun 01, 2011 12:23 pm

Re: Can't view any web pages from client

Post by defsdoor » Thu Aug 25, 2011 3:41 pm

If you are adding firewall rules remotely I find a cron job to flush all your rules every so often just in case helps a lot.
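
A variant of the safety net described above, as an added example that is not part of the thread: instead of flushing on a timer, it saves the running rules, applies the new ones and restores the saved set unless the change is confirmed. The function name `try_rules`, the `IPT_SAVE`/`IPT_RESTORE` overrides and the marker path are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): apply firewall rules over SSH with an
# automatic rollback. Names and defaults below are this example's own.
IPT_SAVE=${IPT_SAVE:-iptables-save}            # overridable for a dry run
IPT_RESTORE=${IPT_RESTORE:-iptables-restore}
CONFIRM_FILE=${CONFIRM_FILE:-/root/fw-keep}    # hypothetical marker path

# try_rules <rule-script> [seconds]
# Saves the running rule set, runs the script, waits, then restores the saved
# rules unless CONFIRM_FILE was created in the meantime. Create that file from
# a NEW SSH session: a session that was already open can keep working through
# a RELATED,ESTABLISHED rule and proves nothing about new connections.
# Restoring a saved dump also restores the chain policies. A plain
# "iptables -F" does not reset them, so flushing under "policy DROP" removes
# the ssh ACCEPT rule and keeps the DROP.
try_rules() {
  script=$1; wait_s=${2:-60}
  backup=$(mktemp) || return 2
  $IPT_SAVE > "$backup" || { rm -f "$backup"; return 2; }
  rm -f "$CONFIRM_FILE"
  sh "$script"                       # candidate rules; may cut the session off
  sleep "$wait_s"
  if [ -e "$CONFIRM_FILE" ]; then
    rm -f "$CONFIRM_FILE" "$backup"
    echo "kept"
  else
    $IPT_RESTORE < "$backup"; rc=$?
    rm -f "$backup"
    [ "$rc" -eq 0 ] && echo "rolled back"
  fi
}

# Run detached so a dropped SSH session cannot kill the rollback, e.g.:
#   sudo nohup sh try-rules.sh /root/new-rules.sh 120 >/root/fw-try.log 2>&1 &
if [ "$#" -ge 1 ]; then
  try_rules "$@"
fi
```
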

Braxen
OpenVpn Newbie
Posts: 11
Joined: Wed Aug 24, 2011 11:20 pm

Re: Can't view any web pages from client

Post by Braxen » Thu Aug 25, 2011 3:44 pm

defsdoor wrote:If you are adding firewall rules remotely I find a cron job to flush all your rules every so often just in case helps a lot.
I just don't get this with iptables, does Ubuntu come with some hidden firewall installed or something?
Also I have never done cronjobs before, I only know what they are.

Mimiko
Forum Team
Posts: 1564
Joined: Wed Sep 22, 2010 3:18 am

Re: Can't view any web pages from client

Post by Mimiko » Thu Aug 25, 2011 3:47 pm

Just show the result of "iptables -L" and "iptables -t nat -L". And show what rules you are adding.

Braxen
OpenVpn Newbie
Posts: 11
Joined: Wed Aug 24, 2011 11:20 pm

Re: Can't view any web pages from client

Post by Braxen » Thu Aug 25, 2011 9:46 pm

Mimiko wrote: Just show the result of "iptables -L" and "iptables -t nat -L". And show what rules you are adding.

Code:

braxen@hyperbrax:/etc/openvpn$ sudo iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere            udp dpt:openvpn
ACCEPT     tcp  --  anywhere             anywhere            tcp flags:ACK/ACK
ACCEPT     udp  --  anywhere             anywhere            udp spt:domain dpts:1024:65535
ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere            icmp source-quench
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere            icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
ACCEPT     udp  --  anywhere             anywhere            udp dpts:33434:33523

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  10.0.0.0/24          anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
braxen@hyperbrax:/etc/openvpn$ sudo iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  10.0.0.0/24          anywhere

From what I can understand from that file, it blocks all ports except port 22, but I need a lot of ports..

Mimiko
Forum Team
Posts: 1564
Joined: Wed Sep 22, 2010 3:18 am

Re: Can't view any web pages from client

Post by Mimiko » Fri Aug 26, 2011 5:10 am

I also asked you to show what rules you are willing to add that disconnect you.

Braxen
OpenVpn Newbie
Posts: 11
Joined: Wed Aug 24, 2011 11:20 pm

Re: Can't view any web pages from client

Post by Braxen » Fri Aug 26, 2011 6:05 am

Mimiko wrote: I also asked you to show what rules you are willing to add that disconnect you.

Oh, I closed that tab.. Well yeah, I copy-pasted the script from that post above and changed the IP from 10.8.0.0 to 10.0.0.0.

It prevents ALL traffic except ssh, and I can't reset them except for a sudo reboot.

Mimiko
Forum Team
Posts: 1564
Joined: Wed Sep 22, 2010 3:18 am

Re: Can't view any web pages from client

Post by Mimiko » Fri Aug 26, 2011 6:21 am

Braxen wrote: It prevents ALL traffic except ssh, and I can't reset them except for a sudo reboot.

It's because you didn't want to understand the script. Why are you using 10.0.0.0? In the script it said that this IP must be taken from the OpenVPN config file. In your config file you use a different IP pool: 192.168.1.0.

So instead of 10.8.0.0/24 in the script, use 192.168.1.0/24.
Be more self-studying, please.
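
The check Mimiko describes, as an added example that is not part of the thread: it derives the VPN subnet from the `server` / `server-bridge` line of the OpenVPN config and lists the rules in an `iptables -L` listing whose source network differs. The function names are this example's own; the sample input is trimmed from the config and listings posted above.

```shell
#!/bin/sh
# Added example (not from the thread): find iptables rules whose source
# network differs from the subnet set in the OpenVPN server config.

# Print the VPN network as CIDR from the first "server <net> <mask>" or
# "server-bridge <gateway> <mask> <pool-start> <pool-end>" line on stdin.
vpn_cidr() {
  awk '
    ($1 == "server" || $1 == "server-bridge") && NF >= 3 {
      split($2, ip, "."); split($3, mask, "."); bits = 0; net = ""; sep = ""
      for (i = 1; i <= 4; i++) {
        m = mask[i] + 0
        # For a contiguous mask octet, (ip AND mask) == ip - ip % (256 - mask).
        net = net sep (ip[i] - ip[i] % (256 - m)); sep = "."
        while (m > 0) { bits += m % 2; m = int(m / 2) }
      }
      print net "/" bits; exit
    }'
}

# Read `iptables -L` / `iptables -t nat -L` text on stdin and print
# "chain target source" for each rule whose source network is not $1.
mismatched_sources() {
  awk -v want="$1" '
    $1 == "Chain" { chain = $2; next }
    $4 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/ && $4 != want {
      print chain, $1, $4
    }'
}

# Sample input, trimmed from the config and listings posted in the thread.
sample_conf() {
  echo 'server-bridge 192.168.1.10 255.255.255.0 192.168.1.100 192.168.1.110'
}
sample_rules() {
  cat <<'EOF'
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  10.0.0.0/24          anywhere
Chain POSTROUTING (policy ACCEPT)
MASQUERADE  all  --  10.0.0.0/24          anywhere
EOF
}

want=$(sample_conf | vpn_cidr)
echo "VPN subnet from config: $want"
sample_rules | mismatched_sources "$want"
```

On a live host, feed it `iptables -L -n` and `iptables -t nat -L -n` so that addresses are printed numerically rather than as names.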

krzee
Forum Team
Posts: 728
Joined: Fri Aug 29, 2008 5:42 pm

Re: Can't view any web pages from client

Post by krzee » Fri Aug 26, 2011 6:30 am

try this:

Code:

iptables -I FORWARD -i tap+ -j ACCEPT
iptables -I FORWARD -o tap+ -j ACCEPT

Braxen
OpenVpn Newbie
Posts: 11
Joined: Wed Aug 24, 2011 11:20 pm

Re: Can't view any web pages from client

Post by Braxen » Fri Aug 26, 2011 7:16 am

Mimiko wrote:
Braxen wrote: It prevents ALL traffic except ssh, and I can't reset them except for a sudo reboot.
It's because you didn't want to understand the script. Why are you using 10.0.0.0? In the script it said that this IP must be taken from the OpenVPN config file. In your config file you use a different IP pool: 192.168.1.0.

So instead of 10.8.0.0/24 in the script, use 192.168.1.0/24.
Be more self-studying, please.

Yeah, but I changed the config to something else since TLS didn't work vanilla in Ubuntu.

krzee wrote: try this:

Code:

iptables -I FORWARD -i tap+ -j ACCEPT
iptables -I FORWARD -o tap+ -j ACCEPT

Only those two?

Braxen
OpenVpn Newbie
Posts: 11
Joined: Wed Aug 24, 2011 11:20 pm

Re: Can't view any web pages from client

Post by Braxen » Mon Aug 29, 2011 6:59 am

Well, I'm back from partying, any clues?
