Server cannot start

Business solution to host your own OpenVPN server with web management interface and bundled clients.
xmteam
OpenVpn Newbie
Posts: 9
Joined: Thu Apr 19, 2012 2:54 pm

Server cannot start

Post by xmteam » Thu Apr 19, 2012 3:02 pm

Whenever I try to start my OpenVPN server from the web interface (Access Server), I get this message: "Error: iptables service not started because of error (SVC_RUN_EXCEPT)". A quick search of the web said that this: http://www.openvpn.net/index.php/access ... ainer.html would work, but it didn't.

I am getting this on a VPS container running CentOS 5.8 x64.
Does anyone have a solution?

ddog800
OpenVpn Newbie
Posts: 14
Joined: Sun Apr 15, 2012 6:01 pm

Re: Server cannot start

Post by ddog800 » Sat Apr 21, 2012 1:33 am

Log into the console as root and run

Code:

# service iptables start

and see how that goes. If it starts OK, then try to start the AS server again.

Also, if you don't have iptables running already, then you will want to make sure you have a good set of rules in place. Run

Code:

# cat /etc/sysconfig/iptables

to see what's configured at boot time and

Code:

# iptables -L

to see what's there at the moment, and make sure you have some rules in place.

xmteam

Re: Server cannot start

Post by xmteam » Sat Apr 21, 2012 11:51 am

Running "service iptables start" returns 4 OK's, and running "cat /etc/sysconfig/iptables" returns this:

Code:

# Generated by iptables-save v1.3.5 on Thu Apr 19 13:12:12 2012
*mangle
:PREROUTING ACCEPT [3477:2633547]
:INPUT ACCEPT [3477:2633547]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3273:1676234]
:POSTROUTING ACCEPT [3273:1676234]
COMMIT
# Completed on Thu Apr 19 13:12:12 2012
# Generated by iptables-save v1.3.5 on Thu Apr 19 13:12:12 2012
*filter
:INPUT DROP [15:756]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:VZ_FORWARD - [0:0]
:VZ_INPUT - [0:0]
:VZ_OUTPUT - [0:0]
-A INPUT -j VZ_INPUT
-A FORWARD -j VZ_FORWARD
-A OUTPUT -j VZ_OUTPUT
-A VZ_INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A VZ_INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A VZ_INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A VZ_INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A VZ_INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A VZ_INPUT -p udp -m udp --dport 53 -j ACCEPT
-A VZ_INPUT -p tcp -m tcp --dport 32768:65535 -j ACCEPT
-A VZ_INPUT -p udp -m udp --dport 32768:65535 -j ACCEPT
-A VZ_INPUT -p tcp -m tcp --dport 8880 -j ACCEPT
-A VZ_INPUT -p tcp -m tcp --dport 8443 -j ACCEPT
-A VZ_INPUT -s 127.0.0.1 -d 127.0.0.1 -p tcp -j ACCEPT
-A VZ_INPUT -s 127.0.0.1 -d 127.0.0.1 -p udp -j ACCEPT
-A VZ_INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A VZ_INPUT -p tcp -m tcp --dport 943 -j ACCEPT
-A VZ_INPUT -p tcp -m tcp --dport 1194 -j ACCEPT
-A VZ_INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A VZ_OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A VZ_OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT
-A VZ_OUTPUT -p tcp -m tcp --sport 25 -j ACCEPT
-A VZ_OUTPUT -p tcp -m tcp --sport 110 -j ACCEPT
-A VZ_OUTPUT -p tcp -m tcp --sport 53 -j ACCEPT
-A VZ_OUTPUT -p udp -m udp --sport 53 -j ACCEPT
-A VZ_OUTPUT -p tcp -j ACCEPT
-A VZ_OUTPUT -p udp -j ACCEPT
-A VZ_OUTPUT -p tcp -m tcp --sport 8880 -j ACCEPT
-A VZ_OUTPUT -p tcp -m tcp --sport 8443 -j ACCEPT
-A VZ_OUTPUT -s 127.0.0.1 -d 127.0.0.1 -p tcp -j ACCEPT
-A VZ_OUTPUT -s 127.0.0.1 -d 127.0.0.1 -p udp -j ACCEPT
-A VZ_OUTPUT -p tcp -m tcp --sport 443 -j ACCEPT
-A VZ_OUTPUT -p tcp -m tcp --sport 943 -j ACCEPT
-A VZ_OUTPUT -p tcp -m tcp --sport 1194 -j ACCEPT
-A VZ_OUTPUT -p tcp -m tcp --sport 1194 -j ACCEPT
COMMIT
# Completed on Thu Apr 19 13:12:12 2012
# Generated by iptables-save v1.3.5 on Thu Apr 19 13:12:12 2012
*nat
:PREROUTING ACCEPT [155:7782]
:POSTROUTING ACCEPT [152:10639]
:OUTPUT ACCEPT [152:10639]
COMMIT
# Completed on Thu Apr 19 13:12:12 2012

Running "iptables -L" returns this:

Code:

Chain INPUT (policy DROP)
target     prot opt source               destination
VZ_INPUT   all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
VZ_FORWARD  all  --  anywhere             anywhere

Chain OUTPUT (policy DROP)
target     prot opt source               destination
VZ_OUTPUT  all  --  anywhere             anywhere

Chain VZ_FORWARD (1 references)
target     prot opt source               destination

Chain VZ_INPUT (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:filenet-tms:65535
ACCEPT     udp  --  anywhere             anywhere            udp dpts:filenet-tms:65535
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:cddbp-alt
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pcsync-https
ACCEPT     tcp  --  localhost.localdomain  localhost.localdomain
ACCEPT     udp  --  localhost.localdomain  localhost.localdomain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:943
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:openvpn
ACCEPT     udp  --  anywhere             anywhere            udp dpt:openvpn

Chain VZ_OUTPUT (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:smtp
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:pop3
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:domain
ACCEPT     udp  --  anywhere             anywhere            udp spt:domain
ACCEPT     tcp  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:cddbp-alt
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:pcsync-https
ACCEPT     tcp  --  localhost.localdomain  localhost.localdomain
ACCEPT     udp  --  localhost.localdomain  localhost.localdomain
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:https
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:943
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:openvpn
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:openvpn
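
As an added example (not part of any post in this thread, and not OpenVPN's own tooling): a shell/awk check over an `iptables-save` dump like the one posted above, reporting a chain's default policy and whether a port is accepted on the path from a built-in chain. `RULES` is abridged from that dump; the function names `chain_policy` and `port_accepted` are hypothetical, and rules limited by source, destination or interface are deliberately not counted as opening a port.

```shell
# Added example. RULES is abridged from the iptables-save dump posted above.
RULES='*filter
:INPUT DROP [15:756]
:FORWARD DROP [0:0]
:VZ_FORWARD - [0:0]
:VZ_INPUT - [0:0]
-A INPUT -j VZ_INPUT
-A FORWARD -j VZ_FORWARD
-A VZ_INPUT -p tcp -m tcp --dport 32768:65535 -j ACCEPT
-A VZ_INPUT -s 127.0.0.1 -d 127.0.0.1 -p tcp -j ACCEPT
-A VZ_INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A VZ_INPUT -p tcp -m tcp --dport 943 -j ACCEPT
-A VZ_INPUT -p tcp -m tcp --dport 1194 -j ACCEPT
-A VZ_INPUT -p udp -m udp --dport 1194 -j ACCEPT
COMMIT'

# chain_policy CHAIN: print the default policy of a built-in filter chain.
chain_policy() {
  printf '%s\n' "$RULES" | awk -v c=":$1" '
    /^\*/ { t = $1 }
    t == "*filter" && $1 == c { print $2 }'
}

# port_accepted CHAIN PROTO PORT: succeed if an unrestricted ACCEPT rule reachable from CHAIN covers it.
port_accepted() {
  printf '%s\n' "$RULES" | awk -v start="$1" -v proto="$2" -v port="$3" '
    function walk(chain, depth,    n, i, j, m, ln, f, p, dp, tgt, lim, r) {
      if (depth > 8) return 0                 # guard against jump loops
      n = split(rules[chain], ln, "\n")
      for (i = 1; i <= n; i++) {
        p = dp = tgt = ""; lim = 0; m = split(ln[i], f, " ")
        for (j = 1; j < m; j++) {
          if (f[j] == "-p") p = f[j + 1]
          if (f[j] == "--dport") dp = f[j + 1]
          if (f[j] == "-j") tgt = f[j + 1]
          if (f[j] ~ /^-[sdi]$/) lim = 1      # address/interface-limited rule
        }
        if ((tgt in rules) && p == "" && dp == "" && !lim && walk(tgt, depth + 1)) return 1
        if (tgt != "ACCEPT" || lim || (p != "" && p != proto)) continue
        if (dp == "") return 1                # protocol-wide ACCEPT
        if (split(dp, r, ":") == 1) r[2] = r[1]
        if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) return 1
      }
      return 0
    }
    /^\*/ { t = $1 }
    t == "*filter" && $1 == "-A" { rules[$2] = rules[$2] "\n" $0 }
    END { exit !walk(start, 0) }'
}
```

To audit a live host, set `RULES=$(iptables-save)` before calling the functions. On this sample, `port_accepted FORWARD udp 1194` fails because `FORWARD` has a `DROP` policy and `VZ_FORWARD` holds no rules.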

ddog800

Re: Server cannot start

Post by ddog800 » Mon Apr 23, 2012 7:30 pm

Looks like the iptables service is running fine now. Are you now able to start the AS service as well?

xmteam

Re: Server cannot start

Post by xmteam » Tue Apr 24, 2012 8:02 pm

I was always able to start the access server from "/etc/init.d/openvpnas start", and I can access the web admin interface, but it just gives me the "SVC_RUN_EXCEPT" to do with iptables when I try to start the server from the web admin.

danblee
OpenVpn Newbie
Posts: 4
Joined: Mon Nov 15, 2010 7:27 pm

Re: Server cannot start

Post by danblee » Thu Jan 24, 2013 8:49 pm

Hey I know this is an old post, but I thought this would help. Odds are you are not only running this on a VPS, but your host is using OpenVZ, which means TUN/TAP is not enabled on the container. I made a quick post about it on my blog. Hope this helps!

http://danblee.com/iptables-service-not ... un_except/
