me vs. openvpn with ipv4+ipv6


me vs. openvpn with ipv4+ipv6

Post by fckw » Fri Feb 19, 2016 8:44 pm

Hi all,

my goal is to set up an OpenVPN server to be used as an internet gateway for all client-generated IPv4 and IPv6 traffic. The setup for the IPv4 part was no problem, but now I'm struggling with IPv6. So please try to help me out...

what is working
ipv4
communication between client and server over ipv6

what is not working
The clients can't establish internet connections over IPv6. It seems like OpenVPN lacks rules/routes to handle packets from clients. Thus, it drops packets with the IPv6 source address of the clients. This can be seen in the last line of the server log. The weird thing (at least for me) is that the source address is the IPv6 address of the client's local interface and not that of the tun device.

server setup

ipv6 prefix


2b0c:6001:4:b0ad::/64
interface configuration


2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 96:06:e7:e5:7c:45 brd ff:ff:ff:ff:ff:ff
    inet 37.156.127.41/22 brd 37.120.191.255 scope global ens3
       valid_lft forever preferred_lft forever
    inet6 2b0c:6001:4:b0ad::1/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::417d:214b:f76b:ebf0/64 scope link 
       valid_lft forever preferred_lft forever
9: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 100
    link/none 
    inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 2b0c:6001:4:b0ad:ffff::1/112 scope global 
       valid_lft forever preferred_lft forever
kernel parameters:


net.ipv4.ip_forward=1
net.ipv6.conf.default.forwarding=1
net.ipv6.conf.all.forwarding=1
net.ipv6.conf.all.proxy_ndp=1
server configuration


port 443
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh4096.pem
server 10.8.0.0 255.255.255.0
server-ipv6 2b0c:6001:4:b0ad:ffff::/112
ifconfig-pool-persist ipp.txt
push "route-ipv6 2b0c:6001:4:b0ad:ffff::/112"
push "route-ipv6 2000::/3"
script-security 2
learn-address /etc/openvpn/scripts/ndp-proxy-setup.sh
push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"
keepalive 10 120
tls-auth /etc/openvpn/keys/ta.key 0 # This file is secret
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
auth SHA512
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 6
ndp-proxy-setup.sh


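#!/bin/bash
#
# OpenVPN --learn-address hook: publish the IPv6 address OpenVPN hands to a
# client as an NDP proxy entry on the WAN interface, so the upstream router
# resolves that address to this host and the client's traffic is routed back
# through the tunnel (net.ipv6.conf.all.proxy_ndp=1 must be set).
#
# OpenVPN invokes it as:  <script> add|update|delete <address> [<common name>]
# Per the --learn-address man page the exit status matters for add/update:
# non-zero makes OpenVPN reject the address, so a failed `ip neigh` call is
# surfaced instead of leaving the client with an address nobody routes to.
# Entries without a colon (IPv4 addresses/routes) are ignored with status 0.
set -euo pipefail

readonly pubif="ens3"   # WAN interface carrying the /64 the client pool is carved from

#######################################
# Whether an address string looks like IPv6 (contains at least one colon).
# Arguments: $1 - address as passed by OpenVPN
# Returns:   0 if it contains a colon, 1 otherwise (also for an empty argument)
#######################################
is_ipv6() {
  [[ "${1-}" == *:* ]]
}

#######################################
# Apply one learn-address operation to the NDP proxy table of the WAN interface.
# Globals:   pubif (read)
# Arguments: $1 - add | update | delete
#            $2 - address learned by OpenVPN
#            $3 - common name (passed by OpenVPN for add/update, unused here)
# Returns:   0 on success or for non-IPv6 input; non-zero when ip(8) fails or
#            the action is unknown
#######################################
main() {
  local action=${1:-}
  local addr=${2:-}

  is_ipv6 "$addr" || return 0

  # Audit trail: one syslog line per proxy-table change. A logging failure
  # must not reject the client, hence the explicit fallback.
  logger "${action} ndp proxy ${addr} for ${pubif}" || true

  # Every expansion is quoted: the values come from OpenVPN, but the original
  # script quoted only the update arm, which is the kind of inconsistency
  # ShellCheck (SC2086) flags.
  case "$action" in
    add)    ip -6 neigh add proxy "$addr" dev "$pubif" ;;
    update) ip -6 neigh replace proxy "$addr" dev "$pubif" ;;
    delete) ip -6 neigh del proxy "$addr" dev "$pubif" ;;
    *)
      printf 'ndp-proxy-setup: unknown learn-address action %s\n' "$action" >&2
      return 1
      ;;
  esac
}

main "$@"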
ip6tables config


*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-I TCP -p tcp -m recent --update --seconds 60 --name TCP-PORTSCAN -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m recent --set --name TCP-PORTSCAN -j REJECT --reject-with tcp-reset
-I UDP -p udp -m recent --update --seconds 60 --name UDP-PORTSCAN -j REJECT --reject-with icmp6-port-unreachable
-A INPUT -p udp -m recent --set --name UDP-PORTSCAN -j REJECT --reject-with icmp6-port-unreachable
-A TCP -p tcp -m tcp --dport 1234 -j ACCEPT

-A INPUT -i tun+ -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A UDP -p udp -m udp --dport 443 -j ACCEPT

-A INPUT -j REJECT
COMMIT
client

ipv6 prefix (dynamic allocation by provider)


2003:4c:1b2a:fa00::/56
interface configuration


2: enp0s25: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether d0:50:99:14:8c:df brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.68/24 brd 192.168.1.255 scope global enp0s25
       valid_lft forever preferred_lft forever
    inet6 2003:4c:1b2a:fa00:ae40:6f6a:c0ea:e332/64 scope global mngtmpaddr noprefixroute dynamic 
       valid_lft 6732sec preferred_lft 1332sec
    inet6 fe80::4ce6:a350:b067:c3b8/64 scope link 
       valid_lft forever preferred_lft forever
42: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 100
    link/none 
    inet 10.8.0.6 peer 10.8.0.5/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 2b0c:6001:4:b0ad:ffff::1000/112 scope global 
       valid_lft forever preferred_lft forever
client configuration


client
dev tun
proto udp
remote server.wtf 443
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert user.crt
key user.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
auth SHA512
comp-lzo
verb 6
explicit-exit-notify
server log


... tls handshake ...
Peer Connection Initiated with [AF_INET]84.150.95.65:38372
MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=2b0c:6001:4:b0ad:ffff::1000
MULTI: Learn: 10.8.0.6 -> philip/84.150.95.65:38372
MULTI: primary virtual IP for philip/84.150.95.65:38372: 10.8.0.6
MULTI: Learn: 2b0c:6001:4:b0ad:ffff::1000 -> philip/84.150.95.65:38372
MULTI: primary virtual IPv6 for philip/84.150.95.65:38372: 2b0c:6001:4:b0ad:ffff::1000
UDPv4 READ [155] from [AF_INET]84.150.95.65:38372: P_CONTROL_V1 kid=0 pid=[ #16 ] [ ] pid=8 DATA len=69
PUSH: Received control message: 'PUSH_REQUEST'
send_push_reply(): safe_cap=940
SENT CONTROL [philip]: 'PUSH_REPLY,ifconfig-ipv6 2b0c:6001:4:b0ad:ffff::1000/112 2b0c:6001:4:b0ad:ffff::1,route-ipv6 2b0c:6001:4:b0ad:ffff::/112,route-ipv6 2000::/3,redirect-gateway def1,dhcp-option DNS 10.8.0.1,tun-ipv6,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)
UDPv4 WRITE [94] to [AF_INET]84.150.95.65:38372: P_ACK_V1 kid=0 pid=[ #14 ] [ 8 ]
UDPv4 WRITE [427] to [AF_INET]84.150.95.65:38372: P_CONTROL_V1 kid=0 pid=[ #15 ] [ ] pid=9 DATA len=341
UDPv4 READ [94] from [AF_INET]84.150.95.65:38372: P_ACK_V1 kid=0 pid=[ #17 ] [ 9 ]
UDPv4 READ [161] from [AF_INET]84.150.95.65:38372: P_DATA_V1 kid=0 DATA len=160
MULTI: bad source address from client [2003:4c:1b2a:fa00:ae40:6f6a:c0ea:e332], packet dropped
...
client log


... tls handshake ...
Peer Connection Initiated with [AF_INET]37.156.127.41:443
SENT CONTROL [0xdefaced]: 'PUSH_REQUEST' (status=1)
UDPv4 WRITE [155] to [AF_INET]37.156.127.41:443: P_CONTROL_V1 kid=0 pid=[ #16 ] [ ] pid=8 DATA len=69
UDPv4 READ [94] from [AF_INET]37.156.127.41:443: P_ACK_V1 kid=0 pid=[ #14 ] [ 8 ]
UDPv4 READ [427] from [AF_INET]37.156.127.41:443: P_CONTROL_V1 kid=0 pid=[ #15 ] [ ] pid=9 DATA len=341
PUSH: Received control message: 'PUSH_REPLY,ifconfig-ipv6 2b0c:6001:4:b0ad:ffff::1000/112 2b0c:6001:4:b0ad:ffff::1,route-ipv6 2b0c:6001:4:b0ad:ffff::/112,route-ipv6 2000::/3,redirect-gateway def1,dhcp-option DNS 10.8.0.1,tun-ipv6,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
OPTIONS IMPORT: timers and/or timeouts modified
OPTIONS IMPORT: --ifconfig/up options modified
OPTIONS IMPORT: route options modified
OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=enp0s25 HWADDR=d0:50:99:14:8c:df
ROUTE6: default_gateway=UNDEF
TUN/TAP device tun0 opened
TUN/TAP TX queue length set to 100
do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=1
/usr/bin/ip link set dev tun0 up mtu 1500
/usr/bin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5
/usr/bin/ip -6 addr add 2b0c:6001:4:b0ad:ffff::1000/112 dev tun0
/usr/bin/ip route add 37.156.127.41/32 via 192.168.1.1
/usr/bin/ip route add 0.0.0.0/1 via 10.8.0.5
/usr/bin/ip route add 128.0.0.0/1 via 10.8.0.5
/usr/bin/ip route add 10.8.0.1/32 via 10.8.0.5
add_route_ipv6(2b0c:6001:4:b0ad:ffff::/112 -> 2b0c:6001:4:b0ad:ffff::1 metric -1) dev tun0
/usr/bin/ip -6 route add 2b0c:6001:4:b0ad:ffff::/112 dev tun0
add_route_ipv6(2000::/3 -> 2b0c:6001:4:b0ad:ffff::1 metric -1) dev tun0
/usr/bin/ip -6 route add 2000::/3 dev tun0
Initialization Sequence Completed
UDPv4 WRITE [94] to [AF_INET]37.156.127.41:443: P_ACK_V1 kid=0 pid=[ #17 ] [ 9 ]
TUN READ [72]
...


Re: me vs. openvpn with ipv4+ipv6

Post by Pippin » Fri Feb 19, 2016 11:41 pm

No experience with IPv6 but i see:


push "redirect-gateway def1"
For IPv6 shouldn't there also be


push "redirect-gateway IPv6"
:?:


Re: me vs. openvpn with ipv4+ipv6

Post by fckw » Sat Feb 20, 2016 12:05 am

I can't find this flag in the v2.3 man page. Btw., the "route everything through the tunnel" stuff should be covered by


push "route-ipv6 2000::/3"
...and it seems to work. I can observe traffic from the client at the server. The client-server communication is also working:

client -> server OK
server -> client OK
client -> server -> rest of the world FAIL due to packet dropping by OpenVPN


Re: me vs. openvpn with ipv4+ipv6

Post by ybk » Sat Feb 20, 2016 3:42 am

IPv6 is working for me after quite a bit of reading. I started from https://community.openvpn.net/openvpn/wiki/IPv6 and then finally found missing pieces here http://unix.stackexchange.com/questions ... vpn-tunnel
Not to mention that dealing with a gateway on a /48 while my network is a /64 was also not very trivial.

Here are all the changes (I think) required on CentOS 7 (besides certificates, etc.).
server.conf:


port 1194
proto udp
dev tun
sndbuf 0
rcvbuf 0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
topology subnet
server 10.8.0.0 255.255.255.0
server-ipv6 Prefix_64:8000::0/80
ifconfig-pool-persist ipp.txt
push "redirect-gateway"
push "redirect-gateway ipv6"
push "route-ipv6 Prefix_64::/65"
push "route-ipv6 Prefix_48::1"
push "route-ipv6 ::/0 Prefix_48::1"
push "dhcp-option DNS 10.8.0.1"
push "dhcp-option DNS Prefix_64:8000::1"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
crl-verify /etc/openvpn/easy-rsa/pki/crl.pem
ip -6 a:


1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 Prefix_64::2/65 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::xxxx:xxxx:xxxx:xxxx/64 scope link 
       valid_lft forever preferred_lft forever
8: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qlen 100
    inet6 Prefix_64:8001::1/80 scope global 
       valid_lft forever preferred_lft forever
9: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qlen 100
    inet6 Prefix_64:8000::1/80 scope global 
       valid_lft forever preferred_lft forever
ip -6 r:


Prefix_48::1 dev eth0  proto static  metric 100 
Prefix_64::/65 dev eth0  proto kernel  metric 256 
Prefix_64:8000::/80 dev tun0  proto kernel  metric 256 
Prefix_64:8001::/80 dev tun1  proto kernel  metric 256 
Prefix_48::/48 dev eth0  proto ra  metric 100 
fe80::/64 dev eth0  proto kernel  metric 256 
default via fe80::224:38ff:fe8e:3e00 dev eth0  proto static  metric 100 


# firewall-cmd --list-all --zone public
  public (default, active)
  interfaces: eth0
  sources: 
  services: dhcpv6-client openvpn ssh
  ports: 1194/tcp
  masquerade: yes
  forward-ports:
  icmp-blocks: 
  rich rules: 


# firewall-cmd --list-all --zone trusted
  trusted (active)
  interfaces: tun0 tun1
  sources: 
  services: 
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 


# cat /etc/sysctl.d/openvpn.conf 
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
net.ipv6.conf.all.proxy_ndp=1


# cat /etc/rc.d/rc.local
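# Pre-provision NDP proxy entries for both OpenVPN pools at boot. The post
# explains why: the learn-address hook never fired on this host, so the
# entries are added statically for pool members 4096..4196 (0x1000..0x1064)
# instead of per client. Unchanged behaviour, but the prefix, interface and
# range are named once rather than repeated inside the loop.
readonly prefix64="Prefix_64"   # the site /64, as abbreviated in the post
readonly wan_if="eth0"
readonly first_host=4096
readonly last_host=4196

#######################################
# Build the proxied address for one pool member.
# Globals:   prefix64 (read)
# Arguments: $1 - pool id (8000 for tun0, 8001 for tun1; see `ip -6 a` above)
#            $2 - decimal host number, rendered as hex like the original printf %x
# Outputs:   the address to stdout, no trailing newline
#######################################
proxy_address() {
  printf '%s:%s::%x' "$prefix64" "$1" "$2"
}

# C-style loop instead of $(seq ...): no extra process, and the bounds are
# shell variables rather than literals in the loop header.
for ((i = first_host; i <= last_host; i++)); do
  ip neigh add proxy "$(proxy_address 8000 "$i")" dev "$wan_if"
  ip neigh add proxy "$(proxy_address 8001 "$i")" dev "$wan_if"
done
touch /var/lock/subsys/local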
I have never been able to make OpenVPN call the learn-address script, so I just statically added a hundred addresses for each server.
This site https://www.bromosapien.net/media/index ... d_Firewall has a completely working setup using iptables, but I prefer firewalld. If the tunX network is added to the trusted zone it automatically enables IPv6 forwarding; otherwise only ICMPv6 is allowed.
You may find more iptables samples here https://www.sixxs.net/wiki/IPv6_Firewalling but using firewalld requires only a handful of commands, while iptables is quite involved.


Re: me vs. openvpn with ipv4+ipv6

Post by fckw » Sat Feb 20, 2016 11:44 am

Hi ybk,
thanks for sharing your config. Unfortunately it doesn't seem to work on my side. I've two errors in the client-side log:


Options error: route-ipv6 parameter gateway 'prefix::/64' must be a valid address
Options error: unknown --redirect-gateway flag: ipv6
Thus, I'm left with the routes directing the traffic intended for my /64 network into the tunnel. Everything else bypasses the tunnel and is routed through the client's local Ethernet interface.
My OpenVPN version is 2.3.9.


Re: me vs. openvpn with ipv4+ipv6

Post by ybk » Sat Feb 20, 2016 4:34 pm

The second error is harmless on Linux; the option is for iOS and OpenVPN 2.4.x, as the documentation says.

Not sure about first error.
I came to my set of IPv6 routes by trying manually on the client first and then entering them into the server configuration.
You may probably need to do the same to find the correct routes in your case.
Start from no routes other than the VPN subnet in the server config.


Re: me vs. openvpn with ipv4+ipv6

Post by ybk » Sun Feb 21, 2016 3:58 am

Regarding IPv6 VPN clients talking to each other: verified that ping6 from one client to another is working.
I don't have any running services, that is all I can test at this time.
However, an attempt to telnet to any port results in connection refused, as expected.
Time to think about proper firewall-cmd commands to close incoming connections from outside while leaving internal ones open...


Re: me vs. openvpn with ipv4+ipv6

Post by fckw » Sun Feb 21, 2016 1:20 pm

OK, I was close to losing my mind, but finally it is working....

Thank you for your help!!!

The config is working for my Linux clients (dual stack) and my Android devices (dual stack and IPv4 only).

server config


port 443                         
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh4096.pem
topology subnet
server 10.8.0.0 255.255.255.0
server-ipv6 </64 prefix>:ffff::/112
ifconfig-pool-persist ipp.txt
push "route-ipv6 2000::/3 </64 prefix>:ffff::1 1"
script-security 2
learn-address /etc/openvpn/scripts/ndp-proxy-setup.sh
push "redirect-gateway def1"
push "redirect-gateway ipv6"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
tls-auth /etc/openvpn/keys/ta.key 0
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
auth SHA512
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 6
client config


client
dev tun
proto udp
remote <server url or ip> 443
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
auth SHA512
comp-lzo
verb 6
explicit-exit-notify
/etc/openvpn/scripts/ndp-proxy-setup.sh (needs to be executable; add "sudo" if openvpn drops privileges)


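#!/bin/bash
#
# OpenVPN --learn-address hook: publish the IPv6 address OpenVPN hands to a
# client as an NDP proxy entry on the WAN interface, so the upstream router
# resolves that address to this host and the client's traffic is routed back
# through the tunnel (net.ipv6.conf.all.proxy_ndp=1 must be set).
#
# OpenVPN invokes it as:  <script> add|update|delete <address> [<common name>]
# Per the --learn-address man page the exit status matters for add/update:
# non-zero makes OpenVPN reject the address, so a failed `ip neigh` call is
# surfaced instead of leaving the client with an address nobody routes to.
# Entries without a colon (IPv4 addresses/routes) are ignored with status 0.
set -euo pipefail

readonly pubif="<server wan interface>"   # WAN interface carrying the /64 the pool is carved from

#######################################
# Whether an address string looks like IPv6 (contains at least one colon).
# Arguments: $1 - address as passed by OpenVPN
# Returns:   0 if it contains a colon, 1 otherwise (also for an empty argument)
#######################################
is_ipv6() {
  [[ "${1-}" == *:* ]]
}

#######################################
# Apply one learn-address operation to the NDP proxy table of the WAN interface.
# Globals:   pubif (read)
# Arguments: $1 - add | update | delete
#            $2 - address learned by OpenVPN
#            $3 - common name (passed by OpenVPN for add/update, unused here)
# Returns:   0 on success or for non-IPv6 input; non-zero when ip(8) fails or
#            the action is unknown
#######################################
main() {
  local action=${1:-}
  local addr=${2:-}

  is_ipv6 "$addr" || return 0

  # Audit trail: one syslog line per proxy-table change, so additions to the
  # neighbour table on the public interface can be correlated with client
  # sessions. A logging failure must not reject the client.
  logger "${action} ndp proxy ${addr} for ${pubif}" || true

  # All expansions quoted (the original left $addr/$pubif bare, SC2086).
  case "$action" in
    add)    ip -6 neigh add proxy "$addr" dev "$pubif" ;;
    update) ip -6 neigh replace proxy "$addr" dev "$pubif" ;;
    delete) ip -6 neigh del proxy "$addr" dev "$pubif" ;;
    *)
      printf 'ndp-proxy-setup: unknown learn-address action %s\n' "$action" >&2
      return 1
      ;;
  esac
}

main "$@"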
/etc/sysctl.d/30-ipforward.conf (run "sysctl -p /etc/sysctl.d/30-ipforward.conf" after adding this file or reboot)


net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
net.ipv6.conf.all.proxy_ndp=1
basic ip6table settings


*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Loopback is always allowed.
-A INPUT -i lo -j ACCEPT

# Drop what conntrack cannot classify, then let replies to existing flows
# through, both for the host itself (INPUT) and on the forwarding path.
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# ICMPv6 is accepted unconditionally. Neighbour Discovery runs over ICMPv6,
# and the proxy_ndp setup on the WAN interface depends on answering
# neighbour solicitations for the client addresses.
-A INPUT -p ipv6-icmp -j ACCEPT
-A FORWARD -p ipv6-icmp -j ACCEPT
# NOTE(review): this matches on the source prefix only, not on the ingress
# interface, so a packet arriving from the WAN side with a source inside the
# /64 is forwarded too. Pinning it with `-i tun+` (as the IPv4 table does)
# limits the allowance to traffic that actually came in over the VPN.
-A FORWARD -s <prefix>::/64 -j ACCEPT

# Everything else addressed to the host is rejected. NOTE(review): no rule
# here accepts new UDP/443 (the listener in the server config), so the
# OpenVPN handshake over IPv6 is presumably handled elsewhere or happens
# over IPv4 only -- confirm before relying on IPv6 transport.
-A INPUT -j REJECT
COMMIT
basic iptables settings


*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Replies to existing flows and loopback first, then drop what conntrack
# cannot classify.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Echo request (ping) from anywhere.
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT

# Anything arriving over a tunnel (tun+ matches tun0, tun1, ...) may reach
# the host and may be forwarded; return traffic is covered by conntrack.
# NOTE(review): the INPUT rule exposes every local service to VPN clients,
# not just the ones they need -- consider narrowing it to specific ports.
-A INPUT -i tun+ -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Everything else addressed to the host is rejected. NOTE(review): no rule
# here accepts new UDP/443 for the OpenVPN listener itself, so the complete
# rule set presumably adds one -- confirm, or clients cannot connect.
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
COMMIT

*nat
:PREROUTING ACCEPT [86:5890]
:INPUT ACCEPT [65:3910]
:OUTPUT ACCEPT [135:9901]
:POSTROUTING ACCEPT [145:10301]
# Source-NAT the private VPN pool (server 10.8.0.0 255.255.255.0) behind the
# WAN address. No IPv6 counterpart is needed: clients get globally routable
# addresses from the site /64 and are reached via the NDP proxy entries.
-A POSTROUTING -s 10.8.0.0/24 -o <server wan interface> -j MASQUERADE
COMMIT
