iptables config for Openvpn

This forum is for admins who are looking to build or expand their OpenVPN setup.

Moderators: TinCanTech

timmyw
OpenVpn Newbie
Posts: 4
Joined: Mon Jan 31, 2011 8:19 am

iptables config for Openvpn

Post by timmyw » Mon Jan 31, 2011 9:13 am

Hi, currently I have to stop iptables to allow my VPN connections to connect; after that iptables can be run fine.

Can someone please share their iptables config? It would be very helpful to see.

My server config

Code:

route 192.168.1.0 255.255.255.0
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key  # This file should be kept secret
dh /etc/openvpn/easy-rsa/keys/dh1024.pem   # 1024-bit DH parameters are weak by current standards; 2048-bit or larger is recommended
server 10.8.0.0 255.255.255.0              # tunnel subnet; clients are assigned addresses from 10.8.0.0/24
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
user nobody                                # drop privileges after startup
group nobody
persist-key                                # needed so the daemon keeps working after dropping privileges
persist-tun
status openvpn-status.log
verb 3

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: iptables config for Openvpn

Post by maikcat » Mon Jan 31, 2011 10:39 am

hi there,

please post your iptables -L output (with the firewall enabled).

cheers,

michael
Amiga 500, ZX +2 owner
Long live Dino Dini (Kick Off 2 creator)

Inflammable means flammable? (Dr Nick Riviera, Simpsons Season 13)

"objects in mirror are losing"

timmyw
OpenVpn Newbie
Posts: 4
Joined: Mon Jan 31, 2011 8:19 am

Re: iptables config for Openvpn

Post by timmyw » Mon Jan 31, 2011 7:02 pm

Hey maikcat, as requested...

Code:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere            udp dpt:openvpn
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:openvpn
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:openvpn
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW,RELATED,ESTABLISHED tcp dpt:jpegmpeg
ACCEPT     tcp  --  anywhere             anywhere            state NEW,RELATED,ESTABLISHED tcp dpt:openvpn
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Sorry this was left out; it's all a bit of a mess and I was hoping there would be a simple list of chains to add.

many thanks,
tim

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: iptables config for Openvpn

Post by maikcat » Tue Feb 01, 2011 7:28 am

good day,

with a quick look, try adding the openvpn rule

ACCEPT udp -- anywhere anywhere udp dpt:openvpn

INSIDE the RH-Firewall-1-INPUT chain and see if this helps.

cheers,

michael

timmyw
OpenVpn Newbie
Posts: 4
Joined: Mon Jan 31, 2011 8:19 am

Re: iptables config for Openvpn

Post by timmyw » Wed Feb 02, 2011 8:23 am

Great! So obvious now that that was the issue. For anyone else finding this thread, here is my config for just the OpenVPN section of iptables:

Code:

# UDP/1194 accept placed inside RH-Firewall-1-INPUT; rules are evaluated in order,
# so this line must appear before that chain's final REJECT rule
-A RH-Firewall-1-INPUT -m state --state NEW,ESTABLISHED,RELATED -m udp -p udp --dport 1194 -j ACCEPT
# let traffic arriving from the tunnel out through eth0
-A FORWARD -i tun0 -o eth0 -j ACCEPT

many thanks, michael
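Why maikcat's diagnosis works, as an added example that is not part of the thread: the listing above shows INPUT's first rule is an unconditional jump into RH-Firewall-1-INPUT, and that chain ends with a REJECT, so the `udp dpt:openvpn` ACCEPT sitting in INPUT after the jump is never evaluated. The script below walks a ruleset the way the kernel does (first terminating match wins, a user chain that falls off its end returns to the caller) over a constructed iptables-save rendering of the posted `iptables -L` output, trimmed to the rules that matter. The `-i lo` on the first RH-Firewall-1-INPUT rule is an assumption (the listing only shows "all anywhere anywhere"); the `Packet`, `Rule`, `parse`, `walk` and `verdict` names are mine.

```python
"""Chain-order walk-through for the thread's firewall (added example, not thread code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

TERMINAL = {"ACCEPT", "DROP", "REJECT"}

# Constructed from the `iptables -L` listing in the thread. Assumption: the first
# "all anywhere anywhere" rule in RH-Firewall-1-INPUT is the stock `-i lo` rule.
ORIGINAL = """
:INPUT ACCEPT
:FORWARD ACCEPT
:RH-Firewall-1-INPUT -
-A INPUT -j RH-Firewall-1-INPUT
-A INPUT -p udp --dport 1194 -j ACCEPT
-A INPUT -p tcp --dport 1194 -j ACCEPT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW,RELATED,ESTABLISHED -p tcp --dport 1194 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
"""

# The two rules from the final post, placed where `-A` appends them: the UDP rule
# inside the sub-chain ahead of its REJECT, the tun0 rule at the end of FORWARD.
FIXED = ORIGINAL.replace(
    "-A RH-Firewall-1-INPUT -j REJECT",
    "-A RH-Firewall-1-INPUT -m state --state NEW,ESTABLISHED,RELATED "
    "-m udp -p udp --dport 1194 -j ACCEPT\n-A RH-Firewall-1-INPUT -j REJECT",
) + "-A FORWARD -i tun0 -o eth0 -j ACCEPT\n"


@dataclass(frozen=True)
class Packet:
    proto: str                       # "udp", "tcp" or "icmp"
    dport: Optional[int] = None
    iface: Optional[str] = "eth0"    # ingress interface (-i)
    oface: Optional[str] = None      # egress interface (-o), FORWARD only
    state: str = "NEW"               # what `-m state` would report


@dataclass
class Rule:
    chain: str
    target: str
    proto: Optional[str]
    dport: Optional[int]
    iface: Optional[str]
    oface: Optional[str]
    states: frozenset

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or pkt.proto == self.proto)
                and (self.dport is None or pkt.dport == self.dport)
                and (self.iface is None or pkt.iface == self.iface)
                and (self.oface is None or pkt.oface == self.oface)
                and (not self.states or pkt.state in self.states))


def parse(text: str):
    """Minimal iptables-save reader: chain policies plus -p/--dport/-i/-o/--state/-j."""
    policies, rules = {}, []
    for line in text.strip().splitlines():
        toks = line.split()
        if line.startswith(":"):
            policies[toks[0][1:]] = None if toks[1] == "-" else toks[1]
        elif line.startswith("-A "):
            def opt(flag):
                return toks[toks.index(flag) + 1] if flag in toks else None
            rules.append(Rule(
                chain=toks[1], target=opt("-j"), proto=opt("-p"),
                dport=int(opt("--dport")) if opt("--dport") else None,
                iface=opt("-i"), oface=opt("-o"),
                states=frozenset(opt("--state").split(",")) if opt("--state") else frozenset(),
            ))
    return policies, rules


def walk(chain, pkt, policies, rules, trace):
    """First terminating match wins; a user chain that runs out of rules returns
    to its caller, a built-in chain that runs out falls through to its policy."""
    for rule in (r for r in rules if r.chain == chain):
        if not rule.matches(pkt):
            continue
        trace.append(f"{chain} -> {rule.target}")
        if rule.target in TERMINAL:
            return rule.target
        if rule.target == "RETURN":
            return None
        sub = walk(rule.target, pkt, policies, rules, trace)   # jump into user chain
        if sub is not None:
            return sub
    return policies.get(chain)


def verdict(ruleset: str, chain: str, pkt: Packet) -> Tuple[Optional[str], List[str]]:
    """Return (final target or policy, list of rules that matched on the way)."""
    policies, rules = parse(ruleset)
    trace: List[str] = []
    return walk(chain, pkt, policies, rules, trace), trace


if __name__ == "__main__":
    handshake = Packet("udp", 1194)   # first packet of an OpenVPN session on eth0
    for name, rs in (("original", ORIGINAL), ("fixed", FIXED)):
        v, t = verdict(rs, "INPUT", handshake)
        print(f"{name:8} UDP/1194 NEW on eth0: {v}  via {' ; '.join(t)}")
    v, t = verdict(FIXED, "FORWARD", Packet("udp", 53, iface="tun0", oface="eth0"))
    print(f"fixed    tun0->eth0 NEW forward: {v}  via {' ; '.join(t)}")
```

Running it shows the original ruleset rejecting the UDP/1194 handshake from inside RH-Firewall-1-INPUT while the same packet over TCP is accepted (the sub-chain already had a TCP/1194 rule, which is why only UDP clients failed). The same walk applied to FORWARD is the caveat for the second rule in the final post: the listing shows FORWARD's first rule is also a jump into RH-Firewall-1-INPUT, so `-A FORWARD -i tun0 -o eth0 -j ACCEPT` appended after that jump is only reached for packets the sub-chain does not decide, and the sub-chain decides everything with its closing REJECT. A forwarding rule for new connections from the tunnel needs to be inserted ahead of the jump (`-I FORWARD`) or placed inside the sub-chain before its REJECT.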
