Can't view any web pages from client
Posted: Wed Aug 24, 2011 11:26 pm
by Braxen
I guess this has to do with iptables, but when I try to enter some from guides I just get kicked from ssh and I have to go to the server and plug in a monitor etc.
Server config:
Code:
mode server
tls-server
local 85.11.28.249
port 1194
proto udp
dev tap0 ## If you need multiple tap devices, add them here
up "/etc/openvpn/up.sh br0 tap0 1500"
down "/etc/openvpn/down.sh br0 tap0"
persist-key
persist-tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh1024.pem
tls-auth ta.key 0 # This file is secret
cipher BF-CBC # Blowfish (default)
comp-lzo
ifconfig-pool-persist ipp.txt
server-bridge 192.168.1.10 255.255.255.0 192.168.1.100 192.168.1.110
push "dhcp-option DNS 85.11.1.11"
push "redirect-gateway def1"
max-clients 10 ## set this to the max number of clients that should be connected at a time
user nobody
group nogroup
keepalive 10 120
status openvpn-status.log
verb 3
I followed some guide on the Ubuntu FAQ. Running Ubuntu 10.10.
The thing is, we don't have a firewall, neither do we have a router, we're wired directly to a modem and we can choose our own IPs, and I understand nothing of the guides since nobody has it like us.
I'm pretty new to *nix so this is kind of a big mess for me.
I don't think it's the client config that's the problem, and it's such a hassle to get it here so nope.
Re: Can't view any web pages from client
Posted: Thu Aug 25, 2011 5:44 am
by Mimiko
but when I try to enter some from guides I just get kicked from ssh
Enter some - what?
You are disconnected when OpenVPN is started?
Show all your iptables list. Even if you don't use a firewall, it's still there.
Re: Can't view any web pages from client
Posted: Thu Aug 25, 2011 6:04 am
by Braxen
When I enter some iptables commands it kicks me. I think it's a filter, yes?
Also it's 100% empty right now.
Re: Can't view any web pages from client
Posted: Thu Aug 25, 2011 6:14 am
by Mimiko
If you are trying to see iptables and you are disconnected, it's not an OpenVPN issue. Resolve privilege issues yourself first.
Re: Can't view any web pages from client
Posted: Thu Aug 25, 2011 6:29 am
by Braxen
Wait, what? If you mean sudo by privileges or something I've got it.
I have never used iptables before, I don't even know how they work.
You check them by "iptables -L" right?
Re: Can't view any web pages from client
Posted: Thu Aug 25, 2011 6:40 am
by Mimiko
It's not only running as root, but resolve the disconnection problem when trying to view iptables with: iptables -L.
If you never used iptables - try to learn it first. You will need to know how to use iptables when running OpenVPN.
Re: Can't view any web pages from client
Posted: Thu Aug 25, 2011 7:27 am
by Braxen
Yeah well but I want it now, are there any generators for them?
I guess that when I try to execute someone else's iptables config it blocks port 22 and other stuff so it kinda dies.
Re: Can't view any web pages from client
Posted: Thu Aug 25, 2011 7:50 am
by Bebop
Better than a generator is a script that you can modify to do whatever you like.
Scripting and Customizations » Routing and Firewall Scripts » IPTABLES secure Internet tunnel
Best of luck to solve your problem.
Re: Can't view any web pages from client
Posted: Thu Aug 25, 2011 8:01 am
by Braxen
That was the one I tried, and then the server box's internet broke and I had to go there and reset it.
Re: Can't view any web pages from client
Posted: Thu Aug 25, 2011 3:34 pm
by Braxen
So I tried it once more, and of course it disabled all internet access to the box. Eh this doesn't work.
Re: Can't view any web pages from client
Posted: Thu Aug 25, 2011 3:41 pm
by defsdoor
If you are adding firewall rules remotely I find a cron job to flush all your rules every so often just in case helps a lot.
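The safety net defsdoor describes, as an added example that is not part of any post in this thread: a reset script plus a temporary cron entry. The file paths and the IPT override are assumptions; policies are set to ACCEPT before the flush because the INPUT chain posted later in this thread has policy DROP, which a bare flush would leave in force.

```shell
#!/bin/sh
# Added example (not from the thread). Temporary safety net while editing
# iptables rules over ssh: cron re-opens the firewall every 10 minutes
# until it is disarmed again.
IPT=${IPT:-iptables}                             # overridable for dry runs (assumption)
CRON_FILE=${CRON_FILE:-/etc/cron.d/fw-failsafe}  # hypothetical file name
SELF=${SELF:-/usr/local/sbin/fw-failsafe.sh}     # hypothetical install path of this script

# Open the firewall. Policies go to ACCEPT *before* the flush: with
# "Chain INPUT (policy DROP)", a bare "iptables -F" deletes the ssh ACCEPT
# rule but keeps the DROP policy, which locks out every connection.
reset_firewall() {
    for chain in INPUT FORWARD OUTPUT; do
        "$IPT" -P "$chain" ACCEPT || return 1
    done
    for table in filter nat; do
        "$IPT" -t "$table" -F || return 1   # flush all rules in the table
        "$IPT" -t "$table" -X || return 1   # delete user-defined chains
    done
}

# Install the cron entry (run as root before changing any rules).
arm() {
    {
        echo 'PATH=/usr/sbin:/usr/bin:/sbin:/bin'   # cron's default PATH lacks /sbin
        echo "*/10 * * * * root $SELF reset"
    } > "$CRON_FILE"
}

# Remove the cron entry once the new rules are confirmed to work.
disarm() { rm -f "$CRON_FILE"; }

case "${1:-}" in
    reset)  reset_firewall ;;
    arm)    arm ;;
    disarm) disarm ;;
esac
```

Run it with "arm" before touching the rules and with "disarm" once a fresh ssh login works, so the firewall is not reopened every ten minutes for good.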
Re: Can't view any web pages from client
Posted: Thu Aug 25, 2011 3:44 pm
by Braxen
defsdoor wrote: If you are adding firewall rules remotely I find a cron job to flush all your rules every so often just in case helps a lot.
I just don't get this with iptables, does Ubuntu come with some hidden firewall installed or something?
Also I have never done cronjobs before, I only know what they are.
Re: Can't view any web pages from client
Posted: Thu Aug 25, 2011 3:47 pm
by Mimiko
Just show the result of "iptables -L" and "iptables -t nat -L". And show what rules you are adding.
Re: Can't view any web pages from client
Posted: Thu Aug 25, 2011 9:46 pm
by Braxen
Mimiko wrote: Just show the result of "iptables -L" and "iptables -t nat -L". And show what rules you are adding.
Code:
braxen@hyperbrax:/etc/openvpn$ sudo iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere udp dpt:openvpn
ACCEPT tcp -- anywhere anywhere tcp flags:ACK/ACK
ACCEPT udp -- anywhere anywhere udp spt:domain dpts:1024:65535
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT udp -- anywhere anywhere udp dpts:33434:33523
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- 10.0.0.0/24 anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
braxen@hyperbrax:/etc/openvpn$ sudo iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 10.0.0.0/24 anywhere
From what I can understand from that file, it blocks all ports except port 22, but I need a lot of ports..
Re: Can't view any web pages from client
Posted: Fri Aug 26, 2011 5:10 am
by Mimiko
I also asked you to show what rules you are willing to add that disconnect you.
Re: Can't view any web pages from client
Posted: Fri Aug 26, 2011 6:05 am
by Braxen
Mimiko wrote: I also asked you to show what rules you are willing to add that disconnect you.
Oh I closed that tab.. Well yeah I copypasted the script from that post above and changed the IP from 10.8.0.0 to 10.0.0.0.
It prevents ALL traffic except ssh, and I can't reset them except for a sudo reboot.
Re: Can't view any web pages from client
Posted: Fri Aug 26, 2011 6:21 am
by Mimiko
It prevents ALL traffic except ssh, and I can't reset them except for a sudo reboot.
It's because you didn't want to understand the script. Why are you using 10.0.0.0? In the script it said that this IP must be taken from the OpenVPN config file. In your config file you use a different IP pool: 192.168.1.0.
So instead of 10.8.0.0/24 in the script, use 192.168.1.0/24.
Be more self-studying, please.
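The comparison Mimiko asks for, as an added example that is not from the thread: read the subnet from the "server" or "server-bridge" line and check that a NAT rule names it. The sample files are constructed from the values posted above, and the rule file is assumed to be "iptables-save -t nat" output.

```shell
#!/bin/sh
# Added example, not from the thread: compare the subnet in the OpenVPN
# server config with the source subnets named in the NAT rules.

# vpn_subnet CONFIG: print NET/PREFIX taken from "server" or "server-bridge".
vpn_subnet() {
    line=$(awk '$1=="server" || $1=="server-bridge" {print $2, $3; exit}' "$1")
    [ -n "$line" ] || return 1
    old_ifs=$IFS; IFS=' .'; set -- $line; IFS=$old_ifs   # 4 address + 4 mask octets
    [ $# -eq 8 ] || return 1
    bits=0
    for m in "$5" "$6" "$7" "$8"; do      # prefix length = set bits in the mask
        while [ "$m" -gt 0 ]; do bits=$((bits + (m & 1))); m=$((m >> 1)); done
    done
    # address AND mask; for server-bridge this turns the gateway into the network
    echo "$(($1 & $5)).$(($2 & $6)).$(($3 & $7)).$(($4 & $8))/$bits"
}

# nat_sources RULES: print the -s value of each MASQUERADE/SNAT rule.
nat_sources() {
    awk '/-j (MASQUERADE|SNAT)/ { for (i = 1; i < NF; i++) if ($i == "-s") print $(i + 1) }' "$1"
}

# check_nat CONFIG RULES: 0 = a NAT rule names the VPN subnet, 1 = none does,
# 2 = no server directive found. Comparison is an exact string match.
check_nat() {
    want=$(vpn_subnet "$1") || { echo "no server directive in $1"; return 2; }
    for src in $(nat_sources "$2"); do
        if [ "$src" = "$want" ]; then echo "OK: NAT rule for $want"; return 0; fi
    done
    echo "MISMATCH: config says $want, NAT rules name: $(nat_sources "$2" | tr '\n' ' ')"
    return 1
}

# Constructed sample input modelled on the values posted in this thread.
demo() {
    dir=$(mktemp -d)
    echo 'server-bridge 192.168.1.10 255.255.255.0 192.168.1.100 192.168.1.110' > "$dir/server.conf"
    printf '%s\n' '*nat' '-A POSTROUTING -s 10.0.0.0/24 -j MASQUERADE' 'COMMIT' > "$dir/nat.rules"
    check_nat "$dir/server.conf" "$dir/nat.rules"; status=$?
    rm -rf "$dir"; return "$status"
}

if [ "${1:-}" = demo ]; then demo; fi
```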
Re: Can't view any web pages from client
Posted: Fri Aug 26, 2011 6:30 am
by krzee
try this:
Code:
iptables -I FORWARD -i tap+ -j ACCEPT
iptables -I FORWARD -o tap+ -j ACCEPT
Re: Can't view any web pages from client
Posted: Fri Aug 26, 2011 7:16 am
by Braxen
Mimiko wrote: It prevents ALL traffic except ssh, and I can't reset them except for a sudo reboot.
It's because you didn't want to understand the script. Why are you using 10.0.0.0? In the script it said that this IP must be taken from the OpenVPN config file. In your config file you use a different IP pool: 192.168.1.0.
So instead of 10.8.0.0/24 in the script, use 192.168.1.0/24.
Be more self-studying, please.
Yeah but I changed the config to something else since TLS didn't work vanilla in Ubuntu.
krzee wrote: try this:
Code:
iptables -I FORWARD -i tap+ -j ACCEPT
iptables -I FORWARD -o tap+ -j ACCEPT
Only those two?
Re: Can't view any web pages from client
Posted: Mon Aug 29, 2011 6:59 am
by Braxen
Well I'm back from partying, any clues?