Simple, right? Drop your config in the openvpn directory, not forgetting auth-user-pass /dir/to/foo within the conf file, and the VPN will start on boot. Not so much. Thanks to systemd (as I understand it at this point), for which I do not even see any realistic reason at this point. Manually start the connection, right: openvpn config.conf (or whatever name and flags you desire or require).

Now this all works out of the box on Debian, that special flavor I find myself using as a daily OS. Add openSUSE 42.1 = poof, zilch; sure, the VPN makes a connection, yet no traffic. Right off the bat this explains a firewall, aka iptables will require masquerading. No problem, right? That's where I've hit the wall.

So I flush all iptables by running vi flush-iptables.sh:

```sh
#!/bin/sh
echo "Flushing iptables rules..."
sleep 1
# Flush and delete every rule and user chain in the filter, nat and mangle tables
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Reset the built-in chain policies to ACCEPT
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
```

Then make the script executable:

```sh
chmod +x flush-iptables.sh
```

And run the script:

```sh
./flush-iptables.sh
```

Now I need to open a few things up, so I use this script to allow the VPN through: vi openvpn-iptables.sh

Then:

```sh
#!/bin/sh
# Accept responses to pings
iptables -A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
# Respond to pings
iptables -A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
# Accept traceroutes
iptables -A INPUT -p udp -m udp --dport 34000:35000 -j ACCEPT
# Enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# Allow all TUN
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A OUTPUT -o tun+ -j ACCEPT
iptables -A FORWARD -o tun+ -j ACCEPT
# Accept connections on 34448
iptables -A INPUT -p udp --dport 34448 -j ACCEPT
# Apply forwarding
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.10.2.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.10.2.0/24 -o eth0 -j MASQUERADE
# Display
iptables -L -v
```

Make the file executable:

```sh
chmod +x openvpn-iptables.sh
```

Run it:

```sh
./openvpn-iptables.sh
```

Run # iptables-save for persistence.

Should be good to go, but I've gone wrong somewhere. The VPN connects, but does not masquerade or forward through eth0; checking Wireshark, it's as bland as bland: it shows the connections to the VPN server, but that's about it. It kills eth0 (I have not set only for network in the VPN config), but that matters not in this situation. Anyone complete this solution?

EDIT: The config file works flawlessly on two other machines locally, OS X as well as Debian. I've tried using the NetworkManager GUI in GNOME, as well as wicked; no such luck. Something is overriding iptables, or I have them completely incorrect. Here is the display:

```
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   64  5568 ACCEPT     all  --  lo     any     anywhere             anywhere
 946K 1228M ACCEPT     all  --  any    any     anywhere             anywhere             ctstate ESTABLISHED
  135  9180 ACCEPT     icmp --  any    any     anywhere             anywhere             ctstate RELATED
    0     0 input_int  all  --  tun0   any     anywhere             anywhere
 1466 61996 input_ext  all  --  any    any     anywhere             anywhere
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix "SFW2-IN-ILL-TARGET "
    0     0 DROP       all  --  any    any     anywhere             anywhere

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 TCPMSS     tcp  --  any    any     anywhere             anywhere             tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
    0     0 forward_int  all  --  tun0   any     anywhere             anywhere
    0     0 forward_ext  all  --  eth0   any     anywhere             anywhere
    0     0 forward_ext  all  --  wlan0  any     anywhere             anywhere
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix "SFW2-FWD-ILL-ROUTING "
    0     0 DROP       all  --  any    any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 610K packets, 58M bytes)
 pkts bytes target     prot opt in     out     source               destination
   64  5568 ACCEPT     all  --  any    lo      anywhere             anywhere

Chain forward_ext (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED icmp echo-reply
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED icmp destination-unreachable
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED icmp time-exceeded
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED icmp parameter-problem
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED icmp timestamp-reply
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED icmp address-mask-reply
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED icmp protocol-unreachable
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED icmp redirect
    0     0 ACCEPT     all  --  eth0   tun0    anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  wlan0  tun0    anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 DROP       all  --  any    any     anywhere             anywhere             PKTTYPE = multicast
    0     0 DROP       all  --  any    any     anywhere             anywhere             PKTTYPE = broadcast
    0     0 LOG        tcp  --  any    any     anywhere             anywhere             limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix "SFW2-FWDext-DROP-DEFLT "
    0     0 LOG        icmp --  any    any     anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix "SFW2-FWDext-DROP-DEFLT "
    0     0 LOG        udp  --  any    any     anywhere             anywhere             limit: avg 3/min burst 5 ctstate NEW LOG level warning tcp-options ip-options prefix "SFW2-FWDext-DROP-DEFLT "
    0     0 DROP       all  --  any    any     anywhere             anywhere

Chain forward_int (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED icmp echo-reply
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED icmp destination-unreachable
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED icmp time-exceeded
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED icmp parameter-problem
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED icmp timestamp-reply
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED icmp address-mask-reply
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED icmp protocol-unreachable
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED icmp redirect
    0     0 ACCEPT     all  --  tun0   eth0    anywhere             anywhere             ctstate NEW,RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  tun0   wlan0   anywhere             anywhere             ctstate NEW,RELATED,ESTABLISHED
    0     0 DROP       all  --  any    any     anywhere             anywhere             PKTTYPE = multicast
    0     0 DROP       all  --  any    any     anywhere             anywhere             PKTTYPE = broadcast
    0     0 LOG        tcp  --  any    any     anywhere             anywhere             limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix "SFW2-FWDint-DROP-DEFLT "
    0     0 LOG        icmp --  any    any     anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix "SFW2-FWDint-DROP-DEFLT "
    0     0 LOG        udp  --  any    any     anywhere             anywhere             limit: avg 3/min burst 5 ctstate NEW LOG level warning tcp-options ip-options prefix "SFW2-FWDint-DROP-DEFLT "
    0     0 reject_func  all  --  any    any     anywhere             anywhere

Chain input_ext (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  any    any     anywhere             anywhere             PKTTYPE = broadcast
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp source-quench
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-request
   33  4340 DROP       all  --  any    any     anywhere             anywhere             PKTTYPE = multicast
    0     0 DROP       all  --  any    any     anywhere             anywhere             PKTTYPE = broadcast
    0     0 LOG        tcp  --  any    any     anywhere             anywhere             limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix "SFW2-INext-DROP-DEFLT "
    0     0 LOG        icmp --  any    any     anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix "SFW2-INext-DROP-DEFLT "
    4   388 LOG        udp  --  any    any     anywhere             anywhere             limit: avg 3/min burst 5 ctstate NEW LOG level warning tcp-options ip-options prefix "SFW2-INext-DROP-DEFLT "
 1433 57656 DROP       all  --  any    any     anywhere             anywhere

Chain input_int (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere

Chain reject_func (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     tcp  --  any    any     anywhere             anywhere             reject-with tcp-reset
    0     0 REJECT     udp  --  any    any     anywhere             anywhere             reject-with icmp-port-unreachable
    0     0 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-proto-unreachable
```
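An added diagnostic, not part of the original post: the input_ext/forward_ext chains and the SFW2- log prefixes in the listing above are the chains SuSEfirewall2 generates, so the listing itself shows that the distribution firewall has reloaded its own ruleset over the hand-written rules. The script below parses a constructed, trimmed copy of that listing (assumed input; on a real host you would pipe `iptables -L -v` into `diagnose`) to report the FORWARD policy, the number of SuSEfirewall2 log prefixes, and the packets dropped inside one chain.

```shell
# Constructed sample: a trimmed copy of the post's 'iptables -L -v' listing
SAMPLE_LISTING='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   64  5568 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 input_int  all  --  tun0   any     anywhere             anywhere
 1466 61996 input_ext  all  --  any    any     anywhere             anywhere
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning prefix "SFW2-IN-ILL-TARGET "
    0     0 DROP       all  --  any    any     anywhere             anywhere
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 forward_int  all  --  tun0   any     anywhere             anywhere
    0     0 forward_ext  all  --  eth0   any     anywhere             anywhere
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning prefix "SFW2-FWD-ILL-ROUTING "
    0     0 DROP       all  --  any    any     anywhere             anywhere
Chain input_ext (1 references)
 pkts bytes target     prot opt in     out     source               destination
   33  4340 DROP       all  --  any    any     anywhere             anywhere             PKTTYPE = multicast
    4   388 LOG        udp  --  any    any     anywhere             anywhere             limit: avg 3/min burst 5 ctstate NEW LOG level warning prefix "SFW2-INext-DROP-DEFLT "
 1433 57656 DROP       all  --  any    any     anywhere             anywhere'

# Policy of a built-in chain, listing on stdin: chain_policy FORWARD -> DROP
chain_policy() {
    sed -n "s/^Chain $1 (policy \([A-Z]*\).*/\1/p"
}

# Distinct SuSEfirewall2 log prefixes (SFW2-*); more than zero means SFW2 built this ruleset
sfw2_prefixes() {
    grep -o 'prefix "SFW2-[A-Za-z-]*' | sort -u | wc -l | tr -d ' '
}

# Packets hitting DROP rules inside one chain: dropped_by input_ext -> 33 + 1433 = 1466
dropped_by() {
    awk -v c="$1" '$1 == "Chain" { cur = $2; next }
                   cur == c && $3 == "DROP" { sum += $1 }
                   END { print sum + 0 }'
}

# One-line verdict for the listing on stdin
diagnose() {
    listing=$(cat)
    fwd=$(printf '%s\n' "$listing" | chain_policy FORWARD)
    n=$(printf '%s\n' "$listing" | sfw2_prefixes)
    if [ "$n" -gt 0 ]; then
        echo "SuSEfirewall2 ruleset active ($n SFW2 prefixes, FORWARD policy $fwd): hand-written rules were replaced"
    else
        echo "no SuSEfirewall2 chains found, FORWARD policy $fwd"
    fi
}

printf '%s\n' "$SAMPLE_LISTING" | diagnose
```

The dropped_by total for input_ext (1466) matches the packet count on the INPUT rule that jumps into input_ext, which is the quickest way to confirm that the distribution chains, not the hand-written ones, are seeing the traffic.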