mudmanc4 Posted December 10, 2015

Simple, right? Drop your config in the openvpn directory, not forgetting auth-user-pass /dir/to/foo within the conf file, and the VPN will start on boot. Not so much. Thanks to systemd (as I understand it at this point), which I do not even see any realistic reason for at this point. Manually start the connection, right: openvpn config.conf (or whatever name and flags you desire or require).

Now this all works out of the box on Debian, that special flavor I find myself using as a daily OS. Add openSUSE 42.1 = poof, zilch; sure, the VPN makes the connection, yet no traffic. Right off the bat this explains a firewall, aka iptables will require masquerading. No problem, right? That's where I've hit the wall.

So I flush all iptables by running:

    vi flush-iptables.sh

    #!/bin/sh
    echo "Flushing iptables rules..."
    sleep 1
    # flush and delete every chain in the filter, nat and mangle tables
    iptables -F
    iptables -X
    iptables -t nat -F
    iptables -t nat -X
    iptables -t mangle -F
    iptables -t mangle -X
    # reset the built-in chain policies to accept everything
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT

Then make the script executable (+x adds the execute bit; -x would remove it):

    chmod +x flush-iptables.sh

And run the script:

    ./flush-iptables.sh

Now I need to open a few things up, so I use this script to allow the VPN through:

    vi openvpn-iptables.sh

Then:

    #!/bin/sh
    # Accept responses to pings
    iptables -A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
    # Respond to pings
    iptables -A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
    # Accept traceroutes
    iptables -A INPUT -p udp -m udp --dport 34000:35000 -j ACCEPT
    # Enable forwarding
    echo 1 > /proc/sys/net/ipv4/ip_forward
    # Allow all TUN
    iptables -A INPUT -i tun+ -j ACCEPT
    iptables -A OUTPUT -o tun+ -j ACCEPT
    iptables -A FORWARD -o tun+ -j ACCEPT
    # Accept connections on 34448
    iptables -A INPUT -p udp --dport 34448 -j ACCEPT
    # Apply forwarding
    iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -s 10.10.2.0/24 -j ACCEPT
    iptables -A FORWARD -j REJECT
    iptables -t nat -A POSTROUTING -s 10.10.2.0/24 -o eth0 -j MASQUERADE
    # Display
    iptables -L -v

Make the file executable:

    chmod +x openvpn-iptables.sh

Run it:

    ./openvpn-iptables.sh

Run iptables-save for persistence.

Should be good to go, but I've gone wrong somewhere. The VPN connects, but does not masquerade nor forward through eth0; checking Wireshark it's as bland as bland, shows the connections to the VPN server but that's about it. Kills eth0 (I have not set only for network in the VPN config), but that matters not in this situation.

Anyone complete this solution?

EDIT: The config file works flawlessly on two other machines locally, OS X as well as Debian. I've tried using the network manager GUI (GNOME), as well as wicked, no such luck; something is overriding iptables, or I have them completely incorrect. Here is the display:

    Chain INPUT (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source      destination
       64  5568 ACCEPT     all  --  lo     any     anywhere    anywhere
     946K 1228M ACCEPT     all  --  any    any     anywhere    anywhere    ctstate ESTABLISHED
      135  9180 ACCEPT     icmp --  any    any     anywhere    anywhere    ctstate RELATED
        0     0 input_int  all  --  tun0   any     anywhere    anywhere
     1466 61996 input_ext  all  --  any    any     anywhere    anywhere
        0     0 LOG        all  --  any    any     anywhere    anywhere    limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix "SFW2-IN-ILL-TARGET "
        0     0 DROP       all  --  any    any     anywhere    anywhere

    Chain FORWARD (policy DROP 0 packets, 0 bytes)
     pkts bytes target      prot opt in     out     source      destination
        0     0 TCPMSS      tcp  --  any    any     anywhere    anywhere    tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
        0     0 forward_int all  --  tun0   any     anywhere    anywhere
        0     0 forward_ext all  --  eth0   any     anywhere    anywhere
        0     0 forward_ext all  --  wlan0  any     anywhere    anywhere
        0     0 LOG         all  --  any    any     anywhere    anywhere    limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix "SFW2-FWD-ILL-ROUTING "
        0     0 DROP        all  --  any    any     anywhere    anywhere

    Chain OUTPUT (policy ACCEPT 610K packets, 58M bytes)
     pkts bytes target     prot opt in     out     source      destination
       64  5568 ACCEPT     all  --  any    lo      anywhere    anywhere

    Chain forward_ext (2 references)
     pkts bytes target     prot opt in     out     source      destination
        0     0 ACCEPT     icmp --  any    any     anywhere    anywhere    ctstate RELATED,ESTABLISHED icmp echo-reply
        0     0 ACCEPT     icmp --  any    any     anywhere    anywhere    ctstate RELATED,ESTABLISHED icmp destination-unreachable
        0     0 ACCEPT     icmp --  any    any     anywhere    anywhere    ctstate RELATED,ESTABLISHED icmp time-exceeded
        0     0 ACCEPT     icmp --  any    any     anywhere    anywhere    ctstate RELATED,ESTABLISHED icmp parameter-problem
        0     0 ACCEPT     icmp --  any    any     anywhere    anywhere    ctstate RELATED,ESTABLISHED icmp timestamp-reply
        0     0 ACCEPT     icmp --  any    any     anywhere    anywhere    ctstate RELATED,ESTABLISHED icmp address-mask-reply
        0     0 ACCEPT     icmp --  any    any     anywhere    anywhere    ctstate RELATED,ESTABLISHED icmp protocol-unreachable
        0     0 ACCEPT     icmp --  any    any     anywhere    anywhere    ctstate RELATED,ESTABLISHED icmp redirect
        0     0 ACCEPT     all  --  eth0   tun0    anywhere    anywhere    ctstate RELATED,ESTABLISHED
        0     0 ACCEPT     all  --  wlan0  tun0    anywhere    anywhere    ctstate RELATED,ESTABLISHED
        0     0 DROP       all  --  any    any     anywhere    anywhere    PKTTYPE = multicast
        0     0 DROP       all  --  any    any     anywhere    anywhere    PKTTYPE = broadcast
        0     0 LOG        tcp  --  any    any     anywhere    anywhere    limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix "SFW2-FWDext-DROP-DEFLT "
        0     0 LOG        icmp --  any    any     anywhere    anywhere    limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix "SFW2-FWDext-DROP-DEFLT "
        0     0 LOG        udp  --  any    any     anywhere    anywhere    limit: avg 3/min burst 5 ctstate NEW LOG level warning tcp-options ip-options prefix "SFW2-FWDext-DROP-DEFLT "
        0     0 DROP       all  --  any    any     anywhere    anywhere

    Chain forward_int (1 references)
     pkts bytes target      prot opt in     out     source      destination
        0     0 ACCEPT      icmp --  any    any     anywhere    anywhere    ctstate RELATED,ESTABLISHED icmp echo-reply
        0     0 ACCEPT      icmp --  any    any     anywhere    anywhere    ctstate RELATED,ESTABLISHED icmp destination-unreachable
        0     0 ACCEPT      icmp --  any    any     anywhere    anywhere    ctstate RELATED,ESTABLISHED icmp time-exceeded
        0     0 ACCEPT      icmp --  any    any     anywhere    anywhere    ctstate RELATED,ESTABLISHED icmp parameter-problem
        0     0 ACCEPT      icmp --  any    any     anywhere    anywhere    ctstate RELATED,ESTABLISHED icmp timestamp-reply
        0     0 ACCEPT      icmp --  any    any     anywhere    anywhere    ctstate RELATED,ESTABLISHED icmp address-mask-reply
        0     0 ACCEPT      icmp --  any    any     anywhere    anywhere    ctstate RELATED,ESTABLISHED icmp protocol-unreachable
        0     0 ACCEPT      icmp --  any    any     anywhere    anywhere    ctstate RELATED,ESTABLISHED icmp redirect
        0     0 ACCEPT      all  --  tun0   eth0    anywhere    anywhere    ctstate NEW,RELATED,ESTABLISHED
        0     0 ACCEPT      all  --  tun0   wlan0   anywhere    anywhere    ctstate NEW,RELATED,ESTABLISHED
        0     0 DROP        all  --  any    any     anywhere    anywhere    PKTTYPE = multicast
        0     0 DROP        all  --  any    any     anywhere    anywhere    PKTTYPE = broadcast
        0     0 LOG         tcp  --  any    any     anywhere    anywhere    limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix "SFW2-FWDint-DROP-DEFLT "
        0     0 LOG         icmp --  any    any     anywhere    anywhere    limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix "SFW2-FWDint-DROP-DEFLT "
        0     0 LOG         udp  --  any    any     anywhere    anywhere    limit: avg 3/min burst 5 ctstate NEW LOG level warning tcp-options ip-options prefix "SFW2-FWDint-DROP-DEFLT "
        0     0 reject_func all  --  any    any     anywhere    anywhere

    Chain input_ext (1 references)
     pkts bytes target     prot opt in     out     source      destination
        0     0 DROP       all  --  any    any     anywhere    anywhere    PKTTYPE = broadcast
        0     0 ACCEPT     icmp --  any    any     anywhere    anywhere    icmp source-quench
        0     0 ACCEPT     icmp --  any    any     anywhere    anywhere    icmp echo-request
       33  4340 DROP       all  --  any    any     anywhere    anywhere    PKTTYPE = multicast
        0     0 DROP       all  --  any    any     anywhere    anywhere    PKTTYPE = broadcast
        0     0 LOG        tcp  --  any    any     anywhere    anywhere    limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix "SFW2-INext-DROP-DEFLT "
        0     0 LOG        icmp --  any    any     anywhere    anywhere    limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix "SFW2-INext-DROP-DEFLT "
        4   388 LOG        udp  --  any    any     anywhere    anywhere    limit: avg 3/min burst 5 ctstate NEW LOG level warning tcp-options ip-options prefix "SFW2-INext-DROP-DEFLT "
     1433 57656 DROP       all  --  any    any     anywhere    anywhere

    Chain input_int (1 references)
     pkts bytes target     prot opt in     out     source      destination
        0     0 ACCEPT     all  --  any    any     anywhere    anywhere

    Chain reject_func (1 references)
     pkts bytes target     prot opt in     out     source      destination
        0     0 REJECT     tcp  --  any    any     anywhere    anywhere    reject-with tcp-reset
        0     0 REJECT     udp  --  any    any     anywhere    anywhere    reject-with icmp-port-unreachable
        0     0 REJECT     all  --  any    any     anywhere    anywhere    reject-with icmp-proto-unreachable
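An added example, not part of the thread: a small POSIX sh script that reads saved listings of the filter table (`iptables -L -v -n -x`) and the nat table (`iptables -t nat -L -v -n -x`) and reports the conditions that would explain a tunnel that connects but forwards nothing. The two embedded listings are constructed samples modelled on the output posted above; the chain layout and the "SFW2-" log prefix are what SuSEfirewall2 really emits, the counters and addresses are made up. The checks are: who generated the ruleset (SFW2- prefixes mean SuSEfirewall2 owns the tables and will rewrite them on its next start, discarding hand-added rules), whether any ACCEPT on the forwarding path references a tun interface and whether it has ever matched a packet (zero counters point at ip_forward or routing rather than at the rules), and whether the nat table carries a MASQUERADE or SNAT rule at all.

```shell
#!/bin/sh
# Added example, not from the original thread. Reads two saved listings
# (filter table from `iptables -L -v -n -x`, nat table from
# `iptables -t nat -L -v -n -x`) and prints what is in the way of VPN forwarding.
# The sample listings at the bottom are constructed to resemble the thread's output.

diagnose() {
    # usage: diagnose FILTER_LISTING NAT_LISTING
    # Prints one FINDING line per problem; returns 1 if anything was found.
    filter="$1"
    nat="$2"
    problems=0

    # 1. Who owns the ruleset? SuSEfirewall2 tags its LOG rules with an SFW2- prefix
    #    and rewrites the tables on (re)start, so rules added by hand do not survive.
    if grep -q 'SFW2-' "$filter"; then
        echo "FINDING: SFW2-* log prefixes present: SuSEfirewall2 generated these chains and will replace hand-added rules"
        problems=$((problems + 1))
    fi

    # 2. Any ACCEPT for a tun interface outside INPUT/OUTPUT (i.e. on the forwarding
    #    path, including user chains such as forward_int), and has it ever matched?
    #    Columns of -L -v -n: pkts bytes target prot opt in out source destination ...
    set -- $(awk '
        /^Chain / { chain = $2; next }
        tolower(chain) ~ /^(input|output)/ { next }
        $3 == "ACCEPT" && ($6 ~ /^tun/ || $7 ~ /^tun/) { n++; hits += $1 }
        END { print n + 0, hits + 0 }' "$filter")
    rules="$1"
    hits="$2"
    if [ "$rules" -eq 0 ]; then
        echo "FINDING: no ACCEPT rule on the forwarding path references a tun interface"
        problems=$((problems + 1))
    elif [ "$hits" -eq 0 ]; then
        echo "FINDING: tun forwarding rules exist but have matched 0 packets: check net.ipv4.ip_forward and the routes that should send traffic into the tunnel"
        problems=$((problems + 1))
    fi

    # 3. Without source NAT, replies to the tunnel subnet have no way back.
    if ! grep -Eq 'MASQUERADE|SNAT' "$nat"; then
        echo "FINDING: nat table has no MASQUERADE/SNAT rule for the tunnel subnet"
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ]
}

# Constructed sample: SuSEfirewall2 layout as in the thread, tun rule never hit, no NAT.
sample_broken_filter() {
    cat <<'EOF'
Chain INPUT (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      64       5568 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
       0          0 input_int  all  --  tun0   *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 forward_int  all  --  tun0   *       0.0.0.0/0            0.0.0.0/0
       0          0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 6 level 4 prefix "SFW2-FWD-ILL-ROUTING "
       0          0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain forward_int (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 ACCEPT     all  --  tun0   eth0    0.0.0.0/0            0.0.0.0/0            ctstate NEW,RELATED,ESTABLISHED
       0          0 reject_func  all  --  *      *       0.0.0.0/0            0.0.0.0/0
EOF
}
sample_broken_nat() {
    cat <<'EOF'
Chain POSTROUTING (policy ACCEPT 40 packets, 2800 bytes)
    pkts      bytes target     prot opt in     out     source               destination
EOF
}

# Constructed sample of a working host: tun rule in FORWARD with hits, MASQUERADE present.
sample_ok_filter() {
    cat <<'EOF'
Chain INPUT (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     120      18000 ACCEPT     all  --  tun+   *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     340     210000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
      55       4400 ACCEPT     all  --  tun+   eth0    10.10.2.0/24         0.0.0.0/0
       0          0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
EOF
}
sample_ok_nat() {
    cat <<'EOF'
Chain POSTROUTING (policy ACCEPT 40 packets, 2800 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      55       4400 MASQUERADE  all  --  *      eth0    10.10.2.0/24         0.0.0.0/0
EOF
}

# Stand-alone use: `sh diag.sh FILTER_FILE NAT_FILE`; with no arguments, run the broken sample.
if [ $# -eq 2 ]; then
    diagnose "$1" "$2"
elif [ $# -eq 0 ]; then
    tmp=$(mktemp -d)
    sample_broken_filter > "$tmp/filter"; sample_broken_nat > "$tmp/nat"
    diagnose "$tmp/filter" "$tmp/nat" || true
    rm -rf "$tmp"
fi
```

On a live host, save the listings first (`iptables -L -v -n -x > filter.txt; iptables -t nat -L -v -n -x > nat.txt`) and feed both files to the script; the `-x` flag keeps the counters exact instead of abbreviated with K/M suffixes.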
CA3LE Posted December 10, 2015

firewalld? If installed, try uninstalling or disabling it. I had that issue on a CentOS 7 install the other day. openSUSE makes reference to firewalld, so it makes me think they're using it. Maybe that's the issue.

In CentOS the commands to disable firewalld are:

    systemctl disable firewalld

stop firewalld:

    systemctl stop firewalld

firewalld status:

    systemctl status firewalld

Once disabled, iptables take effect. Hope this helps.
mudmanc4 Posted December 10, 2015 (Author)

37 minutes ago, CA3LE said:

    firewalld? If installed, try uninstalling or disabling it. I had that issue on a CentOS 7 install the other day. openSUSE makes reference to firewalld, so it makes me think they're using it. Maybe that's the issue. In CentOS the commands to disable firewalld are: systemctl disable firewalld; stop firewalld: systemctl stop firewalld; firewalld status: systemctl status firewalld. Once disabled, iptables take effect. Hope this helps.

    # systemctl status firewalld
    firewalld.service
       Loaded: not-found (Reason: No such file or directory)
       Active: inactive (dead)
mudmanc4 Posted December 10, 2015 (Author)

You're on the right track, I'm certain. Something is blocking this mess; in RHEL the GUI will override writing to iptables outside of manually updating /etc/sysconfig/iptables, correct? So I am 'assuming' at this point there is a conflict between nm and susefirewall. Since '/sbin/rcSuSEfirewall2 stop' will torch everything, I'm again assuming this is no more than a wrapper to iptables, just as any other GUI 'firewall'.
mudmanc4 Posted December 10, 2015 (Author)

BTW, AppArmor is disabled.
CA3LE Posted December 10, 2015

Have you tried

    /sbin/SuSEfirewall2 off

I don't think that would torch everything, as long as iptables isn't blocking you. Make sure you have the following so you don't get locked out (change 22 to your SSH port):

    iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
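An added example, not code from the thread: the ruleset the first post was trying to assemble, written as a generator for iptables-restore rather than as a flush script followed by a string of `iptables -A` calls. Loading the whole set in one transaction means there is no window in which the policies are ACCEPT and the chains are empty, INPUT stays at policy DROP, the SSH allow rule that the reply above insists on is part of the set, and only the tunnel subnet may be forwarded and masqueraded out the WAN interface. The subnet 10.10.2.0/24, the port 34448 and eth0 are taken from the first post; the SSH port and the script name are assumptions. On openSUSE 42.1 SuSEfirewall2 still has to be disabled first, as the thread found, or it will replace these tables the next time it starts.

```shell
#!/bin/sh
# Added example, not from the original thread: generate (and optionally load) an
# iptables-restore ruleset for a host that terminates an OpenVPN tunnel on tun+
# and masquerades the tunnel subnet out the WAN interface.
# usage: sh ovpn-rules.sh [VPN_NET] [WAN_IF] [SSH_PORT] [OVPN_PORT]        -> print
#        sh ovpn-rules.sh apply [VPN_NET] [WAN_IF] [SSH_PORT] [OVPN_PORT]  -> load (root)
# Defaults: subnet, port and interface from the thread; SSH port 22 is an assumption.

build_ruleset() {
    net="${1:-10.10.2.0/24}"    # subnet handed out on the tunnel
    wan="${2:-eth0}"            # interface that masquerades
    ssh="${3:-22}"              # keep this open so you do not lock yourself out
    ovpn="${4:-34448}"          # UDP port the OpenVPN daemon listens on
    # iptables-restore replaces each table wholesale: nothing from a previous run lingers.
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -i $wan -p tcp --dport $ssh -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $wan -p udp --dport $ovpn -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i tun+ -o $wan -s $net -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $net -o $wan -j MASQUERADE
COMMIT
EOF
}

rule_count() {
    # number of rule lines (those starting with -A) in the generated set
    build_ruleset "$@" | grep -c '^-A'
}

apply_ruleset() {
    # Needs root. Forwarding must be on or the FORWARD chain is never consulted.
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    build_ruleset "$@" | iptables-restore
}

if [ "${1:-}" = "apply" ]; then
    shift
    apply_ruleset "$@"
else
    build_ruleset "$@"
fi
```

To persist the loaded set, save the output of `iptables-save` wherever your distribution's init reloads it from; on a host where SuSEfirewall2 is enabled that file is irrelevant, because SuSEfirewall2 regenerates the tables from its own configuration.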
mudmanc4 Posted December 10, 2015 (Author)

I've turned off susefirewall, removed iptables, removed network-manager, AppArmor; the network continues to function after a reboot. What is controlling this system?
CA3LE Posted December 10, 2015

Why do you need or want openSUSE in particular?
mudmanc4 Posted December 10, 2015 (Author)

5 minutes ago, CA3LE said:

    Why do you need or want openSUSE in particular?

I wanted to include this reason in the initial post, but thought it irrelevant, even muddling to the point at the time. Until now.

The answer is, I do not care to use openSUSE specifically. I've been corralled or forced into it at this point. The Mac is no longer a viable developing machine due to its age: slow, unresponsive and utterly useless when running several applications required. Excellent daily driver, however; El Capitan is a major improvement over the last several updates.

Next solution is the machine I am on now; however one 17" screen does not cover my requirements. The only usable card I have for this machine is an old NVIDIA card, which requires (Linux) proprietary drivers, the latest of which supports such a card is the 304.xx, where Debian does not have upstream viability since rev 8, and I do not expect to see it anytime in the near future.

So I'm working with what I have, which can pose challenges such as this. But this one has got to be user error; there should be no reason this system would be unable to run OpenVPN.
mudmanc4 Posted December 11, 2015 (Author)

Though I'm not one to sidetrack tenacity, there comes a time when fruitless becomes soured fruit. Imaged with Debian 8; amazing that Gallium 0.4 is functioning, though not using the card memory. I won't be gaming, so it's not important. Dropped the OpenVPN config in its place, and connected; boom, done, onward!
ybnrmalatall Posted December 16, 2015 (edited)

On 12/10/2015 at 11:01 AM, CA3LE said:

    firewalld? If installed, try uninstalling or disabling it. I had that issue on a CentOS 7 install the other day. openSUSE makes reference to firewalld, so it makes me think they're using it. Maybe that's the issue. In CentOS the commands to disable firewalld are: systemctl disable firewalld; stop firewalld: systemctl stop firewalld; firewalld status: systemctl status firewalld. Once disabled, iptables take effect. Hope this helps.

That is anything with systemd universally.

Edited December 16, 2015 by ybnrmalatall