mudmanc4

OpenSuse => OpenVPN


Simple, right? Drop your config in the openvpn directory, not forgetting auth-user-pass /dir/to/foo within the conf file, and the VPN will start on boot.

Not so much. Thanks to systemd (as I understand it at this point), for which I do not even see any realistic reason at this point.

 

Manually start the connection, right? openvpn config.conf (or whatever name and flags you desire or require).

 

Now this all works out of the box on Debian, that special flavor I find myself using as a daily OS.

 

Add openSUSE 42.1 = poof, zilch. Sure, the VPN makes the connection, yet no traffic. Right off the bat this points to a firewall, aka iptables will require masquerading. No problem, right? That's where I've hit the wall. So I flush all iptables rules with a script, vi flush-iptables.sh:

#!/bin/sh
echo "Flushing iptables rules..."
sleep 1
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

 

Then make the script executable:

chmod +x flush-iptables.sh

And run the script:

./flush-iptables.sh

 

Now I need to open a few things up so I use this script to allow the VPN through:

vi openvpn-iptables.sh

 

Then:

#!/bin/sh
# Accept responses to pings
iptables -A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
# Respond to pings
iptables -A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
# Accept traceroutes
iptables -A INPUT -p udp -m udp --dport 34000:35000 -j ACCEPT

# Enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Allow all TUN
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A OUTPUT -o tun+ -j ACCEPT
iptables -A FORWARD -o tun+ -j ACCEPT

# Accept connections on 34448
iptables -A INPUT -p udp --dport 34448 -j ACCEPT

# Apply forwarding
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.10.2.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.10.2.0/24 -o eth0 -j MASQUERADE

# Display
iptables -L -v

 

Make the file executable:

chmod +x openvpn-iptables.sh

 

Run it:

./openvpn-iptables.sh

 

Run # iptables-save to make it persistent.

Should be good to go, but I've gone wrong somewhere.

 

The VPN connects, but does not masquerade or forward through eth0; checking Wireshark, it's as bland as bland: it shows the connections to the VPN server, but that's about it. It kills eth0 (I have not set it for only the network in the VPN config), but that matters not in this situation.

 

Anyone complete this solution?

EDIT:

The config file works flawlessly on two other machines locally, OS X as well as Debian.

I've tried using the NetworkManager GUI in GNOME, as well as wicked; no such luck. Something is overriding iptables, or I have them completely incorrect.

 

Here is the display:

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   64  5568 ACCEPT     all  --  lo     any     anywhere             anywhere            
 946K 1228M ACCEPT     all  --  any    any     anywhere             anywhere             ctstate ESTABLISHED
  135  9180 ACCEPT     icmp --  any    any     anywhere             anywhere             ctstate RELATED
    0     0 input_int  all  --  tun0   any     anywhere             anywhere            
 1466 61996 input_ext  all  --  any    any     anywhere             anywhere            
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix "SFW2-IN-ILL-TARGET "
    0     0 DROP       all  --  any    any     anywhere             anywhere            

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 TCPMSS     tcp  --  any    any     anywhere             anywhere             tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
    0     0 forward_int  all  --  tun0   any     anywhere             anywhere            
    0     0 forward_ext  all  --  eth0   any     anywhere             anywhere            
    0     0 forward_ext  all  --  wlan0  any     anywhere             anywhere            
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix "SFW2-FWD-ILL-ROUTING "
    0     0 DROP       all  --  any    any     anywhere             anywhere            

Chain OUTPUT (policy ACCEPT 610K packets, 58M bytes)
 pkts bytes target     prot opt in     out     source               destination         
   64  5568 ACCEPT     all  --  any    lo      anywhere             anywhere            

Chain forward_ext (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED icmp echo-reply
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED icmp destination-unreachable
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED icmp time-exceeded
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED icmp parameter-problem
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED icmp timestamp-reply
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED icmp address-mask-reply
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED icmp protocol-unreachable
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED icmp redirect
    0     0 ACCEPT     all  --  eth0   tun0    anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  wlan0  tun0    anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 DROP       all  --  any    any     anywhere             anywhere             PKTTYPE = multicast
    0     0 DROP       all  --  any    any     anywhere             anywhere             PKTTYPE = broadcast
    0     0 LOG        tcp  --  any    any     anywhere             anywhere             limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix "SFW2-FWDext-DROP-DEFLT "
    0     0 LOG        icmp --  any    any     anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix "SFW2-FWDext-DROP-DEFLT "
    0     0 LOG        udp  --  any    any     anywhere             anywhere             limit: avg 3/min burst 5 ctstate NEW LOG level warning tcp-options ip-options prefix "SFW2-FWDext-DROP-DEFLT "
    0     0 DROP       all  --  any    any     anywhere             anywhere            

Chain forward_int (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED icmp echo-reply
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED icmp destination-unreachable
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED icmp time-exceeded
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED icmp parameter-problem
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED icmp timestamp-reply
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED icmp address-mask-reply
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED icmp protocol-unreachable
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED icmp redirect
    0     0 ACCEPT     all  --  tun0   eth0    anywhere             anywhere             ctstate NEW,RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  tun0   wlan0   anywhere             anywhere             ctstate NEW,RELATED,ESTABLISHED
    0     0 DROP       all  --  any    any     anywhere             anywhere             PKTTYPE = multicast
    0     0 DROP       all  --  any    any     anywhere             anywhere             PKTTYPE = broadcast
    0     0 LOG        tcp  --  any    any     anywhere             anywhere             limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix "SFW2-FWDint-DROP-DEFLT "
    0     0 LOG        icmp --  any    any     anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix "SFW2-FWDint-DROP-DEFLT "
    0     0 LOG        udp  --  any    any     anywhere             anywhere             limit: avg 3/min burst 5 ctstate NEW LOG level warning tcp-options ip-options prefix "SFW2-FWDint-DROP-DEFLT "
    0     0 reject_func  all  --  any    any     anywhere             anywhere            

Chain input_ext (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  any    any     anywhere             anywhere             PKTTYPE = broadcast
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp source-quench
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-request
   33  4340 DROP       all  --  any    any     anywhere             anywhere             PKTTYPE = multicast
    0     0 DROP       all  --  any    any     anywhere             anywhere             PKTTYPE = broadcast
    0     0 LOG        tcp  --  any    any     anywhere             anywhere             limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix "SFW2-INext-DROP-DEFLT "
    0     0 LOG        icmp --  any    any     anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix "SFW2-INext-DROP-DEFLT "
    4   388 LOG        udp  --  any    any     anywhere             anywhere             limit: avg 3/min burst 5 ctstate NEW LOG level warning tcp-options ip-options prefix "SFW2-INext-DROP-DEFLT "
 1433 57656 DROP       all  --  any    any     anywhere             anywhere            

Chain input_int (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere            

Chain reject_func (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     tcp  --  any    any     anywhere             anywhere             reject-with tcp-reset
    0     0 REJECT     udp  --  any    any     anywhere             anywhere             reject-with icmp-port-unreachable
    0     0 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-proto-unreachable

 

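The display posted above can be read by its chain names: input_ext, forward_int and the "SFW2-" log prefixes are SuSEfirewall2's, and none of the rules from the script above appear in it, so the tables were rebuilt after the script ran. The following added shell example (not code from the thread) classifies an "iptables -L -v" dump by those markers and pulls out the chain policies and the chain each interface is dispatched to. The sample dump is constructed by trimming the display above; the firewalld and ufw chain names are the ones those tools create; when run as root it reads the live ruleset instead.

```shell
#!/bin/sh
# Added example, not code from the thread: work out who owns the live iptables
# ruleset from an "iptables -L -v" dump, so you know whether a hand-written
# script will survive. SuSEfirewall2 names its chains input_ext/forward_int/...
# and logs with an "SFW2-" prefix; firewalld's iptables backend uses
# IN_public/FWDI_public/INPUT_ZONES; ufw uses ufw-* chains.

# Sample input, constructed by trimming the "iptables -L -v" display posted above.
SAMPLE_DUMP='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   64  5568 ACCEPT     all  --  lo     any     anywhere             anywhere
 946K 1228M ACCEPT     all  --  any    any     anywhere             anywhere             ctstate ESTABLISHED
    0     0 input_int  all  --  tun0   any     anywhere             anywhere
 1466 61996 input_ext  all  --  any    any     anywhere             anywhere
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning prefix "SFW2-IN-ILL-TARGET "
    0     0 DROP       all  --  any    any     anywhere             anywhere

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 forward_int  all  --  tun0   any     anywhere             anywhere
    0     0 forward_ext  all  --  eth0   any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 610K packets, 58M bytes)
 pkts bytes target     prot opt in     out     source               destination
   64  5568 ACCEPT     all  --  any    lo      anywhere             anywhere'

# fw_owner DUMP -> prints suse-firewall2 | firewalld | ufw | custom
fw_owner() {
    if printf '%s\n' "$1" | grep -Eq 'SFW2-|^Chain (input|forward)_(int|ext|dmz)'; then
        echo suse-firewall2
    elif printf '%s\n' "$1" | grep -Eq '^Chain (IN_public|FWDI_public|INPUT_ZONES|FORWARD_IN_ZONES)'; then
        echo firewalld
    elif printf '%s\n' "$1" | grep -Eq '^Chain ufw-'; then
        echo ufw
    else
        echo custom
    fi
}

# chain_policy DUMP CHAIN -> the default policy of a built-in chain, e.g. DROP
chain_policy() {
    printf '%s\n' "$1" | sed -n "s/^Chain $2 (policy \([A-Z]*\).*/\1/p"
}

# input_target DUMP IFACE -> the target INPUT hands packets from IFACE to
# (column 6 of "iptables -L -v" is the in-interface, column 3 the target)
input_target() {
    printf '%s\n' "$1" | awk -v ifc="$2" '
        /^Chain /            { inchain = ($2 == "INPUT") }
        inchain && $6 == ifc { print $3; exit }'
}

# Use the live ruleset when it is readable (root), otherwise the sample.
DUMP=$(iptables -L -v -n 2>/dev/null) && [ -n "$DUMP" ] || DUMP=$SAMPLE_DUMP
echo "ruleset owner : $(fw_owner "$DUMP")"
echo "INPUT policy  : $(chain_policy "$DUMP" INPUT)"
echo "FORWARD policy: $(chain_policy "$DUMP" FORWARD)"
echo "tun0 -> INPUT : $(input_target "$DUMP" tun0)"
```

On the dump from this thread it reports suse-firewall2, INPUT and FORWARD at DROP, and tun0 dispatched to input_int. The practical consequence is that rules appended by hand are only as durable as the tool that owns the tables: either stop and disable that tool before loading your own ruleset, or express the rules in its configuration.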

firewalld? If installed, try uninstalling or disabling it. I had that issue on a CentOS 7 install the other day.

openSUSE makes reference to firewalld, so it makes me think they're using it. Maybe that's the issue.

In CentOS the command to disable firewalld is

systemctl disable firewalld

Stop firewalld:

systemctl stop firewalld

firewalld status:

systemctl status firewalld

Once disabled, iptables takes effect.

Hope this helps.

 

37 minutes ago, CA3LE said:

firewalld?  If installed, try uninstalling or disabling it.  I had that issue on a cent 7 install the other day.  

 


# systemctl status firewalld
firewalld.service
   Loaded: not-found (Reason: No such file or directory)
   Active: inactive (dead)

 


You're on the right track, I'm certain. Something is blocking this mess; in RHEL the GUI will override writing to iptables outside of manually updating /etc/sysconfig/iptables, correct?

So I am 'assuming' at this point there is a conflict between NM and SuSEfirewall.

Since '/sbin/rcSuSEfirewall2 stop' will torch everything, I'm again assuming this is no more than a wrapper to iptables, just as any other GUI 'firewall'.


Have you tried

/sbin/SuSEfirewall2 off

I don't think that would torch everything, as long as iptables isn't blocking you.

Make sure you have the following so you don't get locked out (change 22 to your SSH port):

iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT

 

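Building on the lockout warning above, here is an added shell example (not from the thread) that generates a ruleset for an OpenVPN client in iptables-restore format, with the SSH rule placed before anything restrictive, and applies it with a timed rollback so that a wrong rule undoes itself. The interface eth0, port 22, the file /etc/vpn-client.rules and the PID file path are assumptions. Two caveats a practitioner would want here: iptables-save only prints the ruleset, so redirect it to a file if you want anything to persist; and a client that merely routes its own traffic through tun0 needs neither ip_forward nor MASQUERADE, which are gateway settings, so the FORWARD chain below keeps its DROP policy with no rules.

```shell
#!/bin/sh
# Added example, not code from the thread: generate an OpenVPN *client*
# firewall ruleset in iptables-restore format and apply it with a timed
# rollback so that a typo cannot lock you out of SSH.
# Assumptions: LAN interface and SSH port come from the caller; the rollback
# PID file /run/fw-rollback.pid is an arbitrary choice.

# gen_rules LAN_IF SSH_PORT -> prints an iptables-restore ruleset on stdout
gen_rules() {
    lan_if=$1
    ssh_port=$2
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and replies to our own connections come first
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# SSH from the LAN side: this is the rule that keeps you from locking yourself out
-A INPUT -i $lan_if -p tcp --dport $ssh_port -m conntrack --ctstate NEW -j ACCEPT
# anything arriving over the tunnel; OpenVPN itself needs no INPUT rule on a
# client, its replies already match ESTABLISHED above
-A INPUT -i tun+ -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# a plain client forwards nothing, so FORWARD keeps its DROP policy and no rules
COMMIT
EOF
}

# syntax_check RULES_FILE -> 0 if iptables-restore parses the file (nothing is loaded)
syntax_check() {
    iptables-restore --test < "$1"
}

# apply_with_rollback RULES_FILE [SECONDS]: save the live ruleset, load
# RULES_FILE, and restore the saved one after SECONDS unless confirm_rules
# is called first. Needs root.
apply_with_rollback() {
    rules=$1
    grace=${2:-60}
    backup=$(mktemp /tmp/fw-backup.XXXXXX) || return 1
    iptables-save > "$backup" || return 1
    iptables-restore < "$rules" || return 1
    ( sleep "$grace" && [ -e "$backup" ] && iptables-restore < "$backup" ) &
    echo $! > /run/fw-rollback.pid
    echo "loaded $rules; run 'confirm_rules $backup' within ${grace}s or it rolls back"
}

# confirm_rules BACKUP_FILE: cancel the pending rollback and drop the backup
confirm_rules() {
    kill "$(cat /run/fw-rollback.pid 2>/dev/null)" 2>/dev/null || true
    rm -f "$1" /run/fw-rollback.pid
}

# Stand-alone run: print the ruleset for eth0 / port 22 (assumed values).
# To apply as root:  gen_rules eth0 22 > /etc/vpn-client.rules
#                    syntax_check /etc/vpn-client.rules && apply_with_rollback /etc/vpn-client.rules 60
gen_rules eth0 22
```

The order matters more than the individual rules: loopback and ESTABLISHED first, then the SSH accept, and only then a restrictive default policy, so that a new SSH session is still accepted while you test. If the rollback fires, the previous ruleset comes back on its own and you reconnect as before.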
5 minutes ago, CA3LE said:

Why do you need or want openSUSE in particular?

I wanted to include this reason in the initial post, but thought it irrelevant, even muddling to the point, at the time. Until now.

The answer is, I do not care to use openSUSE specifically. I've been corralled or forced into it at this point.

The Mac is no longer a viable development machine due to its age: slow, unresponsive and utterly useless when running the several applications required. Excellent daily driver, however. El Capitan is a major improvement over the last several updates.

The next solution is the machine I am on now; however, one 17" screen does not cover my requirements. The only usable card I have for this machine is an old NVIDIA card, which requires (Linux) proprietary drivers, the latest of which that supports such a card is the 304.xx series, which Debian has not had upstream viability for since rev 8, and I do not expect to see it anytime in the near future.

So I'm working with what I have, which can pose challenges such as this.

But this one has got to be user error; there should be no reason this system would be unable to run OpenVPN.


Though I'm not one to sidetrack tenacity, there comes a time when fruitless becomes soured fruit.

Imaged with Debian 8; amazing that Gallium 0.4 is functioning, though not using the card memory. I won't be gaming, so it's not important.

Dropped the OpenVPN config in its place, and connected. Boom, done, onward!

On 12/10/2015 at 11:01 AM, CA3LE said:

firewalld?  If installed, try uninstalling or disabling it.  I had that issue on a cent 7 install the other day.  

 


That* is anything with systemd universally. xD

 

*edit

Edited by ybnrmalatall

