OpenVPN Client Question

Keith_Haines · March 1, 2017, 10:35pm

I was actually able to figure it out. It’s not the firewall, it’s iptables. It’s not routing green packets to the vpn interface. I did some research online and found what looks like an answer.

I ran these iptables commands in an SSH session and am now able to ping the remote network from computers on my LAN.

iptables -A FORWARD -i enp0s20u4 -o tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -o enp0s20u4 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE <– edit: this is all I needed to run

Where enp0s20u4 is my green interface and tun0 is my openvpn tunnel.

And now it works! I haven’t tested it to see if it persists through reboots yet, but this is a big improvement from where I was.

Shouldn’t NS should be adding these routes to iptables when the vpn client is setup though?

Keith_Haines · March 1, 2017, 10:45pm

So, it’s not persistent through a reboot, but I figured out that all I needed to do was run this command:

iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

And then all is good. I just need to figure out how to make it persist through reboots now.

dj_marian · March 1, 2017, 10:54pm

There were no Shorewall:forward reject/drop in log?
EDIT:
ok if only nat rule is needed, I assume were no drops in log

As I wrote in my post Shorewall is blocking ping but accept rule is created, why?

i (also) have similar problem but with OUTPUT:REJECT: and don’t know if this possible to accept this in GUI (to have rules in one place) because from bash this should work.
I thought I it should work from GUI but it’s not - something is missing in Gui rule creation (just like here) or I’m making something wrong.

Keith_Haines · March 1, 2017, 11:15pm

I went back and removed the static routes, and all firewall rules to see if the firewall would otherwise be blocking the packets. I then rebooted my NS and ran the iptables command, and it still works!

So it looks like NS needs to add this iptables command when setting up an OpenVPN client.

Keith_Haines · March 1, 2017, 11:17pm

Hey @giacomo, I was able to fix it with this iptables command:

iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

Is this something that should be added to NS when creating OpenVPN clients?

Keith_Haines · March 2, 2017, 8:12am

The only other issue I have is active FTP.

Active FTP is required for a medical program I use and doesn’t work through the VPN.

Luckily I found the issue was with the way my IP address appeared to the FTP server and enabling nf_nat_ftp seems to fix the issue. So in case anyone else is having a hard time with active ftp through an OpenVPN client, go into an SSH session and run this command to load the NAT ftp module:

modprobe nf_nat_ftp

You can then create a [filename].conf file (i.e. natftp.conf) in /etc/modules-load.d/ that simply states nf_nat_ftp so that the module gets loaded at startup.

Again, this is just in case anyone has an issue with active FTP downloads through a VPN tunnel. In general you should always use passive FTP (or avoid FTP all together if possible), but sometimes you can’t get around it like in my case with a proprietary program I use for work.

Otherwise, this post can be marked solved!!

giacomo · March 2, 2017, 10:11am

Really good job Keith.

I never had to add the masquerade to the tun0.
If you want to make the modification permanent do this:

mkdir -p /etc/e-smith/templates/custom/etc/shorewall/masq
echo tun0 >>  /etc/e-smith/templates/custom/etc/shorewall/masq/90tun
signal-event firewall-adjust

filippo_carletti · March 2, 2017, 3:35pm

Hiding LAN IP addresses through a VPN is usually not desired, because you loose the source of access to resources.
But if @Keith_Haines sceanario is a common one we could file an issue for an improvement.

Keith_Haines · March 5, 2017, 3:08am

I tried following your instructions, but it doesn’t persist through reboots.

Is there another way to make the iptables command persist through reboots?

EddieA · March 5, 2017, 6:12am

I think that really should have been:

mkdir -p /etc/e-smith/templates-custom/etc/shorewall/masq
echo tun0 >>  /etc/e-smith/templates-custom/etc/shorewall/masq/90tun
signal-event firewall-adjust

Cheers.

Keith_Haines · March 5, 2017, 6:51am

That makes a lot more sense, I just tried it and it works great! Thanks!

Keith_Haines · March 14, 2019, 9:50am

I just wanted to add that using the custom templates didn’t actually work. I ended up adding the iptables command to the /etc/shorewall/started file to get it to persist through reboots.