OpenVPN Client Question

openvpn
v7

(Keith Haines) #21

I was actually able to figure it out. It’s not the firewall, it’s iptables. It’s not routing green packets to the vpn interface. I did some research online and found what looks like an answer.

I ran these iptables commands in an SSH session and am now able to ping the remote network from computers on my LAN.

iptables -A FORWARD -i enp0s20u4 -o tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -o enp0s20u4 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE <– edit: this is all I needed to run

Where enp0s20u4 is my green interface and tun0 is my openvpn tunnel.

And now it works! I haven’t tested it to see if it persists through reboots yet, but this is a big improvement from where I was.

Shouldn’t NS should be adding these routes to iptables when the vpn client is setup though?


(Keith Haines) #22

So, it’s not persistent through a reboot, but I figured out that all I needed to do was run this command:

iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

And then all is good. I just need to figure out how to make it persist through reboots now.


(Marcin) #23

There were no Shorewall:forward reject/drop in log?
EDIT:
ok if only nat rule is needed, I assume were no drops in log

As I wrote in my post Shorewall is blocking ping but accept rule is created, why?

i (also) have similar problem but with OUTPUT:REJECT: and don’t know if this possible to accept this in GUI (to have rules in one place) because from bash this should work.
I thought I it should work from GUI but it’s not - something is missing in Gui rule creation (just like here) or I’m making something wrong.


(Keith Haines) #24

I went back and removed the static routes, and all firewall rules to see if the firewall would otherwise be blocking the packets. I then rebooted my NS and ran the iptables command, and it still works!

So it looks like NS needs to add this iptables command when setting up an OpenVPN client.


(Keith Haines) #25

Hey @giacomo, I was able to fix it with this iptables command:

iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

Is this something that should be added to NS when creating OpenVPN clients?


(Keith Haines) #26

The only other issue I have is active FTP. :sweat_smile:

Active FTP is required for a medical program I use and doesn’t work through the VPN.

Luckily I found the issue was with the way my IP address appeared to the FTP server and enabling nf_nat_ftp seems to fix the issue. So in case anyone else is having a hard time with active ftp through an OpenVPN client, go into an SSH session and run this command to load the NAT ftp module:

modprobe nf_nat_ftp

You can then create a [filename].conf file (i.e. natftp.conf) in /etc/modules-load.d/ that simply states nf_nat_ftp so that the module gets loaded at startup.

Again, this is just in case anyone has an issue with active FTP downloads through a VPN tunnel. In general you should always use passive FTP (or avoid FTP all together if possible), but sometimes you can’t get around it like in my case with a proprietary program I use for work.

Otherwise, this post can be marked solved!!


(Giacomo Sanchietti) #27

Really good job Keith.

I never had to add the masquerade to the tun0.
If you want to make the modification permanent do this:

mkdir -p /etc/e-smith/templates/custom/etc/shorewall/masq
echo tun0 >>  /etc/e-smith/templates/custom/etc/shorewall/masq/90tun
signal-event firewall-adjust

(Filippo Carletti) #28

Hiding LAN IP addresses through a VPN is usually not desired, because you loose the source of access to resources.
But if @Keith_Haines sceanario is a common one we could file an issue for an improvement.


(Keith Haines) #29

I tried following your instructions, but it doesn’t persist through reboots.

Is there another way to make the iptables command persist through reboots?


(Eddie Atherton) #30

I think that really should have been:

mkdir -p /etc/e-smith/templates-custom/etc/shorewall/masq
echo tun0 >>  /etc/e-smith/templates-custom/etc/shorewall/masq/90tun
signal-event firewall-adjust

Cheers.


(Keith Haines) #31

That makes a lot more sense, I just tried it and it works great! Thanks!


(Keith Haines) #32

I just wanted to add that using the custom templates didn’t actually work. I ended up adding the iptables command to the /etc/shorewall/started file to get it to persist through reboots.