
Hi,
I recently set up ufw to prevent leaks if vpn goes down according to this wiki page: https://wiki.archlinux.org/index.php/Op … _goes_down
with slight changes:
 # Default policies
 ufw default deny incoming
 ufw default deny outgoing
 
 # Openvpn interface (adjust interface accordingly to your configuration)
 ufw allow in on tap0                        # <- here I changed tun0 to tap0
 ufw allow out on tap0                       # <-
 
 # Local Network (adjust ip accordingly to your configuration)
 ufw allow in on any from 192.168.1.0/24     # <- here I changed enp3s0 to any
 ufw allow out on any to 192.168.1.0/24      # <-
 ufw allow in on any to 192.168.0.0/24       # <- and added IPs
 ufw allow out on any to 192.168.0.0/24      # <-
 # Openvpn (adjust port accordingly to your configuration)
 ufw allow out on any to any port 1194       # <- again enp3s0 to any
 ufw allow in on any from any port 1194      # <-
 # DNS
 ufw allow in from any to any port 53
 ufw allow out from any to any port 53
However, I started to get these error messages:
 write UDPv4: Operation not permitted (code=1)
which prevents me from logging in to my VPN. I have to stop ufw, log in to the VPN and then start ufw again. After this I still get the occasional error message, but it does not disconnect me.
It is merely an annoying issue to restart ufw every time, but I would still like to know where I made a mistake.
Last edited by Phalkon (2016-03-25 02:26:53)
Why Linux? Because it doesn't hide anything from you. It puts you so closely in control of your machine that you can feel its heartbeat.

SOLVED
You cannot use "any" after "on" for an interface.
Last edited by Phalkon (2016-03-25 02:30:08)

Hi, could you put the commands you used instead? I wrote this guide on the wiki. I'm genuinely interested to see what's wrong! 
Edit: didn't see your edit on your first post, I'm an idiot! Thanks!
Could you edit the wiki accordingly?
Last edited by Laedorm (2016-04-29 03:46:50)

No I actually didn't. 
Here are the correct commands.
If you wish to allow the local network, you need to edit the commands accordingly (change "any" to an actual interface).
 # Default policies
 ufw default deny incoming
 ufw default deny outgoing
 
 # Openvpn interface (adjust interface accordingly to your configuration)
 ufw allow in on tap0
 ufw allow out on tap0
 # Openvpn (adjust port accordingly to your configuration)
 ufw allow out on enp3s0 to any port 1194     # <- here I needed to change "any" to an interface I was going to use to connect to my VPN
 ufw allow in on enp3s0 from any port 1194    # <- it is already changed in this post to enp3s0, but in the original post there was "any", which doesn't work
 # DNS
 ufw allow in from any to any port 53
 ufw allow out from any to any port 53
I don't think it's necessary to edit the wiki, because there's nothing wrong with the instructions there.
The commands I posted here were already modified by me.
However, I think it's unnecessary (and could be confusing) to use ufw, when iptables is quite sufficient. Also, iptables allows you to do what I was trying to achieve (allow connection to the VPN from any interface).
Here is an iptables script that you can use to achieve basically the same thing as with ufw.
#!/bin/sh
IPT=/usr/bin/iptables
$IPT -F
# policies
$IPT -P OUTPUT DROP        # default policy for outgoing packets
$IPT -P INPUT DROP         # default policy for incoming packets
$IPT -P FORWARD DROP       # default policy for forwarded packets
# allowed outputs
$IPT -A OUTPUT --out-interface lo -j ACCEPT       # enable localhost
$IPT -A OUTPUT --out-interface tap0 -j ACCEPT     # enable outputs on OpenVPN interface (change tap0 to tun0 or any other openvpn interface you might be using)
$IPT -A OUTPUT -p tcp --dport 1194 -j ACCEPT      # enable port for establishing VPN
$IPT -A OUTPUT -p udp --dport 1194 -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 53 -j ACCEPT        # enable DNS requests
$IPT -A OUTPUT -p udp --dport 53 -j ACCEPT
# allowed inputs
$IPT -A INPUT --in-interface lo -j ACCEPT                       # enable localhost
$IPT -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT           # enable ping from other machines
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT    # enable requested packets
I haven't included the local network, because I don't use it myself.
If you wish to enable it, you have to add IP addresses accordingly to allowed outputs (or even allowed inputs, if you wish to allow connections that weren't established by you).
For example:
/usr/bin/iptables -A OUTPUT -p tcp -d 192.168.0.0/24 -j ACCEPT
Or you can add only the concrete IP addresses that you want allowed.
To allow other machines to establish connections to your computer, you can use something like this.
/usr/bin/iptables -A INPUT -p tcp -s 192.168.0.0/24 -j ACCEPT
Basically just change -d (stands for destination) to -s (source).
Of course, if your network uses different IP addresses (192.168.1.0/24 or 10.20.3.0/24 or any other), you need to change it accordingly.
I wonder... was there any particular reason you used ufw in your wiki page?
Last edited by Phalkon (2016-04-29 19:09:39)
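As an added example (not posted by anyone in this thread), the same iptables kill switch written as a reusable function that also generates the local-network rules the post only describes in prose (-d for allowed outputs, -s for allowed inputs). The function name, the IPT=echo dry-run and the KILLSWITCH_APPLY guard are my own conventions, and the interface, port and addresses passed to it are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the thread: a parameterised version of the
# iptables kill switch above that also emits the LAN rules the post
# describes in prose (-d for allowed outputs, -s for allowed inputs).
# Set IPT=echo to dry-run the generated rules without root.
IPT="${IPT:-/usr/bin/iptables}"

# vpn_killswitch VPN_IF VPN_PORT [LAN_CIDR...]
#   VPN_IF   OpenVPN device (tap0 or tun0)
#   VPN_PORT port of the VPN server (1194 in the thread)
#   LAN_CIDR zero or more local networks allowed in both directions
vpn_killswitch() {
    vpn_if="$1"; vpn_port="$2"; shift 2
    $IPT -F
    # Drop everything that is not explicitly allowed below.
    $IPT -P OUTPUT DROP
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    # Loopback is always needed.
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    # Anything leaving through the tunnel is fine.
    $IPT -A OUTPUT -o "$vpn_if" -j ACCEPT
    # The handshake to the VPN server may leave on any physical interface:
    # no -o match is given, which is what ufw's "on any" could not express.
    $IPT -A OUTPUT -p udp --dport "$vpn_port" -j ACCEPT
    $IPT -A OUTPUT -p tcp --dport "$vpn_port" -j ACCEPT
    # DNS is needed to resolve the VPN server name before the tunnel is up.
    # Note that this does let resolver queries leave outside the tunnel.
    $IPT -A OUTPUT -p udp --dport 53 -j ACCEPT
    $IPT -A OUTPUT -p tcp --dport 53 -j ACCEPT
    # Local networks: one output and one input rule per CIDR.
    for lan in "$@"; do
        $IPT -A OUTPUT -d "$lan" -j ACCEPT
        $IPT -A INPUT -s "$lan" -j ACCEPT
    done
    # Replies to connections we initiated (VPN, DNS, LAN) and incoming ping.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
}

# Apply only when explicitly asked, e.g.
#   KILLSWITCH_APPLY=1 ./killswitch.sh tap0 1194 192.168.0.0/24
if [ -n "${KILLSWITCH_APPLY:-}" ]; then
    vpn_killswitch "$@"
fi
```

Run it with IPT=echo first to review the generated rules, then as root with KILLSWITCH_APPLY=1 to load them.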