#1 2016-12-30 10:36:13

hbc2
Member
Registered: 2014-07-26
Posts: 13

Trouble setting up iptables for openvpn

Hi,

When I try to establish a connection to an openvpn server (they use udp on port 1197 not 1194 as commonly done) the TLS handshake fails.  I played with this for a day and I'm not getting anywhere. 

If I reset the iptables Input and Output policies to ACCEPT (meaning I have no rules and just accept all traffic) I can get the openvpn client to connect.  That proves I have my openvpn client conf file set up correctly.

What I'm trying to do is block all traffic on the "real" interface (wlp6s0) so if my vpn goes down my browser will not connect to the web server I am trying to hide my ip addr from. 

The iptables script at the bottom does not work as is. 

I think the problem is related to this line but I'm not sure how to troubleshoot further:

iptables -A INPUT -p udp --dport 1197 -j ACCEPT

If I use the above rule I'm not able to connect.
If I comment the above rule and uncomment these following two then I can get the below script to connect to the VPN server.

iptables -A OUTPUT -m state --state NEW -o wlp6s0 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

However, using those two lines means that if the vpn goes down then my browser will still connect to the web server that I am trying to hide my ip address from.

Any thoughts on this would be helpful.  Thanks.


#!/bin/bash

# Delete old iptables rules
# and temporarily block all traffic.
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -F

# Set default policies
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP


# Allow local loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

iptables -A INPUT -p udp --dport 1197 -j ACCEPT

# I tried these, thinking I had to handle the state of the connection for some reason, but they don't work either
#iptables -A INPUT -i wlp6s0 -p udp --dport 1197 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#iptables -A OUTPUT -o wlp6s0 -p udp --sport 1197 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# I don't want to use the two below rules in case the VPN goes down
# (if it does then my browser would still connect to the server I'm hiding my IP from)
# Keep state of connections from local machine and private subnets
# iptables -A OUTPUT -m state --state NEW -o wlp6s0 -j ACCEPT
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#accept everything over the vpn tunnel for now
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT

#2 2016-12-30 12:38:52

ma79
Member
Registered: 2016-12-30
Posts: 1

Re: Trouble setting up iptables for openvpn

Hi

You probably need to allow output to the VPN server since you are connecting to it:

iptables -A OUTPUT -o wlp6s0 -p udp -m udp --dport 1197 -j ACCEPT

For example, something like this in /etc/iptables/iptables.rules should work:

*filter

:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

-A INPUT -i wlp6s0 -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
-A OUTPUT -o wlp6s0 -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT

-A OUTPUT -o wlp6s0 -p udp -m udp --dport 1197 -j ACCEPT

-A OUTPUT -o tun+ -j ACCEPT

COMMIT
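
The following is an added example, not part of either post and not real netfilter: a small first-match-wins model of the filter table that understands only the matches these two rule sets use (-i/-o with the tun+ prefix wildcard, -p, -s/-d prefixes, --sport/--dport, conntrack --ctstate). It encodes the rules from post #1's script and from the /etc/iptables/iptables.rules in post #2 and runs the same four constructed packets through both, which shows why the handshake fails under the first set (the server's reply arrives with source port 1197 and an ephemeral destination port, so `INPUT --dport 1197` never matches it and the INPUT policy drops it) and why the second set both admits that reply and drops browser traffic on wlp6s0 when the tunnel is down. The addresses (203.0.113.5 for the VPN server, 198.51.100.7 for the web server, 192.168.1.10 and 10.8.0.2 for the client) and ports 41000/50000 are constructed, and the ctstate on each packet is what conntrack is assumed to report.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Packet:
    chain: str      # "INPUT" or "OUTPUT"
    iface: str      # -i for INPUT, -o for OUTPUT
    proto: str      # "udp" or "tcp"
    src: str
    dst: str
    sport: int
    dport: int
    ctstate: str    # assumed conntrack result: NEW, ESTABLISHED or RELATED

@dataclass
class Rule:
    chain: str
    target: str                        # ACCEPT or DROP
    iface: Optional[str] = None        # "tun+" style prefix wildcard supported
    proto: Optional[str] = None
    src: Optional[str] = None          # CIDR, like -s 192.168.0.0/16
    dst: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    ctstates: Optional[frozenset] = None

    def matches(self, p: Packet) -> bool:
        if self.chain != p.chain:
            return False
        if self.iface is not None:
            if self.iface.endswith("+"):
                ok = p.iface.startswith(self.iface[:-1])
            else:
                ok = p.iface == self.iface
            if not ok:
                return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.src is not None and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.sport is not None and self.sport != p.sport:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.ctstates is not None and p.ctstate not in self.ctstates:
            return False
        return True

def verdict(rules, policies, p: Packet) -> str:
    """First matching rule in the packet's chain wins; otherwise the chain policy."""
    for r in rules:
        if r.matches(p):
            return r.target
    return policies[p.chain]

EST = frozenset({"ESTABLISHED", "RELATED"})
LAN = "192.168.0.0/16"

# Post #1's script: OUTPUT policy ACCEPT, INPUT policy DROP, plus its active rules.
OP_POLICIES = {"INPUT": "DROP", "OUTPUT": "ACCEPT"}
OP_RULES = [
    Rule("INPUT", "ACCEPT", iface="lo"),
    Rule("OUTPUT", "ACCEPT", iface="lo"),
    Rule("INPUT", "ACCEPT", proto="udp", dport=1197),   # the suspect line
    Rule("INPUT", "ACCEPT", iface="tun+"),
]

# Post #2's iptables.rules: both policies DROP, replies admitted by conntrack state.
FIX_POLICIES = {"INPUT": "DROP", "OUTPUT": "DROP"}
FIX_RULES = [
    Rule("INPUT", "ACCEPT", iface="lo"),
    Rule("OUTPUT", "ACCEPT", iface="lo"),
    Rule("INPUT", "ACCEPT", ctstates=EST),
    Rule("INPUT", "ACCEPT", iface="wlp6s0", src=LAN, dst=LAN),
    Rule("OUTPUT", "ACCEPT", iface="wlp6s0", src=LAN, dst=LAN),
    Rule("OUTPUT", "ACCEPT", iface="wlp6s0", proto="udp", dport=1197),
    Rule("OUTPUT", "ACCEPT", iface="tun+"),
]

# Constructed traffic (documentation-range addresses, made-up ports).
VPN_SERVER, WEB_SERVER, ME, ME_TUN = "203.0.113.5", "198.51.100.7", "192.168.1.10", "10.8.0.2"
CASES = {
    "handshake_out":   Packet("OUTPUT", "wlp6s0", "udp", ME, VPN_SERVER, 41000, 1197, "NEW"),
    "handshake_reply": Packet("INPUT",  "wlp6s0", "udp", VPN_SERVER, ME, 1197, 41000, "ESTABLISHED"),
    "browser_no_vpn":  Packet("OUTPUT", "wlp6s0", "tcp", ME, WEB_SERVER, 50000, 443, "NEW"),
    "browser_via_vpn": Packet("OUTPUT", "tun0",   "tcp", ME_TUN, WEB_SERVER, 50000, 443, "NEW"),
}

def compare() -> dict:
    """Map each case name to (verdict under post #1 rules, verdict under post #2 rules)."""
    return {name: (verdict(OP_RULES, OP_POLICIES, p), verdict(FIX_RULES, FIX_POLICIES, p))
            for name, p in CASES.items()}

if __name__ == "__main__":
    for name, (before, after) in compare().items():
        print(f"{name:16s} post#1={before:6s} post#2={after}")
```

Two practical caveats the model makes visible: the ESTABLISHED rule only admits the reply because conntrack already saw the outbound packet, so the client must send first (which OpenVPN does); and because the second rule set drops all other output on wlp6s0, a `remote` given as a hostname cannot be resolved before the tunnel is up unless the resolver is on the 192.168.0.0/16 LAN or DNS to it is explicitly allowed.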
