I've set up my own VPN server on a VPS. I've configured it all fine and can connect to it from my own computer, and have all my traffic routed through it.
However, I wanted to make it so that when I'm not connected to my VPN then no traffic is allowed out. I'd not used UFW before but after finding this section of the Wiki it seemed fairly straightforward what I had to do, and what was going on. I executed all eight commands (obviously changing the network-specific parts) and enabled UFW.
Well, that did mostly work. When I disconnect my VPN I can't send anything, as desired, and when I reconnect I can. Unfortunately, there's one server I can't ping or otherwise interact with: the VPN's server. Obviously that excludes VPN traffic, since I'm posting this. But if I just try to ping it then I get "sendmsg: Operation not permitted", and if I try to visit, for example, the Plex server hosted on the same VPS then I just get a timeout.
I do find this a bit odd, because like I said, I clearly am able to send some packets to the server, otherwise I wouldn't be able to connect to the VPN. But that's the only kind of traffic I'm allowed to send, including pings!
Here are all of my rules, from running ufw status:

To                         Action      From
--                         ------      ----
Anywhere on tun0           ALLOW       Anywhere
Anywhere on wlp3s0         ALLOW       1194
Anywhere on wlp3s0         ALLOW       192.168.0.0/24
Anywhere (v6) on tun0      ALLOW       Anywhere (v6)
Anywhere (v6) on wlp3s0    ALLOW       1194 (v6)
Anywhere                   ALLOW OUT   Anywhere on tun0
1194                       ALLOW OUT   Anywhere on wlp3s0
192.168.0.0/24             ALLOW OUT   Anywhere on wlp3s0
Anywhere (v6)              ALLOW OUT   Anywhere (v6) on tun0
1194 (v6)                  ALLOW OUT   Anywhere (v6) on wlp3s0
UFW is not running on the VPS so it's not a problem with that end of things. And it's definitely a UFW problem; if I disable UFW then everything works fine again.
Any ideas?
Offline
Those "allow out" rules don't appear to include pings to your VPN server via wlp3s0.
Firewall rules rapidly get complicated
Offline
Ah, I didn't realise I had to specifically include the server. You're right, "ufw allow out to [ip]" did the trick.
But does this mean then that OpenVPN doesn't handle any non-VPN traffic going to the same server as the VPN? i.e. even if I have my VPN on, if I'm streaming from Plex or whatever then that's not going through the VPN?
I can't see what else would cause UFW to differentiate between my VPN's server and every other server.
Offline
OpenVPN handles the traffic through its interface (e.g. tun0). But not the traffic via another interface.
Traffic "to" the OpenVPN server will go through wlp3s0, instead. Whether tun0 is actually going through wlp3s0 is irrelevant.
With firewalls, you've got:
* IP addresses/ranges
* Ports
* Interfaces (e.g. eth0, tun0, wlp3s0)
* Protocols (e.g. TCP, UDP, ICMP)
So, I cringe at the word "uncomplicated". I never see firewalling, or network routing, as simple. It's full of tiny little details.
Offline
Hm, I think I see. So when I have OpenVPN running (from a client's perspective), it reroutes all traffic that'd normally go through wlp3s0 (and other interfaces, when applicable) to its own tun0 interface, where it takes care of the encryption side of things and changes the destination IP address and port, before "handing" this new traffic to wlp3s0 for it to send. Is that an accurate description?
And you're saying that, for any traffic to the VPN's server, this tun0 step is missed out? Is there a technical reason for this, or is it just by design? It seems kind of strange to me.
Offline
... this tun0 step is missed out? Is there a technical reason for this, or is it just by design? It seems kind of strange to me.
The OpenVPN server will have (at least) two interfaces - its Internet-facing interface (e.g. eth0), and its OpenVPN interface (e.g. tun0).
... and an IP address on each interface.
So, when you refer to the "OpenVPN server", which of its IP addresses are you referring to? This will determine which interface the traffic goes through. Each of the server's interfaces might deal with traffic very differently - or do a multitude of routing/translation tricks.
Offline