hello,
i'm using suse 9.3 with the firewall enabled.
openvpn connects successfully in both directions, but i can't ping each other, except when i stop the firewall on each computer.
i want to know how to open the tap/tun device in the firewall to solve this.
or do any of you have another solution?
hi, thanks for the reply
i did something about it yesterday, but i think it's not the right solution, because now i see the summary of the firewall saying "internal network is not protected". what i did yesterday is:
in the susefirewall_custom file, i added the lines:
Code:
fw_custom_before_denyall {
iptables -A INPUT -i tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -j ACCEPT
true
}
Distribution: debian, gentoo, os x (darwin), ubuntu
Posts: 940
Rep:
you need to allow traffic from tap0/tun0 depending on which one you are using,
or allow the subnets.
you could send me your iptables-save -t filter
also: i personally would advise you to use iptables directly rather than a gui, since this will give you a lot more understanding of what is going on, and how your firewall works (only in case you are up for that)
read: http://iptables-tutorial.frozentux.n...-tutorial.html
also: you can clear out your firewall, and slowly add things in again, this would tell you which rules need adding/moving/modifying
</grreplace>
<gr_replace lines="39-42" cat="clarify" orig="that is your firewall man!">
that is your firewall man! reading your rules can solve the prob.
i take it these are your client rules, right?
could you tell me what version of openvpn you are running, whether you are using tun or tap adapters, and the port and protocol openvpn is using?
that is your firewall man! reading your rules can solve the prob.
i take it these are your client rules right?
could you tell me what version of openvpn you are running, if you are using tun adaptors or tap adapter and
the port openvpn is using, and the protocol?
for this you can look in your openvpn config file for
1. port
2. proto
3. dev
also perhaps you could post following from your server
hi,
wow, you're really fast, and yes that was from the client
i'm using openvpn 2.0, and i installed it by doing rpmbuild first
port 1194
proto udp
dev tun
btw, i did something to the server.conf file (i post it below too), and now i can ping the server's internal ip. almost forgot, the client internal lan is 192.168.2.0/255.255.255.0, the server internal lan is 192.168.1.0/255.255.255.0. when connected, there will be a new ip for tun0 on the server, which is 192.168.3.1, and for the client 192.168.3.6 (stated in server.conf and client.conf)
right now, the client can ping the server's internal ip (192.168.1.4) but the server cannot ping the client's internal ip (192.168.2.4), and the manual says that i have to enable ip forwarding so the lan behind the client can access the lan behind the server and vice versa, but i don't know how to enable ip forwarding
server.conf
Code:
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key # This file should be kept secret
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
server 192.168.3.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0"
client-config-dir ccd
route 192.168.2.0 255.255.255.0
client-to-client
push "route 192.168.2.0 255.255.255.0"
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
client.conf
Code:
client
dev tun
proto udp
remote 222.124.84.21 1194
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/client1.crt
key /etc/openvpn/easy-rsa/keys/client1.key
ns-cert-type server
comp-lzo
verb 3
the iptables-save from server:
Code:
# Generated by iptables-save v1.3.1 on Thu Jul 21 14:38:39 2005
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [108:9240]
:forward_ext - [0:0]
:forward_int - [0:0]
:input_ext - [0:0]
:input_int - [0:0]
:reject_func - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i tun0 -j input_int
-A INPUT -i eth0 -j input_ext
-A INPUT -i eth1 -j input_ext
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options
-A INPUT -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i tun0 -j forward_int
-A FORWARD -i eth0 -j forward_ext
-A FORWARD -i eth1 -j forward_ext
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options
-A FORWARD -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-OUT-ERROR " --log-tcp-options --log-ip-options
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3/2 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 5 -j ACCEPT
-A forward_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_ext -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_ext -p udp -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_ext -m limit --limit 3/min -m state --state INVALID -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT-INV " --log-tcp-options --log-ip-options
-A forward_ext -j DROP
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3/2 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 5 -j ACCEPT
-A forward_int -p tcp -m limit --limit 3/min -m tcp --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_int -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_int -p udp -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_int -m limit --limit 3/min -m state --state INVALID -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT-INV " --log-tcp-options --log-ip-options
-A forward_int -j DROP
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A input_ext -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3/2 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 5 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 10000 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 10000 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 1194 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 1194 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 26 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 26 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 5050 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 5050 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 5801 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 5801 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 5901 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 5901 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 8080 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 8080 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 80 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 110 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 110 -j ACCEPT
-A input_ext -p tcp -m tcp --dport 113 -m state --state NEW -j reject_func
-A input_ext -p udp -m udp --dport 10000 -j ACCEPT
-A input_ext -p udp -m udp --dport 1194 -j ACCEPT
-A input_ext -p udp -m udp --dport 26 -j ACCEPT
-A input_ext -p udp -m udp --dport 5050 -j ACCEPT
-A input_ext -p udp -m udp --dport 8080 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p udp -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -m limit --limit 3/min -m state --state INVALID -j LOG --log-prefix "SFW2-INext-DROP-DEFLT-INV " --log-tcp-options --log-ip-options
-A input_ext -j DROP
-A input_int -j ACCEPT
-A reject_func -p tcp -j REJECT --reject-with tcp-reset
-A reject_func -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject_func -j REJECT --reject-with icmp-proto-unreachable
COMMIT
# Completed on Thu Jul 21 14:38:40 2005
btw, if I want to change any of above firewall settings, which file must i edit?
on server: you can kick out the line for tcp traffic on port 1194, this is not needed since your ovpn server is listening on the udp protocol.
i would set openvpn to use the tap adapter
just change tun to tap in both config files
you enable ip forwarding by
echo 1 > /proc/sys/net/ipv4/ip_forward
disable ip forwarding by replacing the 1 with a 0 (zero)
you need rules in your forwarding table which allow traffic between eth0, eth1 AND tun0 (or if you should change from tun to tap, you need rules to allow traffic from eth0, eth1 and tap0)
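Both the advice to read the rules yourself and the point that the FORWARD chain needs its own rules for tun0 can be checked against the dump posted above. The following is an added example, not code from this thread: it walks an abridged copy of that SuSEfirewall2 dump the way the kernel would for one packet. The function names `parse`, `verdict` and `ping_verdicts` are chosen here, and the ruleset below is a constructed, shortened copy of the server's iptables-save output (only -i, -p, --state, --icmp-type and -j are modelled).

```python
# Constructed sample: an abridged copy of the server's iptables-save dump posted above.
SAMPLE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:forward_int - [0:0]
:input_int - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i tun0 -j input_int
-A FORWARD -i tun0 -j forward_int
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
-A forward_int -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT "
-A forward_int -j DROP
-A input_int -j ACCEPT
COMMIT
"""
OPTS = {"-i": "iface", "-p": "proto", "--state": "state", "--icmp-type": "icmp_type", "-j": "target"}

def parse(text):
    chains = {}
    for line in text.splitlines():
        toks = line.split()
        if line.startswith(":"):                      # ":NAME POLICY [pkts:bytes]"
            chains[toks[0][1:]] = (toks[1], [])
        elif line.startswith("-A "):                  # "-A CHAIN <matches> -j TARGET"
            rule = dict.fromkeys(OPTS.values())       # None = matches anything
            for opt, nxt in zip(toks, toks[1:]):
                if opt in OPTS:
                    rule[OPTS[opt]] = nxt if opt == "-j" else set(nxt.split(","))
            chains[toks[1]][1].append(rule)
    return chains

def matches(rule, pkt):
    return all(v is None or pkt.get(k) in v for k, v in rule.items() if k != "target")

def verdict(chains, chain, pkt):
    """Walk a chain like the kernel: LOG is non-terminating, a user chain with no hit RETURNs."""
    policy, rules = chains[chain]
    for rule in filter(lambda r: matches(r, pkt), rules):
        target = rule["target"]
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        if target in chains and (result := verdict(chains, target, pkt)) != "RETURN":
            return result
    return policy if policy != "-" else "RETURN"

def ping_verdicts(chains):
    """Fate of a NEW ICMP echo request from tun0: for the server itself (INPUT) and for the LAN behind it (FORWARD)."""
    pkt = dict(iface="tun0", proto="icmp", state="NEW", icmp_type="8")
    return verdict(chains, "INPUT", pkt), verdict(chains, "FORWARD", pkt)
```

For this dump a new echo request from tun0 is ACCEPTed in INPUT (tun0 goes to input_int, which accepts everything, so the client can ping the server itself) but DROPped in FORWARD (forward_int only passes ICMP replies, logs the packet and drops it), which is why nothing reaches the LAN behind the server. The fix is an accept rule in forward_int, ideally limited to the two LAN subnets (192.168.2.0/24 and 192.168.1.0/24) rather than a blanket accept.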
hi,
i changed the configuration in server.conf and client.conf according to your suggestion, and i will try it right away,
btw, the openvpn manual says that to use bridging i have to "bridge" eth0 and tap0. i don't understand how to do this in linux; in windows it's so easy, but, no more windows.
thanks,
bridging and routing are 2 different things
when you bridge, you are basically making a switch
eth0 and tap0 do not have addresses anymore, but the bridge (this device is then called br0) will have one address.
how it works is really simple and easy to get your head around.
i have used both, bridging and routing, in an openvpn environment successfully