Linode Community Forums
 Post subject: OpenVPN not routing?
PostPosted: Thu Jul 14, 2011 4:28 pm 
I've followed all of the directions for setting up my Debian linode for OpenVPN and connecting to it successfully (sort of) with my Debian laptop. I can ping and ssh and do whatever from my laptop to the server when the VPN is enabled, but I absolutely cannot get any forwarding to work whatsoever.

I have enabled forwarding on my server and have the default route pushed to the client. I have the proper iptables forwarding and nat entries according to dozens of articles I've read. I've also flushed iptables and used JUST those entries with no change. I also have dnsmasq installed. I am not seeing any logged dropped packets in syslog (all dropped packets are logged) and I'm not seeing any errors in the openvpn log. I use the network-manager-openvpn package for the client, but if I use a simple client config it does the same thing anyway.

Please help!

server.conf:
Code:
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir ccd
route 192.168.0.0 255.255.0.0
push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"
keepalive 10 120
comp-lzo no
push "comp-lzo no"
max-clients 5
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log
log /var/log/openvpn.log
verb 4
mute 10


iptables-save:
Code:
# Generated by iptables-save v1.4.8 on Thu Jul 14 20:24:44 2011
*security
:INPUT ACCEPT [30746:3391345]
:FORWARD ACCEPT [11831:952761]
:OUTPUT ACCEPT [16059:2602360]
COMMIT
# Completed on Thu Jul 14 20:24:44 2011
# Generated by iptables-save v1.4.8 on Thu Jul 14 20:24:44 2011
*raw
:PREROUTING ACCEPT [42893:4407336]
:OUTPUT ACCEPT [16062:2602820]
COMMIT
# Completed on Thu Jul 14 20:24:44 2011
# Generated by iptables-save v1.4.8 on Thu Jul 14 20:24:44 2011
*nat
:PREROUTING ACCEPT [12:703]
:INPUT ACCEPT [3:235]
:OUTPUT ACCEPT [91:5994]
:POSTROUTING ACCEPT [91:5994]
-A POSTROUTING -s 10.8.0.0/24 -j ACCEPT
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Thu Jul 14 20:24:44 2011
# Generated by iptables-save v1.4.8 on Thu Jul 14 20:24:44 2011
*mangle
:PREROUTING ACCEPT [28303:2930721]
:INPUT ACCEPT [20954:2286300]
:FORWARD ACCEPT [7340:643881]
:OUTPUT ACCEPT [11488:1613988]
:POSTROUTING ACCEPT [18726:2218125]
COMMIT
# Completed on Thu Jul 14 20:24:44 2011
# Generated by iptables-save v1.4.8 on Thu Jul 14 20:24:44 2011
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [845:115470]
:LOGNDROP - [0:0]
:SPAMLIST - [0:0]
:SPAMLND - [0:0]
:fail2ban-apache - [0:0]
:fail2ban-apache-noscript - [0:0]
:fail2ban-apache-overflows - [0:0]
:fail2ban-pam-generic - [0:0]
:fail2ban-postfix - [0:0]
:fail2ban-ssh - [0:0]
:fail2ban-ssh-ddos - [0:0]
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache
-A INPUT -p tcp -m multiport --dports 25,465 -j fail2ban-postfix
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache-overflows
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh-ddos
-A INPUT -p tcp -j fail2ban-pam-generic
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache-noscript
-A INPUT -i lo -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A INPUT -j SPAMLIST
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -j LOGNDROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -o tun+ -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j SPAMLIST
-A OUTPUT -p icmp -j ACCEPT
-A LOGNDROP -p tcp -m limit --limit 6/min -j LOG --log-prefix "Denied IPv4-TCP: " --log-level 7
-A LOGNDROP -p udp -m limit --limit 6/min -j LOG --log-prefix "Denied IPv4-UDP: " --log-level 7
-A LOGNDROP -p icmp -m limit --limit 6/min -j LOG --log-prefix "Denied IPv4-ICMP: " --log-level 7
-A LOGNDROP -j DROP
-A SPAMLIST -s 173.242.122.87/32 -j SPAMLND
-A SPAMLIST -s 94.250.93.68/32 -j SPAMLND
-A SPAMLIST -s 94.250.77.220/32 -j SPAMLND
-A SPAMLIST -s 85.167.116.39/32 -j SPAMLND
-A SPAMLIST -s 88.90.64.39/32 -j SPAMLND
-A SPAMLIST -s 174.127.65.56/32 -j SPAMLND
-A SPAMLIST -s 85.167.118.225/32 -j SPAMLND
-A SPAMLIST -s 94.250.77.220/32 -j SPAMLND
-A SPAMLIST -s 206.214.2.230/32 -j SPAMLND
-A SPAMLIST -s 219.154.45.50/32 -j SPAMLND
-A SPAMLIST -s 84.202.88.9/32 -j SPAMLND
-A SPAMLIST -j RETURN
-A SPAMLND -m limit --limit 6/min -j LOG --log-prefix "SPAMLIST: " --log-level 7
-A SPAMLND -j DROP
-A fail2ban-apache -j RETURN
-A fail2ban-apache-noscript -j RETURN
-A fail2ban-apache-overflows -j RETURN
-A fail2ban-pam-generic -j RETURN
-A fail2ban-postfix -j RETURN
-A fail2ban-ssh -j RETURN
-A fail2ban-ssh-ddos -j RETURN
COMMIT
# Completed on Thu Jul 14 20:24:44 2011


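In the posted nat table, `-A POSTROUTING -s 10.8.0.0/24 -j ACCEPT` sits in front of the MASQUERADE rule for the same source; in the nat table ACCEPT is a terminating target, so a matching connection leaves the chain untranslated and the MASQUERADE rule never fires, which means VPN traffic goes out eth0 with its private 10.8.0.x source and replies never come back. The checker below is an added example, not part of the original post: it parses iptables-save output and flags MASQUERADE/SNAT rules that an earlier ACCEPT/RETURN in nat POSTROUTING already swallows, using the two POSTROUTING rules copied from the post as its constructed sample.

```python
import shlex

# Constructed sample: the nat POSTROUTING rules exactly as posted above.
POSTED_NAT = """*nat
:POSTROUTING ACCEPT [91:5994]
-A POSTROUTING -s 10.8.0.0/24 -j ACCEPT
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
"""

def parse_tables(dump):
    """Turn iptables-save text into {table: {chain: [rule_tokens, ...]}}."""
    tables, table = {}, None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
            tables[table] = {}
        elif line.startswith(":") and table is not None:
            tables[table][line[1:].split()[0]] = []
        elif line.startswith("-A ") and table is not None:
            toks = shlex.split(line)  # shlex keeps quoted --log-prefix values whole
            tables[table].setdefault(toks[1], []).append(toks[2:])
    return tables

def matches(toks):
    """Basic match options of one rule as {option: value}; '!' negations are ignored."""
    return {k: v for k, v in zip(toks, toks[1:]) if k in ("-s", "-d", "-i", "-o", "-p")}

def target(toks):
    return toks[toks.index("-j") + 1] if "-j" in toks else None

def shadowed_nat_rules(dump):
    """Return (earlier, later) pairs where a terminating ACCEPT/RETURN in nat POSTROUTING
    precedes a MASQUERADE/SNAT rule it matches first; such packets are never translated."""
    chain = parse_tables(dump).get("nat", {}).get("POSTROUTING", [])
    findings = []
    for i, later in enumerate(chain):
        if target(later) not in ("MASQUERADE", "SNAT"):
            continue
        lm = matches(later)
        for earlier in chain[:i]:
            if target(earlier) not in ("ACCEPT", "RETURN"):
                continue
            # Conservative test: every match the earlier rule specifies also appears,
            # with the same value, on the later rule (equality only, no subnet containment).
            if all(lm.get(k) == v for k, v in matches(earlier).items()):
                findings.append((" ".join(earlier), " ".join(later)))
    return findings
```

Running `shadowed_nat_rules(POSTED_NAT)` reports the MASQUERADE rule as shadowed; with the ACCEPT rule deleted or moved below the MASQUERADE rule the list is empty.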