With iptables cleaned out using the following, my OpenVPN client fires right up with no errors:

iptables -P INPUT   ACCEPT
iptables -P OUTPUT  ACCEPT
iptables -P FORWARD ACCEPT
iptables -F

As soon as I issue iptables-restore to load rules.v4 [below], I get the following error:

Wed Sep 11 02:09:30 2019 UDP link local:  (not bound)
Wed Sep 11 02:09:30 2019 UDP link remote: [AF_INET]188.120.224.182:1194

Wed Sep 11 02:09:30 2019 write UDP: Operation not permitted (code=1)
Wed Sep 11 02:09:32 2019 write UDP: Operation not permitted (code=1)
Wed Sep 11 02:09:37 2019 write UDP: Operation not permitted (code=1)

These configs work on an identical server with the same iptables version and Debian kernel:

  • /etc/openvpn/server.conf
    client
    remote 188.120.200.100
    dev tun
    nobind
    tls-client
    ca /etc/openvpn/client/ca.crt
    cert /etc/openvpn/client/tornado.com.crt
    key /etc/openvpn/client/tornado.com.key
    comp-lzo
    log-append /var/log/openvpn/openvpn.log
    verb 3
    ping-restart 10
    #ifconfig 10.9.8.2 10.9.8.1
    #persist-key
    #persist-tun
    
  • /etc/iptables/rules.v4

    # Generated by iptables-save v1.6.0 on Sun Jul 14 02:18:04 2019
    
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    
    -A INPUT                  -i lo -j ACCEPT
    -A INPUT -s 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
    
    -A INPUT -p icmp -m state --state NEW -m icmp --icmp-type 8 -j ACCEPT
    -A INPUT -p icmp -m state --state RELATED,ESTABLISHED       -j ACCEPT
    
    -A INPUT -i eth0 -p tcp -m state --state NEW,ESTABLISHED  -m tcp --dport 2222 -j ACCEPT
    -A INPUT -i eth0 -p udp -m state --state NEW,ESTABLISHED  -m udp --dport 1194 -j ACCEPT
    -A INPUT -i eth0 -p tcp -m state --state NEW,ESTABLISHED  -m tcp --dport 1194 -j ACCEPT
    -A INPUT -i eth0 -p udp -m state --state ESTABLISHED      -m udp --sport 53   -j ACCEPT
    -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED      -m tcp --sport 53   -j ACCEPT
    -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED      -m tcp --sport 80   -j ACCEPT
    -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED      -m tcp --sport 443  -j ACCEPT
    -A INPUT -i eth0 -p udp -m state --state ESTABLISHED      -m udp --sport 695  -j ACCEPT
    -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED      -m tcp --sport 3128 -j ACCEPT
    -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED      -m tcp --sport 6667 -j ACCEPT
    -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED      -m tcp --sport 9001 -j ACCEPT
    -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED      -m tcp --sport 9030 -j ACCEPT
    
    -A INPUT -i tun0                -j ACCEPT
    -A INPUT -m limit --limit 3/min -j LOG    --log-prefix "iptables_INPUT_denied: "
    -A INPUT                        -j REJECT --reject-with icmp-port-unreachable
    
    -A FORWARD                -i tun0                                       -j ACCEPT
    -A FORWARD -s 10.9.8.0/24 -i tun0 -o eth0                               -j ACCEPT
    -A FORWARD                        -m state  --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -d 10.9.8.26/32 -p tcp -m tcp    --dport 80                  -j ACCEPT
    -A FORWARD                        -m limit  --limit 3/min               -j LOG    --log-prefix "iptables_FORWARD_denied: "
    -A FORWARD                                                              -j REJECT --reject-with icmp-port-unreachable
    
    -A OUTPUT -o lo   -j ACCEPT
    -A OUTPUT -p icmp -j ACCEPT
    
    -A OUTPUT -o eth0 -p tcp -m state --state ESTABLISHED     -m tcp --sport 2222 -j ACCEPT
    -A OUTPUT -o eth0 -p udp -m state --state ESTABLISHED     -m udp --sport 1194 -j ACCEPT
    -A OUTPUT -o eth0 -p tcp -m state --state ESTABLISHED     -m tcp --sport 1194 -j ACCEPT
    -A OUTPUT -o eth0 -p udp -m state --state NEW,ESTABLISHED -m udp --dport 53   -j ACCEPT
    -A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 53   -j ACCEPT
    -A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 80   -j ACCEPT
    -A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 443  -j ACCEPT
    -A OUTPUT -o eth0 -p udp -m state --state NEW,ESTABLISHED -m udp --dport 695  -j ACCEPT
    -A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 3128 -j ACCEPT
    -A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 6667 -j ACCEPT
    -A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 9001 -j ACCEPT
    -A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 9030 -j ACCEPT
    
    -A OUTPUT -o tun0                 -j ACCEPT
    -A OUTPUT -m limit --limit 3/min  -j LOG    --log-prefix "iptables_OUTPUT_denied: "
    -A OUTPUT                         -j REJECT --reject-with icmp-port-unreachable
    
    COMMIT
    
    # Completed on Sun Jul 14 02:18:04 2019
    # Generated by iptables-save v1.6.0 on Sun Jul 14 02:18:04 2019
    *nat
    :PREROUTING ACCEPT [4915297:1580921207]
    :INPUT ACCEPT [5132:265999]
    :OUTPUT ACCEPT [128157:9331722]
    :POSTROUTING ACCEPT [46763:3069634]
    
    -A PREROUTING                   -i eth0 -p tcp -m tcp --dport 80    -j DNAT --to-destination 10.9.8.26
    
    -A POSTROUTING  -s 10.9.8.0/24  -o eth0                             -j MASQUERADE
    -A POSTROUTING  -s 10.9.8.26/32 -o eth0 -p tcp -m tcp --dport 80    -j SNAT --to-source 188.120.231.206
    -A POSTROUTING  -s 10.9.8.26/32 -o eth0 -p tcp -m tcp --dport 80    -j SNAT --to-source 188.120.231.207
    -A POSTROUTING  -s 10.9.8.26/32 -o eth0 -p tcp -m tcp --dport 443   -j SNAT --to-source 188.120.231.206
    -A POSTROUTING  -s 10.9.8.26/32 -o eth0 -p udp -m udp --dport 695   -j SNAT --to-source 188.120.231.206
    -A POSTROUTING  -s 10.9.8.26/32 -o eth0 -p tcp -m tcp --dport 3128  -j SNAT --to-source 188.120.231.206
    -A POSTROUTING  -s 10.9.8.26/32 -o eth0 -p tcp -m tcp --dport 6667  -j SNAT --to-source 188.120.231.206
    -A POSTROUTING  -s 10.9.8.26/32 -o eth0 -p tcp -m tcp --dport 9001  -j SNAT --to-source 188.120.231.206
    -A POSTROUTING  -s 10.9.8.26/32 -o eth0 -p tcp -m tcp --dport 9030  -j SNAT --to-source 188.120.231.206
    
    COMMIT
    # Completed on Sun Jul 14 02:18:04 2019
    

How do I get my config to work?

  • So the IPTABLES configuration blocks many outgoing ports based on source port or destination port. You're using "nobind" in your openvpn client, which means it will select a random local port to use. What's the destination port on the remote server?
    – Iyad K
    Commented Sep 11, 2019 at 2:00
  • @Iyad K 1194 but the error says (local)
    – Nix
    Commented Sep 11, 2019 at 15:11
  • Can you clarify if the IPTABLES config above is on the server or the client? So the destination port is 1194 protocol UDP. Maybe I missed something but your rules don't allow egress to 1194 on UDP if those rules are for a client. This rule allows source port to be 1194 but not destination: -A OUTPUT -o eth0 -p udp -m state --state ESTABLISHED -m udp --sport 1194 -j ACCEPT . This rule rejects everything that isn't in the list of approved rules: -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
    – Iyad K
    Commented Sep 13, 2019 at 19:18
  • @Iyad K that is a server firewall config
    – Nix
    Commented Sep 13, 2019 at 19:59
  • @Iyad K I tried to comment out the line with REJECT --reject-with icmp-port-unreachable and then iptables-restore, same issue.
    – Nix
    Commented Sep 13, 2019 at 21:12
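The comment above singles out the two OUTPUT rules that matter: the one that only accepts UDP with a *source* port of 1194 in state ESTABLISHED, and the trailing REJECT. The following Python model of that OUTPUT chain is an added example, not part of the question or its answer. It parses the chain exactly as it appears in the rules.v4 above and walks it the way iptables does (top to bottom, LOG non-terminating, first ACCEPT/REJECT wins), with the conntrack state supplied by hand: the first outbound packet of a UDP flow is always NEW. The ephemeral port 47321 is a constructed value standing in for whatever `nobind` picks, and the `--dport 1194` rule is a hypothetical addition, not something from the page.

```python
"""Model of the OUTPUT chain from the question's rules.v4 (added example, not
the original post's code).  A REJECT or DROP hit in OUTPUT is reported to the
sending process as EPERM, which is the "write UDP: Operation not permitted"
seen in the OpenVPN log."""
from dataclasses import dataclass
import shlex

# The OUTPUT chain exactly as it appears in the question's rules.v4.
RULES_V4_OUTPUT = """
-A OUTPUT -o lo   -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state ESTABLISHED     -m tcp --sport 2222 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m state --state ESTABLISHED     -m udp --sport 1194 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state ESTABLISHED     -m tcp --sport 1194 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m state --state NEW,ESTABLISHED -m udp --dport 53   -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 53   -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 80   -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 443  -j ACCEPT
-A OUTPUT -o eth0 -p udp -m state --state NEW,ESTABLISHED -m udp --dport 695  -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 3128 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 6667 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 9001 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 9030 -j ACCEPT
-A OUTPUT -o tun0                 -j ACCEPT
-A OUTPUT -m limit --limit 3/min  -j LOG    --log-prefix "iptables_OUTPUT_denied: "
-A OUTPUT                         -j REJECT --reject-with icmp-port-unreachable
"""

# Hypothetical fix (assumption, not from the page): accept the client's own
# outbound flow to the VPN server's port, whatever local port nobind chose.
FIX_RULE = "-A OUTPUT -o eth0 -p udp -m state --state NEW,ESTABLISHED -m udp --dport 1194 -j ACCEPT"
RULES_V4_OUTPUT_FIXED = RULES_V4_OUTPUT.replace("-A OUTPUT -o tun0", FIX_RULE + "\n-A OUTPUT -o tun0", 1)

# iptables options this model understands; everything else (-m, --limit,
# --log-prefix, --reject-with) carries no match semantics here.
OPTS = {"-o": "out_if", "-p": "proto", "--sport": "sport", "--dport": "dport", "--state": "state"}

@dataclass
class Packet:
    out_if: str
    proto: str
    sport: int
    dport: int
    state: str  # conntrack state as iptables would see it: NEW or ESTABLISHED

def parse_rule(line):
    """Turn one `-A OUTPUT ...` line into (match criteria, target)."""
    toks = shlex.split(line)
    matches, target = {}, None
    for i, t in enumerate(toks):
        if t in OPTS:
            val = toks[i + 1]
            if t in ("--sport", "--dport"):
                val = int(val)
            elif t == "--state":
                val = set(val.split(","))
            matches[OPTS[t]] = val
        elif t == "-j":
            target = toks[i + 1]
    return matches, target

def rule_matches(m, pkt):
    """Every criterion present in the rule must hold; absent criteria match anything."""
    for key in ("out_if", "proto", "sport", "dport"):
        if key in m and m[key] != getattr(pkt, key):
            return False
    return "state" not in m or pkt.state in m["state"]

def evaluate(pkt, rules_text=RULES_V4_OUTPUT, policy="ACCEPT"):
    """Walk the chain top to bottom.  Returns (verdict, rule index), with
    index None when the chain policy (`:OUTPUT ACCEPT`) decided."""
    rules = [parse_rule(l) for l in rules_text.strip().splitlines() if l.strip()]
    for idx, (m, target) in enumerate(rules):
        if not rule_matches(m, pkt):
            continue
        if target == "LOG":      # non-terminating: log and keep walking
            continue
        return target, idx
    return policy, None

if __name__ == "__main__":
    cases = [
        ("nobind, ephemeral port, first packet", Packet("eth0", "udp", 47321, 1194, "NEW"), RULES_V4_OUTPUT),
        ("bound to local 1194, first packet", Packet("eth0", "udp", 1194, 1194, "NEW"), RULES_V4_OUTPUT),
        ("nobind, with --dport 1194 rule added", Packet("eth0", "udp", 47321, 1194, "NEW"), RULES_V4_OUTPUT_FIXED),
        ("a DNS query, for comparison", Packet("eth0", "udp", 51000, 53, "NEW"), RULES_V4_OUTPUT),
    ]
    for label, pkt, rules in cases:
        verdict, idx = evaluate(pkt, rules)
        where = "chain policy" if idx is None else f"rule #{idx + 1}"
        print(f"{label:40s} -> {verdict} ({where})")
```

Running it shows the first handshake packet falling through every ACCEPT to the final REJECT whether or not a local port is bound, because the only UDP/1194 rule in OUTPUT keys on `--sport` and requires ESTABLISHED, a state the very first packet of a flow can never have; only a rule matching the destination port in state NEW lets the flow start. The same walk explains why commenting out only the REJECT line is not a reliable test: the LOG rule and chain policy then decide, and any other DROP or REJECT left in the chain would produce the same EPERM.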

1 Answer


First of all, your openvpn instance is acting as a client (even if the conf file is named "server.conf").

In order to get it to work, you need to remove the nobind parameter from the configuration file.

  • The OP stated it was a client config, and it's more than just that one line that makes it a client config: client and tls-client do as well.
    – JW0914
    Commented May 13, 2020 at 13:18
