VPN problem

benc
Level 1
Posts: 16
Joined: Wed Dec 13, 2017 7:48 pm

VPN problem

Post by benc » Mon Dec 18, 2017 4:54 pm

I got a VPN from a commercial company. They didn't have a Linux client, so I used their OpenVPN settings. I also got code from the VPN provider to lock up the data transfer if the VPN drops (I have a script for this code to run on top of the GUFW firewall). Twice now, while using a VPN session, I dropped out of fullscreen to see that my VPN was no longer engaged and my data transfer to the web did not lock up. This is on a Verizon Wi-Fi service.

Here's the firewall shell script file:

Code: Select all

#! /bin/bash

# block outgoing connections by default: 
iptables -P OUTPUT DROP 
echo "1" 
 # And then allow traffic to dns and openvpn servers 
iptables -A OUTPUT -p udp -m multiport --dport 53,1194 -j ACCEPT 
echo "2"
iptables -A OUTPUT -p tcp -m multiport --dport 53,443 -j ACCEPT
echo "3"
 # Allow outgoing connections on vpn interface 
iptables -A OUTPUT -o tun+ -j ACCEPT 
echo "4"
Any ideas what I'm doing wrong?

greerd
Level 5
Posts: 986
Joined: Sat Jul 31, 2010 10:58 am
Location: Nova Scotia, Canada

Re: VPN problem

Post by greerd » Mon Dec 18, 2017 5:43 pm

Hi benc and welcome to the forum.

I'm not even a novice at reading iptables but I can think of a couple of points.

First, iptables needs elevated privileges to edit, so try running your script as root.
Second, to see if the script worked (actually added the rules) run in a terminal

Code: Select all

sudo iptables -S
and see if they're in there.

From what I do glean from your script, once you run the script you will lose any access to your local LAN. If this is an issue I might try setting you up using ufw rules instead of editing iptables directly.

benc
Level 1
Posts: 16
Joined: Wed Dec 13, 2017 7:48 pm

Re: VPN problem

Post by benc » Mon Dec 18, 2017 6:09 pm

greerd wrote:Hi benc and welcome to the forum.

I'm not even a novice at reading iptables but I can think of a couple of points.

First, iptables needs elevated privileges to edit, so try running your script as root.
Second, to see if the script worked (actually added the rules) run in a terminal

Code: Select all

sudo iptables -S
and see if they're in there.

From what I do glean from your script, once you run the script you will lose any access to your local LAN. If this is an issue I might try setting you up using ufw rules instead of editing iptables directly.

Thanks for the troubleshooting direction. I do run the script under "sudo" manually before launching the VPN. Here's the before and after:

Firewall code (GUFW generated at boot)

Code: Select all

-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N ufw-after-forward
-N ufw-after-input
-N ufw-after-logging-forward
-N ufw-after-logging-input
-N ufw-after-logging-output
-N ufw-after-output
-N ufw-before-forward
-N ufw-before-input
-N ufw-before-logging-forward
-N ufw-before-logging-input
-N ufw-before-logging-output
-N ufw-before-output
-N ufw-logging-allow
-N ufw-logging-deny
-N ufw-not-local
-N ufw-reject-forward
-N ufw-reject-input
-N ufw-reject-output
-N ufw-skip-to-policy-forward
-N ufw-skip-to-policy-input
-N ufw-skip-to-policy-output
-N ufw-track-forward
-N ufw-track-input
-N ufw-track-output
-N ufw-user-forward
-N ufw-user-input
-N ufw-user-limit
-N ufw-user-limit-accept
-N ufw-user-logging-forward
-N ufw-user-logging-input
-N ufw-user-logging-output
-N ufw-user-output
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-forward -j ufw-user-forward
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
-A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
-A ufw-skip-to-policy-forward -j DROP
-A ufw-skip-to-policy-input -j DROP
-A ufw-skip-to-policy-output -j ACCEPT
-A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT

After running script (changes indicated)

Code: Select all

-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-N ufw-after-forward
-N ufw-after-input
-N ufw-after-logging-forward
-N ufw-after-logging-input
-N ufw-after-logging-output
-N ufw-after-output
-N ufw-before-forward
-N ufw-before-input
-N ufw-before-logging-forward
-N ufw-before-logging-input
-N ufw-before-logging-output
-N ufw-before-output
-N ufw-logging-allow
-N ufw-logging-deny
-N ufw-not-local
-N ufw-reject-forward
-N ufw-reject-input
-N ufw-reject-output
-N ufw-skip-to-policy-forward
-N ufw-skip-to-policy-input
-N ufw-skip-to-policy-output
-N ufw-track-forward
-N ufw-track-input
-N ufw-track-output
-N ufw-user-forward
-N ufw-user-input
-N ufw-user-limit
-N ufw-user-limit-accept
-N ufw-user-logging-forward
-N ufw-user-logging-input
-N ufw-user-logging-output
-N ufw-user-output
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A OUTPUT -p udp -m multiport --dports 53,1194 -j ACCEPT   <--- added by script
-A OUTPUT -p tcp -m multiport --dports 53,443 -j ACCEPT    <--- added by script
-A OUTPUT -o tun+ -j ACCEPT                                <--- added by script
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-forward -j ufw-user-forward
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
-A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
-A ufw-skip-to-policy-forward -j DROP
-A ufw-skip-to-policy-input -j DROP
-A ufw-skip-to-policy-output -j ACCEPT
-A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT

I'm not knowledgeable about this code either. Anyone see any problems?

greerd
Level 5
Posts: 986
Joined: Sat Jul 31, 2010 10:58 am
Location: Nova Scotia, Canada

Re: VPN problem

Post by greerd » Mon Dec 18, 2017 8:56 pm

The way I understand the firewall, the kernel netfilter module (which is the core of the firewall) is controlled/configured by iptables, so iptables is the deepest, most basic level a user can use to control the firewall. UFW is a more user-friendly app that can be used to set up rules in iptables, and GUFW is a GUI frontend to UFW that can set up basic UFW rules.

With that in mind, if you want to set up iptables rules directly via your script, you should probably disable GUFW (hence UFW) completely and just let the iptables rules work on their own without any additional input from UFW.

That's how my VPN GUI works when I set the Network Lock: it disables UFW and edits iptables directly.

greerd
Level 5
Posts: 986
Joined: Sat Jul 31, 2010 10:58 am
Location: Nova Scotia, Canada

Re: VPN problem

Post by greerd » Mon Dec 18, 2017 9:34 pm

benc wrote:

Code: Select all

#! /bin/bash

# block outgoing connections by default: 
iptables -P OUTPUT DROP 
echo "1" 
 # And then allow traffic to dns and openvpn servers 
iptables -A OUTPUT -p udp -m multiport --dport 53,1194 -j ACCEPT 
echo "2"
iptables -A OUTPUT -p tcp -m multiport --dport 53,443 -j ACCEPT
echo "3"
 # Allow outgoing connections on vpn interface 
iptables -A OUTPUT -o tun+ -j ACCEPT 
echo "4"
Actually I must have been asleep when I looked over your script. It doesn't specify an IP address, so all IP addresses can be used; for example, the line that allows output via TCP on port 443 will allow any HTTPS address. I wouldn't call this a network lock at all.

If you have the IP address of your VPN server you should be able to edit the script's two lines so that they include the IP address.

iptables -A OUTPUT -d xxx.xxx.xxx.xxx/32 -p udp -m multiport --dport 53,1194 -j ACCEPT
iptables -A OUTPUT -d xxx.xxx.xxx.xxx/32 -p tcp -m multiport --dport 53,443 -j ACCEPT

where xxx.xxx.xxx.xxx is your VPN server's address and /32 is the network mask.
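An added example (not code from the thread or from any VPN provider) that combines the two suggestions above: disable UFW before installing the lock, and pin the clear-text exception to the VPN server's address. The reason the poster's script never blocked anything is visible in the posted dump: `-A OUTPUT -j ufw-track-output` sits ahead of the appended rules, and that chain ACCEPTs every NEW tcp/udp flow, so the OUTPUT DROP policy is never reached. The VPN server IP, port and protocol below are assumed placeholders.

```bash
#!/bin/bash
# Kill switch that survives ufw (added example). Assumptions: the VPN server
# IP/port/proto are known, and the OpenVPN config uses "remote <ip>" so no
# clear-text DNS lookup is needed once the lock is in place.
set -eu
IPT=${IPT:-iptables}

# Print the rule set instead of applying it, so it can be reviewed or tested.
build_rules() {
    local vpn_ip=$1 vpn_port=${2:-1194} proto=${3:-udp}
    cat <<EOF
ufw disable
$IPT -F
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A OUTPUT -d $vpn_ip/32 -p $proto --dport $vpn_port -j ACCEPT
$IPT -A OUTPUT -o tun+ -j ACCEPT
$IPT -A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "[KILLSWITCH DROP] "
EOF
}

# Inspect an `iptables -S` dump (passed as a string): the lock only holds if the
# OUTPUT policy is DROP and no ufw chain is hooked into OUTPUT ahead of our rules.
check_dump() {
    local dump=$1 ok=0
    printf '%s\n' "$dump" | grep -q '^-P OUTPUT DROP$' || { echo "OUTPUT policy is not DROP"; ok=1; }
    if printf '%s\n' "$dump" | grep -q '^-A OUTPUT -j ufw-'; then
        echo "ufw chains still precede the lock rules: NEW traffic is accepted before them"
        ok=1
    fi
    return $ok
}

# Constructed samples in the shape of the thread's dump (not real captures).
SAMPLE_BYPASSED='-P OUTPUT DROP
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-track-output
-A OUTPUT -o tun+ -j ACCEPT
-A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT'
SAMPLE_LOCKED='-P OUTPUT DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 203.0.113.10/32 -p udp --dport 1194 -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT'

case ${1:-} in
    --apply) build_rules "${2:?vpn server ip}" "${3:-1194}" "${4:-udp}" | sh -e ;;
    --check) check_dump "$("$IPT" -S)" ;;
esac
```

Run `./killswitch.sh --apply 203.0.113.10 1194 udp` as root, then `./killswitch.sh --check`; the script can also be invoked from OpenVPN's up/down hooks (which require `script-security 2`).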

benc
Level 1
Posts: 16
Joined: Wed Dec 13, 2017 7:48 pm

Re: VPN problem

Post by benc » Sun Dec 24, 2017 2:36 pm

I kept researching this, trying to make some sense of it. I was on a forum and one post talked about the sequence of adding firewall rules for the VPN to shut down on disconnect. The poster talked about modifying the firewall before or after engaging the VPN. All of my failures had occurred when I was changing the firewall rules before engaging the VPN. I started my firewall shell script after starting the VPN -- and it worked -- on two different machines. I don't have the first clue about why it works.

Seems like the OpenVPN code needs a few tweaks to stop the data stream when the VPN drops. As it is, the current code is not failing in a safe way .....

Pippin
Level 3
Posts: 159
Joined: Wed Dec 13, 2017 11:14 am
Location: NL/DE/TH

Re: VPN problem

Post by Pippin » Sun Dec 24, 2017 4:02 pm

benc wrote:Seems like the OpenVPN code needs a few tweaks to stop the data stream when the VPN drops.

A kill switch is not up to OpenVPN.
You can put your rules via an up/down script in the OpenVPN config file.
See --up cmd and --down cmd in the OpenVPN manual:
https://community.openvpn.net/openvpn/w ... n24ManPage