I configured an OpenVPN server on OpenWrt. When I try to connect to the VPN server, ufw blocks traffic from my router:
Sep 29 19:22:58 debian nm-openvpn[11139]: OpenVPN 2.4.3 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jun 30 2017
Sep 29 19:22:58 debian nm-openvpn[11139]: library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.08
Sep 29 19:22:59 debian nm-openvpn[11139]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sep 29 19:22:59 debian nm-openvpn[11139]: TCP/UDP: Preserving recently used remote address: [AF_INET]my-public-ip:1194
Sep 29 19:22:59 debian nm-openvpn[11139]: UDP link local: (not bound)
Sep 29 19:22:59 debian nm-openvpn[11139]: UDP link remote: [AF_INET]my-public-ip:1194
Sep 29 19:22:59 debian nm-openvpn[11139]: NOTE: chroot will be delayed because of --client, --pull, or --up-delay
Sep 29 19:22:59 debian nm-openvpn[11139]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Sep 29 19:22:59 debian kernel: [352532.393466] [UFW BLOCK] IN=wlan0 OUT= MAC=mac-address SRC=10.0.10.1 DST=10.0.10.100 LEN=54 TOS=0x00 PREC=0x00 TTL=64 ID=9547 DF PROTO=UDP SPT=1194 DPT=53955 LEN=34
Sep 29 19:23:01 debian kernel: [352534.424641] [UFW BLOCK] IN=wlan0 OUT= MAC=mac-address SRC=10.0.10.1 DST=10.0.10.100 LEN=42 TOS=0x00 PREC=0x00 TTL=64 ID=9708 DF PROTO=UDP SPT=1194 DPT=53955 LEN=22
Sep 29 19:23:01 debian kernel: [352534.545230] [UFW BLOCK] IN=wlan0 OUT= MAC=mac-address SRC=10.0.10.1 DST=10.0.10.100 LEN=50 TOS=0x00 PREC=0x00 TTL=64 ID=9709 DF PROTO=UDP SPT=1194 DPT=53955 LEN=30
Sep 29 19:23:05 debian kernel: [352538.484704] [UFW BLOCK] IN=wlan0 OUT= MAC=mac-address SRC=10.0.10.1 DST=10.0.10.100 LEN=42 TOS=0x00 PREC=0x00 TTL=64 ID=9838 DF PROTO=UDP SPT=1194 DPT=53955 LEN=22
Sep 29 19:23:05 debian kernel: [352538.902302] [UFW BLOCK] IN=wlan0 OUT= MAC=mac-address SRC=10.0.10.1 DST=10.0.10.100 LEN=50 TOS=0x00 PREC=0x00 TTL=64 ID=9872 DF PROTO=UDP SPT=1194 DPT=53955 LEN=30
What I don't understand is that when I connect to our company OpenVPN I get connected without any issues. Here are the rules:
# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ufw-before-logging-input all -- anywhere anywhere
ufw-before-input all -- anywhere anywhere
ufw-after-input all -- anywhere anywhere
ufw-after-logging-input all -- anywhere anywhere
ufw-reject-input all -- anywhere anywhere
ufw-track-input all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
ufw-before-logging-forward all -- anywhere anywhere
ufw-before-forward all -- anywhere anywhere
ufw-after-forward all -- anywhere anywhere
ufw-after-logging-forward all -- anywhere anywhere
ufw-reject-forward all -- anywhere anywhere
ufw-track-forward all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ufw-before-logging-output all -- anywhere anywhere
ufw-before-output all -- anywhere anywhere
ufw-after-output all -- anywhere anywhere
ufw-after-logging-output all -- anywhere anywhere
ufw-reject-output all -- anywhere anywhere
ufw-track-output all -- anywhere anywhere
Chain ufw-after-forward (1 references)
target prot opt source destination
Chain ufw-after-input (1 references)
target prot opt source destination
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-ns
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-dgm
ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:netbios-ssn
ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:microsoft-ds
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootps
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootpc
ufw-skip-to-policy-input all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
Chain ufw-after-logging-forward (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw-after-logging-input (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw-after-logging-output (1 references)
target prot opt source destination
Chain ufw-after-output (1 references)
target prot opt source destination
Chain ufw-before-forward (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmp echo-request
ufw-user-forward all -- anywhere anywhere
Chain ufw-before-input (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ufw-logging-deny all -- anywhere anywhere ctstate INVALID
DROP all -- anywhere anywhere ctstate INVALID
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
ufw-not-local all -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere 239.255.255.250 udp dpt:1900
ufw-user-input all -- anywhere anywhere
Chain ufw-before-logging-forward (1 references)
target prot opt source destination
Chain ufw-before-logging-input (1 references)
target prot opt source destination
Chain ufw-before-logging-output (1 references)
target prot opt source destination
Chain ufw-before-output (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ufw-user-output all -- anywhere anywhere
Chain ufw-logging-allow (0 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "
Chain ufw-logging-deny (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere ctstate INVALID limit: avg 3/min burst 10
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw-not-local (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
RETURN all -- anywhere anywhere ADDRTYPE match dst-type MULTICAST
RETURN all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
ufw-logging-deny all -- anywhere anywhere limit: avg 3/min burst 10
DROP all -- anywhere anywhere
Chain ufw-reject-forward (1 references)
target prot opt source destination
Chain ufw-reject-input (1 references)
target prot opt source destination
Chain ufw-reject-output (1 references)
target prot opt source destination
Chain ufw-skip-to-policy-forward (0 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain ufw-skip-to-policy-input (7 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain ufw-skip-to-policy-output (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain ufw-track-forward (1 references)
target prot opt source destination
Chain ufw-track-input (1 references)
target prot opt source destination
Chain ufw-track-output (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere ctstate NEW
ACCEPT udp -- anywhere anywhere ctstate NEW
Chain ufw-user-forward (1 references)
target prot opt source destination
Chain ufw-user-input (1 references)
target prot opt source destination
Chain ufw-user-limit (0 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain ufw-user-limit-accept (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain ufw-user-logging-forward (0 references)
target prot opt source destination
Chain ufw-user-logging-input (0 references)
target prot opt source destination
Chain ufw-user-logging-output (0 references)
target prot opt source destination
Chain ufw-user-output (1 references)
target prot opt source destination
and here are the added rules:
# ufw show added
Added user rules (see 'ufw status' for running firewall):
(None)
Once again, I can connect successfully to another VPN server. When I disable ufw I can connect to my OpenVPN, but without DNS, unless I activate ufw and add the following rules:
# ufw allow proto udp from 10.0.10.1
# ufw allow dns
But I am still wondering why it works with one OpenVPN server and doesn't work with the other?
I am running Debian stretch:
# lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux stable-updates (sid)
Release: stable-updates
Codename: sid
# uname -a
Linux debian 4.12.8 #1 SMP Sat Aug 19 16:04:08 CEST 2017 x86_64 GNU/Linux
Here is my OpenVPN server config:
config openvpn 'myvpn'
    option enabled '1'
    option verb '3'
    option port '1194'
    option proto 'udp'
    option dev 'tun'
    option server '10.8.0.0 255.255.255.0'
    option keepalive '10 120'
    option ca '/etc/openvpn/ca.crt'
    option cert '/etc/openvpn/server.crt'
    option key '/etc/openvpn/server.key'
    option dh '/etc/openvpn/dh2048.pem'
    option log '/tmp/openvpn.log'
    option status '/var/log/openvpn-status.log'
    option client_to_client '1'
    option persist_tun '1'
    option persist_key '1'
    list push 'dhcp-option DNS 10.0.10.1'
    list push 'redirect-gateway def1'
    list push 'route 10.0.10.0 255.255.255.0'
My firewall:
# cat /etc/config/firewall
config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option network 'lan'
    option forward 'ACCEPT'

config zone
    option name 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
    option network 'wan wan6'

config forwarding
    option src 'lan'
    option dest 'wan'

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-IGMP'
    option src 'wan'
    option proto 'igmp'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option src_ip 'fc00::/6'
    option dest_ip 'fc00::/6'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-MLD'
    option src 'wan'
    option proto 'icmp'
    option src_ip 'fe80::/10'
    list icmp_type '130/0'
    list icmp_type '131/0'
    list icmp_type '132/0'
    list icmp_type '143/0'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-IPSec-ESP'
    option src 'wan'
    option dest 'lan'
    option proto 'esp'
    option target 'ACCEPT'

config rule
    option name 'Allow-ISAKMP'
    option src 'wan'
    option dest 'lan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'

config include
    option path '/etc/firewall.user'

config zone
    option forward 'REJECT'
    option name 'wlan'
    option network 'wlan'
    option output 'ACCEPT'
    option input 'ACCEPT'

config forwarding
    option dest 'wan'
    option src 'wlan'

config rule
    option src 'wlan'
    option dest_ip '10.0.10.1'
    option dest_port '80'
    option target 'DROP'
    option name 'NO WLAN TO ROUTER'

config rule
    option src 'wlan'
    option name 'NO WLAN TO ROUTER'
    option dest_ip '10.0.30.1'
    option dest_port '80'
    option target 'DROP'

config rule
    option src 'wlan'
    option name 'NO WLAN SSH'
    option dest_ip '10.0.10.1'
    option dest_port '22'
    option target 'DROP'

config rule
    option enabled '1'
    option src 'wlan'
    option name 'NO WLAN SSH'
    option dest_ip '10.0.30.1'
    option dest_port '22'
    option target 'DROP'

config rule 'Allow_OpenVPN_Inbound'
    option target 'ACCEPT'
    option src '*'
    option proto 'udp'
    option dest_port '1194'

config zone 'vpn'
    option name 'vpn'
    option network 'vpn0'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option masq '1'
    option forward 'REJECT'

config forwarding 'vpn_forwarding_lan_in'
    option src 'vpn'
    option dest 'lan'

config forwarding 'vpn_forwarding_lan_out'
    option src 'lan'
    option dest 'vpn'

config forwarding 'vpn_forwarding_wan'
    option src 'vpn'
    option dest 'wan'
My network:
# cat /etc/config/network
config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'fd64:4b11:c562::/48'

config interface 'lan'
    option type 'bridge'
    option proto 'static'
    option netmask '255.255.255.0'
    option ip6assign '60'
    option ipaddr '10.0.10.1'
    option gateway '10.0.10.1'
    option broadcast '10.0.10.255'
    option _orig_ifname 'eth0.1 radio0.network1'
    option _orig_bridge 'true'
    option ifname 'eth0 eth0.1'

config interface 'wan'
    option ifname 'eth0.2'
    option proto 'dhcp'

config device 'wan_dev'
    option name 'eth0.2'
    option macaddr '84:16:f9:e8:a0:57'

config interface 'wan6'
    option ifname 'eth0.2'
    option proto 'dhcpv6'

config switch
    option name 'switch0'
    option reset '1'
    option enable_vlan '1'

config switch_vlan
    option device 'switch0'
    option vlan '1'
    option vid '1'
    option ports '0t 3 4'

config switch_vlan
    option device 'switch0'
    option vlan '2'
    option ports '0t 5'
    option vid '2'

config switch_vlan
    option device 'switch0'
    option vlan '3'
    option vid '3'
    option ports '0t 1 2'

config interface 'wlan'
    option type 'bridge'
    option proto 'static'
    option ifname 'eth0.3'
    option ipaddr '10.0.30.1'
    option netmask '255.255.255.0'
    option gateway '10.0.30.1'
    option broadcast '10.0.30.255'

config interface 'vpn0'
    option ifname 'tun0'
    option _orig_ifname 'tun0'
    option _orig_bridge 'false'
    option proto 'none'
    option auto '1'
And the log file:
# tail -f /tmp/openvpn.log
Fri Sep 29 22:34:40 2017 /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Fri Sep 29 22:34:40 2017 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Fri Sep 29 22:34:40 2017 Could not determine IPv4/IPv6 protocol. Using AF_INET
Fri Sep 29 22:34:40 2017 Socket Buffers: R=[163840->163840] S=[163840->163840]
Fri Sep 29 22:34:40 2017 UDPv4 link local (bound): [AF_INET][undef]:1194
Fri Sep 29 22:34:40 2017 UDPv4 link remote: [AF_UNSPEC]
Fri Sep 29 22:34:40 2017 MULTI: multi_init called, r=256 v=256
Fri Sep 29 22:34:40 2017 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Fri Sep 29 22:34:40 2017 Initialization Sequence Completed
Fri Sep 29 22:42:48 2017 10.0.10.100:56804 TLS: Initial packet from [AF_INET]10.0.10.100:56804, sid=63fbb5fe 23eba2ad
Fri Sep 29 22:43:48 2017 10.0.10.100:56804 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Sep 29 22:43:48 2017 10.0.10.100:56804 TLS Error: TLS handshake failed
Fri Sep 29 22:43:48 2017 10.0.10.100:56804 SIGUSR1[soft,tls-error] received, client-instance restarting
Does somebody have an explanation? I appreciate it. Thanks.
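As an added illustration (not part of the question above), the following script parses the `[UFW BLOCK]` kernel lines quoted in the post and checks whether the blocked packet is the exact reverse of the tuple the client sent; conntrack only classifies a packet as ESTABLISHED when it is, so a reply from 10.0.10.1 to a session the client opened towards the router's public address does not match, while a reply from the address the client actually dialled does. The public address 203.0.113.10 is a documentation-range placeholder for "my-public-ip", and the sample line is constructed in the shape of the ones in the question.

```python
import re
from dataclasses import dataclass

# Constructed sample input in the shape of the kernel lines quoted in the question.
BLOCK_LINE = ("Sep 29 19:22:59 debian kernel: [352532.393466] [UFW BLOCK] IN=wlan0 OUT= "
              "MAC=mac-address SRC=10.0.10.1 DST=10.0.10.100 LEN=54 TOS=0x00 PREC=0x00 "
              "TTL=64 ID=9547 DF PROTO=UDP SPT=1194 DPT=53955 LEN=34")
ROUTER_PUBLIC_IP = "203.0.113.10"  # placeholder for the router's "my-public-ip"

# Only TCP/UDP lines carry SPT/DPT; ICMP blocks deliberately do not match.
UFW_RE = re.compile(r"\[UFW BLOCK\] IN=(?P<iface>\S*) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
                    r".*?PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)")

@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    iface: str = ""

def parse_ufw_block(line: str):
    """Extract the 5-tuple and inbound interface from a [UFW BLOCK] kernel line."""
    m = UFW_RE.search(line)
    if m is None:
        return None
    return Flow(m["proto"], m["src"], int(m["spt"]), m["dst"], int(m["dpt"]), m["iface"])

def is_conntrack_reply(blocked: Flow, outbound: Flow) -> bool:
    """conntrack marks a packet ESTABLISHED only if it is the exact reverse of the
    tuple the host sent out; a reply from a different source address is NEW instead."""
    return (blocked.proto == outbound.proto
            and blocked.src == outbound.dst and blocked.sport == outbound.dport
            and blocked.dst == outbound.src and blocked.dport == outbound.sport)

def least_privilege_rule(blocked: Flow) -> str:
    """Narrowest ufw rule that admits this flow: pin interface, protocol, peer and its port,
    rather than opening all UDP from the peer."""
    return (f"ufw allow in on {blocked.iface} proto {blocked.proto.lower()} "
            f"from {blocked.src} port {blocked.sport}")

if __name__ == "__main__":
    blocked = parse_ufw_block(BLOCK_LINE)
    # The client dialled the public address; the reply arrives from the LAN address.
    sent = Flow("UDP", "10.0.10.100", 53955, ROUTER_PUBLIC_IP, 1194)
    print("reply matches conntrack entry:", is_conntrack_reply(blocked, sent))
    print(least_privilege_rule(blocked))
```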