Problems with Core 70 and OpenVPN N2N

Michael Tremer michael.tremer at ipfire.org
Fri Jul 12 13:24:23 CEST 2013


See? Firewall rules are fine.

On Fri, 2013-07-12 at 11:04 +0200, Erik K. wrote:
> Hi Michael,
> here are the ovpn chains
> 
> Chain OVPNFORWARD (1 references)
> target     prot opt source               destination         
> ACCEPT     all  --  anywhere             anywhere            
> 
> Chain OVPNINPUT (1 references)
> target     prot opt source               destination         
> ACCEPT     udp  --  anywhere             anywhere             udp dpt:carrius-rshell
> ACCEPT     all  --  anywhere             anywhere            
> ACCEPT     udp  --  anywhere             anywhere             udp dpt:5329
> 
> Chain OVPN_BLUE_FORWARD (1 references)
> target     prot opt source               destination         
> ACCEPT     all  --  anywhere             anywhere            
> 
> Chain OVPN_BLUE_INPUT (1 references)
> target     prot opt source               destination         
> ACCEPT     udp  --  anywhere             anywhere             udp dpt:carrius-rshell
> ACCEPT     all  --  anywhere             anywhere            
> 
> and the rest of iptables -L
> 
> Chain INPUT (policy DROP)
> target     prot opt source               destination         
> BADTCP     all  --  anywhere             anywhere            
> CUSTOMINPUT  all  --  anywhere             anywhere            
> GUARDIAN   all  --  anywhere             anywhere            
> IPTVINPUT  all  --  anywhere             anywhere            
> GUIINPUT   all  --  anywhere             anywhere            
> ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
> IPSECINPUT  all  --  anywhere             anywhere            
> OPENSSLVIRTUAL  all  --  anywhere             anywhere             /* OPENSSLVIRTUAL INPUT */
> ACCEPT     all  --  anywhere             anywhere             state NEW
> DROP       all  --  127.0.0.0/8          anywhere             state NEW
> DROP       all  --  anywhere             127.0.0.0/8          state NEW
> ACCEPT    !icmp --  anywhere             anywhere             state NEW
> DHCPBLUEINPUT  all  --  anywhere             anywhere            
> OVPNINPUT  all  --  anywhere             anywhere            
> OVPN_BLUE_INPUT  all  --  anywhere             anywhere            
> OPENSSLPHYSICAL  all  --  anywhere             anywhere            
> WIRELESSINPUT  all  --  anywhere             anywhere             state NEW
> REDINPUT   all  --  anywhere             anywhere            
> XTACCESS   all  --  anywhere             anywhere             state NEW
> LOG        all  --  anywhere             anywhere             limit: avg 10/min burst 5 LOG level warning prefix "DROP_INPUT "
> DROP       all  --  anywhere             anywhere             /* DROP_INPUT */
> 
> Chain FORWARD (policy DROP)
> target     prot opt source               destination         
> BADTCP     all  --  anywhere             anywhere            
> TCPMSS     tcp  --  anywhere             anywhere             tcpflags: SYN,RST/SYN TCPMSS clamp to PMTU
> GUARDIAN   all  --  anywhere             anywhere            
> CUSTOMFORWARD  all  --  anywhere             anywhere            
> IPTVFORWARD  all  --  anywhere             anywhere            
> ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
> IPSECFORWARD  all  --  anywhere             anywhere            
> OPENSSLVIRTUAL  all  --  anywhere             anywhere             /* OPENSSLVIRTUAL FORWARD */
> OUTGOINGFWMAC  all  --  anywhere             anywhere            
> ACCEPT     all  --  anywhere             anywhere             state NEW
> DROP       all  --  127.0.0.0/8          anywhere             state NEW
> OVPNFORWARD  all  --  anywhere             anywhere            
> OVPN_BLUE_FORWARD  all  --  anywhere             anywhere            
> DROP       all  --  anywhere             127.0.0.0/8          state NEW
> ACCEPT     all  --  anywhere             anywhere             state NEW
> ACCEPT     all  --  anywhere             anywhere             state NEW
> WIRELESSFORWARD  all  --  anywhere             anywhere             state NEW
> REDFORWARD  all  --  anywhere             anywhere            
> DMZHOLES   all  --  anywhere             anywhere             state NEW
> PORTFWACCESS  all  --  anywhere             anywhere             state NEW
> UPNPFW     all  --  anywhere             anywhere             state NEW
> LOG        all  --  anywhere             anywhere             limit: avg 10/min burst 5 LOG level warning prefix "DROP_OUTPUT "
> DROP       all  --  anywhere             anywhere             /* DROP_OUTPUT */
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination         
> CUSTOMOUTPUT  all  --  anywhere             anywhere            
> OUTGOINGFW  all  --  anywhere             anywhere            
> IPSECOUTPUT  all  --  anywhere             anywhere            
> 
> Chain BADTCP (2 references)
> target     prot opt source               destination         
> RETURN     all  --  anywhere             anywhere            
> PSCAN      tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
> PSCAN      tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,PSH,ACK,URG/NONE
> PSCAN      tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,PSH,ACK,URG/FIN
> PSCAN      tcp  --  anywhere             anywhere             tcpflags: SYN,RST/SYN,RST
> PSCAN      tcp  --  anywhere             anywhere             tcpflags: FIN,SYN/FIN,SYN
> NEWNOTSYN  tcp  --  anywhere             anywhere             tcpflags:! FIN,SYN,RST,ACK/SYN state NEW
> 
> Chain CUSTOMFORWARD (1 references)
> target     prot opt source               destination         
> ACCEPT     udp  --  10.75.18.0/24        192.168.110.1        udp dpt:openvpn
> 
> Chain CUSTOMINPUT (1 references)
> target     prot opt source               destination         
> ACCEPT     tcp  --  192.168.75.2         ipfire-bbach.local   tcp dpt:snpp
> ACCEPT     tcp  --  192.168.110.3        ipfire-bbach.local   tcp dpt:snpp
> ACCEPT     tcp  --  10.1.2.2             ipfire-bbach.local   tcp dpt:snpp
> ACCEPT     tcp  --  192.168.75.2         ipfire-bbach.local   tcp dpt:snpp
> REJECT     tcp  --  anywhere             ipfire-bbach.local   tcp dpt:snpp reject-with icmp-port-unreachable
> ACCEPT     udp  --  10.75.18.0/24        192.168.110.1        udp dpt:openvpn
> DROP       all  --  anywhere             192.168.220.255     
> DROP       all  --  anywhere             all-systems.mcast.net 
> DROP       all  --  anywhere             192.168.2.255       
> 
> Chain CUSTOMOUTPUT (1 references)
> target     prot opt source               destination         
> 
> Chain DHCPBLUEINPUT (1 references)
> target     prot opt source               destination         
> ACCEPT     tcp  --  anywhere             anywhere             tcp spt:bootpc dpt:bootps
> ACCEPT     udp  --  anywhere             anywhere             udp spt:bootpc dpt:bootps
> 
> Chain DMZHOLES (2 references)
> target     prot opt source               destination         
> 
> Chain GUARDIAN (2 references)
> target     prot opt source               destination         
> 
> Chain GUIINPUT (1 references)
> target     prot opt source               destination         
> ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
> 
> Chain IPSECFORWARD (1 references)
> target     prot opt source               destination         
> 
> Chain IPSECINPUT (1 references)
> target     prot opt source               destination         
> 
> Chain IPSECOUTPUT (1 references)
> target     prot opt source               destination         
> 
> Chain IPTVFORWARD (1 references)
> target     prot opt source               destination         
> 
> Chain IPTVINPUT (1 references)
> target     prot opt source               destination         
> 
> Chain LOG_DROP (0 references)
> target     prot opt source               destination         
> LOG        all  --  anywhere             anywhere             limit: avg 10/min burst 5 LOG level warning
> DROP       all  --  anywhere             anywhere            
> 
> Chain LOG_REJECT (0 references)
> target     prot opt source               destination         
> LOG        all  --  anywhere             anywhere             limit: avg 10/min burst 5 LOG level warning
> REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
> 
> Chain NEWNOTSYN (1 references)
> target     prot opt source               destination         
> LOG        all  --  anywhere             anywhere             limit: avg 10/min burst 5 LOG level warning prefix "DROP_NEWNOTSYN "
> DROP       all  --  anywhere             anywhere             /* DROP_NEWNOTSYN */
> 
> Chain OPENSSLPHYSICAL (1 references)
> target     prot opt source               destination         
> 
> Chain OPENSSLVIRTUAL (2 references)
> target     prot opt source               destination         
> 
> Chain OUTGOINGFW (1 references)
> target     prot opt source               destination         
> 
> Chain OUTGOINGFWMAC (1 references)
> target     prot opt source               destination         
>           
> 
> Chain PORTFWACCESS (1 references)
> target     prot opt source               destination         
> 
> Chain PSCAN (5 references)
> target     prot opt source               destination         
> LOG        tcp  --  anywhere             anywhere             limit: avg 10/min burst 5 /* DROP_TCP PScan */ LOG level warning prefix "DROP_TCP Scan "
> LOG        udp  --  anywhere             anywhere             limit: avg 10/min burst 5 /* DROP_UDP PScan */ LOG level warning prefix "DROP_UDP Scan "
> LOG        icmp --  anywhere             anywhere             limit: avg 10/min burst 5 /* DROP_ICMP PScan */ LOG level warning prefix "DROP_ICMP Scan "
> LOG        all  -f  anywhere             anywhere             limit: avg 10/min burst 5 /* DROP_FRAG PScan */ LOG level warning prefix "DROP_FRAG Scan "
> DROP       all  --  anywhere             anywhere             /* DROP_PScan */
> 
> Chain REDFORWARD (1 references)
> target     prot opt source               destination         
> ACCEPT     all  --  anywhere             anywhere            
> 
> Chain REDINPUT (1 references)
> target     prot opt source               destination         
> 
> Chain UPNPFW (1 references)
> target     prot opt source               destination         
> 
> Chain WIRELESSFORWARD (1 references)
> target     prot opt source               destination         
> ACCEPT     all  --  anywhere             anywhere             MAC 00:17:F2:CD:C9:8B
> DMZHOLES   all  --  anywhere             anywhere             MAC 00:17:F2:CD:C9:8B
> LOG        all  --  anywhere             anywhere             LOG level warning prefix "DROP_Wirelessforward"
> DROP       all  --  anywhere             anywhere             /* DROP_Wirelessforward */
> 
> Chain WIRELESSINPUT (1 references)
> target     prot opt source               destination         
> ACCEPT     all  --  anywhere             anywhere             MAC 00:17:F2:CD:C9:8B
> LOG        all  --  anywhere             anywhere             LOG level warning prefix "DROP_Wirelessinput"
> DROP       all  --  anywhere             anywhere             /* DROP_Wirelessinput */
> 
> Chain XTACCESS (1 references)
> target     prot opt source               destination         
> ACCEPT     tcp  --  anywhere             192.168.2.2          tcp dpt:ident
> 
>             
> Erik
> 
> 
> Am 12.07.2013 um 00:06 schrieb Michael Tremer:
> 
> > Could you provide the iptables ruleset that is loaded?
> > 
> > This should not be caused by the latest NAT changes in core update 70.
> > But that's just a wild guess.
> > 
> > -Michael
> > 
> > On Thu, 2013-07-11 at 20:33 +0200, Erik K. wrote:
> >> Hi all,
> >> have tried today Core 70 and OpenVPN N2N and i have had problems to establish the connection. 
> >> 
> >> The infrastructure:
> >> 
> >> IPFire (remote) <--> Router <--> [ Internet ] <--> (local) Router <-->  (local) IPFire
> >> 
> >> So both sides with double NAT. The log messages gives me the following back
> >> 
> >> Jul 11 18:17:35 ipfire Testn2n[13565]: UDPv4 link remote: 192.168.20.2:5329
> >> Jul 11 18:19:09 ipfire Testn2n[13808]: TLS Error: client->client or server->server connection attempted from 192.168.20.2:5329
> >> Jul 11 18:18:01 ipfire Testn2n[13565]: event_wait : Interrupted system call (code=4)
> >> have never seen this message (in the middle) before...
> >> 
> >> So i looked to the configuration file on the TLS-client where the "Remote Host/IP" was stated with the 192.168.20.2 (red0 IP), i changed it then to the remote IP (in versions before Core 70 this was not necessary) and the following log output was stated.
> >> 
> >> Jul 11 20:22:49 ipfire Testn2n[6875]: Expected Remote Options hash (VER=V4): '9e986809'
> >> Jul 11 20:22:49 ipfire-bbach Testn2n[[6875]: UDPv4 link remote: 172.11.xx.xx:5329
> >> Jul 11 20:23:50 ipfire Testn2n[[6875]: [UNDEF] Inactivity timeout (--ping-restart), restarting
> >> 
> >> 
> >> Looks like a closed firewall. Portforwarding from both upstream routers to IPFire was made, outgoing FW was in mode 0 .
> >> 
> >> May some one have an idea what´s causing this problem ?
> >> 
> >> 
> >> Greetings 
> >> 
> >> 
> >> Erik
> >> 
> >> 
> >> _______________________________________________
> >> Development mailing list
> >> Development at lists.ipfire.org
> >> http://lists.ipfire.org/mailman/listinfo/development
> > 
> > 
> > _______________________________________________
> > Development mailing list
> > Development at lists.ipfire.org
> > http://lists.ipfire.org/mailman/listinfo/development
> 
> _______________________________________________
> Development mailing list
> Development at lists.ipfire.org
> http://lists.ipfire.org/mailman/listinfo/development



More information about the Development mailing list