[SOLVED] Configuring Shorewall Firewall to Allow OpenVPN Con

[SOLVED] Configuring Shorewall Firewall to Allow OpenVPN Con

Postby linuxbrad » Jan 25th, '19, 19:30

Hello,

I recently purchased a subscription to NordVPN and now I am trying to set up a VPN connection on my Mageia 6.1 laptop. I am following their tutorial, "How can I connect to NordVPN using Linux Terminal?", and have managed to set up a connection under the tun0 interface. However, I have no Internet access once connected to the VPN. After a couple of hours of troubleshooting with a friend, we determined that Shorewall is blocking the OpenVPN connection. Shutting off the Shorewall service, via the Mageia Control Centre, allows connectivity but then I have an issue with DNS. After shutting off Shorewall, I can
Code: Select all
ping 8.8.8.8


but I can't

Code: Select all
ping google.com


NordVPN provides some DNS servers to use in this tutorial: "Change your DNS servers on Linux" but I'm not sure if those instructions will allow me to change or add these DNS servers to my configuration permanently. When I open /etc/resolv.conf I see the following:

Code: Select all
[bradfonseca@localhost etc]$ cat resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 192.168.176.251
nameserver 192.168.176.252
nameserver 192.168.176.253


I don't want to edit resolv.conf every time I reboot.

With all that background, I want to ask the following questions:

1. How do configure Shorewall to allow a connection to a VPN with OpenVPN? I really want to leave Shorewall running and just open it a little to allow this connection.

2. How do I add or replace the DNS servers in resolv.conf with the one NordVPN recommends?
Code: Select all
nameserver 103.86.96.100
nameserver 103.86.99.100


Thanks in advance for the help.

Brad
Last edited by linuxbrad on Jan 29th, '19, 18:15, edited 1 time in total.
--
Brad Fonseca
XMPP: brad.fonseca@blah.im
XMPP (alt): brad.fonseca@xmpp.dk
User avatar
linuxbrad
 
Posts: 30
Joined: May 1st, '13, 04:36

Re: Configuring Shorewall Firewall to Allow OpenVPN Connecti

Postby jiml8 » Jan 25th, '19, 23:56

If you start the Mageia Control Center, then select Security, then "Set up your personal firewall" then click on the "Advanced" button, you will get to a requester that lets you enter ports and protocols that are to be allowed. You need to enter your ports for OpenVPN here. Offhand, I don't recall what they are, so you need to check on that. The syntax goes like this:
Code: Select all
9001:9030/tcp 153/udp

and so forth. Leave a space (not a comma) between groups. Portranges are startport:endport.

As for your DNS, your default DNS are all being provided on your LAN. In fact your configuration looks peculiar, as if you have three DNS servers on your LAN. You might, but I doubt it. Typically, your local router is the only DNS server you will have, if you choose to use it. Once you have OpenVPN up and running you might not be able to connect to your LAN at all, depending on how your provider sets things up.

I usually set up a vlan for the VPN. I connect locally over my LAN then connect to the internet via the VPN.

As for shorewall, I used it for a long time. I concluded that it was much too big a PITA for me. It is great for the typical user, but when you start doing advanced things it gets in the way. I scrapped it and wrote my own firewall. My firewall suits my purposes perfectly, is easy enough to modify (which shorewall surely isn't) and is comprehensible (while shorewall requires a lot of study of shorewall, in addition to understanding iptables).

For the record, in my book, vlans and VPNs are getting into "advanced things". Shorewall will handle OpenVPN easily enough, but it will begin to be painful when you try to set up a vlan.
jiml8
 
Posts: 1025
Joined: Jul 7th, '13, 18:09

Re: Configuring Shorewall Firewall to Allow OpenVPN Connecti

Postby martinw » Jan 27th, '19, 02:05

1. As Jim says, start the Mageia Control Centre, then select Security, then "Set up your personal firewall", but you need to do this when the tun0 interface exists, i.e. when you have the VPN running. Select whatever ports you want to open (note this is enabling inbound connections, not outbound connections, so you don't really need to enable anything). I don't believe you need anything special for the VPN itself - I don't. After clicking on OK, and going through the screen that lets you set up the interactive firewall options, you get a screen that lets you choose which interface(s) this applies to. You should now see the option to include the tun0 interface.

I don't know for sure, but I don't think you can set different configurations for each interface. I don't know if this is a limitation of the GUI, or of shorewall itself.

2. I assume you have a configuration file for the NordVPN in /etc/openvpn. Add the following lines to the configuration file
Code: Select all
script-security 2
up /etc/openvpn/update-resolv-conf.sh
down /etc/openvpn/update-resolv-conf.sh

Now the /etc/openvpn/update-resolv-conf.sh script will get executed each time you start or stop that openvpn service. If the NordVPN is serving you an IP address via DHCP, it should also be providing the DNS information in the DHCP messages. In that case you can use
update-resolv-conf.txt
(1.42 KiB) Downloaded 29 times
(renaming .txt to .sh).
martinw
 
Posts: 514
Joined: May 14th, '11, 10:59

Re: Configuring Shorewall Firewall to Allow OpenVPN Connecti

Postby linuxbrad » Jan 28th, '19, 21:14

martinw wrote:2. I assume you have a configuration file for the NordVPN in /etc/openvpn.


Thanks for your response. I think I've screwed something up. I don't have a configuration file under /etc/openvpn/. Instead, I have been following their tutorial, "How can I connect to NordVPN using Linux Terminal?", and was able to set up a connection under the tun0 interface. Now, tun0 doesn't come up properly. I've attached a text file with the messages I get when I use the command
Code: Select all
sudo openvpn ca124.nordvpn.com.udp1194.ovpn

to connect. The messages that look different happen after I hit Crtl-C to break the connection. There are route errors. The only thing I did was to try to set the DNS servers manually for tun0 under the Network Centre. After I did this, tun0 refuses to come up properly. Even when I tried to clear out the setting it's still an issue.

I'm grasping at straws. Thanks in advance for your help.

Brad
Attachments
net_centre_settings.png
Network Centre settings GUI
net_centre_settings.png (28.13 KiB) Viewed 544 times
ca124.nordvpn.com.udp1194.ovpn.txt
CA124 OVPN file
(2.78 KiB) Downloaded 22 times
ca124_udp_msg.txt
CLI messages
(4.91 KiB) Downloaded 21 times
--
Brad Fonseca
XMPP: brad.fonseca@blah.im
XMPP (alt): brad.fonseca@xmpp.dk
User avatar
linuxbrad
 
Posts: 30
Joined: May 1st, '13, 04:36

Re: Configuring Shorewall Firewall to Allow OpenVPN Connecti

Postby martinw » Jan 29th, '19, 01:27

OK, your ca124.nordvpn.com.udp1194.ovpn looks like a suitable configuration file. The way I start openvpn is to copy the configuration file to e.g. /etc/openvpn/nordvpn.conf, then
Code: Select all
sudo systemctl start openvpn@nordvpn.service

(the @nordvpn causes the service start script to look for a .conf file in /etc/openvpn with the same base name)

If you try that, what then is the output from
Code: Select all
sudo ip addr
sudo ip route
martinw
 
Posts: 514
Joined: May 14th, '11, 10:59

[SOLVED] Re: Configuring Shorewall Firewall to Allow OpenVPN

Postby linuxbrad » Jan 29th, '19, 18:14

Hello,

I got it working! I was doing a bit of research on the Mageia forums and found the following topic: [SOLVED] How to switch from net_applet to NetworkManager, which led me to think that maybe I would have better luck with Network Manager rather than net_applet (the default network management GUI tool). I installed it from the Mageia Control Centre along with plasma-applet-nm so I would have access from my system tray:
sys_tray_circled.png
System Tray with Network Manager
sys_tray_circled.png (17.17 KiB) Viewed 530 times

However, the version of Network Manager on Mageia doesn't have the same interface as I found online and the Import OpenVPN Function didn't work properly from the GUI. I did some more research and found this article, VPN Setup and Auto Connect from Command-line and adapted the instructions to my purposes.

I knew that the command line application, nmcli, comes with the Network Manager package so I did the following from the directory that my .ovpn files are located in based on the above-mentioned article:

Code: Select all
sudo nmcli connection import type openvpn file ca189.nordvpn.com.udp1194.ovpn

Then, I went to /etc/NetworkManager/system-connections/ and I made the modifications to the ca189.nordvpn.com.udp1194 file I now found there as follows:

Code: Select all
#Change this from 1 to 0 so that it doesn't try to load the keyring
password-flags=0

#Add this under the [vpn] section
username=my_username

#Create a new header
[vpn-secrets]
password=my_password

Then, I ran the following command:
Code: Select all
sudo nmcli connection reload ca189.nordvpn.com.udp1194

Now, when I open the Network Manager GUI from my sys-tray icon, I can now see the VPN in my list (circled on the left) and then I added it to my connection (circled on the right):
net_mgr_main_screen_circled.png
Network Manager Screen
net_mgr_main_screen_circled.png (95.11 KiB) Viewed 530 times

Adding the VPN to my existing connection was a little confusing to me but now that I've done it it makes sense.

Now, if I run the command
Code: Select all
sudo nmcli connection show
I get the following:
Code: Select all
NAME                       UUID                                  TYPE             DEVICE
WSINET                     c23dd820-b851-46e1-9908-9a688d31c0fb  802-11-wireless  wlp6s0
ca189.nordvpn.com.udp1194  6c0fd111-4274-4575-80c3-18710767b01d  vpn              wlp6s0
tun0                       dbc8f3b4-1184-4a26-b248-a85675178674  tun              tun0   
Pixel XL Network           32546d68-69a1-4aef-a29e-35bd4f3c7e24  bluetooth        --     
System WSINET (wlp6s0)     c5552947-fb6e-291b-5065-c139725215e7  802-11-wireless  --     
System enp7s0              75faabc3-f62c-9770-bfe5-9996ddb77891  802-3-ethernet   --     


I hope this solution will help someone else. The only drawback is you have to go through all these steps to add another VPN connection. It would be nice if the function to import a .ovpn file into Network Manager via the GUI worked but I'm glad a found a work-around.

Thanks again to everyone who responded to my questions.

Brad
--
Brad Fonseca
XMPP: brad.fonseca@blah.im
XMPP (alt): brad.fonseca@xmpp.dk
User avatar
linuxbrad
 
Posts: 30
Joined: May 1st, '13, 04:36

Re: [SOLVED] Configuring Shorewall Firewall to Allow OpenVPN

Postby linuxbrad » Jan 29th, '19, 18:19

f you start the Mageia Control Center, then select Security, then "Set up your personal firewall" then click on the "Advanced" button, you will get to a requester that lets you enter ports and protocols that are to be allowed. You need to enter your ports for OpenVPN here. Offhand, I don't recall what they are, so you need to check on that. The syntax goes like this:

Code: Select all
9001:9030/tcp 153/udp


and so forth. Leave a space (not a comma) between groups. Portranges are startport:endport.


Yes! This worked and shorewall is no longer blocking my VPN connection.
--
Brad Fonseca
XMPP: brad.fonseca@blah.im
XMPP (alt): brad.fonseca@xmpp.dk
User avatar
linuxbrad
 
Posts: 30
Joined: May 1st, '13, 04:36

Re: [SOLVED] Configuring Shorewall Firewall to Allow OpenVPN

Postby linuxbrad » Jan 29th, '19, 18:31

As for your DNS, your default DNS are all being provided on your LAN. In fact your configuration looks peculiar, as if you have three DNS servers on your LAN. You might, but I doubt it. Typically, your local router is the only DNS server you will have, if you choose to use it. Once you have OpenVPN up and running you might not be able to connect to your LAN at all, depending on how your provider sets things up.


I was able to manually designate what DNS servers I wanted to use in Network Manager for my standard connection:
net_mgr_dns_screen_circled.png
Network Manager DNS Screen
net_mgr_dns_screen_circled.png (87.12 KiB) Viewed 527 times

However, the VPN connection automatically found the NordVPN DNS servers once it was connected. I get the following when I use nslookup:
Code: Select all
[bradfonseca@linux ~]$ nslookup google.com
Server:         103.86.96.100
Address:        103.86.96.100#53

Non-authoritative answer:
Name:   google.com
Address: 172.217.1.174

The DNS server indicated (103.86.96.100) is one of the NordVPN DNS servers.

Thanks again for everyone's help.

Brad
--
Brad Fonseca
XMPP: brad.fonseca@blah.im
XMPP (alt): brad.fonseca@xmpp.dk
User avatar
linuxbrad
 
Posts: 30
Joined: May 1st, '13, 04:36


Return to Networking

Who is online

Users browsing this forum: No registered users and 1 guest