[SOLVED]Autostarting OpenVPN client - no rules for tun iface

[SOLVED]Autostarting OpenVPN client - no rules for tun iface

Postby sojkovec » Feb 5th, '21, 18:02

Hi,

after googling and trying for hours I might just give up. While the openvpn client connects to server, tunnel interface has no firewall rules, so it ditches anything that comes to it. Easily fixed by running four iptables commands (well, allowing routing both directions). I tried making those rules permanent, I have failed. I tried adding them to root crontab, but the tun interface does not exist when those are executed (same for init.d, etc). Any ideas? It's not critical, merely inconvenient. Thank you for any suggestions.
Last edited by sojkovec on Feb 10th, '21, 23:16, edited 1 time in total.
sojkovec
 
Posts: 13
Joined: Feb 3rd, '21, 21:58

Re: Autostarting OpenVPN client - no rules for tun iface

Postby jiml8 » Feb 5th, '21, 21:43

You could use iptables-save and iptables-restore, but I personally prefer to have a sytemd service that handles my basic custom rules, and I have an assortment of scripts in my ~/bin directory to handle particular configurations that I might be setting.

Setting up a systemd service is easy enough. My entire firewall is custom, and here is how I invoke it. In the directory /etc/systemd/system, I have the file jlfirewall.service, which contains the following:
Code: Select all
#
#     My firewall.  Do what is needed and nothing more
#
[Unit]
Description=Jiml firewall
Wants=network-online.target
After=network-online.target
Conflicts=iptables.service firewalld.service

[Service]
Type=oneshot
RemainAfterExit=yes
StandardOutput=syslog
ExecStart=/usr/local/bin/firewall.sh

[Install]
WantedBy=basic.target


then, in /usr/local/bin I have firewall.sh which sets up my entire firewall. You could put your commands in there, and they would be applied at the right time in the boot.

After doing this, you would run (as root) systemctl enable jlfirewall.service (use your own service name, of course).
jiml8
 
Posts: 1253
Joined: Jul 7th, '13, 18:09

Re: Autostarting OpenVPN client - no rules for tun iface

Postby jiml8 » Feb 5th, '21, 21:45

I should also note that you might not want the "Conflicts" line. As I say, I write my own firewall completely and I don't want these other services to interfere. If you are just adding to an existing firewall, then you don't want Conflicts.
jiml8
 
Posts: 1253
Joined: Jul 7th, '13, 18:09

Re: [SOLVED]Autostarting OpenVPN client - no rules for tun i

Postby sojkovec » Feb 10th, '21, 23:29

Thanks. I executed the script through systemd and it was the time indeed, about 300 msecs according to log (successful execution/end ok of service I created was literally about 20 rows above creating tun0; right in the middle openvpn init log, funny indeed :)). Sleep for a 30 seconds did the trick. In fact I am not that familiar with netfilter anyway, so I am glad not to messing things up. Sorry for the bothering you guys, I am still learning. Sjk. Marked as solved.
sojkovec
 
Posts: 13
Joined: Feb 3rd, '21, 21:58

Re: [SOLVED]Autostarting OpenVPN client - no rules for tun i

Postby gpunk » Mar 2nd, '21, 18:42

I have done it a cleaner way, at my opinion,

Having the same issue, the FW stop every packet going to the vpn server ...

I used drak to deactivate the FW, and then reactivate it, so it sees the new interface and takes it into consideration.
gpunk
 
Posts: 2
Joined: Mar 2nd, '21, 18:39


Return to Networking

Who is online

Users browsing this forum: No registered users and 1 guest

cron