openvpn-install: Seems like angristan/openvpn-install cannot coexist with hwdsl2/setup-ipsec-vpn after a reboot

I installed hwdsl2/setup-ipsec-vpn and then angristan/openvpn-install both on the same VPS because I need to support L2TP and OpenVPN preferably on the same IP.

It worked fine until a reboot. After that, both L2TP/IPsec and OpenVPN are still connectable, but there’s no internet via OpenVPN as if the POSTROUTING configuration is missing.

Here’s what a traceroute via OpenVPN looks like now:

Traceroute has started…

traceroute to 1.1.1.1 (1.1.1.1), 64 hops max, 72 byte packets
 1  10.8.0.1 (10.8.0.1)  104.991 ms  101.759 ms  98.067 ms
 2  * * *
 3  * * *
(…)

The browser keeps saying Resolving host as if the DNS is misconfigured, but I checked that server.conf pushes the right DNS servers and the actual resolv.conf file contains them.

I was able to reproduce the issue on a new AWS EC2 VPS running Debian 9. I still have it so I can collect any information you may need.

Checked that cat /proc/sys/net/ipv4/ip_forward outputs 1.

Here’s the sudo iptables -t nat -L -n -v output:

Chain PREROUTING (policy ACCEPT 1470 packets, 95907 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 147 packets, 7677 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 56 packets, 4103 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 56 packets, 4103 bytes)
 pkts bytes target     prot opt in     out     source               destination
   34  2318 MASQUERADE all  --  *      eth0    192.168.42.0/24      0.0.0.0/0
    0     0 MASQUERADE all  --  *      eth0    192.168.43.0/24      0.0.0.0/0            policy match dir out pol none
    0     0 MASQUERADE all  --  *      eth0    10.8.0.0/24          0.0.0.0/0

P.S. the fact that it worked initially makes me believe this is at all possible.

About this issue

  • State: closed
  • Created 6 years ago
  • Comments: 21 (8 by maintainers)

Most upvoted comments

@mehov There was an error in my IPTables rules in the previous comment. Try this version of /etc/iptables.rules. Replace with the following. Also, if the file /etc/iptables/rules.v4 exists, replace it with the same.

# Modified by hwdsl2 VPN script
# Generated by iptables-save v1.6.0 on Fri Sep 21 19:35:37 2018
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.42.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.43.0/24 -o eth0 -m policy --dir out --pol none -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Fri Sep 21 19:35:37 2018
# Generated by iptables-save v1.6.0 on Fri Sep 21 19:35:37 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p udp --dport 52879 -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -m policy --dir in --pol none -j DROP
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -j DROP
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -i eth0 -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ppp+ -o eth0 -j ACCEPT
-A FORWARD -s 192.168.42.0/24 -d 192.168.42.0/24 -i ppp+ -o ppp+ -j ACCEPT
-A FORWARD -d 192.168.43.0/24 -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.43.0/24 -o eth0 -j ACCEPT
-A FORWARD -j DROP
COMMIT
# Completed on Fri Sep 21 19:35:37 2018

Reboot your server and let us know if this works.

@Archerious You may try the same to see if it works on your server. Replace 52879 with the OpenVPN port you selected during install.
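As an added check (my own example, not code from this issue or from either VPN script), the POSIX shell script below reads a saved rules file like the one above and reports each required rule that is missing, or that was appended after an unconditional -j DROP in its chain and therefore can never match. It assumes the subnets the two scripts use in this thread, defaults OVPN_PORT and WAN_IF to the thread's 52879 and eth0, and embeds a constructed sample abridged from the rules posted above, plus a deliberately broken counterpart for comparison.

```shell
#!/bin/sh
# Added example, not part of this issue or of either VPN script: check a saved
# iptables rules file (e.g. /etc/iptables.rules or /etc/iptables/rules.v4) for
# the rules OpenVPN and L2TP/IPsec clients need to reach the internet.
# Subnets are the ones both scripts use in this thread; OVPN_PORT and WAN_IF
# default to the thread's values (52879, eth0) and are assumptions for your host.
OVPN_NET="10.8.0.0/24"; L2TP_NET="192.168.42.0/24"; XAUTH_NET="192.168.43.0/24"
OVPN_PORT="${OVPN_PORT:-52879}"; WAN_IF="${WAN_IF:-eth0}"

# rule_status FILE TABLE RULE -> prints "present", "missing" or "shadowed".
# "shadowed" means the rule sits after an unconditional -j DROP/REJECT in its
# chain, so iptables never reaches it (what happens when a boot-time script
# appends to a FORWARD chain that already ends in "-A FORWARD -j DROP").
rule_status() {
    awk -v tbl="*$2" -v rule="$3" '
        $0 == tbl { intable = 1; next }
        intable && $0 == "COMMIT" { intable = 0; next }
        !intable { next }
        $1 == "-A" { chain = $2 }
        $0 == rule { status = (chain in dead) ? "shadowed" : "present"; exit }
        $1 == "-A" && NF == 4 && $3 == "-j" && ($4 == "DROP" || $4 == "REJECT") { dead[chain] = 1 }
        END { if (status == "") status = "missing"; print status }
    ' "$1"
}

# check_rules FILE: prints each missing/shadowed rule; exit status = number found.
check_rules() {
    problems=0
    for spec in \
        "nat|-A POSTROUTING -s $OVPN_NET -o $WAN_IF -j MASQUERADE" \
        "nat|-A POSTROUTING -s $L2TP_NET -o $WAN_IF -j MASQUERADE" \
        "nat|-A POSTROUTING -s $XAUTH_NET -o $WAN_IF -m policy --dir out --pol none -j MASQUERADE" \
        "filter|-A INPUT -p udp --dport $OVPN_PORT -j ACCEPT" \
        "filter|-A FORWARD -s $OVPN_NET -j ACCEPT" \
        "filter|-A FORWARD -i ppp+ -o $WAN_IF -j ACCEPT"
    do
        table=${spec%%|*}; rule=${spec#*|}
        status=$(rule_status "$1" "$table" "$rule")
        if [ "$status" != present ]; then
            echo "$status in *$table: $rule"
            problems=$((problems + 1))
        fi
    done
    return $problems
}

# check_ip_forward [FILE]: forwarding must be on or no VPN client gets anywhere.
check_ip_forward() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = 1 ]
}

# Constructed sample, abridged from the rules hwdsl2 posted in this thread.
sample_rules_file() {   # $1 = output path
    cat > "$1" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.42.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.43.0/24 -o eth0 -m policy --dir out --pol none -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p udp --dport 52879 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -i ppp+ -o eth0 -j ACCEPT
-A FORWARD -s 192.168.43.0/24 -o eth0 -j ACCEPT
-A FORWARD -j DROP
COMMIT
EOF
}

# Constructed broken counterpart: OpenVPN's NAT rule gone and its FORWARD rule
# appended after the unconditional DROP, as when its rules are restored late.
sample_broken_rules_file() {   # $1 = output path, $2 = good rules file
    awk '
        /^-A POSTROUTING -s 10\.8\.0\.0\/24 / { next }
        /^-A FORWARD -s 10\.8\.0\.0\/24 -j ACCEPT$/ { held = $0; next }
        { print }
        /^-A FORWARD -j DROP$/ { print held }
    ' "$2" > "$1"
}

# Usage: sh check_vpn_rules.sh /etc/iptables.rules   (exit status = problem count)
if [ $# -gt 0 ]; then
    check_rules "$1"
fi
```

Run it against the saved rules file after a reboot, and separately against the live ruleset with iptables-save > /tmp/live.rules; a rule that is in the file but reported shadowed or missing from the live dump points at ordering or restore-timing between the two scripts' boot-time hooks rather than at the rules themselves.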

That fixed it for me too! I used port 1194. 😄.

You’re missing openvpn’s rules after the reboot. Please do systemctl status iptables-openvpn.service

@angristan thanks, but I don’t seem to have it

root@ip-172-31-47-227:~# systemctl status iptables-openvpn.service
Unit iptables-openvpn.service could not be found.

There was an error in my IPTables rules in the previous comment. Try this version of /etc/iptables.rules. Replace with the following.

Worked! Here’s the diff between my original iptables.rules and the new one by @hwdsl2.

Thank you guys, your assistance in fixing this is much appreciated

@Archerious Can you post your IPTables rules? Run: sudo iptables -nvL; sudo iptables -nvL -t nat

Alternatively, post the contents of your /etc/iptables.rules.