# openvpn & iptables prob...

## lo-jay

I can rarely establish a VPN connection lately.

I'm behind a Tomato router with UPnP enabled, so I doubt that's the problem.

My iptables rules look like this:

```
#!/bin/bash

# vars
IPT=/sbin/iptables

# Flush old rules, old custom tables
echo " * flushing old rules"
$IPT --flush
$IPT --delete-chain

# Set default policies for all three default chains
echo " * setting default policies"
$IPT -P INPUT DROP
#$IPT -A FORWARD -o tun0 -j ACCEPT
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT

# Enable free use of loopback interfaces
echo " * allowing loopback devices"
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

# All TCP sessions should begin with SYN
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# Allow established and related packets
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Open the following ports
echo " * allowing ssh on port 22"
$IPT -A INPUT -p tcp --dport 22  -m state --state NEW -j ACCEPT

echo " * allowing dns on port 53"
$IPT -A INPUT -p udp -m udp --dport 53 -j ACCEPT

echo " * allowing http on port 80"
$IPT -A INPUT -p tcp --dport 80  -m state --state NEW -j ACCEPT

echo " * allowing https on port 443"
$IPT -A INPUT -p udp --dport 443 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p udp --dport 443 -m state --state NEW -j ACCEPT

echo " * allowing udp on port 1194"
$IPT -A INPUT -p udp --dport 1194 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p udp --dport 1194 -m state --state NEW -j ACCEPT

echo " * allowing udp on port 10010"
$IPT -A INPUT -p udp --dport 10010 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p udp --dport 10010 -m state --state NEW -j ACCEPT

echo " * allowing udp on port 10020"
$IPT -A INPUT -p udp --dport 10020 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p udp --dport 10020 -m state --state NEW -j ACCEPT

#echo " * allowing tun"
#$IPT -A INPUT -i tun+ -j ACCEPT
#$IPT -A OUTPUT -o tun+ -j ACCEPT
#$IPT -A FORWARD -i tun+ -j ACCEPT

# ICMP type 8 is echo-request, i.e. incoming pings to this host
echo " * allowing incoming ping (ICMP echo request)"
$IPT -A INPUT -p icmp --icmp-type 8 -j ACCEPT

# DROP everything else and Log it
$IPT -A INPUT -j LOG
$IPT -A INPUT -j DROP

#
# Save settings
#
echo " * saving settings"
/etc/init.d/iptables save
```

A typical error looks like this:

```
openvpn openvpn.conf
Sat Jan  4 23:02:22 2014 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [eurephia] [MH] [IPv6] built on Oct 21 2013
Enter Auth Username:xxx
Enter Auth Password:
Sat Jan  4 23:02:31 2014 UDPv4 link local: [undef]
Sat Jan  4 23:02:31 2014 UDPv4 link remote: [AF_INET]xxx:10020
Sat Jan  4 23:02:31 2014 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sat Jan  4 23:02:40 2014 [server] Peer Connection Initiated with [AF_INET]xxx:10020
Sat Jan  4 23:02:42 2014 TUN/TAP device tun0 opened
SIOCADDRT: Network is unreachable
Sat Jan  4 23:02:42 2014 ERROR: Linux route add command failed: external program exited with error status: 7
SIOCADDRT: Network is unreachable
Sat Jan  4 23:02:42 2014 ERROR: Linux route add command failed: external program exited with error status: 7
Sat Jan  4 23:02:42 2014 Initialization Sequence Completed
^CSat Jan  4 23:08:09 2014 event_wait : Interrupted system call (code=4)
SIOCDELRT: No such process
Sat Jan  4 23:08:09 2014 ERROR: Linux route delete command failed: external program exited with error status: 7
SIOCDELRT: No such process
Sat Jan  4 23:08:09 2014 ERROR: Linux route delete command failed: external program exited with error status: 7
Sat Jan  4 23:08:09 2014 SIGINT[hard,] received, process exiting
```

Where should I look?

Cheers!

----------

## AngelKnight

We could use a look at your openvpn config to figure out what (if anything) you're doing to pin the local-side UDP socket to a specific port.

(By the way, https is typically a TCP protocol but your script opens it for udp/443, which might not be what you want.)

----------

## lo-jay

Here you go:

```
float
client
dev tun
proto udp
nobind
#redirect-gateway def1

; CERT
ca /etc/openvpn/keys/ca.crt
ns-cert-type server
cipher BF-CBC

; HOST
remote-random
remote xxx 10010
remote xxx 10020
remote xxx 1194
resolv-retry infinite

; AUTH
auth-user-pass
persist-key
persist-tun
comp-lzo
verb 1
```

Cheers!

----------
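Added example, not code from either poster: a small POSIX shell script that reads a client config shaped like the one above, derives the outbound firewall rules its `remote` lines actually need, and counts the udp/443 rules AngelKnight flagged. The config and rule text embedded below are constructed samples modelled on the thread; `vpn.example.net` and the `$IPT` variable are placeholders, and nothing is applied to the running kernel, the rules are only printed.

```shell
#!/bin/sh
# Added example (not code from the thread). Derives the client-side iptables
# rules an OpenVPN client config needs from its 'remote' lines, and flags
# firewall rules that open 443 on udp, which HTTPS (a TCP protocol) never uses.
# Only POSIX sh, awk, grep and sort are used; nothing is applied to the kernel.

# Constructed sample modelled on the posted config; the hostname is a placeholder.
SAMPLE_CONF='client
dev tun
proto udp
nobind
remote-random
remote vpn.example.net 10010
remote vpn.example.net 10020
remote vpn.example.net 1194
resolv-retry infinite'

# Constructed sample: the port-443 and port-1194 lines from the posted firewall script.
SAMPLE_FW='$IPT -A INPUT -p udp --dport 443 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p udp --dport 443 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p udp --dport 1194 -m state --state NEW -j ACCEPT'

# vpn_remotes CONFIG_TEXT: print "proto port" for every 'remote' line.
# Port defaults to 1194 and proto to the global 'proto' line (default udp),
# which is how OpenVPN resolves 'remote host [port] [proto]'.
vpn_remotes() {
    printf '%s\n' "$1" | awk '
        $1 == "proto"  { dproto = $2 }
        $1 == "remote" { n++; port[n] = ($3 != "") ? $3 : 1194; rproto[n] = $4 }
        END {
            if (dproto == "") dproto = "udp"
            for (i = 1; i <= n; i++) {
                p = (rproto[i] != "") ? rproto[i] : dproto
                sub(/-client$/, "", p)   # tcp-client -> tcp
                sub(/[46]$/, "", p)      # udp4/udp6 -> udp
                print p, port[i]
            }
        }'
}

# client_rules CONFIG_TEXT: emit the rules a client firewall needs for the
# tunnel transport. With 'nobind' the local source port is ephemeral, so only
# the remote --dport is known in advance; the server's replies are accepted by
# the ESTABLISHED rule, so a client that is not also a server needs no
# INPUT rule for --dport 1194/10010/10020 at all.
client_rules() {
    vpn_remotes "$1" | sort -u | while read -r proto port; do
        printf 'iptables -A OUTPUT -p %s --dport %s -m state --state NEW -j ACCEPT\n' \
            "$proto" "$port"
    done
    echo 'iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
}

# udp443_rules RULES_TEXT: count rules that open udp/443. HTTPS runs over TCP,
# so such rules match nothing useful; outbound HTTPS still works in the posted
# script only because its OUTPUT policy is ACCEPT.
udp443_rules() {
    printf '%s\n' "$1" | grep -c -E -- '-p udp .*--dport 443( |$)' || true
}

# Demo: print the derived rules and the udp/443 finding for the samples.
echo "# rules derived from the client config:"
client_rules "$SAMPLE_CONF"
echo "# udp/443 rules found in the firewall script: $(udp443_rules "$SAMPLE_FW")"
```

Run it with `sh` to see the three OUTPUT rules (udp 10010, 10020 and 1194) plus the ESTABLISHED rule, and a count of 2 for the udp/443 lines. The generator deliberately emits no INPUT rule per remote port: on a `nobind` client the kernel picks the source port, so an `INPUT --dport 1194` rule only matters if the same box also runs an OpenVPN server on that port.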

