bicklp
Posts: 10
Joined: Sat Sep 12, 2015 7:58 am

UFW Issue on Jessie with OpenVPN

Tue Mar 08, 2016 7:06 pm

I have a Raspberry Pi 2 running Wheezy with the following:

OpenVPN server, OpenVPN client to PIA and UFW
I can connect locally over wifi and remotely using DDNS and port forwarding; all works great. The idea behind it is that I have an OpenVPN client that connects to PIA over tun1 and acts as a kill switch. If OpenVPN stops, then all outbound traffic stops. If I connect remotely to my server then all my traffic is routed through tun1 to PIA, but I can also still access all my LAN clients as well.

I am using a pre-up in the network/interfaces file to add the following to iptables:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.1.15
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o tun1 -j MASQUERADE

My UFW rules are:
sudo ufw allow OpenSSH
sudo ufw default deny incoming
sudo ufw default deny outgoing
sudo ufw allow out on tun1
sudo ufw allow out to 192.168.1.0/24
sudo ufw allow in from 192.168.1.0/24
sudo ufw allow in from 10.8.0.0/24
sudo ufw allow out from 10.8.0.0/24
sudo ufw allow out 1194/udp
sudo ufw allow 1195/udp
sudo ufw enable

Now my problem:
I have a new Raspberry Pi 3 and it's running Jessie, not Wheezy.
I have set it up exactly the same way: OpenVPN, PIA and UFW, same rules and pre-ups etc.
I can connect while on the LAN and I get my PIA address and routing etc., but if I try to connect remotely I get a "waiting for server" message. But if I disable UFW and reboot then I can connect to my OpenVPN server, I get the PIA address and routing works great, but then I have no kill switch as it's UFW that does all that. So my problem is with the UFW or iptables setup. The only difference is that it is running Jessie.

I have used the same pre-up rules, just a different range:

iptables -t nat -A POSTROUTING -s 10.7.0.0/24 -o wlan0 -j SNAT --to-source 192.168.1.10
iptables -t nat -A POSTROUTING -s 10.7.0.0/24 -o tun1 -j MASQUERADE

sudo ufw allow OpenSSH
sudo ufw default deny incoming
sudo ufw default deny outgoing
sudo ufw allow out on tun1
sudo ufw allow out to 192.168.1.0/24
sudo ufw allow in from 192.168.1.0/24
sudo ufw allow in from 10.7.0.0/24
sudo ufw allow out from 10.7.0.0/24
sudo ufw allow out 1194/udp
sudo ufw allow 1196/udp
sudo ufw enable

If anyone has any ideas or need to see logs whatever let me know.
My OpenVPN setup is fine as I can connect fine if UFW is off, so it's not an OpenVPN issue... it's a routing / firewall problem.
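The properties the setup above depends on (OUTPUT dropped by default with tun1 as the only exit, NAT for the VPN client range on both the LAN NIC and the tunnel, and a path for routed client traffic through the FORWARD chain) can all be read off the live ruleset. The script below is an added example, not the poster's code or anything from ufw or OpenVPN: it parses the plain-text format that `sudo iptables-save` prints and reports which of those properties do not hold. The subnet and interface names (10.7.0.0/24, tun1, wlan0) are taken from the post; the dump embedded in the script is a constructed sample modelled on the Jessie box, not a real capture.

```python
"""Audit a UFW/OpenVPN kill-switch setup from an `iptables-save` dump.

Added example, not the poster's code. It parses the plain-text format that
`sudo iptables-save` prints and checks the properties the post's setup
relies on: a DROP policy on OUTPUT with an explicit ACCEPT for the PIA
tunnel, POSTROUTING NAT for the OpenVPN client subnet on both egress
interfaces, and whether routed client traffic can pass the FORWARD chain.
"""
from dataclasses import dataclass, field


@dataclass
class Table:
    policies: dict = field(default_factory=dict)  # chain name -> policy ('-' for user chains)
    rules: list = field(default_factory=list)     # (chain name, rule text after '-A chain ')


def parse_iptables_save(text):
    """Parse iptables-save output into {table name: Table}."""
    tables, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('*'):                 # '*filter' opens a table
            current = Table()
            tables[line[1:]] = current
        elif line == 'COMMIT':
            current = None
        elif current is None:
            continue
        elif line.startswith(':'):               # ':CHAIN POLICY [pkts:bytes]'
            chain, policy = line[1:].split()[:2]
            current.policies[chain] = policy
        elif line.startswith('-A '):
            chain, rule = line[3:].split(None, 1)
            current.rules.append((chain, rule))
    return tables


def check_kill_switch(tables, vpn_subnet, vpn_if, lan_if):
    """Return human-readable findings; an empty list means every property holds."""
    findings = []
    filt = tables.get('filter', Table())
    nat = tables.get('nat', Table())

    # 1. Kill switch: OUTPUT must drop by default and the tunnel must be the allowed exit.
    if filt.policies.get('OUTPUT') != 'DROP':
        findings.append('OUTPUT policy is not DROP: traffic can leave outside the tunnel')
    elif not any(f'-o {vpn_if} ' in rule and rule.endswith('-j ACCEPT')
                 for _chain, rule in filt.rules):
        findings.append(f'no outbound ACCEPT on {vpn_if}: nothing leaves even with the tunnel up')

    # 2. NAT: the client subnet must be translated on the LAN NIC and on the tunnel.
    post = [rule for chain, rule in nat.rules if chain == 'POSTROUTING']
    for iface in (lan_if, vpn_if):
        if not any(f'-s {vpn_subnet} ' in rule and f'-o {iface} ' in rule
                   and ('-j SNAT' in rule or '-j MASQUERADE' in rule) for rule in post):
            findings.append(f'no POSTROUTING NAT for {vpn_subnet} leaving via {iface}')

    # 3. Packets routed on behalf of VPN clients traverse FORWARD, not INPUT/OUTPUT.
    if filt.policies.get('FORWARD') == 'DROP':
        fwd_chains = {c for c in filt.policies if 'forward' in c.lower()}
        if not any(chain in fwd_chains and f'-s {vpn_subnet} ' in rule
                   and rule.endswith('-j ACCEPT') for chain, rule in filt.rules):
            findings.append(f'FORWARD policy is DROP with no ACCEPT for {vpn_subnet}: '
                            'routed client traffic is dropped')
    return findings


# Constructed sample modelled on the Jessie box in the post (not a real capture).
SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.7.0.0/24 -o wlan0 -j SNAT --to-source 192.168.1.10
-A POSTROUTING -s 10.7.0.0/24 -o tun1 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:ufw-user-input - [0:0]
:ufw-user-output - [0:0]
:ufw-user-forward - [0:0]
-A INPUT -j ufw-user-input
-A FORWARD -j ufw-user-forward
-A OUTPUT -j ufw-user-output
-A ufw-user-input -p udp -m udp --dport 1196 -j ACCEPT
-A ufw-user-input -s 10.7.0.0/24 -j ACCEPT
-A ufw-user-output -o tun1 -j ACCEPT
-A ufw-user-output -d 192.168.1.0/24 -j ACCEPT
-A ufw-user-output -s 10.7.0.0/24 -j ACCEPT
-A ufw-user-output -p udp -m udp --dport 1194 -j ACCEPT
COMMIT
"""


def audit_sample():
    """Run the checks against the constructed dump with the post's names."""
    return check_kill_switch(parse_iptables_save(SAMPLE_DUMP), '10.7.0.0/24', 'tun1', 'wlan0')


if __name__ == '__main__':
    for finding in audit_sample() or ['all checks passed']:
        print(finding)
```

On a real box, save the live ruleset with `sudo iptables-save > rules.txt` and pass `open('rules.txt').read()` to `parse_iptables_save` with the subnet and interface names in use there. The NAT check is deliberately tied to the LAN interface name, because the SNAT rule on the new box names wlan0 where the old one named eth0: the check fails if the rule was written for an interface the traffic does not actually leave on. The FORWARD check covers something the post does not mention: traffic forwarded for VPN clients is judged by the FORWARD chain, whose policy ufw sets from DEFAULT_FORWARD_POLICY in /etc/default/ufw, so a DROP there with no matching ACCEPT stops routed client traffic regardless of the INPUT and OUTPUT rules. Whether that, or a pre-up that never ran, is what differs between the two boxes is something to confirm from the Jessie box's own dump rather than something the post establishes.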
