No internet through OpenVPN

0

I'm having trouble with my OpenVPN setup. I have a Linode box with an OpenVPN server installed, and I managed to get Tunnelblick to establish a VPN connection from my Mac. I followed this guide to do the setup ( link )

The problem is that I lose internet access when I connect to the VPN. I'm not very familiar with iptables, but I'm fairly sure it's a firewall problem on the Linode box.

I commented out the REJECT directives in iptables and the internet started working, but now my Linode is unprotected. I'd appreciate some help with my setup. Here is what my iptables config file looks like now.

# Generated by iptables-save v1.4.12 on Wed Sep 17 20:16:01 2014
*security
:INPUT ACCEPT [655071:117449311]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [531569:271562663]
COMMIT
# Completed on Wed Sep 17 20:16:01 2014
# Generated by iptables-save v1.4.12 on Wed Sep 17 20:16:01 2014
*raw
:PREROUTING ACCEPT [655387:117519098]
:OUTPUT ACCEPT [531569:271562663]
COMMIT
# Completed on Wed Sep 17 20:16:01 2014
# Generated by iptables-save v1.4.12 on Wed Sep 17 20:16:01 2014
*nat
:PREROUTING ACCEPT [1779:93936]
:INPUT ACCEPT [1778:93888]
:OUTPUT ACCEPT [10:616]
:POSTROUTING ACCEPT [10:616]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed Sep 17 20:16:01 2014
# Generated by iptables-save v1.4.12 on Wed Sep 17 20:16:01 2014
*mangle
:PREROUTING ACCEPT [333602:56545923]
:INPUT ACCEPT [333602:56545923]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [269675:131489507]
:POSTROUTING ACCEPT [269675:131489507]
COMMIT
# Completed on Wed Sep 17 20:16:01 2014
# Generated by iptables-save v1.4.12 on Wed Sep 17 20:16:01 2014
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# -A INPUT -d 127.0.0.0/8 -i lo -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8484 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 52698 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3001 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 943 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 587 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1194 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# -A INPUT -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i tun+ -j ACCEPT
-A INPUT -i tap+ -j ACCEPT
# -A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -i tap+ -j ACCEPT
-A OUTPUT -j ACCEPT
COMMIT

Note that the following lines are commented out and should not be:

# -A INPUT -d 127.0.0.0/8 -i lo -j REJECT --reject-with icmp-port-unreachable
# -A INPUT -j REJECT --reject-with icmp-port-unreachable
# -A FORWARD -j REJECT --reject-with icmp-port-unreachable

EDIT: Output of sysctl net.ipv4.ip_forward

net.ipv4.ip_forward = 1

Output of iptables-save:

# Generated by iptables-save v1.4.12 on Sat Sep 20 03:41:08 2014
*security
:INPUT ACCEPT [14181206:2321341249]
:FORWARD ACCEPT [454424:378929599]
:OUTPUT ACCEPT [11546594:6308759963]
COMMIT
# Completed on Sat Sep 20 03:41:08 2014
# Generated by iptables-save v1.4.12 on Sat Sep 20 03:41:08 2014
*raw
:PREROUTING ACCEPT [14635663:2700275174]
:OUTPUT ACCEPT [11546595:6308760175]
COMMIT
# Completed on Sat Sep 20 03:41:08 2014
# Generated by iptables-save v1.4.12 on Sat Sep 20 03:41:08 2014
*nat
:PREROUTING ACCEPT [1875725:100410074]
:INPUT ACCEPT [1866676:99465105]
:OUTPUT ACCEPT [20810:1333821]
:POSTROUTING ACCEPT [20816:1334245]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Sat Sep 20 03:41:08 2014
# Generated by iptables-save v1.4.12 on Sat Sep 20 03:41:08 2014
*mangle
:PREROUTING ACCEPT [14635664:2700275226]
:INPUT ACCEPT [14181207:2321341301]
:FORWARD ACCEPT [454424:378929599]
:OUTPUT ACCEPT [11546600:6308761475]
:POSTROUTING ACCEPT [12001024:6687691074]
COMMIT
# Completed on Sat Sep 20 03:41:08 2014
# Generated by iptables-save v1.4.12 on Sat Sep 20 03:41:08 2014
*filter
:INPUT ACCEPT [5701:859812]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8484 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 52698 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3001 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 943 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 587 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1194 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -i tun+ -j ACCEPT
-A INPUT -i tap+ -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -i tap+ -j ACCEPT
-A OUTPUT -j ACCEPT
COMMIT
by disc0dancer 19.09.2014 / 14:02
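The first dump in the question shows why commenting out the REJECT lines made the VPN work: a bare -j REJECT is a terminating rule that matches every packet, so nothing listed after it in the same chain is ever evaluated. With the commented lines restored, -A FORWARD -j REJECT is the very first FORWARD rule and rejects all forwarded client traffic before the RELATED,ESTABLISHED and 10.8.0.0/24 accepts are reached, and the -i tun+ / -i tap+ accepts in both INPUT and FORWARD come after a catch-all REJECT; the nat table also carries the MASQUERADE rule twice. The script below is an added example, not part of the original post, that audits an iptables-save dump for exactly those two defects. The dump it runs on is a constructed, trimmed copy of the question's nat and filter tables with the three commented-out REJECT lines active, which is the state in which the VPN had no internet.

```shell
#!/bin/sh
# Added example (not from the original post): audit an iptables-save dump for
# rules that can never take effect.  Two checks:
#   1. a rule that follows an unconditional terminating rule (-j ACCEPT/DROP/REJECT
#      with no match options) in the same chain is dead, because the earlier rule
#      already decided every packet;
#   2. an exact duplicate of an earlier rule in the same table is redundant.
# Reads iptables-save output on stdin and prints one finding per line.
find_dead_rules() {
    awk '
    /^\*/ {                          # new table: reset per-table state
        table = substr($0, 2)
        split("", n); split("", dead); split("", seen)
        next
    }
    /^-A / {
        chain = $2
        n[chain]++
        if ($0 in seen)
            printf "%s/%s: rule %d duplicates rule %d: %s\n", table, chain, n[chain], seen[$0], $0
        else
            seen[$0] = n[chain]
        if (chain in dead) {
            printf "%s/%s: rule %d shadowed by rule %d: %s\n", table, chain, n[chain], dead[chain], $0
            next
        }
        # "-A CHAIN -j TARGET" or "-A CHAIN -j REJECT --reject-with TYPE" matches everything
        if ($3 == "-j" && (NF == 4 || (NF == 6 && $5 == "--reject-with")) &&
            ($4 == "ACCEPT" || $4 == "DROP" || $4 == "REJECT"))
            dead[chain] = n[chain]
    }'
}

# Constructed sample: a trimmed copy of the question's nat and filter tables with
# the three commented-out REJECT lines active (the state that broke the VPN).
sample_dump() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -i lo -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i tun+ -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i tun+ -j ACCEPT
-A OUTPUT -j ACCEPT
COMMIT
EOF
}

# Run the audit over the constructed sample; on a live box use:  iptables-save | find_dead_rules
audit_sample() { sample_dump | find_dead_rules; }

audit_sample
```

On the sample this reports the duplicate MASQUERADE rule, the INPUT tun+ accept shadowed by the INPUT REJECT, and every FORWARD rule after the leading REJECT (including the RELATED,ESTABLISHED rule that return traffic depends on), which is the whole chain. The check is deliberately narrow: it only treats a rule with no match options as a catch-all, so a conditional REJECT such as the 127.0.0.0/8 one is left alone.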

1 answer

0

Have you tried disabling iptables? Although the rules look fine, you should try disabling your firewall.

I found this script to install and configure OpenVPN on an Ubuntu VPS. It works.

by 13.10.2014 / 21:27
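Disabling the firewall confirms that iptables is the cause, but it leaves the box open, which is the situation the question wants to avoid. The ruleset below is an added example, neither the answer's script nor the question's config, that keeps the firewall and fixes the ordering instead: every catch-all REJECT is the last rule of its chain, the tun+ accepts sit above it, and a single MASQUERADE rule does the NAT. It assumes the question's values (VPN subnet 10.8.0.0/24 on tun+, uplink eth0, OpenVPN on udp/1194, ssh on tcp/22) and exposes nothing else; the other ports from the question's dump would be added above the LOG line. It emits iptables-restore input rather than applying anything, and ships with a check that the REJECT really is last. net.ipv4.ip_forward must stay at 1, as the question's sysctl output already shows.

```shell
#!/bin/sh
# Added example, not the answer's script and not the question's config: a complete
# iptables-restore ruleset for an OpenVPN gateway in which each catch-all REJECT is
# the LAST rule of its chain, so the tun+ ACCEPT rules in front of it can match.
# Assumptions (the question's values): VPN subnet 10.8.0.0/24 on tun+, uplink eth0,
# OpenVPN on udp/1194; only ssh (tcp/22) and OpenVPN are reachable from outside.
openvpn_ruleset() {
    vpn_net=${1:-10.8.0.0/24}
    wan_if=${2:-eth0}
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# one MASQUERADE rule is enough (the question's dump carried it twice)
-A POSTROUTING -s $vpn_net -o $wan_if -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# VPN clients talking to the gateway itself (e.g. DNS on its tun address): BEFORE the reject
-A INPUT -i tun+ -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT --reject-with icmp-port-unreachable
# replies to forwarded client traffic, then new client->internet flows, then the catch-all
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun+ -o $wan_if -s $vpn_net -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Check a ruleset on stdin: in every chain that has an unconditional REJECT, that
# REJECT must be the last rule.  Prints offending chains and returns 1 if any exist.
reject_is_last() {
    awk '
    BEGIN { bad = 0 }
    /^\*/ { table = substr($0, 2) }
    /^-A / {
        key = table "/" $2
        last[key] = $0
        if ($3 == "-j" && $4 == "REJECT") rej[key] = $0
    }
    END {
        for (k in rej) if (rej[k] != last[k]) { print k ": rules follow the catch-all REJECT"; bad = 1 }
        exit bad
    }'
}

# Usage (as root, after reading the output):  openvpn_ruleset | iptables-restore
openvpn_ruleset | reject_is_last && echo "ruleset OK: REJECT is last in every chain"
```

Because the INPUT and FORWARD policies are DROP, keep the Linode console open while loading this in case the ssh rule does not match your setup. Loading with iptables-restore replaces the running tables atomically, so there is no window in which only the catch-all REJECT is present.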