From: David K. <da...@ke...> - 2015-11-04 03:41:49

Yup, I found the code example you provided to loop on the contents of $INT_IF
so all is well now with my custom rules.

Thanks
David

On Tue, Nov 3, 2015 at 10:26 PM, David Kerr <da...@ke...> wrote:
> Okay, embarrassing. I had allow OpenVPN Client to tunnel, I did not have
> allow OpenVPN Server to tunnel. So I had the wrong one. That has fixed
> OpenVPN. I'm not going to chase the ipsec certificate problem, too much
> effort. I tried PPTP only because I couldn't get either of the others to
> work. However it does appear that the only VPN currently working with
> astlinux is OpenVPN.
>
> Thanks for the tip to restart firewall from the command line. I traced
> the warning to a custom rule I added... it uses $INT_IF and when OpenVPN is
> enabled this is "br1 tun0" it fails on tun0.
>
> /usr/sbin/iptables -t nat -A PREROUTING -m mac --mac-source 70:56:81:xx:yy:zz -m time --timestart 20:00 --timestop 03:30 -i br1 tun0 -p tcp --dport 80 -j REDIRECT --to-ports 8888
> ERROR (2): Bad argument `tun0'
>
> I seem to remember some discussion on this when I first enquired about
> that particular rule, you pointed out that it would fail if more than one
> interface was defined to INT_IF. I think you had a work-around for that, I
> need to search back in the list history...
>
> Thanks
> David.
>
> On Tue, Nov 3, 2015 at 5:11 PM, Lonnie Abelbeck <li...@lo...> wrote:
>> Hi David,
>>
>> For OpenVPN, do you have (or similar) checked...
>>
>> Network -> Firewall Configuration -> Firewall Options: _x_ Allow OpenVPN
>> Server tunnel to the [ 1st ] LAN Interface(s)
>>
>> If not, that is your problem. Done.
>>
>> From the CLI, the command "arno-iptables-firewall restart" will show how
>> things are being built.
>>
>> As far as IPSec, clearly there is a certificate issue, could well be a OS
>> X issue with trusting the cert.
>>
>> Don't even think about PPTP :-)
>>
>> Focus on OpenVPN.
>>
>> Lonnie
>>
>> On Nov 3, 2015, at 1:47 PM, David Kerr <Da...@Ke...> wrote:
>>> How can I enable more detail on firewall logging... at the time the
>>> iptables rules are built.
>>>
>>> I'm having real trouble getting VPN working again. I don't know what I
>>> did, but I have not used VPN in a long time.
>>>
>>> If I enable OpenVPN I get a message that one firewall rule failed to
>>> apply. The client (Tunnelblick) connects okay, but I can only ping the
>>> gateway (e.g. 192.168.xx.1) but if I ping anything inside my network I get
>>> no response... packet dropped message, suggesting firewall config not
>>> right...
>>>
>>> AIF:Dropped FORWARD packet: IN=tun0 OUT=br1 MAC= SRC=10.8.0.2 DST=192.168.xx.6 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=5266 PROTO=ICMP TYPE=8 CODE=0 ID=3177 SEQ=0
>>>
>>> Meanwhile trying ipsec, I get a message from my client side (Apple
>>> built-in VPN) that it failed to verify certificate...
>>>
>>> 11/3/15 2:35:13.292 PM racoon[27040]: Error evaluating certificate.
>>> 11/3/15 2:35:13.292 PM racoon[27040]: Error evaluating certificate.
>>> 11/3/15 2:35:13.294 PM racoon[27040]: ---------------Returned error strings: ---------------.
>>> 11/3/15 2:35:13.294 PM racoon[27040]: ---------------Returned error strings: ---------------.
>>> 11/3/15 2:35:13.294 PM racoon[27040]: -----------------------------------------------------.
>>> 11/3/15 2:35:13.294 PM racoon[27040]: -----------------------------------------------------.
>>> 11/3/15 2:35:13.294 PM racoon[27040]: the peer's certificate is not verified.
>>> 11/3/15 2:35:13.294 PM racoon[27040]: the peer's certificate is not verified.
>>>
>>> I've googled, but not found anything that helps (I have moved the
>>> certificate into system keychain and set "always trust").
>>>
>>> And with PPTP I get a message that the remote end terminated the
>>> connection...
>>>
>>> 11/3/15 2:35:54.854 PM pppd[27056]: PPTP connection established.
>>> 11/3/15 2:35:54.919 PM pppd[27056]: PPTP error when reading socket : Connection reset by peer
>>> 11/3/15 2:35:54.919 PM pppd[27056]: PPTP error when reading header : read -1, expected 12 bytes
>>> 11/3/15 2:35:54.919 PM pppd[27056]: PPTP hangup
>>> 11/3/15 2:35:54.920 PM pppd[27056]: PPTP disconnecting...
>>> 11/3/15 2:35:54.920 PM pppd[27056]: PPTP disconnected
>>>
>>> Nov 3 14:35:54 pbx daemon.info pptpd[30592]: CTRL: Starting call (launching pppd, opening GRE)
>>> Nov 3 14:35:54 pbx daemon.debug pptpd[30592]: CTRL: pty_fd = 7
>>> Nov 3 14:35:54 pbx daemon.debug pptpd[30592]: CTRL: tty_fd = 8
>>> Nov 3 14:35:54 pbx daemon.debug pptpd[30592]: CTRL: I wrote 32 bytes to the client.
>>> Nov 3 14:35:54 pbx daemon.debug pptpd[30592]: CTRL: Sent packet to client
>>> Nov 3 14:35:54 pbx daemon.debug pptpd[30593]: CTRL (PPPD Launcher): program binary = /usr/sbin/pppd
>>> Nov 3 14:35:54 pbx daemon.debug pptpd[30593]: CTRL (PPPD Launcher): local address = 192.168.xx.240
>>> Nov 3 14:35:54 pbx daemon.debug pptpd[30593]: CTRL (PPPD Launcher): remote address = 192.168.xx.232
>>>
>>> Nov 3 14:35:54 pbx daemon.err pptpd[30592]: GRE: read(fd=7,buffer=8058640,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termination of pppd, check option syntax and pppd logs
>>> Nov 3 14:35:54 pbx daemon.err pptpd[30592]: CTRL: PTY read or GRE write failed (pty,gre)=(7,8)
>>> Nov 3 14:35:54 pbx daemon.debug pptpd[30592]: CTRL: Reaping child PPP[30593]
>>> Nov 3 14:35:54 pbx daemon.info pptpd[30592]: CTRL: Client 157.130.31.226 control connection finished
>>> Nov 3 14:35:54 pbx daemon.debug pptpd[30592]: CTRL: Exiting now
>>>
>>> So, right now I'm not able to connect by OVPN, IPSEC or PPTP.
>>>
>>> Help!
>>>
>>> Thanks
>>> David
>>>
>>> ------------------------------------------------------------------------------
>>> _______________________________________________
>>> Astlinux-devel mailing list
>>> Ast...@li...
>>> https://lists.sourceforge.net/lists/listinfo/astlinux-devel
>>>
>>> Donations to support AstLinux are graciously accepted via PayPal to
>>> pa...@kr....
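The loop David says he found is not quoted anywhere in this message. The following is an added example, not code from the thread, from AstLinux or from arno-iptables-firewall, showing the shape of such a custom rule in POSIX shell: the iptables "-i" option accepts exactly one interface name, so the rule is rebuilt once per word of $INT_IF, and a value like "br1 tun0" yields two rules instead of the "Bad argument `tun0'" error. The MAC address, proxy port and time window are constructed placeholders, and IPTABLES defaults to printing the commands with echo instead of applying them.

```shell
#!/bin/sh
# Added example (not from the thread, AstLinux or arno-iptables-firewall):
# "-i" takes a single interface, so a rule that interpolates $INT_IF breaks
# as soon as INT_IF holds more than one word. Emit one rule per interface.

# Set IPTABLES=/usr/sbin/iptables to apply rules for real; the default
# only prints the commands so the block is safe to run anywhere.
IPTABLES="${IPTABLES:-echo /usr/sbin/iptables}"

# build_redirect_rules INT_IF MAC PROXY_PORT START STOP
#   INT_IF     space-separated interface list, e.g. "br1 tun0"
#   MAC        source MAC to match (placeholder value in the usage below)
#   PROXY_PORT local port that port-80 traffic is redirected to
#   START/STOP HH:MM window for the time match
build_redirect_rules() {
    int_if="$1"; mac="$2"; proxy_port="$3"; start="$4"; stop="$5"
    # Unquoted $int_if is intentional: word splitting gives one iface per loop.
    for iface in $int_if; do
        $IPTABLES -t nat -A PREROUTING -i "$iface" \
            -m mac --mac-source "$mac" \
            -m time --timestart "$start" --timestop "$stop" \
            -p tcp --dport 80 -j REDIRECT --to-ports "$proxy_port"
    done
}

# Number of rules that would be generated for the given arguments;
# useful to sanity-check an INT_IF value before reloading the firewall.
count_rules() {
    build_redirect_rules "$@" | wc -l | tr -d ' '
}

# Usage with the INT_IF value from the thread (prints two iptables commands).
build_redirect_rules "br1 tun0" "70:56:81:00:00:00" 8888 20:00 03:30
```

Two things worth checking after a rule like this loads: `iptables -t nat -S PREROUTING` shows whether both rules actually landed, and note that the mac match only sees packets that arrived with an Ethernet header, so the tun0 copy of the rule loads cleanly but will never match traffic from OpenVPN clients; if the redirect is meant to cover VPN users too, the tun0 rule needs a different selector than a source MAC.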