0 votes
2,485 views 6 comments
by

We are running an OpenVPN server on one RUT950 and a client on another RUT950. The first error we get is a TLS authentication handshaking error. We overcame that problem by clearing the iptables like this:

iptables -F
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

But we feel like that is quite insecure. Then we found out that if we make any changes to the iptables, they will reset after each reboot, which is a problem because then we can't use our tunnel; the reason is that it goes back to giving us the TLS handshaking error.

So does anyone know what we need to add to our iptables to let our OpenVPN traffic through, and then how to save them, or if there is a way to edit /etc/config/firewall to get our OpenVPN traffic through?

1 Answer

+1 vote
by

Hi,

iptables rules are cleared on each firewall restart. You can add the rules to /etc/config/firewall by following these instructions.

But it would be simpler to add them to /etc/firewall.user or via WebUI, Network → Firewall → Custom Rules page. You can simply copy the same iptables commands and after each reboot they will be added all over again. (Both methods create rules in /etc/firewall.user, by the way.)

So that's some general info on firewall rules, but I wouldn't recommend doing anything at first as your issue probably lies within the OpenVPN configurations. Most of the time there's no need to edit or add any additional firewall rules, because they are automatically generated when you launch the VPN instance.

Can you share your server/client configs for analysis?

by

Here are the configs.

And we still get the TLS error with these settings. We will look into the firewall situation.

by

Your configuration is correct. Looks like the firewall might be blocking the exchange after all. Can you try adding this rule on both sides:

iptables -A zone_wan_input -p udp -m udp --dport 1194 -j ACCEPT

Also, which firmware version are you using?
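The answer above points at two places where a rule survives a firewall restart: a stanza in /etc/config/firewall, or a line in /etc/firewall.user (which is re-run on every firewall reload). The script below is an added example, not code from the thread or from Teltonika; it assumes OpenVPN listens on UDP 1194 and that the WAN-side input chain is zone_wan_input, as in the rule suggested above. It emits the UCI stanza for the first route and, for the second, adds the iptables rule only when it is not already present, so repeated reloads do not stack duplicate copies of it.

```shell
#!/bin/sh
# Added example (not from the original thread or the firmware vendor).
# Two ways to keep an OpenVPN allow rule across reboots on an OpenWrt/fw3-based
# router: a UCI stanza for /etc/config/firewall, or an idempotent fragment for
# /etc/firewall.user. firewall.user is executed on every firewall reload, so a
# plain "iptables -A" there would append a duplicate rule each time.
# Assumptions: UDP 1194 and the fw3 chain name zone_wan_input.

OVPN_PORT="${OVPN_PORT:-1194}"
OVPN_PROTO="${OVPN_PROTO:-udp}"
WAN_CHAIN="${WAN_CHAIN:-zone_wan_input}"

# Route 1: the stanza the firewall turns into a rule itself. "src 'wan'" limits
# the opening to the WAN zone, narrower than an INPUT rule with -s 0.0.0.0/0.
ovpn_uci_rule() {
    cat <<EOF
config rule
    option name 'Allow-OpenVPN'
    option src 'wan'
    option proto '${OVPN_PROTO}'
    option dest_port '${OVPN_PORT}'
    option target 'ACCEPT'
EOF
}

# Route 2 helper: append a rule to a chain only if an identical one is absent.
# "iptables -C" exits 0 when the rule already exists, non-zero otherwise.
add_rule_once() {
    chain="$1"
    shift
    if iptables -C "$chain" "$@" 2>/dev/null; then
        return 0
    fi
    iptables -A "$chain" "$@"
}

# The one rule the listener needs on the WAN side. Handshake replies are
# matched by the firmware's default ESTABLISHED,RELATED rule, not by this one.
apply_ovpn_rule() {
    add_rule_once "$WAN_CHAIN" -p "$OVPN_PROTO" -m "$OVPN_PROTO" --dport "$OVPN_PORT" \
        -m conntrack --ctstate NEW -j ACCEPT
}

# "sh this.sh --apply" on the router (or copy apply_ovpn_rule's body into
# /etc/firewall.user); "sh this.sh --uci" prints the /etc/config/firewall stanza.
case "${1:-}" in
    --apply) apply_ovpn_rule ;;
    --uci)   ovpn_uci_rule ;;
esac
```

After adding the UCI stanza, `uci commit firewall` followed by `/etc/init.d/firewall restart` regenerates the chains; with the firewall.user route, `iptables -S zone_wan_input` after a reload should show exactly one copy of the rule.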

by

I tried to add that line on both, but no success; still the same error, and no other message in the system log either. We are using FW ver.: RUT9XX_R_00.06.02

by

Okay, that's a good firmware (which works for me). So my last guess is that there's something wrong with the certificates. Can you try testing with other certificates?

I've generated dummy certificates if you wish to try. You can download them from here. But delete them later once you're done testing.

by
We managed to redo our iptables, so now it works for us and we can now connect the OpenVPN.

# Note: -F/-X also removes the chains the firmware generates, and the whole
# set is lost on reboot unless it is placed in /etc/firewall.user (see the answer above).

# Flushing all rules
iptables -F FORWARD
iptables -F INPUT
iptables -F OUTPUT
iptables -F
iptables -X

# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Allow unlimited traffic on loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Accept replies to connections this host already has (any protocol, not only TCP)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow incoming OpenVPN (server side; with OUTPUT policy DROP, an OpenVPN
# client additionally needs a NEW rule for UDP 1194 in OUTPUT, replies are
# covered by the ESTABLISHED rule)
iptables -A INPUT -p udp --dport 1194 -m state --state NEW -s 0.0.0.0/0 -j ACCEPT
#iptables -A INPUT -p tcp --dport 443 -m state --state NEW -s 0.0.0.0/0 -j ACCEPT

# Accept outbound packets that belong to existing connections
iptables -I OUTPUT 1 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Enable NAT for the VPN (x.x.x.x/24 is the VPN subnet)
iptables -t nat -A POSTROUTING -s x.x.x.x/24 -o eth0 -j MASQUERADE

# SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -s 0.0.0.0/0 -j ACCEPT

# http inbound
iptables -A INPUT -p tcp --dport 443 -m state --state NEW -s 0.0.0.0/0 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -s 0.0.0.0/0 -j ACCEPT

# http outbound
iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT

# Allow DNS outbound
iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT

# allow vpn traffic (new connections may only be opened from the tunnel side)
iptables -A FORWARD -i tun+ -s x.x.x.x/24 -d 0.0.0.0/0 -m conntrack --ctstate NEW -j ACCEPT

# allow related,established traffic tun_s_Studio_OV<->eth0
iptables -A FORWARD -i tun+ -o eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o tun+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# icmp (echo requests; echo replies are matched as ESTABLISHED by conntrack)
iptables -A INPUT -p icmp --icmp-type 8 -s 0.0.0.0/0 -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT
by
I'm glad to hear that it's working!