rubinstu
Posts: 4
Joined: Wed Aug 28, 2013 7:07 pm

iptables start before OpenVPN tunnel is up?

Fri Jan 05, 2018 1:10 am

I have (mostly) successfully configured my Raspberry Pi 3 (Jessie) as a wireless router / VPN client, closely following these instructions:
https://makezine.com/projects/browse-an ... or-router/

When I manually set up the routing with "iptables", it works fine. But after a reboot, things don't work. What I believe is happening is that the routing is being set up before OpenVPN has created the tunnel.

Per the instructions, I've set up automatic iptables at boot (or at least when the networks come up) with iptables-save and iptables-restore. I've tried this from the /etc/network/interfaces file and tried making a script in /etc/network/if-up.d. Neither works.

But THIS HACK does work: I made a script in /etc/network/if-up.d:


#!/bin/sh
# /etc/network/if-up.d hook: wait for OpenVPN to bring up tun0, then install the router rules
sleep 10
# flush all existing rules in the filter table
iptables -F
# masquerade LAN traffic leaving through the tunnel
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
# forward wireless clients into the tunnel
iptables -A FORWARD -i wlan0 -o tun0 -j ACCEPT
# allow replies from the tunnel back to the wireless clients
iptables -A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
exit 0

So, basically, I take a long pause (presumably while the tunnel is established) and THEN clear out the iptables, then make the new rules for the router.

So, something is up here... It seems like I should be able to make the router rules even if the tunnel (tun0) or some other network is not up yet. Or, there should be some way to make the rules only AFTER the tunnel is ready. (That sort of implies a security risk though...)

Any ideas? Thanks!

sparkie777
Posts: 121
Joined: Tue Nov 27, 2012 4:37 am

Re: iptables start before OpenVPN tunnel is up?

Fri Jan 05, 2018 5:46 am

rubinstu wrote:
Fri Jan 05, 2018 1:10 am
Or, there should be some way to make the rules only AFTER the tunnel is ready. (That sort of implies a security risk though...)
You can set up your rules at any time, even when the referenced interfaces do not yet exist.

It appears that something in your configuration already sets up some iptables rules in the wrong way, and you correct this afterwards with your own rules.

You should dump the current state right *before* you apply your rules (and after the VPN is initialized):


netstat -r; ip rule ls; iptables -t filter -vL; iptables -t nat -vL; iptables -t mangle -vL
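To show what "rules can be loaded before the interface exists" looks like in practice, here is an added example (not code from either poster): a script that renders a complete iptables-restore ruleset for the wlan0 -> tun0 router and loads it in one atomic step, so there is no window where an earlier, wrong ruleset is in place. Interface names in iptables are matched as strings, so the ruleset loads fine before OpenVPN has created tun0. The FORWARD chain defaults to DROP, which addresses the "security risk" the original post mentions: if the tunnel is down, wireless clients cannot fall through to the uplink. The interface names come from the thread; the script name, the LAN_IF/VPN_IF variables and installing it as an /etc/network/if-pre-up.d hook are assumptions.

```shell
#!/bin/sh
# Example router ruleset for the wlan0 -> tun0 setup discussed in the thread.
# Assumed to be installed as an /etc/network/if-pre-up.d hook; the name and
# variables are assumptions, not from the original post.
LAN_IF="${LAN_IF:-wlan0}"   # wireless clients (from the thread)
VPN_IF="${VPN_IF:-tun0}"    # OpenVPN tunnel (from the thread)

# Print the full ruleset in iptables-restore format. Referencing tun0 here is
# fine even when the interface does not exist yet: iptables matches the name.
render_rules() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o ${VPN_IF} -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i ${LAN_IF} -o ${VPN_IF} -j ACCEPT
-A FORWARD -i ${VPN_IF} -o ${LAN_IF} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Sanity check on the rendered ruleset: succeed (exit 0) only if every FORWARD
# rule that accepts traffic from LAN_IF sends it out VPN_IF, and the FORWARD
# policy is DROP. This is what prevents a leak while the tunnel is down.
check_no_leak() {
  render_rules | grep -E "^-A FORWARD -i ${LAN_IF} " | grep -v -- "-o ${VPN_IF} " && return 1
  render_rules | grep -q "^:FORWARD DROP"
}

# iptables-restore replaces each table atomically, so no separate -F is needed
# and there is no moment with a half-applied ruleset.
apply_rules() {
  render_rules | iptables-restore
}

case "${1:-}" in
  apply) apply_rules ;;
  check) check_no_leak && echo "no forwarding path from ${LAN_IF} bypasses ${VPN_IF}" ;;
  *)     render_rules ;;
esac
```

Run it with no argument to review the ruleset, with `check` to confirm no forwarding rule bypasses the tunnel, and with `apply` (as root) to load it. Because the policy is DROP and the only accepted forwarding path goes through tun0, the order in which this script and OpenVPN start no longer matters: until the tunnel exists, client traffic is simply dropped rather than routed out of the uplink.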
