✓ Solved

Using the OpenVPN Linode with VPN Client Port Forwarding

I was able to get it working using ufw, but on every restart, the order of the rules changes and I have to ufw reload to get it working again.

The correct order is that my rules have to be at the top. In both the FORWARD chain and the NAT PREROUTING chain, my rules have 10.10.100.2 in them. The correct order is below.

FORWARD chain

Command: iptables -L -n -v

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    4   216 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.10.100.2          tcp dpt:44158
 2449  176K AS0_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
  510 42269 AS0_IN_PRE  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x2000000/0x2000000
    0     0 AS0_OUT_S2C  all  --  *      as0t+   0.0.0.0/0            0.0.0.0/0
    0     0 ufw-before-logging-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ufw-before-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ufw-after-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ufw-after-logging-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ufw-reject-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ufw-track-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0

NAT > PREROUTING chain

Command: iptables -t nat -L -n -v

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            45.56.x.x         tcp dpt:44158 to:10.10.100.2:44158
    0     0 AS0_NAT_PRE_REL_EST  all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

On restart, this is the order it assumes. You can see my rules fall just below the AS0 references.

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    76 AS0_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    1    76 AS0_IN_PRE  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x2000000/0x2000000
    0     0 AS0_OUT_S2C  all  --  *      as0t+   0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.10.100.2          tcp dpt:44158
    0     0 ufw-before-logging-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ufw-before-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ufw-after-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ufw-after-logging-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ufw-reject-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ufw-track-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain PREROUTING (policy ACCEPT 6 packets, 474 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 AS0_NAT_PRE_REL_EST  all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            45.56.x.x         tcp dpt:44158 to:10.10.100.2:44158

My rules seem to appear after all these AS0_* references and I've tried using -I [chain] 1 to force first, but these AS0 rules are being added after or something.

Here are the 2 rules I have.

  1. FORWARD rule: iptables -I FORWARD -p tcp -d 10.10.100.2 --dport 44158 -j ACCEPT and I have this inside /etc/ufw/before.rules at the end before the COMMIT.
  2. NAT rule: iptables -t nat -I PREROUTING -p tcp -d 45.56.x.x --dport 44158 -j DNAT --to 10.10.100.2:44158, either inside /etc/ufw/before.rules in the nat section, or inside the iptables-persistent rules.v4 file.

UFW NAT Forward /etc/ufw/before.rules

*nat
:PREROUTING ACCEPT [0:0]
-I PREROUTING -p tcp -d 45.56.x.x --dport 44158 -j DNAT --to 10.10.100.2:44158
COMMIT

...

I've tried putting the rules in /etc/ufw/before.rules and using iptables-persistent but they keep getting rearranged. Any idea why this AS0 stuff is changing the order? When I do ufw reload, the order is corrected.

1 Reply

Linode Staff

✓ Best Answer

The OpenVPN service makes a number of changes to iptables in order to properly NAT/route your VPN traffic, which is the cause of all the AS0_* rules that are being populated in your iptables. The default settings will prepend OpenVPN's rules to your iptables, resulting in your table's current state upon reboot.

This article from OpenVPN's documentation shows how you can alter the way the rules are added to iptables:

Assuming a default install directory, the following should allow you to force OpenVPN to append its rules to the end of your iptables, allowing your UFW rules to take precedence. The change will take effect on the next reboot of the OpenVPN service:

sudo /usr/local/openvpn_as/scripts/sacli --key "iptables.append" --value "True" ConfigPut

Just in case, the default prepending rules can be restored via the following:

sudo /usr/local/openvpn_as/scripts/sacli --key "iptables.append" ConfigDel
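Whether the fix has taken effect is easy to verify after a reboot: the port-forwarding rule must be rule number 1 in both chains, ahead of every AS0_* entry. The following script is an added example, not code from the post or from Linode staff. It parses `iptables -L -n -v` style output on stdin and reports the position of the first rule in a chain that mentions a given string (here the client address 10.10.100.2). The sample listings embedded below are copied from the post above, with the public IP masked exactly as it is there, so the script runs offline; on a live host you would feed it the real command output instead.

```shell
#!/bin/sh
# Added example (not from the original post): given the text of
# `iptables -L -n -v` (or `iptables -t nat -L -n -v`) on stdin, print the
# 1-based position of the first rule in CHAIN whose line contains PATTERN,
# or 0 if no such rule exists. A DNAT/ACCEPT forwarding rule only takes
# effect as intended when it sits at position 1, ahead of the AS0_* rules
# that OpenVPN Access Server inserts on start-up.
rule_position() {
    awk -v chain="$1" -v pat="$2" '
        /^Chain /                     { in_chain = ($2 == chain); n = 0; next }
        in_chain && /^ *pkts +bytes/  { next }   # column header, not a rule
        in_chain && NF > 0            { n++; if (!found && index($0, pat)) found = n }
        END                           { print found + 0 }
    '
}

# Exit 0 when the rule matching PATTERN is first in CHAIN, 1 otherwise.
rule_is_first() {
    [ "$(rule_position "$1" "$2")" = "1" ]
}

# Sample listings copied from the post (public IP masked as in the post).
GOOD_FORWARD=$(cat <<'EOF'
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    4   216 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.10.100.2          tcp dpt:44158
 2449  176K AS0_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
  510 42269 AS0_IN_PRE  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x2000000/0x2000000
EOF
)

AFTER_REBOOT_FORWARD=$(cat <<'EOF'
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    76 AS0_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    1    76 AS0_IN_PRE  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x2000000/0x2000000
    0     0 AS0_OUT_S2C  all  --  *      as0t+   0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.10.100.2          tcp dpt:44158
    0     0 ufw-before-logging-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
EOF
)

AFTER_REBOOT_NAT=$(cat <<'EOF'
Chain PREROUTING (policy ACCEPT 6 packets, 474 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 AS0_NAT_PRE_REL_EST  all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            45.56.x.x         tcp dpt:44158 to:10.10.100.2:44158
EOF
)

# Report where the forwarding rule landed. On a live host replace the
# printf with the real listing, e.g.:
#   iptables -L FORWARD -n -v | rule_position FORWARD 10.10.100.2
#   iptables -t nat -L PREROUTING -n -v | rule_position PREROUTING 10.10.100.2
report() {
    pos=$(printf '%s\n' "$3" | rule_position "$1" "$2")
    if [ "$pos" = "1" ]; then
        echo "$1: rule matching '$2' is first (ok)"
    else
        echo "$1: rule matching '$2' is at position $pos (AS0_* rules precede it)"
    fi
}

report FORWARD    10.10.100.2 "$GOOD_FORWARD"
report FORWARD    10.10.100.2 "$AFTER_REBOOT_FORWARD"
report PREROUTING 10.10.100.2 "$AFTER_REBOOT_NAT"
```

The check matches on the client address rather than on a rule number because the AS0_* chains are inserted by OpenVPN at service start, so the number of entries ahead of your rule is exactly what changes between a reboot and a `ufw reload`; a position other than 1 in either chain means the forward is being evaluated after OpenVPN's own chains.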
