
Ubuntu Openvpn no traffic to client

1 vote
0 answers
46 views
I got a problem with an OpenVPN server on a dedicated hosting VM: the packets do not pass to the client after the connection is established (although during the establishment of that connection they do reach the client successfully). Port forwarding is enabled, ufw is configured, and no matter what there are no packets to the client. Any advice on what I should check?
Versions
Ubuntu 22.04.2

OpenVPN 2.5.9 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jun 27 2024
library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
Client logs
2024-09-23 13:19:38.246711 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:63081
...
2024-09-23 13:19:43.685541 Initialization Sequence Completed
2024-09-23 13:19:43.685563 MANAGEMENT: >STATE:1727086783,CONNECTED,SUCCESS,10.8.0.6,5.180.55.57,1194,,
2024-09-23 13:19:43.685610 UDP WRITE  to [AF_INET]5.180.55.57:1194: P_ACK_V1 kid=0 [ ]
2024-09-23 13:19:43.685684 UDP READ  from [AF_INET]5.180.55.57:1194: P_CONTROL_V1 kid=0 [ ] pid=2662 DATA len=280
2024-09-23 13:19:43.685709 UDP WRITE  to [AF_INET]5.180.55.57:1194: P_ACK_V1 kid=0 [ ]
2024-09-23 13:19:43.685737 UDP WRITE  to [AF_INET]5.180.55.57:1194: P_DATA_V2 kid=0 DATA len=87
2024-09-23 13:19:43.685756 UDP WRITE  to [AF_INET]5.180.55.57:1194: P_DATA_V2 kid=0 DATA len=87
2024-09-23 13:19:43.685774 UDP WRITE  to [AF_INET]5.180.55.57:1194: P_DATA_V2 kid=0 DATA len=87
2024-09-23 13:19:43.685835 UDP WRITE  to [AF_INET]5.180.55.57:1194: P_DATA_V2 kid=0 DATA len=87
2024-09-23 13:19:43.685855 UDP WRITE  to [AF_INET]5.180.55.57:1194: P_DATA_V2 kid=0 DATA len=87
2024-09-23 13:19:43.685874 UDP WRITE  to [AF_INET]5.180.55.57:1194: P_DATA_V2 kid=0 DATA len=87
2024-09-23 13:19:43.685892 UDP WRITE  to [AF_INET]5.180.55.57:1194: P_DATA_V2 kid=0 DATA len=87
2024-09-23 13:19:43.685920 UDP WRITE  to [AF_INET]5.180.55.57:1194: P_DATA_V2 kid=0 DATA len=87
2024-09-23 13:19:43.685937 UDP WRITE  to [AF_INET]5.180.55.57:1194: P_DATA_V2 kid=0 DATA len=87
2024-09-23 13:19:43.685952 UDP WRITE  to [AF_INET]5.180.55.57:1194: P_DATA_V2 kid=0 DATA len=87
2024-09-23 13:19:43.685973 UDP WRITE  to [AF_INET]5.180.55.57:1194: P_DATA_V2 kid=0 DATA len=87
2024-09-23 13:19:43.685989 UDP WRITE  to [AF_INET]5.180.55.57:1194: P_DATA_V2 kid=0 DATA len=87
2024-09-23 13:19:43.686006 UDP WRITE  to [AF_INET]5.180.55.57:1194: P_DATA_V2 kid=0 DATA len=87
2024-09-23 13:19:43.686025 UDP WRITE  to [AF_INET]5.180.55.57:1194: P_DATA_V2 kid=0 DATA len=87
2024-09-23 13:19:43.686042 UDP WRITE  to [AF_INET]5.180.55.57:1194: P_DATA_V2 kid=0 DATA len=87
That is it, no UDP READ ever at all. And after the timeout the client starts reconnecting.
Server logs
Sep 23 12:19:38 vm3028493.stark-industries.solutions ovpn-udp: MULTI: multi_create_instance called
Sep 23 12:19:38 vm3028493.stark-industries.solutions ovpn-udp: client_ip:57537 Re-using SSL/TLS context
Sep 23 12:19:38 vm3028493.stark-industries.solutions ovpn-udp: client_ip:57537 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Sep 23 12:19:38 vm3028493.stark-industries.solutions ovpn-udp: client_ip:57537 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Sep 23 12:19:38 vm3028493.stark-industries.solutions ovpn-udp: client_ip:57537 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Sep 23 12:19:38 vm3028493.stark-industries.solutions ovpn-udp: client_ip:57537 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Sep 23 12:19:38 vm3028493.stark-industries.solutions ovpn-udp: client_ip:57537 Control Channel MTU parms [ L:1621 D:1156 EF:94 EB:0 ET:0 EL:3 ]
Sep 23 12:19:38 vm3028493.stark-industries.solutions ovpn-udp: client_ip:57537 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Sep 23 12:19:38 vm3028493.stark-industries.solutions ovpn-udp: client_ip:57537 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1549,tun-mtu 1500,proto UDPv4,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-server'
Sep 23 12:19:38 vm3028493.stark-industries.solutions ovpn-udp: client_ip:57537 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1549,tun-mtu 1500,proto UDPv4,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-client'
Sep 23 12:19:38 vm3028493.stark-industries.solutions ovpn-udp: client_ip:57537 UDPv4 READ  from [AF_INET]client_ip:57537: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=358 DATA len=40
Sep 23 12:19:38 vm3028493.stark-industries.solutions ovpn-udp: client_ip:57537 TLS: Initial packet from [AF_INET]client_ip:57537, sid=277076f6 1cd8249e
Sep 23 12:19:38 vm3028493.stark-industries.solutions ovpn-udp: client_ip:57537 UDPv4 WRITE  to [AF_INET]client_ip:57537: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ ] pid=358 DATA len=52
Sep 23 12:19:38 vm3028493.stark-industries.solutions ovpn-udp: client_ip:57537 UDPv4 READ  from [AF_INET]client_ip:57537: P_ACK_V1 kid=0 [ ]
Sep 23 12:19:38 vm3028493.stark-industries.solutions ovpn-udp: client_ip:57537 UDPv4 READ  from [AF_INET]client_ip:57537: P_CONTROL_V1 kid=0 [ ] pid=870 DATA len=317
Sep 23 12:19:38 vm3028493.stark-industries.solutions ovpn-udp: client_ip:57537 UDPv4 WRITE  to [AF_INET]client_ip:57537: P_CONTROL_V1 kid=0 [ ] pid=614 DATA len=1114
Sep 23 12:19:38 vm3028493.stark-industries.solutions ovpn-udp: client_ip:57537 UDPv4 WRITE  to [AF_INET]client_ip:57537: P_CONTROL_V1 kid=0 [ ] pid=870 DATA len=1102
Sep 23 12:19:38 vm3028493.stark-industries.solutions ovpn-udp: client_ip:57537 UDPv4 WRITE  to [AF_INET]client_ip:57537: P_CONTROL_V1 kid=0 [ ] pid=1126 DATA len=299
Sep 23 12:19:38 vm3028493.stark-industries.solutions ovpn-udp: client_ip:57537 UDPv4 READ  from [AF_INET]client_ip:57537: P_ACK_V1 kid=0 [ ]
Sep 23 12:19:38 vm3028493.stark-industries.solutions ovpn-udp: client_ip:57537 UDPv4 READ  from [AF_INET]client_ip:57537: P_ACK_V1 kid=0 [ ]
Sep 23 12:19:38 vm3028493.stark-industries.solutions ovpn-udp: client_ip:57537 UDPv4 READ  from [AF_INET]client_ip:57537: P_CONTROL_V1 kid=0 [ ] pid=1638 DATA len=1114
Sep 23 12:19:38 vm3028493.stark-industries.solutions ovpn-udp: client_ip:57537 UDPv4 WRITE  to [AF_INET]client_ip:57537: P_ACK_V1 kid=0 [ ]
Sep 23 12:19:38 vm3028493.stark-industries.solutions ovpn-udp: client_ip:57537 UDPv4 READ  from [AF_INET]client_ip:57537: P_CONTROL_V1 kid=0 [ ] pid=1894 DATA len=1102
Sep 23 12:19:38 vm3028493.stark-industries.solutions ovpn-udp: client_ip:57537 VERIFY OK: depth=1, CN=Easy-RSA CA
Sep 23 12:19:38 vm3028493.stark-industries.solutions ovpn-udp: client_ip:57537 VERIFY OK: depth=0, CN=vt_client
Sep 23 12:19:38 vm3028493.stark-industries.solutions ovpn-udp: client_ip:57537 UDPv4 WRITE  to [AF_INET]client_ip:57537: P_CONTROL_V1 kid=0 [ ] pid=1638 DATA len=210
Sep 23 12:19:38 vm3028493.stark-industries.solutions ovpn-udp: client_ip:57537 UDPv4 READ  from [AF_INET]client_ip:57537: P_CONTROL_V1 kid=0 [ ] pid=2150 DATA len=532
Sep 23 12:19:38 vm3028493.stark-industries.solutions ovpn-udp: client_ip:57537 peer info: IV_VER=2.4.12
Sep 23 12:19:38 vm3028493.stark-industries.solutions ovpn-udp: client_ip:57537 peer info: IV_PLAT=mac
Sep 23 12:19:38 vm3028493.stark-industries.solutions ovpn-udp: client_ip:57537 peer info: IV_PROTO=2
Sep 23 12:19:38 vm3028493.stark-industries.solutions ovpn-udp: client_ip:57537 peer info: IV_NCP=2
Sep 23 12:19:38 vm3028493.stark-industries.solutions ovpn-udp: client_ip:57537 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM
Sep 23 12:19:38 vm3028493.stark-industries.solutions ovpn-udp: client_ip:57537 peer info: IV_LZ4=1
Sep 23 12:19:38 vm3028493.stark-industries.solutions ovpn-udp: client_ip:57537 peer info: IV_LZ4v2=1
Sep 23 12:19:38 vm3028493.stark-industries.solutions ovpn-udp: client_ip:57537 peer info: IV_LZO=1
Sep 23 12:19:38 vm3028493.stark-industries.solutions ovpn-udp: client_ip:57537 peer info: IV_COMP_STUB=1
Sep 23 12:19:38 vm3028493.stark-industries.solutions ovpn-udp: client_ip:57537 peer info: IV_COMP_STUBv2=1
Sep 23 12:19:38 vm3028493.stark-industries.solutions ovpn-udp: client_ip:57537 peer info: IV_TCPNL=1
Sep 23 12:19:38 vm3028493.stark-industries.solutions ovpn-udp: client_ip:57537 peer info: IV_GUI_VER="net.tunnelblick.tunnelblick_5971_4.0.1__build_5971)"
Sep 23 12:19:38 vm3028493.stark-industries.solutions ovpn-udp: client_ip:57537 UDPv4 WRITE  to [AF_INET]client_ip:57537: P_CONTROL_V1 kid=0 [ ] pid=1894 DATA len=280
Sep 23 12:19:38 vm3028493.stark-industries.solutions ovpn-udp: client_ip:57537 UDPv4 READ  from [AF_INET]client_ip:57537: P_ACK_V1 kid=0 [ ]
Sep 23 12:19:38 vm3028493.stark-industries.solutions ovpn-udp: client_ip:57537 UDPv4 READ  from [AF_INET]client_ip:57537: P_ACK_V1 kid=0 [ ]
Sep 23 12:19:38 vm3028493.stark-industries.solutions ovpn-udp: client_ip:57537 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
Sep 23 12:19:38 vm3028493.stark-industries.solutions ovpn-udp: client_ip:57537 [vt_client] Peer Connection Initiated with [AF_INET]client_ip:57537
Sep 23 12:19:38 vm3028493.stark-industries.solutions ovpn-udp: vt_client/client_ip:57537 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Sep 23 12:19:38 vm3028493.stark-industries.solutions ovpn-udp: vt_client/client_ip:57537 MULTI: Learn: 10.8.0.6 -> vt_client/client_ip:57537
Sep 23 12:19:38 vm3028493.stark-industries.solutions ovpn-udp: vt_client/client_ip:57537 MULTI: primary virtual IP for vt_client/client_ip:57537: 10.8.0.6
Sep 23 12:19:38 vm3028493.stark-industries.solutions ovpn-udp: vt_client/client_ip:57537 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sep 23 12:19:38 vm3028493.stark-industries.solutions ovpn-udp: vt_client/client_ip:57537 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sep 23 12:19:39 vm3028493.stark-industries.solutions ovpn-udp: vt_client/client_ip:57537 UDPv4 READ  from [AF_INET]client_ip:57537: P_CONTROL_V1 kid=0 [ ] pid=2918 DATA len=75
Sep 23 12:19:39 vm3028493.stark-industries.solutions ovpn-udp: vt_client/client_ip:57537 PUSH: Received control message: 'PUSH_REQUEST'
Sep 23 12:19:39 vm3028493.stark-industries.solutions ovpn-udp: vt_client/client_ip:57537 SENT CONTROL [vt_client]: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM' (status=1)
Sep 23 12:19:39 vm3028493.stark-industries.solutions ovpn-udp: vt_client/client_ip:57537 UDPv4 WRITE  to [AF_INET]client_ip:57537: P_ACK_V1 kid=0 [ ]
Sep 23 12:19:39 vm3028493.stark-industries.solutions ovpn-udp: vt_client/client_ip:57537 UDPv4 WRITE  to [AF_INET]client_ip:57537: P_CONTROL_V1 kid=0 [ ] pid=2406 DATA len=280
Sep 23 12:19:42 vm3028493.stark-industries.solutions ovpn-udp: vt_client/client_ip:57537 UDPv4 WRITE  to [AF_INET]client_ip:57537: P_CONTROL_V1 kid=0 [ ] pid=2662 DATA len=280
Sep 23 12:19:43 vm3028493.stark-industries.solutions ovpn-udp: vt_client/client_ip:57537 UDPv4 READ  from [AF_INET]client_ip:57537: P_ACK_V1 kid=0 [ ]
Sep 23 12:19:43 vm3028493.stark-industries.solutions ovpn-udp: vt_client/client_ip:57537 UDPv4 READ  from [AF_INET]client_ip:57537: P_ACK_V1 kid=0 [ ]
Sep 23 12:19:43 vm3028493.stark-industries.solutions ovpn-udp: vt_client/client_ip:57537 UDPv4 READ  from [AF_INET]client_ip:57537: P_DATA_V2 kid=0 DATA len=87
Sep 23 12:19:43 vm3028493.stark-industries.solutions ovpn-udp: vt_client/client_ip:57537 TUN WRITE 
Sep 23 12:19:43 vm3028493.stark-industries.solutions ovpn-udp: vt_client/client_ip:57537 UDPv4 READ  from [AF_INET]client_ip:57537: P_DATA_V2 kid=0 DATA len=87
Sep 23 12:19:43 vm3028493.stark-industries.solutions ovpn-udp: vt_client/client_ip:57537 TUN WRITE 
Sep 23 12:19:43 vm3028493.stark-industries.solutions ovpn-udp: vt_client/client_ip:57537 UDPv4 READ  from [AF_INET]client_ip:57537: P_DATA_V2 kid=0 DATA len=87
Sep 23 12:19:43 vm3028493.stark-industries.solutions ovpn-udp: vt_client/client_ip:57537 TUN WRITE 
Sep 23 12:19:43 vm3028493.stark-industries.solutions ovpn-udp: vt_client/client_ip:57537 UDPv4 READ  from [AF_INET]client_ip:57537: P_DATA_V2 kid=0 DATA len=87
Sep 23 12:19:43 vm3028493.stark-industries.solutions ovpn-udp: vt_client/client_ip:57537 TUN WRITE 
Sep 23 12:19:43 vm3028493.stark-industries.solutions ovpn-udp: vt_client/client_ip:57537 UDPv4 READ  from [AF_INET]client_ip:57537: P_DATA_V2 kid=0 DATA len=87
Sep 23 12:19:43 vm3028493.stark-industries.solutions ovpn-udp: vt_client/client_ip:57537 TUN WRITE 
Sep 23 12:19:43 vm3028493.stark-industries.solutions ovpn-udp: vt_client/client_ip:57537 UDPv4 READ  from [AF_INET]client_ip:57537: P_DATA_V2 kid=0 DATA len=87
Sep 23 12:19:43 vm3028493.stark-industries.solutions ovpn-udp: vt_client/client_ip:57537 TUN WRITE 
Sep 23 12:19:43 vm3028493.stark-industries.solutions ovpn-udp: vt_client/client_ip:57537 UDPv4 READ  from [AF_INET]client_ip:57537: P_DATA_V2 kid=0 DATA len=87
Sep 23 12:19:43 vm3028493.stark-industries.solutions ovpn-udp: vt_client/client_ip:57537 TUN WRITE 
Sep 23 12:19:43 vm3028493.stark-industries.solutions ovpn-udp: vt_client/client_ip:57537 UDPv4 READ  from [AF_INET]client_ip:57537: P_DATA_V2 kid=0 DATA len=87
Sep 23 12:19:43 vm3028493.stark-industries.solutions ovpn-udp: vt_client/client_ip:57537 TUN WRITE 
Sep 23 12:19:43 vm3028493.stark-industries.solutions ovpn-udp: vt_client/client_ip:57537 UDPv4 READ  from [AF_INET]client_ip:57537: P_DATA_V2 kid=0 DATA len=87
Sep 23 12:19:43 vm3028493.stark-industries.solutions ovpn-udp: vt_client/client_ip:57537 TUN WRITE 
Sep 23 12:19:43 vm3028493.stark-industries.solutions ovpn-udp: vt_client/client_ip:57537 UDPv4 READ  from [AF_INET]client_ip:57537: P_DATA_V2 kid=0 DATA len=87
Sep 23 12:19:43 vm3028493.stark-industries.solutions ovpn-udp: vt_client/client_ip:57537 TUN WRITE 
Sep 23 12:19:43 vm3028493.stark-industries.solutions ovpn-udp: vt_client/client_ip:57537 UDPv4 READ  from [AF_INET]client_ip:57537: P_DATA_V2 kid=0 DATA len=87
Sep 23 12:19:43 vm3028493.stark-industries.solutions ovpn-udp: vt_client/client_ip:57537 TUN WRITE 
Sep 23 12:19:43 vm3028493.stark-industries.solutions ovpn-udp: vt_client/client_ip:57537 UDPv4 READ  from [AF_INET]client_ip:57537: P_DATA_V2 kid=0 DATA len=87
Sep 23 12:19:43 vm3028493.stark-industries.solutions ovpn-udp: vt_client/client_ip:57537 TUN WRITE 
Sep 23 12:19:43 vm3028493.stark-industries.solutions ovpn-udp: vt_client/client_ip:57537 UDPv4 READ  from [AF_INET]client_ip:57537: P_DATA_V2 kid=0 DATA len=87
Sep 23 12:19:43 vm3028493.stark-industries.solutions ovpn-udp: vt_client/client_ip:57537 TUN WRITE 
Sep 23 12:19:43 vm3028493.stark-industries.solutions ovpn-udp: vt_client/client_ip:57537 UDPv4 READ  from [AF_INET]client_ip:57537: P_DATA_V2 kid=0 DATA len=87
Sep 23 12:19:43 vm3028493.stark-industries.solutions ovpn-udp: vt_client/client_ip:57537 TUN WRITE 
Sep 23 12:19:43 vm3028493.stark-industries.solutions ovpn-udp: vt_client/client_ip:57537 UDPv4 READ  from [AF_INET]client_ip:57537: P_DATA_V2 kid=0 DATA len=87
Sep 23 12:19:43 vm3028493.stark-industries.solutions ovpn-udp: vt_client/client_ip:57537 TUN WRITE 
Sep 23 12:19:43 vm3028493.stark-industries.solutions ovpn-udp: vt_client/client_ip:57537 TUN READ 
Sep 23 12:19:43 vm3028493.stark-industries.solutions ovpn-udp: vt_client/client_ip:57537 UDPv4 WRITE  to [AF_INET]client_ip:57537: P_DATA_V2 kid=0 DATA len=83
Sep 23 12:19:43 vm3028493.stark-industries.solutions ovpn-udp: vt_client/client_ip:57537 TUN READ 
Sep 23 12:19:43 vm3028493.stark-industries.solutions ovpn-udp: vt_client/client_ip:57537 UDPv4 WRITE  to [AF_INET]client_ip:57537: P_DATA_V2 kid=0 DATA len=83
Sep 23 12:19:43 vm3028493.stark-industries.solutions ovpn-udp: vt_client/client_ip:57537 TUN READ 
Sep 23 12:19:43 vm3028493.stark-industries.solutions ovpn-udp: vt_client/client_ip:57537 UDPv4 WRITE  to [AF_INET]client_ip:57537: P_DATA_V2 kid=0 DATA len=83
Sep 23 12:19:43 vm3028493.stark-industries.solutions ovpn-udp: vt_client/client_ip:57537 TUN READ 

...
Sep 23 12:23:43 vm3028493.stark-industries.solutions ovpn-udp: vt_client/client_ip:57537 [vt_client] Inactivity timeout (--ping-restart), restarting
Sep 23 12:23:43 vm3028493.stark-industries.solutions ovpn-udp: vt_client/client_ip:57537 SIGUSR1[soft,ping-restart] received, client-instance restarting
Server conf
username@vm3028493:/etc/openvpn$ cat udp.conf 
port 1194
proto udp

dev tun

ca ca.crt
cert server.crt
key server.key
dh none

# crl-verify crl.pem

server 10.8.0.0 255.255.255.0

push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

duplicate-cn
keepalive 10 120

tls-crypt ta.key
cipher AES-256-GCM
auth SHA256

user nobody
group nogroup

persist-key
persist-tun

verb 6

explicit-exit-notify 1


username@vm3028493:/etc/openvpn$ cat tcp.conf 
port 443
proto tcp

dev tun

ca ca.crt
cert server.crt
key server.key  
dh none

server 10.9.0.0 255.255.255.0

push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

duplicate-cn
keepalive 10 120

tls-crypt ta.key
cipher AES-256-GCM
auth SHA256

user nobody
group nogroup

persist-key
persist-tun

verb 3
Client conf
client
dev tun

remote host_white_ip 1194 udp
remote host_white_ip 443 tcp

resolv-retry infinite

nobind

persist-key
persist-tun

remote-cert-tls server
cipher AES-256-GCM
auth SHA256
key-direction 1

verb 6

...


...


...


...
pf is active (the output is for demo only; the same line is in /etc/sysctl.conf)
username@vm3028493:/etc/openvpn$ sudo sysctl net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1
ufw
username@vm3028493:/etc/openvpn$ sudo ufw status verbose 
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
1194/udp                   ALLOW IN    Anywhere                  
443/tcp                    ALLOW IN    Anywhere                  
2022/tcp                   ALLOW IN    Anywhere                  
1194/udp (v6)              ALLOW IN    Anywhere (v6)             
443/tcp (v6)               ALLOW IN    Anywhere (v6)             
2022/tcp (v6)              ALLOW IN    Anywhere (v6)     


username@vm3028493:/etc/openvpn$ sudo cat /etc/ufw/before.rules 
#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
#   ufw-before-input
#   ufw-before-output
#   ufw-before-forward
#

# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/8 -o ens3 -j MASQUERADE
-A POSTROUTING -s 10.9.0.0/8 -o ens3 -j MASQUERADE
COMMIT
# END OPENVPN RULES


# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# End required lines


# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT

# quickly process packets for which we already have a connection
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP

# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

# ok icmp code for FORWARD
-A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT

# allow dhcp client to work
-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT

#
# ufw-not-local
#
-A ufw-before-input -j ufw-not-local

# if LOCAL, RETURN
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN

# if MULTICAST, RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN

# if BROADCAST, RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN

# all other non-local packets are dropped
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP

# allow MULTICAST mDNS for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT

# allow MULTICAST UPnP for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT

# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT
Here is what the routing table looks like:
sysop@vm3028493:~$ netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         5.180.55.1      0.0.0.0         UG        0 0          0 ens3
5.180.55.0      0.0.0.0         255.255.255.0   U         0 0          0 ens3
10.8.0.0        10.8.0.2        255.255.255.0   UG        0 0          0 tun1
10.8.0.2        0.0.0.0         255.255.255.255 UH        0 0          0 tun1
10.9.0.0        10.9.0.2        255.255.255.0   UG        0 0          0 tun0
10.9.0.2        0.0.0.0         255.255.255.255 UH        0 0          0 tun0
Asked by garik f (21 rep)
Sep 23, 2024, 10:48 AM
Last activity: Sep 24, 2024, 06:11 PM
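As an added example that is not part of the question, the Python script below parses the verb 6 packet-trace lines from both sides (constructed sample lines in the same formats as the logs above, not the full logs) and names the first hop at which P_DATA_V2 packets stop; the regexes and the finding texts are my own assumptions, not OpenVPN output.

```python
import re
from collections import Counter

# verb-6 trace lines: the client prints "UDP READ/WRITE", the server "UDPv4 READ/WRITE";
# the opcode after the peer address tells control (P_CONTROL_*, P_ACK_*) from data (P_DATA_V2).
UDP_RE = re.compile(r"\bUDP(?:v4|v6)?\s+(READ|WRITE)\s+(?:from|to)\s+\S+:\s+(P_\w+)")
TUN_RE = re.compile(r"\bTUN\s+(READ|WRITE)\b")


def summarize(lines):
    """Count trace events on one side: udp_{data,ctrl}_{read,write} and tun_{read,write}."""
    c = Counter()
    for line in lines:
        m = UDP_RE.search(line)
        if m:
            kind = "data" if m.group(2).startswith("P_DATA") else "ctrl"
            c[f"udp_{kind}_{m.group(1).lower()}"] += 1
            continue
        m = TUN_RE.search(line)
        if m:
            c[f"tun_{m.group(1).lower()}"] += 1
    return dict(c)


def diagnose(client, server):
    """Walk the data path in both directions and name the first hop where counts drop to zero."""
    def n(d, k):
        return d.get(k, 0)
    findings = []
    if n(client, "udp_data_write") and not n(server, "udp_data_read"):
        findings.append("client->server: client sent data, server socket saw none (inbound UDP blocked)")
    elif n(server, "udp_data_read") and not n(server, "tun_write"):
        findings.append("client->server: server received data but wrote none to tun (data-channel key mismatch)")
    elif n(server, "tun_write") and not n(server, "tun_read"):
        findings.append("server side: packets entered tun but no replies came back (ip_forward, NAT, routes)")
    if n(server, "tun_read") and not n(server, "udp_data_write"):
        findings.append("server->client: replies read from tun but never written to the UDP socket")
    elif n(server, "udp_data_write") and not n(client, "udp_data_read"):
        findings.append("server->client: server wrote data packets, client read none (return path lost after server socket)")
    return findings


# Constructed sample lines in the two formats above (not the full logs from the question).
CLIENT_LOG = """\
2024-09-23 13:19:43.685684 UDP READ  from [AF_INET]5.180.55.57:1194: P_CONTROL_V1 kid=0 [ ] pid=2662 DATA len=280
2024-09-23 13:19:43.685709 UDP WRITE  to [AF_INET]5.180.55.57:1194: P_ACK_V1 kid=0 [ ]
2024-09-23 13:19:43.685737 UDP WRITE  to [AF_INET]5.180.55.57:1194: P_DATA_V2 kid=0 DATA len=87
2024-09-23 13:19:43.685756 UDP WRITE  to [AF_INET]5.180.55.57:1194: P_DATA_V2 kid=0 DATA len=87
""".splitlines()
SERVER_LOG = """\
Sep 23 12:19:43 vm ovpn-udp: vt_client/client_ip:57537 UDPv4 READ  from [AF_INET]client_ip:57537: P_ACK_V1 kid=0 [ ]
Sep 23 12:19:43 vm ovpn-udp: vt_client/client_ip:57537 UDPv4 READ  from [AF_INET]client_ip:57537: P_DATA_V2 kid=0 DATA len=87
Sep 23 12:19:43 vm ovpn-udp: vt_client/client_ip:57537 TUN WRITE
Sep 23 12:19:43 vm ovpn-udp: vt_client/client_ip:57537 UDPv4 READ  from [AF_INET]client_ip:57537: P_DATA_V2 kid=0 DATA len=87
Sep 23 12:19:43 vm ovpn-udp: vt_client/client_ip:57537 TUN WRITE
Sep 23 12:19:43 vm ovpn-udp: vt_client/client_ip:57537 TUN READ
Sep 23 12:19:43 vm ovpn-udp: vt_client/client_ip:57537 UDPv4 WRITE  to [AF_INET]client_ip:57537: P_DATA_V2 kid=0 DATA len=83
""".splitlines()

if __name__ == "__main__":
    for finding in diagnose(summarize(CLIENT_LOG), summarize(SERVER_LOG)):
        print(finding)
```

To run it on the real logs, replace the two constructed lists with the lines read from each log file; on the logs quoted above (server UDPv4 WRITE of P_DATA_V2 present, client UDP READ of P_DATA_V2 absent) it reports the server-to-client loss after the server's UDP socket.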