wknapik / vpnfailsafe

IP leak prevention for OpenVPN


not working, vpnfailsafe error

gemina-vii opened this issue · comments

Hello, new fresh install on Arch Linux with OpenVPN. Tunnel connects fine. Installed vpnfailsafe and get this:

Feb 23 15:44:09 val openvpn[550]: /etc/openvpn/vpnfailsafe.sh:132: `iptables -A "VPNFAILSAFE_$*" -p "${!proto%-client}" -"$sd" "${remotes[i-1]}" --"$sd"port "${!port}" "${suf[@]}"' returned 2
Feb 23 15:44:09 val openvpn[545]: WARNING: Failed running command (--up/--down): external program exited with error status: 2
Feb 23 15:44:09 val openvpn[545]: Exiting due to fatal error
Feb 23 15:44:09 val systemd[1]: openvpn-client@client.service: Main process exited, code=exited, status=1/FAILURE
Feb 23 15:44:09 val systemd[1]: openvpn-client@client.service: Failed with result 'exit-code'.

Any idea what I can try?
Thanks!

In my case, this is running on a dedicated vm router that redirects all traffic through the vpn. Instead of using vpnfailsafe I found it easier to add a simple iptables rule in /etc/iptables/iptables.rules to drop all traffic that is not going through the vpn:

```
# VPN Router Kill Switch
-A FORWARD -s 10.1.1.0/24 -i ens18 -o ens18 -j DROP
```

Modify -s for your internal network and correct the interfaces to reflect your machine.

Again, this works for me as the vm is acting as a router and just forwarding packets.

For posterity, my complete /etc/iptables/iptables.rules is:

```
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

# Route Everything Through OpenVPN
-A POSTROUTING -j MASQUERADE

COMMIT

*filter
:INPUT ACCEPT [24:1752]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [15:1556]

# VPN Router Kill Switch
-A FORWARD -s 10.1.1.0/24 -i ens18 -o ens18 -j DROP

# Route Everything Through OpenVPN
-A FORWARD -s 10.1.1.0/24 -i ens18 -o tun0 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

COMMIT
```

Cheers!
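A way to check what the FORWARD chain in the comment above does to a given packet without loading it into the kernel, as an added example that is not part of the thread or of vpnfailsafe. The `parse` and `verdict` helpers and the test packets are constructed here, and the parser assumes only the options that appear in those rules.

```python
import ipaddress
import shlex

# FORWARD chain from the rules file in the comment above.
RULES = """\
*filter
:FORWARD ACCEPT [0:0]
# VPN Router Kill Switch
-A FORWARD -s 10.1.1.0/24 -i ens18 -o ens18 -j DROP
# Route Everything Through OpenVPN
-A FORWARD -s 10.1.1.0/24 -i ens18 -o tun0 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""

def parse(text, chain="FORWARD"):
    """Return (default policy, ordered rules) for one chain of an iptables-save file.
    Assumption: only the one-argument options used above appear, with no '!' negation."""
    policy, rules = None, []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)
        if tok and tok[0] == ":" + chain:
            policy = tok[1]
        elif tok[:2] == ["-A", chain]:
            rules.append(dict(zip(tok[2::2], tok[3::2])))
    return policy, rules

def verdict(policy, rules, src, iif, oif, state):
    """First matching rule decides; the chain policy applies if none match."""
    for r in rules:
        if "-s" in r and ipaddress.ip_address(src) not in ipaddress.ip_network(r["-s"]):
            continue
        if r.get("-i", iif) != iif or r.get("-o", oif) != oif:
            continue
        if "--ctstate" in r and state not in r["--ctstate"].split(","):
            continue
        return r["-j"]
    return policy

# Constructed test packets: (source, in-interface, out-interface, conntrack state).
PACKETS = {
    "LAN host, tunnel down, routed back out ens18": ("10.1.1.5", "ens18", "ens18", "NEW"),
    "LAN host through the tunnel": ("10.1.1.5", "ens18", "tun0", "NEW"),
    "reply arriving from the tunnel": ("203.0.113.7", "tun0", "ens18", "ESTABLISHED"),
    "source outside the -s subnet": ("192.168.50.9", "ens18", "ens18", "NEW"),
}

if __name__ == "__main__":
    policy, rules = parse(RULES)
    for name, pkt in PACKETS.items():
        print(f"{verdict(policy, rules, *pkt):7} {name}")
```

The last packet falls through to the chain's ACCEPT policy because the DROP rule matches only sources inside `-s`, so the subnet and interface names have to match the machine, as the comment says.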

Hi @gemina-vii. If you're still interested in fixing the issue, please add set -x in the second line of vpnfailsafe.sh and share the output produced when connecting. If you'd rather not paste it here, you can send it via email (wmknapik at gmail), my PGP key signature is in my profile description.