How to turn off Firewall?

Hi,

I installed Diet-Pi + PiVPN + PiHole and a Raspbian lite + PiHole + PiVPN.

It seems that PiVPN does not automatically open the needed port.
Here is some output from the installation:

::: Your system is up to date! Continuing with PiVPN installation...
:::    Checking for git... already installed!
:::    Checking for tar... already installed!
:::    Checking for wget... already installed!
:::    Checking for curl... already installed!
:::    Checking for grep... already installed!
:::    Checking for dnsutils... already installed!
:::    Checking for whiptail... already installed!
:::    Checking for net-tools... already installed!
:::    Checking for bsdmainutils... already installed!
:::    Checking for dhcpcd5... already installed!
:::    Checking for iptables-persistent... not installed!
:::    Package iptables-persistent successfully installed!
::: Static IP already configured.
::: Using User: pivpn
:::
::: Checking for existing base files...
:::    Checking /usr/local/src/pivpn is a repo...:::    Cloning https://github.com/pivpn/pivpn.git into /usr/local/src/pivpn... done!
::: Using VPN: WireGuard
::: Installing WireGuard from Debian package...
::: Adding Raspbian repository...
::: Updating package cache...
:::    Checking for raspberrypi-kernel-headers... not installed!
:::    Checking for wireguard... not installed!
:::    Checking for wireguard-tools... not installed!
:::    Checking for wireguard-dkms... not installed!
:::    Checking for qrencode... not installed!
:::    Package raspberrypi-kernel-headers successfully installed!
:::    Package wireguard successfully installed!
:::    Package wireguard-tools successfully installed!
:::    Package wireguard-dkms successfully installed!
:::    Package qrencode successfully installed!
  [i] Listening on all interfaces, permitting origins from one hop away (LAN)
::: Backing up the wireguard folder to /etc/wireguard_2020-08-25-224039.tar.gz
::: Server Keys have been generated.
::: Server config generated.
iptables/1.8.2 Failed to initialize nft: Protocol not supported
iptables/1.8.2 Failed to initialize nft: Protocol not supported
iptables/1.8.2 Failed to initialize nft: Protocol not supported
iptables/1.8.2 Failed to initialize nft: Protocol not supported
iptables/1.8.2 Failed to initialize nft: Protocol not supported
iptables/1.8.2 Failed to initialize nft: Protocol not supported
iptables/1.8.2 Failed to initialize nft: Protocol not supported
iptables/1.8.2 Failed to initialize nft: Protocol not supported
iptables/1.8.2 Failed to initialize nft: Protocol not supported
iptables/1.8.2 Failed to initialize nft: Protocol not supported
iptables/1.8.2 Failed to initialize nft: Protocol not supported
iptables-save/1.8.2 Failed to initialize nft: Protocol not supported
::: Install Complete...

iptables -L is empty.
This is not a problem with the router; the router was configured as exposed host for IPv4 and IPv6 for the Pi.

On both systems I was unable to open the firewall for ports 22 and 51820.
What I tried:

  1. Disable the firewall (systemctl stop netfilter.service)
  2. Add iptables rules (problems due to the switch to nftables, I guess)
  3. Installed Webadmin and opened the firewall.
  4. Reinstalled everything a couple of times
  5. And a few other tries I lost track of.

Maybe this is a noob question, but I spent 7 hours trying to open a goddamn firewall and I'm sick of it. I would appreciate it if somebody could help me out with this :confused:

So the question: What is the correct way to open the firewall on Diet-Pi/Raspbian (lite) for specific ports so I can reach the Pi from the internet?

greetings

bramuna

Hi,

many thanks for your message.

Personally I would not recommend configuring your Pi as an exposed host. This will bring quite some security issues to your device, as it is fully reachable from the internet now, especially as you try to open SSH.

A better solution would be to keep your system behind your internet router and just open the VPN port 51820 UDP only. Using a VPN is much safer than having a system open to the web. Therefore I would do the following:

  1. Set up a fresh DietPi installation on your Pi
  2. Install PiHole
  3. Install native WireGuard (not the PiVPN version)
  4. Configure your internet router to forward port 51820 UDP only

Exactly this setup with PiHole and WireGuard is working on my RPi4B without issues.
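Two things from this thread are worth seeing in working form: the repeated "Failed to initialize nft: Protocol not supported" lines in the first post's installer output, which mean the iptables binary tried its nftables backend on a kernel without nf_tables support (so every rule the installer attempted was lost, which is why "iptables -L" comes back empty), and the "open the VPN port only, keep SSH off the internet" layout recommended in the reply above. The script below is an added shell example written for this page; it is not code from the thread, DietPi or PiVPN. It assumes the WireGuard interface is wg0, that the LAN is 192.168.0.0/16 unless passed as the second argument, and that the IPv4 rule set is loaded with iptables-restore (for instance as /etc/iptables/rules.v4 of the iptables-persistent package the installer pulled in); IPv6 would need an equivalent ip6tables file.

```shell
#!/bin/sh
# Added example for this thread (not code from DietPi, PiVPN or the posters).
#   classify_iptables_log   recognises the "Failed to initialize nft" lines
#   legacy_backend_commands prints the Debian commands that select the legacy
#                           (xtables) iptables backend, which needs no nf_tables
#   wireguard_ruleset       emits a minimal iptables-restore file that exposes
#                           only the WireGuard UDP port and keeps SSH LAN-only
#   port_exposure           reports how a rule set treats a given proto/port
# Assumptions (not from the thread): interface wg0, LAN 192.168.0.0/16, IPv4 only.

# Constructed excerpt of the installer output quoted in the question.
SAMPLE_LOG='::: Server config generated.
iptables/1.8.2 Failed to initialize nft: Protocol not supported
iptables-save/1.8.2 Failed to initialize nft: Protocol not supported
::: Install Complete...'

# Prints "nft-backend-unsupported" when iptables could not talk to nf_tables,
# otherwise "ok". In the first case no rule reached the kernel at all.
classify_iptables_log() {
    if printf '%s\n' "$1" | grep -q 'Failed to initialize nft'; then
        echo nft-backend-unsupported
    else
        echo ok
    fi
}

# Printed, not executed: switch the iptables/ip6tables wrappers to the legacy
# backend so rules are accepted on a kernel without nf_tables.
legacy_backend_commands() {
    cat <<'EOF'
update-alternatives --set iptables /usr/sbin/iptables-legacy
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
EOF
}

# Emits an iptables-restore file. $1 = WireGuard UDP port, $2 = LAN CIDR.
# INPUT and FORWARD default to DROP; only the listed traffic is accepted.
wireguard_ruleset() {
    port=${1:-51820}
    lan=${2:-192.168.0.0/16}
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p udp --dport $port -j ACCEPT
-A INPUT -p tcp --dport 22 -s $lan -j ACCEPT
-A INPUT -i wg0 -j ACCEPT
-A FORWARD -i wg0 -j ACCEPT
-A FORWARD -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Reads a rule set from stdin and prints "open" if new connections to
# $1/$2 (proto/port) are accepted from anywhere, "lan-only" if the accepting
# rule carries a -s source restriction, and "closed" if no rule accepts them.
port_exposure() {
    rules=$(cat)
    line=$(printf '%s\n' "$rules" | grep -- "-p $1 --dport $2 " | head -n 1)
    case $line in
        '') echo closed ;;
        *' -s '*) echo lan-only ;;
        *) echo open ;;
    esac
}

# Stand-alone demo: diagnose the sample log, then show the rule set.
classify_iptables_log "$SAMPLE_LOG"
legacy_backend_commands
wireguard_ruleset 51820 192.168.1.0/24
```

Before loading the rule set, check `iptables -V`: if it reports `(nf_tables)` and the kernel lacks nf_tables, run the two update-alternatives commands first, otherwise iptables-restore fails with the same "Failed to initialize nft" error as the installer.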

Hello Joulinar,


Thank you very much for your answer!

I am not planning on using it as an exposed host; I just configured it this way in my router to rule out that a connection can't be established due to the router (just for troubleshooting, until at least something works).

I am trying it with a fresh install of DietPi and concurrently of Raspbian lite with just PiHole installed (without WireGuard until any port, for testing I use 22/SSH, is reachable from outside the network).

So I did not configure anything with the firewall for now, just exposed host on my router. All is stock on the RPi.


DynDNS is working (just a little curl update request to my DynDNS provider) and updating correctly; internally I can SSH into the Pi with no problem.

But I still can't get a connection to my Pi via SSH, neither using the hostname from my DynDNS nor using the IPv6 address.

There are some signs indicating that a firewall is blocking the connection.

Any ideas what could be wrong?

BTW: I got a DS-Lite connection, so I expect IPv4 not to work, but IPv6 should.

greetings

bramuna

Usually on a DS-Lite connection, you should be able to connect both ways via IPv4 and IPv6. Looks like your issue is not connected to DietPi, because you have issues in Raspbian Lite as well.

Anyway, I would recommend the following.

  1. Install a fresh DietPi
  2. Just install the lighttpd web server
  3. Don't install other software

Once done, you should be able to reach your web server on HTTP if your Pi is still exposed. DietPi does not contain any firewall by default.

However, I would highly recommend setting up port forwarding on your router and not using the exposed host feature. This is much closer to the final setup