Pivpn 'looses' masquarading firewall rule after reboot

General Discussion
1

I have pivpn installed and it works great, but I noticed that after a reboot of the server, pivpn still ‘works’: I can connect to it, but I am not able to use this connection to go outside my own network.

When I run pivpn -d it tells me:

=============================================
::::		Self check		 ::::
:: [OK] IP forwarding is enabled
:: [OK] Ufw is enabled
:: [ERR] Iptables MASQUERADE rule is not set, attempt fix now? [Y/n] 
Firewall reloaded

when I fix the Iptables masquerade rule, the it works again.

but, when i reboot my server then I have to run pivpn -d again as the masquerading rule is again not loaded.

So after some research I found that the culprit (at least for me) is in the iptables service

When I do a systemctl status iptables I see that the service is loaded but inactive, so I decided to disable the service.

Issue is now gone and pivpn works correct after reboot of the server.

Not sure what will break as i disabled the iptables service (which was inactive anyway), but this at least solves the issue for me.

hope it helps someone :slight_smile:

2

probably it would have been enough to save iptables after they have been corrected.

3

iptables-save
is the correct command right?
How to save iptables firewall rules permanently on Linux - nixCraft (cyberciti.biz)

I needed to look it up

4

yes, this is the way to make iptable rules permanent.

1 Like
5

Hi,
iptables is normally a ‘feature’ I stay clear off as it is not the first time I have burned my fingers on that service :slight_smile:
That is also why I installed UFW as that will function as a sort of front-end to iptables

I also have fail2ban running and that uses iptables to temporarily (!) block ip adresses, so my ‘fear’ is that when saving the iptables to make them permanent i will also be saving the fail2ban rules.

Although now that I disabled the iptables service I am not sure if the firewall / fail2ban is working correct. So need to investigate that

6

I think ufw is just a wrapper for iptables

Also I think rules are presistent in /etc/ufw, been poking around and trying to figure out if there is a ufs save command…it appears there are files that can be manually edited for persistance

/etc/ufw/before*.rules or after*.rules

found this here

also found some more reading materials

7

Hi @WarHawk ,

thanks for sharing and good read!

So based on that I was able to not only fix this issue, but also to stop worrying about whether or not my security was still okay :slight_smile:

UFW is indeed a front-end to iptables and as such there is not need for the iptables-persistent (the service responsible for re-adding the rules after a boot as when booting the iptables are cleared)

pivpn -d will not only check the required firewall rules, but will also add the missing ones. The missing MASQUERADE one is added by pivpn to /etc/ufw/before.rules

*nat
:POSTROUTING ACCEPT [0:0]
 -I POSTROUTING -s 10.128.51.0/24 -o eth0 -j MASQUERADE -m comment --comment openvpn-nat-rule
COMMIT

so on reboot these are correctly added. Issue here was that the the iptables-persistent would remove them again and use its own (saved) set.
So the following needed to be done in order to make this ‘survive’ a reboot:

systemctl stop iptables.service
systemctl disable iptable.service

And note that although I am stopping iptables, it is actually the netfilter-persistent service that this iptables service refers to.

working like a charm now, including surviving reboots :slight_smile:

8

Awesome!!!

Glad you got it working correctly!!!

9

and thank you for thinking along here :slight_smile: