How to block internet connection when VPN fails?

korilius
Posts: 422
Joined: 2012-04-10 00:53
Location: US/IN
Has thanked: 3 times

Re: How to block internet connection when VPN fails?

#31 Post by korilius »

Nice thread. I understand routing but never had the need to do it on Debian; good stuff.

Danielorum
Posts: 32
Joined: 2013-10-21 17:47

Re: How to block internet connection when VPN fails?

#32 Post by Danielorum »

Hello again!

Remember me? :)

Well, I finally figured out how I wrote the iptables rules into the persistent package. However, I experience that incoming and outgoing internet traffic gets blocked when I start the persistent package or reboot the server. I do this:

I load the script as always:

./script.sh

I then do:

iptables-save > /etc/iptables/rules

and the rules are written into /etc/iptables/rules

The file looks like this:

Code:

# Generated by iptables-save v1.4.8 on Thu Jan 23 16:31:13 2014
*filter
:INPUT DROP [62:3471]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [354:36362]
-A INPUT -i lo -j ACCEPT 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -s 192.168.1.0/24 -i eth0 -j ACCEPT 
-A INPUT -i tun0 -p tcp -m tcp --dport 11633 -j ACCEPT 
-A INPUT -i tun0 -p udp -m udp --dport 11633 -j ACCEPT 
-A OUTPUT -d 192.168.1.0/24 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A OUTPUT -d 192.168.1.0/24 -o eth0 -p udp -m udp --sport 68 --dport 67 -j ACCEPT 
-A OUTPUT -d 192.168.1.0/24 -o eth0 -p udp -m udp --dport 138 -j ACCEPT 
-A OUTPUT -d 192.168.1.0/24 -o eth0 -p udp -m udp --dport 137 -j ACCEPT 
-A OUTPUT -d xx.xx.xx.xx/xx -j ACCEPT 
-A OUTPUT -d xx.xx.xx.xx/xx -j ACCEPT 
-A OUTPUT -d xx.xx.xx.xx/xx -j ACCEPT 
-A OUTPUT -d xx.xx.xx.xx/xx -j ACCEPT 
-A OUTPUT -d xx.xx.xx.xx/xx -j ACCEPT 
-A OUTPUT -d xx.xx.xx.xx/xx -j ACCEPT 
-A OUTPUT -d xx.xx.xx.xx/xx -j ACCEPT 
-A OUTPUT -d xx.xx.xx.xx/xx -j ACCEPT 
-A OUTPUT -d xx.xx.xx.xx/xx -j ACCEPT 
-A OUTPUT -d xx.xx.xx.xx/xx -j ACCEPT 
-A OUTPUT -d xx.xx.xx.xx/xx -j ACCEPT 
-A OUTPUT -d xx.xx.xx.xx/xx -j ACCEPT 
-A OUTPUT -d xx.xx.xx.xx/xx -j ACCEPT 
-A OUTPUT -d xx.xx.xx.xx/xx -j ACCEPT 
-A OUTPUT -d xx.xx.xx.xx/xx -j ACCEPT 
-A OUTPUT -d xx.xx.xx.xx/xx -j ACCEPT 
-A OUTPUT -d xx.xx.xx.xx/xx -j ACCEPT 
-A OUTPUT -o eth0 -j LOG 
-A OUTPUT -o eth0 -j REJECT --reject-with icmp-port-unreachable 
COMMIT
# Completed on Thu Jan 23 16:31:13 2014

If I reboot or do:

service iptables.persistent start

I get no connection to the outside. I can still access my server through the LAN connection.

When I do:

curl ifconfig.me

I get this:

curl: (6) Couldn't resolve host 'ifconfig.me'

If I clear out the rules and reboot, everything is working fine again. Also, if I run "script.sh" with the rules, it works as it has always done.

The "rules" file has octal mode 0644.

What do you make of this?

Thanks a bunch once more! :)

M51
Posts: 397
Joined: 2013-05-13 01:38

Re: How to block internet connection when VPN fails?

#33 Post by M51 »

Do you mean you can't establish a vpn connection, or can't access anything after a vpn connection is made?

What's being blocked according to the log?

Danielorum
Posts: 32
Joined: 2013-10-21 17:47

Re: How to block internet connection when VPN fails?

#34 Post by Danielorum »

I mean that I can't access anything outside of my network when the rules have been applied to the persistent package and started. This is both when the VPN service is running and when I have shut it down. I did this:

/etc/init.d/openvpn stop

and reset the network card, but still I can't get internet access. It seems like the persistent package somehow blocks access...

This command:

tail -F /var/log/syslog

gave me this output:

Code:

Jan 24 12:30:50 my-vpn-service[1895]: RESOLVE: Cannot resolve host address: my-vpn-service.com: [HOST_NOT_FOUND] The specified host is unknown.
Jan 24 12:30:50 openmediavault kernel: [  120.347867] IN= OUT=eth0 SRC=192.168.1.52 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=20622 DF PROTO=UDP SPT=59693 DPT=53 LEN=40
Jan 24 12:30:50 openmediavault kernel: [  120.347894] IN= OUT=eth0 SRC=192.168.1.52 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=20622 DF PROTO=UDP SPT=51779 DPT=53 LEN=40
Jan 24 12:30:50 openmediavault kernel: [  120.347919] IN= OUT=eth0 SRC=192.168.1.52 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=20622 DF PROTO=UDP SPT=36195 DPT=53 LEN=40
Jan 24 12:30:50 openmediavault kernel: [  120.347950] IN= OUT=eth0 SRC=192.168.1.52 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=20622 DF PROTO=UDP SPT=33922 DPT=53 LEN=40
Jan 24 12:30:50 openmediavault kernel: [  120.347974] IN= OUT=eth0 SRC=192.168.1.52 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=20622 DF PROTO=UDP SPT=51281 DPT=53 LEN=40
Jan 24 12:30:50 openmediavault kernel: [  120.347997] IN= OUT=eth0 SRC=192.168.1.52 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=20622 DF PROTO=UDP SPT=50715 DPT=53 LEN=40
Jan 24 12:30:50 openmediavault kernel: [  120.348045] IN= OUT=eth0 SRC=192.168.1.52 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=20623 DF PROTO=UDP SPT=37967 DPT=53 LEN=40
Jan 24 12:30:55 my-vpn-service[1895]: RESOLVE: Cannot resolve host address: my-vpn-service.com: [HOST_NOT_FOUND] The specified host is unknown.
Jan 24 12:30:55 openmediavault kernel: [  125.348509] IN= OUT=eth0 SRC=192.168.1.52 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21873 DF PROTO=UDP SPT=47752 DPT=53 LEN=40
Jan 24 12:30:55 openmediavault kernel: [  125.348566] IN= OUT=eth0 SRC=192.168.1.52 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21873 DF PROTO=UDP SPT=34005 DPT=53 LEN=40
Jan 24 12:30:55 openmediavault kernel: [  125.348591] IN= OUT=eth0 SRC=192.168.1.52 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21873 DF PROTO=UDP SPT=46351 DPT=53 LEN=40
Jan 24 12:30:55 openmediavault kernel: [  125.348615] IN= OUT=eth0 SRC=192.168.1.52 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21873 DF PROTO=UDP SPT=48185 DPT=53 LEN=40
Jan 24 12:30:55 openmediavault kernel: [  125.348645] IN= OUT=eth0 SRC=192.168.1.52 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21873 DF PROTO=UDP SPT=51412 DPT=53 LEN=40
Jan 24 12:30:55 openmediavault kernel: [  125.348673] IN= OUT=eth0 SRC=192.168.1.52 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21873 DF PROTO=UDP SPT=50740 DPT=53 LEN=40
Jan 24 12:30:55 openmediavault kernel: [  125.348697] IN= OUT=eth0 SRC=192.168.1.52 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21873 DF PROTO=UDP SPT=43808 DPT=53 LEN=40
Jan 24 12:30:55 openmediavault kernel: [  125.348720] IN= OUT=eth0 SRC=192.168.1.52 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21873 DF PROTO=UDP SPT=59430 DPT=53 LEN=40
Jan 24 12:31:00 my-vpn-service[1895]: RESOLVE: Cannot resolve host address: my-vpn-service.com: [HOST_NOT_FOUND] The specified host is unknown.
Jan 24 12:31:00 openmediavault kernel: [  130.349109] IN= OUT=eth0 SRC=192.168.1.52 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=23123 DF PROTO=UDP SPT=58696 DPT=53 LEN=40
Jan 24 12:31:00 openmediavault kernel: [  130.349165] IN= OUT=eth0 SRC=192.168.1.52 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=23123 DF PROTO=UDP SPT=54109 DPT=53 LEN=40
Jan 24 12:31:00 openmediavault kernel: [  130.349190] IN= OUT=eth0 SRC=192.168.1.52 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=23123 DF PROTO=UDP SPT=38870 DPT=53 LEN=40
Jan 24 12:31:00 openmediavault kernel: [  130.349214] IN= OUT=eth0 SRC=192.168.1.52 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=23123 DF PROTO=UDP SPT=57717 DPT=53 LEN=40
Jan 24 12:31:00 openmediavault kernel: [  130.349245] IN= OUT=eth0 SRC=192.168.1.52 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=23123 DF PROTO=UDP SPT=56399 DPT=53 LEN=40
Jan 24 12:31:00 openmediavault kernel: [  130.349268] IN= OUT=eth0 SRC=192.168.1.52 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=23123 DF PROTO=UDP SPT=52345 DPT=53 LEN=40
Jan 24 12:31:00 openmediavault kernel: [  130.349292] IN= OUT=eth0 SRC=192.168.1.52 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=23123 DF PROTO=UDP SPT=51690 DPT=53 LEN=40
Jan 24 12:31:00 openmediavault kernel: [  130.349316] IN= OUT=eth0 SRC=192.168.1.52 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=23123 DF PROTO=UDP SPT=48422 DPT=53 LEN=40
Jan 24 12:31:05 my-vpn-service[1895]: RESOLVE: Cannot resolve host address: my-vpn-service.com: [HOST_NOT_FOUND] The specified host is unknown.
Jan 24 12:31:05 openmediavault kernel: [  135.349712] IN= OUT=eth0 SRC=192.168.1.52 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=24373 DF PROTO=UDP SPT=58964 DPT=53 LEN=40
Jan 24 12:31:05 openmediavault kernel: [  135.349771] IN= OUT=eth0 SRC=192.168.1.52 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=24373 DF PROTO=UDP SPT=44290 DPT=53 LEN=40
Jan 24 12:31:05 openmediavault kernel: [  135.349798] IN= OUT=eth0 SRC=192.168.1.52 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=24373 DF PROTO=UDP SPT=51494 DPT=53 LEN=40
Jan 24 12:31:05 openmediavault kernel: [  135.349823] IN= OUT=eth0 SRC=192.168.1.52 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=24373 DF PROTO=UDP SPT=60726 DPT=53 LEN=40
Jan 24 12:31:05 openmediavault kernel: [  135.349854] IN= OUT=eth0 SRC=192.168.1.52 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=24373 DF PROTO=UDP SPT=36489 DPT=53 LEN=40
Jan 24 12:31:05 openmediavault kernel: [  135.349878] IN= OUT=eth0 SRC=192.168.1.52 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=24373 DF PROTO=UDP SPT=55027 DPT=53 LEN=40
Jan 24 12:31:05 openmediavault kernel: [  135.349902] IN= OUT=eth0 SRC=192.168.1.52 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=24373 DF PROTO=UDP SPT=60233 DPT=53 LEN=40

So this goes on and on.

I hope this answers your question...else please let me know!

M51
Posts: 397
Joined: 2013-05-13 01:38

Re: How to block internet connection when VPN fails?

#35 Post by M51 »

The log indicates outbound DNS queries are being blocked. The rules we put together are specifically designed to do just that, to prevent DNS leaks when the vpn drops. The rules will block all non-vpn outbound access except what we specifically allowed.

If you really need to access the outside world from that machine while not connected to a vpn, then you need to run iptables -F to flush the rules. All access will be restored until you either reboot or re-run the rules script.

Danielorum
Posts: 32
Joined: 2013-10-21 17:47

Re: How to block internet connection when VPN fails?

#36 Post by Danielorum »

I see that I am a clown at describing these things. I might not have been precise enough in my description of my problem.

It works great with the script which adds the iptables rules while I'm connected to the VPN. I only want to access the internet from my server through a VPN. Now I want the iptables rules to stick so that they are automatically applied when the server is rebooted. But when I apply the rules to the persistent package program, the internet connection is blocked. Is there a command where I can log and see what is preventing my server from reaching the internet?

M51
Posts: 397
Joined: 2013-05-13 01:38

Re: How to block internet connection when VPN fails?

#37 Post by M51 »

So if you just run the script, you can still access your vpn and everything is ok, but if you apply the rules via the iptables-persistent package, then you can no longer connect to the vpn at all?

Danielorum
Posts: 32
Joined: 2013-10-21 17:47

Re: How to block internet connection when VPN fails?

#38 Post by Danielorum »

Yes, that is correct. Exactly what is the problem...

M51
Posts: 397
Joined: 2013-05-13 01:38

Re: How to block internet connection when VPN fails?

#39 Post by M51 »

I don't understand why the behavior would be different between running it manually and using iptables-persistent.

I'm wondering about the following line in your log:

Code:

Jan 24 12:30:55 my-vpn-service[1895]: RESOLVE: Cannot resolve host address: my-vpn-service.com: [HOST_NOT_FOUND] The specified host is unknown.

Obviously "my-vpn-service" is trying to resolve a DNS host. But if you can't connect to the VPN, DNS queries will not work. Is it possible your VPN is trying to connect by host name instead of by IP address? How do you connect, e.g. by openvpn command line, network manager, other software?

Danielorum
Posts: 32
Joined: 2013-10-21 17:47

Re: How to block internet connection when VPN fails?

#40 Post by Danielorum »

I installed openvpn as such:

sudo apt-get install openvpn resolvconf

And I copied some files I received from my VPN provider into the openvpn folder. Certificates, I think...

It is weird, because it immediately says "Couldn't resolve host 'ifconfig.me'" when I do:

curl ifconfig.me

And of course the persistent package is running with the rules.

In my UI for the server, I have 8.8.8.8 (Google's DNS server) as primary, and nothing as secondary. If I remove this DNS server entry from the UI, or enter the other DNS server I find in resolv.conf (probably the DNS for my VPN provider) in my UI as primary instead of the 8.8.8.8 one, I get the same error. But now it takes like 10 seconds before it responds with "Couldn't resolve host 'ifconfig.me'".

I reboot my server every time I make a change, just to be sure the settings have been applied properly. I really don't understand what is going on here. Don't you think this is a DNS issue?

I hope it makes sense. :)

M51
Posts: 397
Joined: 2013-05-13 01:38

Re: How to block internet connection when VPN fails?

#41 Post by M51 »

"curl ifconfig.me" is only going to work if you manage to connect to the vpn first.

We need to figure out why you can't connect to the VPN. What happens when you try?

Typically, you will also get some *.ovpn files from your VPN provider. They will be text files which include a line which begins with the word 'remote' followed by an IP address and possibly a port number. This is where the script gets the IP addresses of your VPN servers to add to the iptables rules.

Danielorum
Posts: 32
Joined: 2013-10-21 17:47

Re: How to block internet connection when VPN fails?

#42 Post by Danielorum »

Yes, I have found the hostname I'm connecting with. It's not an IP address. No port is specified in the remote line. But some text tells me that if I'm behind a very strict firewall, I can use their tunnels on TCP port 443 and on UDP 53.

When I do:

iptables -L -n

I get a whole bunch of IP addresses that are associated with my VPN. So somehow I get all the VPN's IP addresses...!

Now when I add the rules to the persistent package and start it, I lose the internet connection. The VPN says that it's running, and restarting it doesn't help. Only when I delete the rules and restart the server again can I get a connection to the outside. Perhaps the problem lies with the persistent package? Because the rules work fine when I just execute the script. Wouldn't it just be easier to somehow make my Debian system run "script.sh" first thing after it boots up, so we avoid using the persistent package?

M51
Posts: 397
Joined: 2013-05-13 01:38

Re: How to block internet connection when VPN fails?

#43 Post by M51 »

Danielorum wrote: "Yes, I have found the hostname I'm connecting with. It's not an IP address."

This is the problem.

I highly doubt it relates to the iptables-persistent package. Somehow you are doing things differently when running the script manually. Perhaps the name has already been resolved and cached at that point.

Anyway, if you just want to run the script at boot, add a line to /etc/rc.local which runs the script (just above the exit line). Keep in mind that since rc.local runs last at boot and does not use dependency based ordering like a true init script, there will be a small window of time after the network starts but before the script has run where the rules are not in effect. Probably not a big deal.

Danielorum
Posts: 32
Joined: 2013-10-21 17:47

Re: How to block internet connection when VPN fails?

#44 Post by Danielorum »

Yes, it did the trick. I entered the command into:

/etc/rc.local

And it works now. Thanks so much :)

Danielorum
Posts: 32
Joined: 2013-10-21 17:47

Re: How to block internet connection when VPN fails?

#45 Post by Danielorum »

Hello again.

Last time we spoke I couldn't run the script with iptables rules if I had them loaded into the persistent package and rebooted. Instead I tried running the script at startup with:

/etc/rc.local

but it only worked for a short couple of reboots. I also tried:

crontab -e

and made the script start at reboot with "@reboot", but this also only lasted until I rebooted a couple of times!!!!

Now I'm running the script on my Raspberry Pi instead, and I get the exact same problem:

tail -F /var/log/syslog

gives me this:

Code:

May  2 06:11:55 raspberrypi ovpn-xxxxxx_xxxx[2269]: RESOLVE: Cannot resolve host address: my.vpnservice.net: [TRY_AGAIN] A temporary error occurred on an authoritative name server.
May  2 06:11:55 raspberrypi kernel: [  352.728416] IN= OUT=eth0 SRC=192.168.1.46 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=6524 DF PROTO=UDP SPT=43280 DPT=53 LEN=40
May  2 06:11:55 raspberrypi kernel: [  352.728841] IN= OUT=eth0 SRC=192.168.1.46 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=6525 DF PROTO=UDP SPT=36739 DPT=53 LEN=40
May  2 06:12:00 raspberrypi kernel: [  357.732380] IN= OUT=eth0 SRC=192.168.1.46 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=6526 DF PROTO=UDP SPT=42315 DPT=53 LEN=40
May  2 06:12:00 raspberrypi kernel: [  357.732811] IN= OUT=eth0 SRC=192.168.1.46 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=6527 DF PROTO=UDP SPT=34426 DPT=53 LEN=40
May  2 06:12:00 raspberrypi kernel: [  357.733165] IN= OUT=eth0 SRC=192.168.1.46 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=6528 DF PROTO=UDP SPT=50955 DPT=53 LEN=40
May  2 06:12:00 raspberrypi kernel: [  357.733574] IN= OUT=eth0 SRC=192.168.1.46 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=6529 DF PROTO=UDP SPT=57921 DPT=53 LEN=40
May  2 06:12:00 raspberrypi ovpn-xxxxx_xxxxx[2269]: RESOLVE: Cannot resolve host address: my.vpnservice.net: [TRY_AGAIN] A temporary error occurred on an authoritative name server.
May  2 06:12:00 raspberrypi kernel: [  357.736924] IN= OUT=eth0 SRC=192.168.1.46 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=6530 DF PROTO=UDP SPT=53600 DPT=53 LEN=40
May  2 06:12:00 raspberrypi kernel: [  357.737332] IN= OUT=eth0 SRC=192.168.1.46 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=6531 DF PROTO=UDP SPT=38607 DPT=53 LEN=40
May  2 06:12:00 raspberrypi kernel: [  357.737682] IN= OUT=eth0 SRC=192.168.1.46 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=6532 DF PROTO=UDP SPT=41120 DPT=53 LEN=40
May  2 06:12:00 raspberrypi kernel: [  357.738029] IN= OUT=eth0 SRC=192.168.1.46 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=6533 DF PROTO=UDP SPT=50803 DPT=53 LEN=40
May  2 06:12:05 raspberrypi ovpn-xxxxx_xxxxx[2269]: RESOLVE: Cannot resolve host address: my.vpnservice.net: [TRY_AGAIN] A temporary error occurred on an authoritative name server.
May  2 06:12:05 raspberrypi kernel: [  362.740626] IN= OUT=eth0 SRC=192.168.1.46 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=6534 DF PROTO=UDP SPT=40432 DPT=53 LEN=40
May  2 06:12:05 raspberrypi kernel: [  362.741058] IN= OUT=eth0 SRC=192.168.1.46 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=6535 DF PROTO=UDP SPT=43431 DPT=53 LEN=40
May  2 06:12:05 raspberrypi kernel: [  362.741414] IN= OUT=eth0 SRC=192.168.1.46 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=6536 DF PROTO=UDP SPT=59058 DPT=53 LEN=40
May  2 06:12:05 raspberrypi kernel: [  362.741762] IN= OUT=eth0 SRC=192.168.1.46 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=6537 DF PROTO=UDP SPT=35246 DPT=53 LEN=40
May  2 06:12:05 raspberrypi kernel: [  362.742171] IN= OUT=eth0 SRC=192.168.1.46 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=6538 DF PROTO=UDP SPT=57676 DPT=53 LEN=40
May  2 06:12:05 raspberrypi kernel: [  362.742524] IN= OUT=eth0 SRC=192.168.1.46 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=6539 DF PROTO=UDP SPT=37033 DPT=53 LEN=40
May  2 06:12:05 raspberrypi kernel: [  362.742869] IN= OUT=eth0 SRC=192.168.1.46 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=6540 DF PROTO=UDP SPT=57042

Do you think it would solve the problem if I made rules allowing all my VPN provider's IP addresses? And perhaps the hostnames?

I just really think there is an easier way of doing this than loading "script.sh" manually and crossing my fingers that my system doesn't reboot.
I noticed that if I didn't specify a DNS in "/etc/network/interfaces" I couldn't reach the outside when connected to the VPN and had the rules manually applied.
I added 8.8.8.8 as DNS and that worked. But again, this was only if I loaded script.sh manually.

Forgive me for bringing this old thread up, but I have been wanting to ask you about this again for some time now.

Again, thanks for your time!

M51
Posts: 397
Joined: 2013-05-13 01:38

Re: How to block internet connection when VPN fails?

#46 Post by M51 »

Ok, from your logs, what you have is an issue resolving the hostname of your vpn provider.

Once the script has placed the iptables rules in effect, you cannot resolve any hostnames. This is by design, because to allow resolution would automatically allow DNS leaks if your vpn drops.

You could place entries in your /etc/hosts file for any names you need. Note these will not be dynamic; if the ip changes, communication will break.

I'm not sure if placing a rule in iptables allowing outbound communication to your vpn provider's hostname will work. Iptables resolves the names to ip addresses at the time the rules are loaded, so if the machine is up a long time and the ip changes, the rule will be wrong. Additionally, since we are blocking DNS traffic, I'm unsure if the machine will ever be able to resolve the name when it starts processing the rules...you could always try it and see.

Alternatively, you could add lines at the start of the script to resolve the names and rely on the DNS cache holding them for some time (this is probably why your current setup works for some time: the values are cached and it stops working when the cache is cleared or times out). Even fancier, you could resolve them and write them into the /etc/hosts file, which would still have an issue if the machine is up a long time and the provider's ip changes, but would work otherwise. Just be careful not to clobber your hosts file or add new entries on each boot without removing the old ones. An easy way would be to add a dummy entry to the hosts file and have the script use sed to replace the ip with the one the script gets.

Danielorum
Posts: 32
Joined: 2013-10-21 17:47

Re: How to block internet connection when VPN fails?

#47 Post by Danielorum »

Right, that makes sense.

But what would you do to solve this problem if you were me? I must admit, this is a little bit over my head.

From what you wrote, I would prefer the last option, where I load the IP addresses into the hosts file. But I would like some solution that would just work all the time. But I see a lot of my VPN provider's IP addresses when I do:

iptables -L -n

So to check if you are right, could I then do this in my hosts file?:

Code:

123.123.123.123   Vpnhostname.com
321.321.321.321    vpnhostname.com

And so on and so on..?

If the dummy method is the best bet, could you give me an example of how it would look, or perhaps point me in the right direction with some links?

Here is an experimental thought. What if I asked my VPN provider if I could connect directly to an IP? Wouldn't this solve the problem? In my OpenVPN config from my provider I'm able to choose between a couple of different hostnames; perhaps I could input an IP address there and connect directly?

This was always in my config file, don't know if it's relevant:

#Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

M51
Posts: 397
Joined: 2013-05-13 01:38

Re: How to block internet connection when VPN fails?

#48 Post by M51 »

You should be able to connect directly to an IP. That's what I do.

If you want to add an entry into the hosts 'dynamically', do this in your script before you start setting iptables rules:

HOST=vpnhostname.com
# drop any stale line for this host before adding the fresh one
sed -i "/$HOST/d" /etc/hosts
# `host` prints "NAME has address A.B.C.D"; keep only the first A record
IP=$(host "$HOST" | grep "$HOST has address" | head -n 1 | cut -d' ' -f4)
if [ -z "$IP" ]
then
    echo "Unable to resolve $HOST" >&2
    exit 1
fi
echo "$IP $HOST" >> /etc/hosts

Danielorum
Posts: 32
Joined: 2013-10-21 17:47

Re: How to block internet connection when VPN fails?

#49 Post by Danielorum »

I wasn't able to use the script. It kept telling me that it couldn't resolve the hostname... I even tried with different hostnames...

BUT!.. and here comes the fun part:

I tried to input an ip address and a hostname into /etc/hosts

and that worked!! Tried to restart a couple of times, and the connection is stable and the iptables rules are loaded with the persistent package, so I guess this solution works for me!! I'm so happy now. Thanks again!!!

M51
Posts: 397
Joined: 2013-05-13 01:38

Re: How to block internet connection when VPN fails?

#50 Post by M51 »

The script probably didn't work because the iptables rules were already in effect. It will only work if the iptables rules are empty when the resolution occurs.

Glad to hear you got it working.
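As an added example (not code from the thread or from any of its posters), here is a POSIX sh script that puts M51's advice from #46, #48 and #50 together: it refuses to run if filter rules are already loaded (outbound DNS would already be dropped), resolves the VPN hostname, replaces any old line for that host in /etc/hosts without touching the rest of the file, and only then restores the rules from the iptables-save file. The hostname vpnhostname.example, the rules path /etc/iptables/rules and the use of `iptables -S` are assumptions; run it as root before the rules are loaded, e.g. from rc.local.

```shell
#!/bin/sh
# Added example, not from the thread. Pin the VPN server's address in
# /etc/hosts while DNS still works, then load the iptables rules that
# block port 53. Hostname and paths below are assumptions.

# Extract the first IPv4 address from the text that `host NAME` prints.
# The text is passed as an argument so the parsing can run offline.
first_ipv4_from_host_output() {
    printf '%s\n' "$1" | awk '/ has address /{ print $4; exit }'
}

# Replace every hosts-file line naming HOST with one fresh "IP HOST" line,
# so repeated boots never accumulate stale entries. Comment lines are
# kept, and the file is rewritten in place (same inode and permissions).
pin_host_entry() {
    file=$1; host=$2; ip=$3
    tmp=$(mktemp) || return 1
    awk -v h="$host" '
        /^#/ { print; next }
        { keep = 1
          for (i = 2; i <= NF; i++) if ($i == h) keep = 0
          if (keep) print }' "$file" > "$tmp"
    printf '%s\t%s\n' "$ip" "$host" >> "$tmp"
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# Count user-added rules in `iptables -S` output: "-P" lines are chain
# policies, "-A" lines are rules. Text is passed in so it can be tested.
count_filter_rules() {
    printf '%s\n' "$1" | grep -c '^-A ' || true
}

main() {
    vpn_host=$1                              # e.g. vpnhostname.example (assumed)
    rules_file=${2:-/etc/iptables/rules}     # iptables-save output, as in the thread
    # Once the rules are in, outbound DNS is dropped, so resolution must
    # happen before they are loaded (M51's point in #50).
    if [ "$(count_filter_rules "$(iptables -S)")" -ne 0 ]; then
        echo "filter rules already loaded; flush them (iptables -F) first" >&2
        return 1
    fi
    ip=$(first_ipv4_from_host_output "$(host "$vpn_host")")
    if [ -z "$ip" ]; then
        echo "Unable to resolve $vpn_host; not loading rules" >&2
        return 1
    fi
    pin_host_entry /etc/hosts "$vpn_host" "$ip"
    iptables-restore < "$rules_file"
}

# Only act when given a hostname, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Usage from rc.local would be `/path/to/vpn-pin.sh vpnhostname.example /etc/iptables/rules`; OpenVPN then resolves the name from /etc/hosts even though port 53 is blocked.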
