webdigi / AWS-VPN-Server-Setup

Setup your own private, secure, free* VPN on the Amazon AWS Cloud in 10 minutes. CloudFormation

Question Setting Up VPN w/ Fail2Ban IPTable Rules #1

Closed sparkyfen closed 9 years ago

sparkyfen commented 9 years ago

Hey there!

Enjoyed the YouTube video and the article on how to get this setup. Instead of opting for a brand new VM, I attempted to follow your script on an existing VPN. I'm having issues connecting and I believe it has something to do with iptables.

My current script I used to setup my rules is:

#!/bin/sh
# Allow loopback and return traffic for connections this host already tracks
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# FTP control/data (20-21) and implicit FTPS (989-990)
iptables -A INPUT -p tcp --dport 20:21 -j ACCEPT
iptables -A INPUT -p tcp --dport 989:990 -j ACCEPT

# SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Reroute HTTP to 9000 and HTTPS to 9001. nat PREROUTING runs before the
# filter INPUT chain, so INPUT sees the rewritten ports (9000/9001), not 80/443.
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 9000
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 9001

# HTTP/HTTPS, port 5984 and the redirected HTTP port
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 5984 -j ACCEPT
iptables -A INPUT -p tcp --dport 9000 -j ACCEPT

# FTP passive ports
iptables -A INPUT -p tcp --dport 13000:13100 -j ACCEPT

# NAT VPN clients out through eth0 (the second rule already covers the first)
iptables -t nat -A POSTROUTING -s 192.168.42.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Drop everything INPUT has not accepted above. No rule above accepts
# tcp/1723, GRE, udp/500, udp/4500, udp/1701 or ESP, so PPTP and
# L2TP/IPsec traffic ends here.
iptables -A INPUT -j DROP

# Restart Fail2ban so it re-inserts its own chains into INPUT
service fail2ban restart

On this box, I've got a web server on 80/443, FTPS on 990, and now pptpd on 1723. My Amazon Policy rules are: Policy Rules

What could possibly be causing the connection issues? Do you see anything wrong with the policies or the iptables?

I've attempted to log the data from the server and I'm not getting any logs being created.

On the client I get PPTP connect errno = 60 Operation timed out

Thanks!

Edit: Found some logs in the syslog file

Mar 26 23:28:26 ip-172-31-22-92 xl2tpd[2085]: network_thread: select returned error 4 (Interrupted system call)
Mar 26 23:28:26 ip-172-31-22-92 xl2tpd[2085]: death_handler: Fatal signal 15 received
Mar 26 23:28:27 ip-172-31-22-92 xl2tpd[2549]: setsockopt recvref[30]: Protocol not available
Mar 26 23:28:27 ip-172-31-22-92 xl2tpd[2549]: This binary does not support kernel L2TP.
Mar 26 23:28:27 ip-172-31-22-92 xl2tpd[2550]: xl2tpd version xl2tpd-1.3.6 started on ip-172-31-22-92 PID:2550
Mar 26 23:28:27 ip-172-31-22-92 xl2tpd[2550]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Mar 26 23:28:27 ip-172-31-22-92 xl2tpd[2550]: Forked by Scott Balmos and David Stipp, (C) 2001
Mar 26 23:28:27 ip-172-31-22-92 xl2tpd[2550]: Inherited by Jeff McAdams, (C) 2002
Mar 26 23:28:27 ip-172-31-22-92 xl2tpd[2550]: Forked again by Xelerance (www.xelerance.com) (C) 2006
Mar 26 23:28:27 ip-172-31-22-92 xl2tpd[2550]: Listening on IP address 0.0.0.0, port 1701
Mar 26 23:28:39 ip-172-31-22-92 pptpd[2571]: MGR: connections limit (100) reached, extra IP addresses ignored
Mar 26 23:28:39 ip-172-31-22-92 pptpd[2572]: MGR: Manager process started
Mar 26 23:28:39 ip-172-31-22-92 pptpd[2572]: MGR: Maximum of 100 connections available
Mar 26 23:28:51 ip-172-31-22-92 ipsec_setup: Stopping Openswan IPsec...
Mar 26 23:28:52 ip-172-31-22-92 kernel: [8565537.364416] NET: Unregistered protocol family 15
Mar 26 23:28:52 ip-172-31-22-92 ipsec_setup: ...Openswan IPsec stopped
Mar 26 23:28:52 ip-172-31-22-92 kernel: [8565537.391134] NET: Registered protocol family 15
Mar 26 23:28:52 ip-172-31-22-92 ipsec_setup: Starting Openswan IPsec U2.6.38/K3.13.0-36-generic...
Mar 26 23:28:52 ip-172-31-22-92 ipsec_setup: Using NETKEY(XFRM) stack
Mar 26 23:28:52 ip-172-31-22-92 kernel: [8565537.434369] Initializing XFRM netlink socket
Mar 26 23:28:52 ip-172-31-22-92 kernel: [8565537.447638] AVX2 instructions are not detected.
Mar 26 23:28:52 ip-172-31-22-92 kernel: [8565537.456706] AVX2 or AES-NI instructions are not detected.
Mar 26 23:28:52 ip-172-31-22-92 ipsec_setup: ...Openswan IPsec started
Mar 26 23:28:52 ip-172-31-22-92 ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
Mar 26 23:28:52 ip-172-31-22-92 pluto: adjusting ipsec.d to /etc/ipsec.d
Mar 26 23:28:52 ip-172-31-22-92 ipsec__plutorun: 002 added connection description "vpnpsk"
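
The logs above show pptpd, xl2tpd (udp/1701) and Openswan all starting on this box, so a default-DROP INPUT chain has to admit the PPTP control and data channels (tcp/1723, GRE) as well as IKE, NAT-T, ESP and L2TP. The script below is an added example, not the webdigi user-data script or the questioner's own: it audits an iptables-save style dump for those rules and renders a corrected filter table for iptables-restore. The rule text it works on is constructed from the script in the question (FTP, 5984 and 9000 left out for brevity), not captured from a live host, and nothing in it touches a running firewall.

```shell
#!/bin/sh
# Added example (not the webdigi script or the questioner's): audit an iptables
# INPUT chain for the rules a pptpd + xl2tpd/Openswan server needs, and render
# a corrected filter table for iptables-restore. Runs offline on constructed
# rule text; nothing here touches a live firewall.

# The questioner's ACCEPT rules in iptables-save form (constructed from the
# script in the question, not captured from a live host; FTP/5984/9000 omitted).
existing_accepts() {
  cat <<'EOF'
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
EOF
}

# What pptpd (tcp/1723 control, GRE data) and L2TP/IPsec (IKE, NAT-T, ESP,
# L2TP) need on INPUT. udp/1701 is accepted only when the packet arrived
# inside an IPsec SA (xt_policy), so bare L2TP from the internet stays dropped.
vpn_accepts() {
  cat <<'EOF'
-A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -p udp -m policy --dir in --pol ipsec -m udp --dport 1701 -j ACCEPT
EOF
}

# Wrap ACCEPT rules from stdin in a filter table ending in the catch-all DROP.
# -A appends, so on a live box any ACCEPT added after that DROP is unreachable;
# there, insert above it with `iptables -I INPUT <n> ...` instead.
render_filter_table() {
  printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
  cat
  printf '%s\n' '-A INPUT -j DROP' 'COMMIT'
}

current_table() { existing_accepts | render_filter_table; }
fixed_table()   { { existing_accepts; vpn_accepts; } | render_filter_table; }

# Read an iptables-save dump on stdin and print one "missing: ..." line per VPN
# requirement that no INPUT ACCEPT rule covers. Empty output means the chain
# admits both PPTP and L2TP/IPsec. Port ranges (e.g. --dport 1700:1800) are
# not expanded; this checks for explicit single-port rules only.
audit_input_chain() {
  rules=$(grep -E '^-A INPUT .* -j ACCEPT$' || true)
  for req in \
      'tcp:1723:PPTP control (tcp/1723)' \
      'gre:-:PPTP data (GRE, IP protocol 47)' \
      'udp:500:IKE (udp/500)' \
      'udp:4500:IPsec NAT-T (udp/4500)' \
      'udp:1701:L2TP (udp/1701)' \
      'esp:-:IPsec ESP (IP protocol 50)'; do
    proto=${req%%:*}
    rest=${req#*:}
    port=${rest%%:*}
    label=${rest#*:}
    if [ "$port" = "-" ]; then
      pattern="-p $proto( |\$)"
    else
      pattern="-p $proto .*--dport $port( |\$)"
    fi
    printf '%s\n' "$rules" | grep -Eq -e "$pattern" || printf 'missing: %s\n' "$label"
  done
}

# Stand-alone run: list the gaps in the current chain, then print the corrected
# table, which can be fed to `iptables-restore` after review.
main() {
  echo '# audit of the current INPUT chain:'
  current_table | audit_input_chain
  echo '# corrected filter table:'
  fixed_table
}

main "$@"
```

Two caveats the audit does not cover: the same protocols have to be open on the AWS side as well (GRE and ESP are protocol numbers 47 and 50 in a security group, not ports), and the filter INPUT chain only admits the tunnel itself; forwarding client traffic also needs ip_forward enabled and FORWARD/MASQUERADE rules for the VPN address pool, as in the questioner's 192.168.42.0/24 rule.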
webdigi commented 9 years ago

It is hard to troubleshoot since you have not used the standard VPN setup provided.

Can you try and execute these commands on the existing VM? https://github.com/webdigi/AWS-VPN-Server-Setup/blob/master/src/templates/user_data/Webdigi-Base-VPN-UserData.sh.erb The shell scripts are exactly what is performed in the standard install and should work as expected.

sparkyfen commented 9 years ago

@webdigi Thanks, I'll try to use it to troubleshoot the issue more and will come back with questions if need be.