PIA OVPN broke need help with new setup (NextGen)

I couldn’t agree with you more, but I have very limited time to work on the devices, while family members have lots of time to **** that their box doesn’t work lol.
I’m trying to do as many boxes as I can. This one has comments though; the other 3 Veros worked, but I didn’t reboot with the watchdog yet.

Did you make a typo because they’re both 1198??

yes!

sudo iptables -A OUTPUT -o eth0 -p udp -m udp --dport 1197 -m comment --comment openvpn -j ACCEPT

Haha human error happens!

my iptables

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A OUTPUT -o tun0 -m comment --comment vpn -j ACCEPT
-A OUTPUT -o eth0 -p icmp -m comment --comment icmp -j ACCEPT
-A OUTPUT -d 192.168.1.0/24 -o eth0 -m comment --comment lan -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 22 -m comment --comment ssh -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 123 -m comment --comment ntp -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 53 -m comment --comment dns -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 53 -m comment --comment dns -j ACCEPT
-A OUTPUT -o eth0 -j DROP
-A OUTPUT -o eth0 -p udp -m udp --dport 1197 -m comment --comment openvpn -j ACCEPT

save the netstat?

sudo iptables -D OUTPUT -o eth0 -j DROP
sudo iptables -A OUTPUT -o eth0 -j DROP

If openvpn connects, then yes save. Then try rebooting.

Thanks Tom.

It does not on the commented connection; something has to be wrong there. I think it’s the port but no idea how to change it.

Hi,

What’s the output of:

iptables -S

Now?

Thanks Tom.

Same as above on the second instance.

And my 4k (the main instance) keeps freezing for some reason. CPU and RAM load don’t seem to be high but SSH is hard to navigate even.

Wtf this is new
In SSH as admin

/etc/openvpn$ shutdown -r now
Failed to set wall message, ignoring: Connection timed out
Failed to reboot system via logind: Connection timed out
Failed to open /dev/initctl: Permission denied
Failed to talk to init daemon.

This started after the watchdog, I’ve never seen this before or the lack of response unless something was memleaking.

VPN also does not work on the 4k while in that state; if I wait in SSH and do a curl it just gets stuck for more than 20 minutes.

Hi,

If you ssh in as osmc, does it still error? The systemd timer I suggested setting up wouldn’t cause this.

Please post it again, as it shouldn’t be.

Tom.

sudo iptables -D OUTPUT -o eth0 -j DROP

Yes the above is the SSH outcome
How the hell can I get out of this? It’s totally locked down (hard reboot, but… that still triggers the timer).

What exactly do you want to see? The iptables from the Pi? Because all Veros and 4Ks are the same; they work fine (with the exception above on my main 4K that I added the timer to). But the iptables of the Pi3 are still the same.

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A OUTPUT -o tun0 -m comment --comment vpn -j ACCEPT
-A OUTPUT -o eth0 -p icmp -m comment --comment icmp -j ACCEPT
-A OUTPUT -d 192.168.1.0/24 -o eth0 -m comment --comment lan -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 22 -m comment --comment ssh -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 123 -m comment --comment ntp -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 53 -m comment --comment dns -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 53 -m comment --comment dns -j ACCEPT
-A OUTPUT -o eth0 -j DROP
-A OUTPUT -o eth0 -p udp -m udp --dport 1197 -m comment --comment openvpn -j ACCEPT

No internet on the Pi.

I can’t show my iptables on the Vero 4K because it’s stuck in a loop now, and manual shutdown (with the remote) and forced shutdown (SSH, see above error) don’t work anymore!

Hi,

If you think it’s the timer, you can stop and disable it with:

sudo systemctl start openvpn-watchdog.timer
sudo systemctl enable openvpn-watchdog.timer

 sudo systemctl stop openvpn-watchdog.timer
 sudo systemctl disable openvpn-watchdog.timer

On the pi, does it work if you issue:

sudo iptables -D OUTPUT -o eth0 -j DROP

If you get an error when issuing the command, please post it.

Thanks Tom.

Stuck on
sudo systemctl start openvpn-watchdog.timer
_
Ah it moved

Failed to start openvpn-watchdog.timer: Connection timed out
See system logs and ‘systemctl status openvpn-watchdog.timer’ for details.

Works fine. I think it might be one of the iptables rules, I don’t know how to remove them though (with the --comment and stuff).

Hi,

Actually it’s been a long day, sorry, those commands should have been (I’ll edit the post):

sudo systemctl stop openvpn-watchdog.timer
sudo systemctl disable openvpn-watchdog.timer

But if it’s failing to start, can you please post the output of these commands:

cat /etc/systemd/system/openvpn-watchdog.timer
cat /etc/systemd/system/openvpn-watchdog.service

As advised above, comments don’t make any difference. But to save going round in circles, let’s start iptables from scratch, and if you think there is an issue with the comments, try this:

sudo iptables -F

sudo iptables -A OUTPUT -o tun0 -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p icmp -j ACCEPT
sudo iptables -A OUTPUT -d 192.168.1.0/24 -o eth0 -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p udp -m udp --dport 1197 -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p tcp -m tcp --sport 22 -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p udp -m udp --dport 123 -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p udp -m udp --dport 53 -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p tcp -m tcp --dport 53 -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -j DROP

Thanks Tom.
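The listings posted earlier in this thread show why the Pi had no internet: the openvpn ACCEPT was appended after the catch-all `-o eth0 -j DROP`, so it could never match (iptables evaluates rules top to bottom and stops at the first match). The script below is an added example, not from this thread or from OSMC; it reads `iptables -S` output (a constructed sample here) and reports any OUTPUT rule shadowed by an earlier unconditional DROP on the same interface, and shows the corrected order that `iptables -D … DROP` followed by `iptables -A … DROP` produces.

```shell
#!/usr/bin/env bash
# Constructed sample of `iptables -S` output, modelled on the listing in the
# thread: the openvpn ACCEPT sits after the catch-all DROP and is dead.
SAMPLE_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A OUTPUT -o tun0 -m comment --comment vpn -j ACCEPT
-A OUTPUT -o eth0 -p icmp -m comment --comment icmp -j ACCEPT
-A OUTPUT -d 192.168.1.0/24 -o eth0 -m comment --comment lan -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 53 -m comment --comment dns -j ACCEPT
-A OUTPUT -o eth0 -j DROP
-A OUTPUT -o eth0 -p udp -m udp --dport 1197 -m comment --comment openvpn -j ACCEPT'

# shadowed_rules: read `iptables -S` on stdin and print each OUTPUT rule that
# comes after an unconditional "-A OUTPUT -o IFACE -j DROP" for its interface.
# Such rules never match because the DROP is evaluated first.
shadowed_rules() {
    awk '
    $1 == "-A" && $2 == "OUTPUT" {
        iface = ""
        for (i = 3; i <= NF; i++) if ($i == "-o") iface = $(i + 1)
        # unconditional drop has exactly six fields: -A OUTPUT -o IFACE -j DROP
        if (NF == 6 && $3 == "-o" && $5 == "-j" && $6 == "DROP") {
            dropped[iface] = 1
            next
        }
        if (iface != "" && dropped[iface]) print
    }'
}

# check_killswitch: exit 0 when no OUTPUT rule is shadowed, 1 otherwise.
check_killswitch() {
    [ -z "$(shadowed_rules)" ]
}

# drop_last: rewrite the listing with every unconditional OUTPUT DROP moved to
# the end, which is the order the live chain has after deleting and re-adding
# the DROP rule as suggested in the thread.
drop_last() {
    awk '
    $1 == "-A" && $2 == "OUTPUT" && NF == 6 && $3 == "-o" && $6 == "DROP" {
        held[++n] = $0; next
    }
    { print }
    END { for (i = 1; i <= n; i++) print held[i] }'
}

# Usage on a live box: sudo iptables -S | shadowed_rules
```

Run `sudo iptables -S | check_killswitch || echo "DROP is not last"` before `netfilter-persistent save` so a shadowed rule is never persisted.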

Happens to the best of us.

:/etc/openvpn$ sudo systemctl stop openvpn-watchdog.timer
Failed to stop openvpn-watchdog.timer: Unit openvpn-watchdog.timer not loaded.

So that’s not it…

This is on the pi now

sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -o eth0 -p icmp -j ACCEPT
-A OUTPUT -d 192.168.1.0/24 -o eth0 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 1197 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 53 -j ACCEPT

netstat save or iptables save, I honestly don’t remember. And sorry for making you work 2 things at once.

Hi,

It would still be good to see the output of:

cat /etc/systemd/system/openvpn-watchdog.timer
cat /etc/systemd/system/openvpn-watchdog.service

At this point, I’m not sure what else to suggest for the Vero 4K other than backing up your settings via MyOSMC and reinstalling:

Restore your settings, then setup openvpn again with the instructions I posted earlier. Once the vpn is working again, I would try setting up the iptables kill switch; then possibly the watchdog timer.

Is it connected to the VPN? What’s the output of:

curl https://ipinfo.io/ip

Thanks Tom.

cat /etc/systemd/system/openvpn-watchdog.timer
cat: /etc/systemd/system/openvpn-watchdog.timer: No such file or directory

 cat /etc/systemd/system/openvpn-watchdog.service
[Unit]
Description=OpenVPN Watchdog service
ConditionPathExists=!/proc/sys/net/ipv4/conf/tun0

[Service]
ExecStart=/bin/systemctl restart openvpn@RO

[Install]
WantedBy=multi-user.target

Wow seriously mate? I never had any issues! The only thing that changed was what we did before.
But, someone was bitching that the media box restarted (auto switches channel on TV) so I think it’s alive again. I can’t force reboot right now because I’ll get murdered lmao but they’re watching a show on it right now so it at least responds again.

There also seems to be a vpn connection on both devices now, no idea if the killswitch works but the vpn seems to work.

Hi,

What change is that? Cos it isn’t the timer, as it hasn’t been created:

Once the issue that prevents restarting is fixed, please re-read my post for creating the timer, as you have missed some steps:

Is the vpn now working on the PI?

Thanks Tom.

I have no idea, it might just have been a glitch. Who knows!

I read the post, but for some reason… I think I’m just an idiot when it comes to this; if it’s new for me I’m oblivious and make a lot of mistakes. So I have no idea which part to actually take from that and which not (I’m sorry, I know you’ve had a long day).

Seems like it! I’m getting a different IP and iptables are

sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -o eth0 -p icmp -j ACCEPT
-A OUTPUT -d 192.168.1.0/24 -o eth0 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 1197 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -o eth0 -j DROP

I just need to net save state? Or whatever the command was.

Hi,

sudo netfilter-persistent save

and when you get a chance, reboot the pi and make sure the vpn comes up.

I think the bits you are missing are creating the timer, starting and enabling; all you have created is the service. I think these should get it going:

sudo nano /etc/systemd/system/openvpn-watchdog.timer :

[Unit]
Description=OpenVPN Watchdog timer

[Timer]
OnCalendar=*:0/15

[Install]
WantedBy=timers.target

Then issue:

sudo systemctl start openvpn-watchdog.timer
sudo systemctl enable openvpn-watchdog.timer

Thanks Tom.