I just set up my iptables killswitch on my Pi3 following the thread from @JJS78, where I had no trouble setting up these rules @Tom_Doyle following this gist for Pis, but as soon as I try to do the same on my Vero it doesn’t work.
When I try adding iptables rules I keep getting errors.
Maybe one of the target methods you used is not supported by the iptables modules on the Vero; for which of the commands is that error displayed?
Either you need to rewrite the rules without that target, or wait for the Vero to be updated to the 4.x kernel.
Posted this in the wrong section; it’s a Vero 4K, just not the latest Plus, the one before that.
All of these rules
give me the chain error above.
If I try to clear mangle it gives me this error:
iptables -t mangle -F
iptables v1.6.0: can't initialize iptables table `mangle': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
I was testing clearing mangle because in a post a while back about iptables you mentioned clearing mangle in the chain (don’t remember what it was), but since it gave me an error it might have been useful to mention it. I don’t think I have a real need for mangle.
The rules I need to work (or ones that do the same but do work on a Vero), which do work on an OSMC Pi3, are:
That’s odd, because it does accept it in the RPi3 build; both are updated to the latest build. Maybe Sam knows why it does work in one build but not in the other.
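A pre-flight check for this kind of mismatch, added here as an example and not something from the thread or from OSMC: it looks up module names in the lists depmod writes under /lib/modules/<release> (modules.dep for loadable modules, modules.builtin for compiled-in ones). Tables are provided by iptable_<table> and match extensions by xt_<match>, so the mangle table maps to iptable_mangle and the comment match the Pi rules use maps to xt_comment. The module lists used in the stand-alone run are whatever the host has; the MODDIR variable and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread or from OSMC: before pasting a rule set
# onto another kernel, check which netfilter modules that kernel ships.
# depmod lists loadable modules in modules.dep and compiled-in ones in
# modules.builtin under /lib/modules/<release>; a table lives in
# iptable_<table> and a match extension (e.g. -m comment) in xt_<match>.
set -eu

MODDIR="${MODDIR:-/lib/modules/$(uname -r)}"

# netfilter_module_present DIR MODULE: succeed if DIR's module lists contain
# MODULE as a loadable (.ko, possibly compressed) or built-in object.
netfilter_module_present() {
    grep -qsF "/$2.ko" "$1/modules.builtin" "$1/modules.dep"
}

# missing_netfilter_modules DIR MODULE...: print the modules DIR lacks, one
# per line. "Table does not exist (do you need to insmod?)" from
# `iptables -t mangle` means iptable_mangle is absent; "No chain/target/match
# by that name" on a rule that uses -m comment points at xt_comment.
missing_netfilter_modules() {
    dir="$1"; shift
    for m in "$@"; do
        netfilter_module_present "$dir" "$m" || printf '%s\n' "$m"
    done
}

# table_module TABLE / match_module MATCH: map iptables names to module names.
table_module() { printf 'iptable_%s\n' "$1"; }
match_module() { printf 'xt_%s\n' "$1"; }

# Stand-alone: report what the running kernel lacks for the thread's rule set
# (filter table, tcp/udp port matches, the comment match) plus the mangle table.
if [ -d "$MODDIR" ]; then
    missing_netfilter_modules "$MODDIR" \
        "$(table_module filter)" "$(table_module mangle)" \
        "$(match_module tcpudp)" "$(match_module comment)"
fi
```

If the kernel was installed without running depmod those lists may be missing and every module then reads as absent; in that case fall back to trying the table directly, which is exactly the check the error above came from: `iptables -t mangle -S`.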
I did the same thing on both my Pi and Vero: added openresolv for DNS leaks, as discussed in the topic above and here, including the lines in my openvpn files for up and down, installed iptables-persistent and added an auto restart to /lib/systemd/system/openvpn@.service.
After that I tried to do the iptables just like I did on my Pi, but got errors.
I could do without the comments if for some reason they won’t work, but I have no idea how to adjust the iptables for that and still have them function as a killswitch.
@sam_nazarko How can it be up to date on my Pi3 running OSMC while it doesn’t run on my Vero4k OSMC then?
Is there a way to change that?
Or is there a different way I could make similar iptables without the comment? I just copy and paste what someone else wrote, which seems to work fine on Pis.
@sam_nazarko if it is a kernel build option it can, but is there a way to work around it or enable it as is done on Pi builds, like @dillthedog just showed?
sudo iptables -A OUTPUT -o tun0 -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p icmp -j ACCEPT
sudo iptables -A OUTPUT -d 192.168.1.0/24 -o eth0 -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p udp --dport 1198 -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p tcp --sport 22 -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p udp --dport 123 -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p udp --dport 53 -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p tcp --dport 53 -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -j DROP
So this should work? Could you check if I made any mistakes?
I also followed this as you suggested in a different topic and ran sudo apt-get install openresolv, while adding this to my config:
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
No idea how it solves DNS leaks but did I do that right?
I also added a restart function like you were talking about in a different topic: sudo nano /lib/systemd/system/openvpn@.service
with these values under [Service]:
Restart=always
RestartSec=5
My VPN was already running before I started this, but it kept dropping and leaking, so I didn’t do everything in the tutorial since I already had it running; these are the things I edited. I just want it to start and keep running without me having to check every time.
I saved it on my Pi and did the curl check and the 20MB.zip download check: the curl times out and the download doesn’t start, but it does resolve the server IP. Very odd.
If it’s not downloading and curl fails, it could be an issue with the iptables rules.
The openresolv lines added to your VPN config look correct. Check the contents of /etc/resolv.conf; when the VPN is running it should contain your VPN provider’s DNS servers.
Any changes made to systemd files should be done within /etc/systemd/system rather than /lib/systemd/system, to prevent updates overwriting any changes. Also, I think the changes should be made to openvpn.service rather than openvpn@.service, as the first calls the latter. Also, in more recent times I have found Restart=on-failure more reliable than Restart=always. So please remove the 2 entries from:
Add the following line: deb http://apt.osmc.tv stretch-devel main
Run the following commands to update: sudo apt-get update && sudo apt-get dist-upgrade && reboot
Your system should have received the update.
Please see if the issue is resolved.
I also recommend you edit /etc/apt/sources.list again and remove the line that you added after updating. This will return you to the normal update channel.
Both Pi and Vero show the same two nameservers, 209.222.18.etc, so that looks like standard PIA. Is that what it should do?
I did the above; I only used openvpn@.service because you mentioned this in another post, and it seems to have worked, no errors or problems.
After a reboot everything looks the same on my Vero, /etc/systemd/system/openvpn.service looks like this:
[Unit]
Description=OpenVPN service
After=network.target
I added the iptables on my Vero (the ones on my Pi stay as the original with the comments); my iptables look like this:
sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -o eth0 -p icmp -j ACCEPT
-A OUTPUT -d 192.168.1.0/24 -o eth0 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 1198 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -o eth0 -j DROP
I hope I did it right. I didn’t save them yet; how did you save them again, with netfilter?
SSH does not need remote access, only the local LAN, and DNS only has to resolve when the VPN is on; when it’s off it should do nothing.
Testing curl, it timed out while it shouldn’t have. Checking sudo systemctl status openvpn I get:
This was a few minutes after the reboot, before the changes it resolved without an issue.
Trying to start openvpn on my Vero I get this:
sudo systemctl start openvpn
Failed to start openvpn.service: Unit openvpn.service is not loaded properly: Invalid argument.
See system logs and 'systemctl status openvpn.service' for details.
ifconfig no longer shows a tun0, just an eth0 and lo.
I tried restarting the systemctl daemon again; afterwards I checked the status of openvpn.service and it shows this:
sudo systemctl status openvpn
* openvpn.service - OpenVPN service
Loaded: error (Reason: Invalid argument)
Active: inactive (dead)
Jun 05 00:35:43 osmc systemd[1]: openvpn.service: Service has Restart= setting other than no, which isn't allowed for Type=oneshot services. Refusing.
Setting restart to always instead of on-failure gives me this error:
systemd[1]: openvpn.service: Service has Restart= setting other than no, which isn't allowed for Type=oneshot services. Refusing.
Checking the 20MB test, it still resolves the IP but doesn’t download anything.
http://ipv4.download.thinkbroadband.com/20MB.zip
Resolving ipv4.download.thinkbroadband.com (ipv4.download.thinkbroadband.com)... 80.249.99.148
Connecting to ipv4.download.thinkbroadband.com (ipv4.download.thinkbroadband.com)|80.249.99.148|:80...
Sorry, apologies; dillthedog did remind me after my post that oneshot systemd units do not support restart options. You were indeed correct that the restart needs to go in the openvpn@.service file. So:
The problem starts right after I remove the service
Second line gives me:
sudo cp /lib/systemd/systemd/openvpn@.service /etc/systemd/system/openvpn@.service
cp: cannot stat '/lib/systemd/systemd/openvpn@.service': Not a directory
Also add a sudo in front of the nano /etc/systemd/system/openvpn@.service for others trying to do the same.
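The same change as a systemd drop-in, added here as an example rather than taken from the thread: instead of copying the whole unit into /etc/systemd/system, a file under /etc/systemd/system/openvpn@.service.d/ overrides only the keys you set, and systemd merges it with the packaged unit, so a package upgrade of openvpn@.service does not undo it. The directory argument, the INSTALL_OVERRIDE switch and the helper names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: give the OpenVPN instance unit a restart
# policy with a systemd drop-in rather than a copied unit file. The drop-in
# carries only the keys you change and survives package upgrades of the unit.
set -eu

# write_openvpn_override [DIR]: create DIR/openvpn@.service.d/override.conf
# (DIR defaults to /etc/systemd/system; pass a scratch directory to preview)
# and print the path written.
write_openvpn_override() {
    dir="${1:-/etc/systemd/system}"
    dropin="$dir/openvpn@.service.d"
    mkdir -p "$dropin"
    cat > "$dropin/override.conf" <<'EOF'
# Restart the per-config instance (openvpn@<name>) when the process dies.
# openvpn.service itself is Type=oneshot and refuses any Restart= value,
# which is the "Service has Restart= setting other than no" error.
[Service]
Restart=on-failure
RestartSec=5
EOF
    printf '%s\n' "$dropin/override.conf"
}

# override_restart FILE: print the Restart= value a drop-in sets.
override_restart() {
    sed -n 's/^Restart=//p' "$1"
}

# Stand-alone: preview into a scratch directory. INSTALL_OVERRIDE=1 writes the
# real drop-in (needs root) and reloads systemd; afterwards restart the
# instance, e.g. `systemctl restart openvpn@<config-name>`, to pick it up.
if [ "${INSTALL_OVERRIDE:-0}" = "1" ]; then
    f=$(write_openvpn_override)
    systemctl daemon-reload
    echo "wrote $f (confirm with: systemctl cat openvpn@.service)"
else
    preview=$(mktemp -d)
    f=$(write_openvpn_override "$preview")
    echo "preview in $f sets Restart=$(override_restart "$f")"
fi
```

`sudo systemctl edit openvpn@.service` creates the same override.conf through an editor, and `systemctl cat openvpn@.service` shows the packaged unit with the drop-in appended, which is the quickest way to confirm it was picked up after `daemon-reload`. The restart policy only helps when the openvpn process exits; a tunnel that stays up but stops passing traffic is a job for OpenVPN's own keepalive / ping-restart options, not for systemd.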
so far so good
sudo systemctl status openvpn
* openvpn.service - OpenVPN service
Loaded: loaded (/lib/systemd/system/openvpn.service; enabled; vendor preset: enabled)
Active: active (exited) since Wed 2019-06-05 21:22:11 CEST; 9s ago
Process: 9411 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
Main PID: 9411 (code=exited, status=0/SUCCESS)
Jun 05 21:22:11 osmc systemd[1]: Starting OpenVPN service...
Jun 05 21:22:11 osmc systemd[1]: Started OpenVPN service.
ifconfig shows a tun0 again.
The iptables look good, I think?
sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -o eth0 -p icmp -j ACCEPT
-A OUTPUT -d 192.168.1.0/24 -o eth0 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 1198 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -o eth0 -j DROP
Just need to save them, but testing @Tom_Doyle’s stripped version first to see if it leaks.
After stopping the service curl times out:
curl https://ipinfo.io/ip
curl: (7) Failed to connect to ipinfo.io port 443: Connection timed out
and wget does resolve the domain into an IP, which I’d rather it did not, and I’m not sure if it is supposed to, but it doesn’t download anything and eventually times out.
@Tom_Doyle Is this what was expected as a result? Could I block the resolv? Also how do I save the iptables so they won’t be removed on reboot.
@sam_nazarko Once I have it up and running and have a moment I will download the release and test the original iptables I was trying to use and report back.
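One way to answer the two questions above with the rule listing in hand, added here as an example and not something from the thread: a small audit that flags every rule letting traffic leave eth0 to somewhere other than the LAN, and a tighter rule set without those holes. The interface names, the LAN range and port 1198 are the thread's; the function names, the KILLSWITCH_APPLY switch and the sample listing (constructed from the post above) are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: audit an `iptables -S OUTPUT` listing for
# rules that let packets leave the physical uplink towards non-LAN hosts, and
# emit a tighter rule set. Interface names, LAN range and VPN port are the ones
# used in the thread; override them in the environment for another box.
set -eu

WAN_IF="${WAN_IF:-eth0}"        # physical uplink
VPN_IF="${VPN_IF:-tun0}"        # OpenVPN tunnel interface
LAN="${LAN:-192.168.1.0/24}"    # local network
VPN_PORT="${VPN_PORT:-1198}"    # OpenVPN UDP port

# Constructed sample: the OUTPUT chain as it was listed in the thread.
SAMPLE_OUTPUT='-P OUTPUT ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -o eth0 -p icmp -j ACCEPT
-A OUTPUT -d 192.168.1.0/24 -o eth0 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 1198 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -o eth0 -j DROP'

# leak_candidates LISTING: print each ACCEPT rule on the uplink that is not
# limited to a LAN destination. Every such rule is a path around the tunnel
# while it is down; port 53 to anywhere is why wget still resolves names.
leak_candidates() {
    printf '%s\n' "$1" | awk -v wan="$WAN_IF" -v lan="$LAN" '
        $1 == "-A" && $2 == "OUTPUT" && $NF == "ACCEPT" {
            out = ""; dst = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-o") out = $(i + 1)
                if ($i == "-d") dst = $(i + 1)
            }
            if (out == wan && dst != lan) print
        }'
}

# wan_is_closed LISTING: succeed only if the last OUTPUT rule drops everything
# else on the uplink. With policy ACCEPT that final rule is the whole switch.
wan_is_closed() {
    printf '%s\n' "$1" | awk -v wan="$WAN_IF" '
        $1 == "-A" && $2 == "OUTPUT" { last = $0 }
        END { if (last == ("-A OUTPUT -o " wan " -j DROP")) exit 0; exit 1 }'
}

# killswitch_rules [IPT]: run the tighter rule set through IPT (default
# iptables; pass "echo" for a dry run). Compared with the thread's set it
# drops the port 53, port 22 and ICMP holes on the uplink: the LAN rule already
# covers the router's resolver and SSH from the LAN, and nothing else should
# reach the internet except the VPN handshake itself and NTP.
killswitch_rules() {
    ipt="${1:-iptables}"
    $ipt -F OUTPUT
    $ipt -A OUTPUT -o "$VPN_IF" -j ACCEPT
    $ipt -A OUTPUT -d "$LAN" -o "$WAN_IF" -j ACCEPT
    $ipt -A OUTPUT -o "$WAN_IF" -p udp --dport "$VPN_PORT" -j ACCEPT
    $ipt -A OUTPUT -o "$WAN_IF" -p udp --dport 123 -j ACCEPT
    $ipt -A OUTPUT -o "$WAN_IF" -j DROP
}

# Stand-alone: audit the sample. KILLSWITCH_APPLY=1 installs the rules for
# real (needs root) and saves them where iptables-persistent reloads them.
if [ "${KILLSWITCH_APPLY:-0}" = "1" ]; then
    killswitch_rules iptables
    iptables-save > /etc/iptables/rules.v4
else
    echo "rules on $WAN_IF that reach beyond $LAN:"
    leak_candidates "$SAMPLE_OUTPUT"
    wan_is_closed "$SAMPLE_OUTPUT" && echo "final uplink rule is DROP: ok"
fi
```

On the listing above the audit flags six rules; the two port 53 rules are why wget still resolves names after the tunnel stops, since any resolver on the internet stays reachable over eth0. With the tighter set, names resolve only through a resolver on the LAN (the router handed out by DHCP, covered by the 192.168.1.0/24 rule) or through the tunnel. If DHCP hands out a resolver that is not on the LAN, add it with its own `-d <resolver> -p udp --dport 53` rule rather than reopening port 53 to everyone; if resolution should fail completely while the VPN is down, the `remote` in the OpenVPN config has to be an IP address, because OpenVPN otherwise needs DNS before the tunnel exists. With iptables-persistent installed, `sudo netfilter-persistent save` writes the same /etc/iptables/rules.v4 that apply mode does, and that file is what comes back at boot.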