<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div class="">Chain INPUT (policy DROP 221 packets, 11897 bytes)</div><div class=""> pkts bytes target prot opt in out source destination</div><div class=""> 23 1656 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:9292 state NEW</div><div class=""> 691K 146M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED</div><div class=""> 8072 429K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 state NEW</div><div class="">24441 1325K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 state NEW</div><div class="">29529 7540K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0</div><div class=""> 4647 190K DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID</div><div class=""> 2495 129K ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 state NEW</div><div class="">14416 605K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:9987 state NEW</div><div class=""> 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:30033 state NEW</div><div class=""> 1 40 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:30033 state NEW</div><div class=""> 282 17685 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22000 state NEW</div><div class="">23970 7190K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:21027 state NEW</div><div class=""> 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:34197 state NEW</div><div class=""> 105 4580 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8000 state NEW</div><div class=""> 165 10456 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1194 state NEW</div><div class=""> 21 898 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1194 state NEW</div><div class=""><br class=""></div><div class="">Chain FORWARD (policy DROP 1624 packets, 110K bytes)</div><div class=""> pkts bytes target prot opt in out source destination</div><div class=""><br class=""></div><div class="">Chain OUTPUT (policy ACCEPT 4881 
packets, 1307K bytes)</div><div class=""> pkts bytes target prot opt in out source destination</div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><div class="">net.ipv4.ip_forward = 1</div><div class="">net.ipv4.ip_forward_use_pmtu = 0</div></div><div class=""><br class=""></div><div><br class=""><blockquote type="cite" class=""><div class="">On 21 Feb 2019, at 16:50, Miroslav Misek <<a href="mailto:miroslav.misek@netgarden.cz" class="">miroslav.misek@netgarden.cz</a>> wrote:</div><br class="Apple-interchange-newline"><div class="">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" class="">
<div text="#000000" bgcolor="#FFFFFF" class=""><p class="">This NATs all outgoing packets, i.e. including those coming directly from the VPS.
I'm not saying that's wrong :-)<br class="">
Please also send the output of:<br class="">
iptables -L -v -n<br class="">
sysctl -a | grep net.ipv4.ip_forward<br class="">
<br class="">
</p>
<div class="moz-cite-prefix">On 21. 02. 19 16:44, Lukáš Němec wrote:<br class="">
</div>
<blockquote type="cite" cite="mid:3C09765A-03B7-42E7-92F0-0010580D6E33@gmail.com" class="">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" class="">
Hi,
<div class=""><br class="">
</div>
<div class="">I've now found that iptables thing, and it seems it is NATing
some packets, but the client still can't ping anywhere :/</div>
<div class=""><br class="">
</div>
<div class="">
<div class="">Chain POSTROUTING (policy ACCEPT 0 packets, 0
bytes)</div>
<div class=""> pkts bytes target prot opt in out
source destination</div>
<div class="">13469 842K SNAT all -- * venet0
0.0.0.0/0 0.0.0.0/0 to:37.205.10.108</div>
<div class=""><br class="">
</div>
<div class="">Thanks,</div>
<div class="">Lukáš</div>
<div class=""><br class="">
<blockquote type="cite" class="">
<div class="">On 21 Feb 2019, at 16:41, Lukáš Němec <<a href="mailto:lu.nemec@gmail.com" class="" moz-do-not-send="true">lu.nemec@gmail.com</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<meta http-equiv="Content-Type" content="text/html;
charset=UTF-8" class="">
<div style="word-wrap: break-word; -webkit-nbsp-mode:
space; line-break: after-white-space;" class="">Hi,
<div class=""><br class="">
</div>
<div class="">thanks for the replies, I tried what you
wrote and it still doesn't work. I connect OK, but ping
8.8.8.8 reports no route to host, or times out.</div>
<div class="">I enabled IPv4 forwarding and added NAT
as per the wiki, but this part seems off to me: when I
try to list the rules in POSTROUTING, iptables tells me
it doesn't know such a chain. I don't understand that.</div>
<div class=""><br class="">
</div>
<div class="">root@nemec /etc/openvpn # ip addr show dev
venet0:0 scope global
</div>
<div class="">2: venet0:
<BROADCAST,POINTOPOINT,NOARP,UP,LOWER_UP> mtu
1500 qdisc noqueue state UNKNOWN</div>
<div class=""> link/void</div>
<div class=""> inet 37.205.10.108/32 brd
37.205.10.108 scope global venet0:0</div>
<div class=""> inet6 2a01:430:17:1::ffff:71/128 scope
global</div>
<div class=""> valid_lft forever preferred_lft
forever</div>
<div class="">root@nemec /etc/openvpn # iptables -t nat
-A POSTROUTING -o venet0 -j SNAT --to 37.205.10.108
</div>
<div class="">root@nemec /etc/openvpn # iptables -L
POSTROUTING
</div>
<div class="">iptables: No chain/target/match by that
name. </div>
<div class=""><br class="">
</div>
<div class="">My server config:</div>
<div class="">
<div class="">mode server</div>
<div class="">tls-server</div>
<div class="">port 1194</div>
<div class="">proto tcp-server</div>
<div class="">dev tap1</div>
<div class="">client-config-dir ccd</div>
<div class="">tun-mtu 1500</div>
<div class=""><br class="">
</div>
<div class="">ca /etc/openvpn/easy-rsa/keys/ca.crt</div>
<div class="">cert
/etc/openvpn/easy-rsa/keys/nemec.crt</div>
<div class="">key /etc/openvpn/easy-rsa/keys/nemec.key</div>
<div class="">dh /etc/openvpn/easy-rsa/keys/dh2048.pem</div>
<div class=""><br class="">
</div>
<div class="">topology subnet</div>
<div class="">server 172.16.123.0 255.255.255.0</div>
<div class="">push "redirect-gateway def1 bypass-dhcp"</div>
<div class="">push "dhcp-option DNS 8.8.8.8"</div>
<div class=""><br class="">
</div>
<div class="">ifconfig-pool-persist ipp.txt</div>
<div class=""><br class="">
</div>
<div class="">keepalive 10 120</div>
<div class="">max-clients 10</div>
<div class="">cipher AES-256-CBC</div>
<div class="">user nobody</div>
<div class="">group nogroup</div>
<div class="">persist-key</div>
<div class="">persist-tun</div>
<div class="">status /tmp/openvpn.status 1</div>
<div class="">log-append /var/log/openvpn.log</div>
<div class="">status-version 3</div>
<div class="">verb 4</div>
<div class="">mute 20</div>
<div class="">reneg-sec 180</div>
<div class=""><br class="">
</div>
<div class="">Thanks for any advice,</div>
<div class="">Lukáš</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
<blockquote type="cite" class="">
<div class="">On 21 Feb 2019, at 14:57, Miroslav
Misek <<a href="mailto:miroslav.misek@netgarden.cz" class="" moz-do-not-send="true">miroslav.misek@netgarden.cz</a>>
wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" class="">
<div text="#000000" bgcolor="#FFFFFF" class=""><p class="">If OpenVPN is to work as a
gateway (i.e. the client will then send all its
data to the internet through the VPN), <br class="">
you also need to set either on the
client:<br class="">
redirect-gateway<br class="">
or on the server:<br class="">
push "redirect-gateway"</p><p class="">In addition, set up masquerade in iptables
(firewalld) (so that data coming from the
VPN has the source IP of the VPS when it is
forwarded to the internet).<br class="">
And, as already written in the previous email,
you need to enable IP forwarding (echo 1 >
/proc/sys/net/ipv4/ip_forward) and also
forwarding in the firewall (iptables,
firewalld).</p><p class="">Miroslav Misek</p>
<div class="moz-cite-prefix">On 21. 02. 19
14:16, Jiri Drozd wrote:<br class="">
</div>
<blockquote type="cite" cite="mid:1205030177.7379.1550755002419.JavaMail.zimbra@sde.cz" class="">
<meta http-equiv="content-type" content="text/html; charset=UTF-8" class="">
<div style="font-family: arial, helvetica,
sans-serif; font-size: 12pt;" class="">
<div class="">Hi,<br class="">
</div>
<div class=""><br data-mce-bogus="1" class="">
</div>
<div class="">I no longer remember what I followed
when setting it up; here is my config, which
works:<br data-mce-bogus="1" class="">
</div>
<div class=""><br data-mce-bogus="1" class="">
</div>
<div class="">port 1111<br class="">
proto udp<br class="">
dev tun<br class="">
ca /etc/openvpn/full/keys/ca.crt<br class="">
cert /etc/openvpn/full/keys/server.crt<br class="">
key /etc/openvpn/full/keys/server.key <br class="">
dh /etc/openvpn/full/keys/dh2048.pem<br class="">
topology subnet<br class="">
server 172.16.123.0 255.255.255.0<br class="">
ifconfig-pool-persist ipp-full.txt<br class="">
push "redirect-gateway def1 bypass-dhcp"<br class="">
push "dhcp-option DNS 8.8.8.8"<br class="">
keepalive 10 30<br class="">
tls-auth
/etc/openvpn/easy-rsa-full/keys/ta.key 0<br class="">
cipher AES-256-CBC <br class="">
comp-lzo<br class="">
max-clients 100<br class="">
user nobody<br class="">
group nogroup<br class="">
persist-key<br class="">
persist-tun<br class="">
status openvpn-full-status.log<br class="">
verb 3<br class="">
mute 20<br class="">
reneg-sec 180<br class="">
</div>
<div class=""><br data-mce-bogus="1" class="">
</div>
<div class="">you also need to have
forwarding enabled <a href="https://linuxconfig.org/how-to-turn-on-off-ip-forwarding-in-linux" moz-do-not-send="true" class="">https://linuxconfig.org/how-to-turn-on-off-ip-forwarding-in-linux</a><br data-mce-bogus="1" class="">
</div>
<div class="">and if you have iptables enabled,
check that nothing there is blocking that
traffic (probably best to turn the firewall
off completely for a moment)<br data-mce-bogus="1" class="">
</div>
<div class=""><br data-mce-bogus="1" class="">
</div>
<div class="">JDrozd / Buger<br data-mce-bogus="1" class="">
</div>
<div class=""><br class="">
</div>
<hr id="zwchr" data-marker="__DIVIDER__" class="">
<div data-marker="__HEADERS__" class=""><b class="">From: </b>"Lukáš Němec" <a class="moz-txt-link-rfc2396E" href="mailto:lu.nemec@gmail.com" moz-do-not-send="true"><lu.nemec@gmail.com></a><br class="">
<b class="">To: </b>"<a href="http://vpsfree.cz/" class="" moz-do-not-send="true">vpsFree.cz</a>
Community list" <a class="moz-txt-link-rfc2396E" href="mailto:community-list@lists.vpsfree.cz" moz-do-not-send="true"><community-list@lists.vpsfree.cz></a><br class="">
<b class="">Sent: </b>Friday, February
15, 2019 5:29:57 PM<br class="">
<b class="">Subject: </b>[<a href="http://vpsfree.cz/" class="" moz-do-not-send="true">vpsFree.cz</a>:
community-list] OpenVPN config<br class="">
</div>
<div class=""><br class="">
</div>
<div data-marker="__QUOTED_TEXT__" class="">Hi,
<div class="">I'm trying to get OpenVPN running
as an internet gateway on my VPS. I
followed the guide on the vpsFree wiki, but
it seems outdated. I'm now at the point where
I can connect to the VPS VPN without problems, but
the internet doesn't work; maybe the IP
address for NAT in the wiki guide is wrong? (<span style="font-size: 12pt; font-family:
Helvetica;" class=""><a href="https://kb.vpsfree.cz/navody/server/openvpn" target="_blank" moz-do-not-send="true" class="">https://kb.vpsfree.cz/navody/server/openvpn</a>)</span></div>
<div class=""><span style="font-size:
12pt; font-family: Helvetica;" class=""><br class="">
</span></div>
<div class=""><span style="font-size:
12pt; font-family: Helvetica;" class="">I also found emails from
2017 on this list, but I don't know whether
that configuration still applies.</span></div>
<div class=""><span style="font-size:
12pt; font-family: Helvetica;" class=""><br class="">
</span></div>
<div class=""><span style="font-size:
12pt; font-family: Helvetica;" class="">Any advice? Btw, my configs are
the same as in the guide; I went step
by step.</span></div>
<div class=""><span style="font-size:
12pt; font-family: Helvetica;" class=""><br class="">
</span></div>
<div class=""><span style="font-size:
12pt; font-family: Helvetica;" class="">Thanks,</span></div>
<div class=""><span style="font-size:
12pt; font-family: Helvetica;" class="">Lukáš</span></div>
<br class="">
_______________________________________________<br class="">
Community-list mailing list<br class="">
<a class="moz-txt-link-abbreviated" href="mailto:Community-list@lists.vpsfree.cz" moz-do-not-send="true">Community-list@lists.vpsfree.cz</a><br class="">
<a class="moz-txt-link-freetext" href="http://lists.vpsfree.cz/listinfo/community-list" moz-do-not-send="true">http://lists.vpsfree.cz/listinfo/community-list</a><br class="">
</div>
</div>
<br class="">
</blockquote>
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
<br class="">
</blockquote>
</div>
</div></blockquote></div><br class=""></body></html>