Open VPN - FreePBX


(Ivan) #1

Hi!

I’ve been trying to remotely access the web interface of my FreePBX server and the connection is timing out.
I’m able to access other server that’s on the same network though.

Is that a FreePBX firewall issue? I’ve tried several firewall configuration but the problem persists.

Regards


#2

Have you tried disabling the firewall on freepbx altogether momentarily? That way you can rule the firewall out.


(Ivan) #3

Hi, thanks for the answer.

Yes, I tried disabling the firewall, but it didn’t work. I also included 192.168.2.0/24 as a local trusted traffic, but no luck so far.


#4

I have an Archer A6, which I’m guessing is similar. When a client connects to it via OpenVPN, it is assigned a tunnel address 10.8.0.x, which appears as the source address to the device on the remote LAN. So, you should include 10.8.0.0/24 as local trusted traffic (and in Local Networks for Asterisk if you want to do non-NAT VoIP over the link).

However, you turned the FreePBX firewall completely off and that didn’t help, so I’m guessing that you have a routing problem of some sort. Try running tcpdump on the PBX (which captures pre-firewall inbound and post-firewall outbound) and see whether your requests are coming in and any responses are going out.


(Ivan) #5

Hi.

The 10.8.0.x is also the default address used by Archer C7 for its OpenVPN. It didn’t work either, even putting it on the local trusted traffic.

Then, in order to keep the same 192.168.x.x pattern, I changed it to 192.168.2.x. That’s my current configuration.

Here is a little preview from the tcpdump:

Any ideas, please? :slight_smile: Thanks


#6

Well, with requests coming in but no responses (not even port unreachable, etc.), it sure looks like iptables are blocking them. Of course, that conflicts with your observation that turning FreePBX firewall completely off doesn’t help.

So, I’m guessing that the firewall service is somehow malfunctioning.

Though the VPN, can you access other services on the PBX, e.g. SSH?

You could look at the current iptables rules to see whether packets from 192.168.2.x should be accepted. (iptables -L -n -v)

Or, you could try
iptables -F
(flush all rules) to see if that lets you in.

Or, if you have Safe Mode enabled, try rebooting the PBX twice and see whether you have access:
https://wiki.freepbx.org/display/FPG/Safe+Mode


(Ivan) #7

It’s interesting. Even when the firewall is disabled, I can’t access the web interface via OpenVPN.

Some things to clarify:

  • I changed the settings on firewall to reject the packet, instead off it silently discarding it. Either way, it didn’t make difference on the tcpdump log;
  • Safe mode was already enabled. But just in case I rebooted the system twice within a short period of time;
  • My freepbx is not a virtual machine. It runs on a computer with two ethernet interfaces. Both are enabled. The IP addressess are 192.168.1.x (static eth0) and 10.2.0.x (DHCP and secondary)
  • I can’t also access FreePBX SSH (port 22) through VPN. Same behavior.

Here’s some output from the commands (note that when I flush, the system says “Firewall Rules corrupted!”. I’ve been taking a look at the file /var/log/asterisk/firewall.log but I haven’t found anything relevant.

iptables -L -n -v

[…]

Chain fpbxnets (1 references)
pkts bytes target prot opt in out source destination
44 2699 zone-internal all – * * 192.168.1.80 0.0.0.0/0
0 0 zone-internal all – * * 192.168.1.61 0.0.0.0/0
26 2853 zone-internal all – * * 192.168.1.50 0.0.0.0/0
0 0 zone-internal all – * * 192.168.1.81 0.0.0.0/0
0 0 zone-internal all – * * 192.168.1.62 0.0.0.0/0
0 0 zone-trusted all – * * 192.168.1.69 0.0.0.0/0
0 0 zone-trusted all – * * 10.2.0.12 0.0.0.0/0
100 7296 zone-trusted all – * * 192.168.1.2 0.0.0.0/0
0 0 zone-trusted all – * * 192.168.2.6 0.0.0.0/0
136 10608 zone-trusted all – * * 192.168.1.1 0.0.0.0/0
127 10867 zone-internal all – * * 192.168.1.0/24 0.0.0.0/0
0 0 zone-trusted all – * * 10.2.0.0/24 0.0.0.0/0
0 0 zone-trusted all – * * 192.168.2.0/24 0.0.0.0/0

[…]


fwconsole firewall list trusted

All entries in zone ‘trusted’:
192.168.1.0/24
192.168.1.69/32
10.2.0.0/24
10.2.0.12/32
192.168.1.2/32
192.168.2.0/24
192.168.2.6/32


Flush IPTables (Firewall rules corrupted)

iptables -F

Broadcast message from root@freepbx.sangoma.local (Sun Jan 24 20:11:50 2021):

Firewall Rules corrupted! Restarting in 5 seconds
More information available in /var/log/asterisk/firewall.log

Broadcast message from root@freepbx.sangoma.local (Sun Jan 24 20:12:04 2021):

Firewall service now starting.


#8

OK, so maybe a routing problem.

What is the output of
ip route

What does
ifconfig -a
show?

What is the LAN IP of the remote PC? If it’s 192.168.1.x or 192.168.2.x, there could be a conflict that is not properly resolved.

Is the 10.2.0.x interface a connection to an ISP-supplied SBC and used only for your SIP trunks? If not, please explain.

Sorry, I forgot that the FreePBX firewall watches iptables, which quickly undid your iptables -F. I suppose you could first kill the voipfirewalld processes, though a simpler test might be to see whether you can get in during the five seconds before iptables is restarted.


(Ivan) #9

It worked! The comand ip route showed that the default via was eth1 10.2.0.1.

#ip route
default via 10.2.0.1 dev eth1
10.2.0.0/24 dev eth1 proto kernel scope link src 10.2.0.x
169.254.0.0/16 dev eth0 scope link metric 1002
169.254.0.0/16 dev eth1 scope link metric 1003
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.x

It was supposed to be eth0 192.168.1.1. So the command:

#ip route change default via 192.168.1.1 dev eth0

fixed the issue.

Thank you very much for your time and kindness.


(system) closed #10

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.