I was finally able to work remotely again and spent some time on this. I am not familiar with tcpdump. The VPN runs on a Windows machine, so I played around with Wireshark: I see the packages, but there is not really much I understand from it.
As a first step, I just wanted to check if there is any setting on the FreePBX system that limits the access.
With FreePBX firewall off, iptables should be completely open. You can confirm this at a root shell prompt: iptables -vL
What virtualization are you using (Hyper-V, virtualbox, etc.)? Are you using bridged networking (FreePBX has an IP address in the same subnet as the Windows host)? If not, why? What VPN are you running? Does the client get an IP address in the same subnet as the Windows host? If not, why?
SSH access should be easier to debug than the other options. Does it work from other hosts on the LAN (not through the VPN)?
If you need to capture traffic at the PBX, just run (at a root shell prompt)
tcpdump -w foo.pcap
Type ctrl-C when finished capturing, copy foo.pcap to your Windows host (or another Windows, Mac or Linux machine with a desktop) and open the .pcap file with Wireshark.
In the dashboard when I move the cursor on the firewall entry, I have an X and it says: “Firewall disabled”.
My FreePBX is a hardware machine, no virtualization. It can be reached within my network, as can all its services.
OpenVPN runs on my Windows machine. OpenVPN gives out IPs from a different network to the clients. I am trying to change that, but I have not been successful so far.
My main router knows the route to the OpenVPN IPs. I can ping the OpenVPN server IP from the PBX.
I can reach all other machines and services through the VPN. No service on the PBX can be reached.
(I know I said that differently before, that was incorrect. I can reach services through the router via port forwarding, but that is obviously not the same, and open ports are a bigger risk. Don’t want to leave the admin interface exposed.)
Chain INPUT (policy ACCEPT 44805 packets, 24M bytes)
pkts bytes target prot opt in out source destination
47809 26M fail2ban-recidive all -- any any anywhere anywhere
3 120 fail2ban-api tcp -- any any anywhere anywhere multiport dports http,https
46612 25M fail2ban-zulu tcp -- any any anywhere anywhere
3 120 fail2ban-BadBots tcp -- any any anywhere anywhere multiport dports http,https
0 0 fail2ban-FTP tcp -- any any anywhere anywhere multiport dports ftp
47809 26M fail2ban-apache-auth all -- any any anywhere anywhere
475 48686 fail2ban-SSH tcp -- any any anywhere anywhere multiport dports ssh
47809 26M fail2ban-PBX-GUI all -- any any anywhere anywhere
47809 26M fail2ban-SIP all -- any any anywhere anywhere
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 45415 packets, 28M bytes)
pkts bytes target prot opt in out source destination
Chain fail2ban-BadBots (1 references)
pkts bytes target prot opt in out source destination
3 120 RETURN all -- any any anywhere anywhere
Chain fail2ban-FTP (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- any any anywhere anywhere
Chain fail2ban-PBX-GUI (1 references)
pkts bytes target prot opt in out source destination
47809 26M RETURN all -- any any anywhere anywhere
Chain fail2ban-SIP (1 references)
pkts bytes target prot opt in out source destination
47809 26M RETURN all -- any any anywhere anywhere
Chain fail2ban-SSH (1 references)
pkts bytes target prot opt in out source destination
475 48686 RETURN all -- any any anywhere anywhere
Chain fail2ban-apache-auth (1 references)
pkts bytes target prot opt in out source destination
47809 26M RETURN all -- any any anywhere anywhere
Chain fail2ban-api (1 references)
pkts bytes target prot opt in out source destination
3 120 RETURN all -- any any anywhere anywhere
Chain fail2ban-recidive (1 references)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- any any 185.53.90.104 anywhere reject-with icmp-port-unreachable
47809 26M RETURN all -- any any anywhere anywhere
Chain fail2ban-zulu (1 references)
pkts bytes target prot opt in out source destination
46612 25M RETURN all -- any any anywhere anywhere
iptables shows FreePBX firewall running (though I don’t know why, given that the GUI shows it disabled). I am guessing that the subnet assigned by OpenVPN is not marked ‘trusted’ in FreePBX firewall so it’s not surprising that access is blocked.
In Connectivity -> Firewall -> Settings, does anything show enabled? You could try enabling and then disabling. Or, on the Networks tab, list your VPN subnet in Trusted.
You could also try issuing iptables -F
which should flush all iptables rules, though it’s possible that FreePBX firewall will aggressively put them in again.
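As an added example (not from the thread and not FreePBX or fail2ban code), here is a small Python script that reads `iptables -vL` output like the listing posted above, walks the INPUT chain the way the kernel would (following jumps into the fail2ban chains, honouring RETURN and the built-in policy), and reports whether a given source address ends in REJECT/DROP and in which chain. It also checks whether a VPN client subnet is covered by a list of trusted networks, which is the "Networks tab, Trusted" question from the reply above. The sample listing is trimmed from the one posted in the thread; the subnets 10.8.0.0/24 and 192.168.1.0/24 are constructed placeholders, not values from the thread.

```python
"""Explain why a source address is (or is not) blocked by an iptables INPUT chain."""
import ipaddress
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample: trimmed from the `iptables -vL` listing posted in the thread.
SAMPLE_IPTABLES = """\
Chain INPUT (policy ACCEPT 44805 packets, 24M bytes)
 pkts bytes target     prot opt in     out     source               destination
47809   26M fail2ban-recidive  all  --  any    any     anywhere             anywhere
  475 48686 fail2ban-SSH  tcp  --  any    any     anywhere             anywhere             multiport dports ssh
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain fail2ban-SSH (1 references)
 pkts bytes target     prot opt in     out     source               destination
  475 48686 RETURN     all  --  any    any     anywhere             anywhere
Chain fail2ban-recidive (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  any    any     185.53.90.104        anywhere             reject-with icmp-port-unreachable
47809   26M RETURN     all  --  any    any     anywhere             anywhere
"""


class Rule(NamedTuple):
    target: str
    proto: str
    source: str
    destination: str
    extra: str  # trailing match text, e.g. "multiport dports ssh"


# "Chain INPUT (policy ACCEPT ...)" for built-ins, "Chain X (1 references)" for user chains.
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+) .*|(\d+) references)\)$")
TERMINATING = {"ACCEPT", "DROP", "REJECT"}


def parse_iptables(text: str) -> Tuple[Dict[str, List[Rule]], Dict[str, Optional[str]]]:
    """Return {chain: [rules]} and {chain: policy or None} from `iptables -vL` text."""
    chains: Dict[str, List[Rule]] = {}
    policies: Dict[str, Optional[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("pkts bytes"):
            continue
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            policies[current] = m.group(2)  # None for user-defined chains
            continue
        parts = line.split()
        # Columns: pkts bytes target prot opt in out source destination [extra...]
        if current is None or len(parts) < 9:
            continue
        chains[current].append(
            Rule(parts[2], parts[3], parts[7], parts[8], " ".join(parts[9:])))
    return chains, policies


def _source_matches(rule_source: str, ip: ipaddress.IPv4Address) -> bool:
    if rule_source == "anywhere":
        return True
    try:
        return ip in ipaddress.ip_network(rule_source, strict=False)
    except ValueError:
        return False  # a hostname; cannot be resolved offline, so treat as no match


def _walk(chains, policies, chain, ip, proto, trail) -> Optional[str]:
    """Evaluate one chain; return a terminating target, or None to continue in the caller."""
    for rule in chains.get(chain, []):
        if rule.proto not in ("all", proto) or not _source_matches(rule.source, ip):
            continue
        if rule.target in TERMINATING:
            trail.append(f"{chain}: {rule.target} {rule.extra}".strip())
            return rule.target
        if rule.target == "RETURN":
            return None
        if rule.target in chains:  # jump into a user-defined chain (e.g. fail2ban-*)
            trail.append(f"{chain} -> {rule.target}")
            decision = _walk(chains, policies, rule.target, ip, proto, trail)
            if decision is not None:
                return decision
    return policies.get(chain)  # built-in policy, or None for user chains


def verdict(text: str, source_ip: str, proto: str = "tcp") -> Tuple[Optional[str], List[str]]:
    """Decision for packets from source_ip hitting INPUT, plus the chains traversed."""
    chains, policies = parse_iptables(text)
    trail: List[str] = []
    decision = _walk(chains, policies, "INPUT", ipaddress.ip_address(source_ip), proto, trail)
    return decision, trail


def vpn_clients_trusted(vpn_subnet: str, trusted_networks: List[str]) -> bool:
    """True if the whole VPN client subnet lies inside one of the trusted networks."""
    vpn = ipaddress.ip_network(vpn_subnet, strict=False)
    return any(vpn.subnet_of(ipaddress.ip_network(t, strict=False)) for t in trusted_networks)


if __name__ == "__main__":
    for ip in ("185.53.90.104", "10.8.0.5"):  # 10.8.0.5: constructed VPN client address
        print(ip, verdict(SAMPLE_IPTABLES, ip))
    print("VPN subnet trusted:", vpn_clients_trusted("10.8.0.0/24", ["192.168.1.0/24"]))
```

The walk only considers protocol and source address; it ignores port matches such as `multiport dports ssh`, so it is an approximation that is exact for the rules in this listing (every port-restricted rule here is a jump, not a terminating target). Run it against a saved `iptables -vL` from the PBX and the VPN client's address to see which chain, if any, returns REJECT; if the answer is the built-in ACCEPT policy, as it is for the posted listing, the block is not in iptables and the trusted-network setting is the next thing to check.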