Sysadmin Pro OpenVPN does not open port 1194 when Firewall is disabled

I have Distro - FreePBX 14.0.13.26

Purchased SysAdmin Pro for easy setup of OpenVPN.
PBX is behind firewall/NAT so FreePBX firewall is set to disabled.

It looks like fail2ban & iptables are still running though. Setting up OpenVPN via sysadmin pro
still does not allow traffic via port 1194.

What is the proper way to set up OpenVPN using sysadmin pro when firewall is set to disable?

# nc -z -v -u localhost 1194
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Connected to ::1:1194.
Ncat: Connection refused.

# netstat -an | grep 1194
udp        0      0 0.0.0.0:1194            0.0.0.0:*                          
# iptables -L | grep 1194
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
fail2ban-recidive  all  --  anywhere             anywhere            
fail2ban-BadBots  tcp  --  anywhere             anywhere             multiport dports http,https
fail2ban-FTP  tcp  --  anywhere             anywhere             multiport dports ftp
fail2ban-apache-auth  all  --  anywhere             anywhere            
fail2ban-SSH  tcp  --  anywhere             anywhere             multiport dports ssh
fail2ban-SIP  all  --  anywhere             anywhere            
fail2ban-SIP  all  --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain fail2ban-BadBots (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain fail2ban-FTP (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain fail2ban-SIP (2 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Chain fail2ban-SSH (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain fail2ban-apache-auth (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere

I can’t tell if OpenVPN service is running.

I saw this thread: https://issues.freepbx.org/browse/FREEPBX-14093
but it appears it doesn’t apply or OpenVPN is not a service.

# lsof -i |grep openvpn
openvpn   16213     root    6u  IPv4 1417499007      0t0  UDP *:openvpn 
# chkconfig --list openvpn

Note: This output shows SysV services only and does not include native
      systemd services. SysV configuration data might be overridden by native
      systemd configuration.

      If you want to list systemd services use 'systemctl list-unit-files'.
      To see services enabled on particular target use
      'systemctl list-dependencies [target]'.

error reading information on service openvpn: No such file or directory
# chkconfig openvpn on

Now I’m regretting purchasing the pro module.
I have already wasted more time getting the “easy” way to
work vs manually setting up OpenVPN as I’ve done in the past.

How do I request a refund?

From a sh

systemctl status openvpn

# systemctl status openvpn

Unit openvpn.service could not be found.

@dicko

I don’t understand your reply.

Are you telling me that OpenVPN isn’t installed?

Does sysAdmin Pro expect to have Openvpn manually installed?

# openvpn --version

OpenVPN 2.4.7 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019

library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.06

Originally developed by James Yonan

Copyright (C) 2002-2018 OpenVPN Inc <[email protected]>

Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_iproute2=yes enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=yes enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no

# yum install openvpn

Loaded plugins: fastestmirror, versionlock
Loading mirror speeds from cached hostfile
Package openvpn-2.4.7-1.el7.x86_64 already installed and latest version
Nothing to do

Only saying that neither sys-v nor systemd seem to think you have installed openvpn.

The script I linked DOES install it successfully. (I have no experience with sysadminPro, I should have left this to those that do :slight_smile:)

I should’ve skipped SysAdmin pro as well.

I have now spent more time trying to get this to work compared
to manually setting up OpenVPN outside of FreePBX GUI.


The System Admin VPN server has literally nothing to do with iptables or fail2ban. If you are running on the FreePBX Distro and you have both PBX modules and system rpms fully up to date, you need do nothing more than browse to VPN Server to enable it. Sometimes a reboot is necessary after enabling. If the service is enabled, you run ifconfig and a new tun interface is present:

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.1  netmask 255.255.255.0  destination 10.8.0.1

If you don’t have the tunX interface, then open a support ticket.

Well I didn’t reboot so I’m not sure what that would’ve changed.

ipv4_forwarding was not enabled by turning on VPN server in SysAdmin Pro.
I had to manually do that.

Using SysAdmin Pro also must create its own start script somewhere, since OpenVPN is not
listed as a service. This makes troubleshooting difficult, especially if I’m unaware how the
vpn binary is executed/started.

Now that I’ve spent a couple hours troubleshooting, I’m more aware of what SysAdmin Pro does and doesn’t do.

How/Where is SysAdmin Pro enabling ipv4_forwarding?

If you’re only using the VPN for the PBX (calling, provisioning, UCP, etc), you shouldn’t need ipv4_forwarding. You’d set that if you want the VPN client to access other LAN devices or the PBX site’s internet connection.

I don’t have SysAdmin Pro, but upon installing the Distro, OpenVPN was there along with a config directory structure and considerable systemd stuff. I did not look at it in detail, but believe that if you have at least one server configured, systemd would start it automatically.
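
An added example (not written by any poster, and not FreePBX or SysAdmin Pro code): the `nc` probe in the first post went to `::1`, while `netstat` and `lsof` show the socket bound on IPv4 only, so the refusal does not mean the daemon is down. The function names and the port-323 sample lines are constructed for illustration; `vpn_report` assumes `netstat`, `ip`, `sysctl` and `systemctl` are installed.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): find out which address families have a
# UDP socket bound to a port, and gather the other facts the posts check by hand.

# Constructed sample; the first line is the netstat line shown in the thread.
SAMPLE_NETSTAT='udp        0      0 0.0.0.0:1194            0.0.0.0:*
udp        0      0 127.0.0.1:323           0.0.0.0:*
udp6       0      0 ::1:323                 :::*'

# udp_bind_families PORT  (reads `netstat -anu` output on stdin)
# Prints "ipv4", "ipv6", "ipv4 ipv6", or "none".
udp_bind_families() {
  awk -v port="$1" '
    $1 ~ /^udp/ {
      n = split($4, part, ":")            # local address; port is the last piece
      if (part[n] != port) next
      if ($1 == "udp6" || n > 2) { v6 = 1 } else { v4 = 1 }
    }
    END {
      if (v4 && v6) print "ipv4 ipv6"
      else if (v4)  print "ipv4"
      else if (v6)  print "ipv6"
      else          print "none"
    }'
}

# probe_would_reach FAMILIES ADDRESS
# Succeeds only if a probe sent to ADDRESS uses a family that has a listener.
probe_would_reach() {
  case "$2" in
    *:*) case " $1 " in *" ipv6 "*) return 0 ;; esac ;;   # IPv6 literal such as ::1
    *)   case " $1 " in *" ipv4 "*) return 0 ;; esac ;;   # IPv4 literal such as 127.0.0.1
  esac
  return 1
}

# vpn_report PORT: live checks on the host; 1194 is the port used in the thread.
vpn_report() {
  port="${1:-1194}"
  echo "UDP $port bound on: $(netstat -anu | udp_bind_families "$port")"
  echo "tun interfaces: $(ip -o link show | grep -cE '^[0-9]+: tun[0-9]+')"
  echo "net.ipv4.ip_forward: $(sysctl -n net.ipv4.ip_forward)"
  systemctl list-units --all --no-legend 'openvpn*'   # templated units match too
}
```

Source the file and run `vpn_report 1194` as root on the PBX; probing with an explicit `127.0.0.1` instead of `localhost` avoids the IPv6 mismatch.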
