# Requesting help with Ramnode OpenVZ OpenVPN Blocked ports



## Mixxer (Jan 2, 2015)

I wanted to get a vpn for protection so I bought an OpenVZ VPS on ramnode.com for a decent price.

I went ahead and setup a simple vpn to test for use on my webserver / gameserver and it browses the web and speed tests just fine.

I used this guide here

http://yaui.me/how-to-set-up-openvpn-in-30-seconds-or-less/

Now my only issue is routing inbound requests to the server to the vpn container. I believe this takes some fenagaling with the IPtables and I tried out the short version of the local guru's post wlanboy to no avail.

The issue im having is with understanding the iptable strings there. Every guide has their subnet as 10.0.0.8/24 or something like that and I tried that and tried changing them to what my openvpn server has actually setup and it wont work.

Is there some simple cookie cutter way to set this up so I can get it working? Any help will be much appreciated!

oh and HAPPY NEW YEAR!


----------



## wlanboy (Jan 2, 2015)

So how do your iptabele rules look like?


----------



## Mixxer (Jan 2, 2015)

Update:

So I tried again but this time actually making an iptables script. But all I did was copy and paste this and edit the info then I did an sh /etc/init.d/iptables start

device="venet0" #// OpenVZ
yourexternalid="1.1.1.1" #// Change this value!
yourvpnsubnet="10.10.10.0/24" #// Change this value!
yourvpnport="1149" #//Change this value!

# allow OPENVPN and enable ip forwarding
iptables -A INPUT -i tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -j ACCEPT

iptables -A FORWARD -o $device -i tun0 -j ACCEPT
iptables -A FORWARD -o tun0 -i $device -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i $device -p udp --dport $yourvpnport -m state --state NEW -j ACCEPT
iptables -t nat -A POSTROUTING -s $yourvpnsubnet -j SNAT --to $yourexternalid

And it didnt work. I also tried by just manually entering the scripts one at a time correctly edited ofcourse and it didnt work.

I really hope someone knows a simple stupid method for this with OpenVZ because I really don't want to upgrade to a KVM just to get this working.


----------



## Mixxer (Jan 2, 2015)

Here is the actual version (ofc 1.1.1.1 is changed to the real ip in the real one..)


device="venet0" #// OpenVZ
yourexternalid="1.1.1.1" #// Change this value!
yourvpnsubnet="172.27.210.0/24" #// Change this value!
yourvpnport="1194" #//Change this value!

    # allow OPENVPN and enable ip forwarding
    iptables -A INPUT -i tun0 -j ACCEPT
    iptables -A FORWARD -i tun0 -j ACCEPT

    iptables -A FORWARD -o $device -i tun0 -j ACCEPT
    iptables -A FORWARD -o tun0 -i $device -m state --state RELATED,ESTABLISHED$
    iptables -A INPUT -i $device -p udp --dport $yourvpnport -m state --state N$
    iptables -t nat -A POSTROUTING -s $yourvpnsubnet -j SNAT --to $yourexternal$


----------



## wlanboy (Jan 2, 2015)

First check if IP forwarding is enabled:


cat /proc/sys/net/ipv4/ip_forward


The script you run is just for Internet access over openvpn.


To forward ports from the openvpn server to the openvpn client you need something like that:


iptables -A FORWARD -d 1.1.1.1 -i $device -p tcp -m tcp --dport 3389 -j ACCEPT


iptables -t nat -A PREROUTING -d 1.1.1.1 -p tcp -m tcp --dport 3389 -j DNAT --to-destination ip-of-openvpn-client


iptables -t nat -A POSTROUTING -o $device -j MASQUERADE


----------



## Mixxer (Jan 2, 2015)

Thankfully i setup a static IP for just this reason. These strings got me closer but no cigar. I am able to see the rules in the iptables -L now which made me relieved. But its not working 100%. Now when I try to reach it at that port it doesnt say it is closed and refuses the connection. It actually spins there and attempts to get thru but cant. So we are almost in there!

I read one thing about MASQARADE on ramnodes faqs and it stated
The MASQUERADE module is not supported by OpenVZ. Instead, please use SNAT.

So after getting errors with MASQUERADE I switched to SNAT and it then told me it req a --to-source

So I tried to use the external IP, then the vpn client ip and it did not work. Stuck here

Now question here tho. I currently use a free VPN like frootvpn. It uses openvpn files and a user/login. Now whenever I use that free VPN there is NEVER any issues with ports. I dont have to set anything, and Im pretty sure they have all ports accessible to the VPN container setup somehow. Couldnt I simply do that here? I dont mind setting up ports tho if there isnt a way...


----------



## wlanboy (Jan 2, 2015)

The SNAT line would be:

iptables -t nat -A POSTROUTING -s $yourvpnsubnet -j SNAT --to $yourexternalid

There is an iptables howto available:


----------



## Mixxer (Jan 2, 2015)

That did not work  same issue as before. Keeps saying server is behind a router.

Just to clarify yourexternalid is the outside internet ip of the vpn correct?


----------



## wlanboy (Jan 2, 2015)

Mixxer said:


> Just to clarify yourexternalid is the outside internet ip of the vpn correct?


Yes - one of the parameters defined above.

What game server do you try to hide?

What udp/tcp ports does the game server use?

Did you try the webserver (easier) first?

Did you run "sysctl -w net.ipv4.ip_forward=1" before?


----------



## Mixxer (Jan 2, 2015)

I am testing this using REAL VNC atm. Firewalls all off with proper port forwarding. Have tested it and confirmed functionality using FrootVPN and the Real IP. All connects working. But not with the ramnode vpn.

Im running a Starwars Galaxies Server and it uses a range of ports. But besides that. I could care less about that atm because if a simple VNC wont work then that def wont. Im not going to edit IP in SQL then restart the game server which takes 5 min each time... too much time...hence why im testing with VNC.

I ran sysctl -w net.ipv4.ip_forward=1 and before have many times verified that it is set to 1. Ramnode actually sets this up preconfigured when you reinstall via Solus VM.

So what can I do from here?


----------

