
Extension MASQUERADE revision 0 not supported #23

Open
Wiley-WL opened this issue May 5, 2024 · 4 comments
Labels
help wanted Extra attention is needed

Comments


Wiley-WL commented May 5, 2024

Hello, anyone know what went wrong?
Container logs:

```
Configuring iptables...
NAT for OpenVPN clients
Warning: Extension MASQUERADE revision 0 not supported, missing kernel module?
iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument
```

@d3vilh d3vilh self-assigned this May 5, 2024
Owner

d3vilh commented May 5, 2024

Hi @Wiley-WL
I'm having déjà vu now.
What Linux distribution do you use?
Could you share these outputs as well:

  • `uname -a`
  • `sysctl -p /etc/sysctl.conf`
  • `lsmod | grep -E "nf_nat|nf_conntrack|nf_conntrack_netlink"`
  • `iptables --version`
  • `sudo apt list --installed | grep -i ipt`
  • `docker logs openvpn`

The fast fix is to apply `echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf` on your host server and restart it; otherwise, let's debug it with the requested logs above.

10x!

@d3vilh d3vilh added the help wanted Extra attention is needed label May 5, 2024
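The checklist above boils down to a few yes/no questions about the host: is forwarding on, are the conntrack/NAT modules present, which iptables backend is in use, and is there actually a MASQUERADE rule for the VPN subnet. The following is an added example (not code from this repository or from either participant) that answers those questions from captured command output so the same check can be run against saved logs or live output. The function names and the sample outputs are constructed for the example; reading the rule from `iptables -t nat -S POSTROUTING` is my assumption about where the MASQUERADE rule lives, not something the thread asked for.

```python
import re

# Constructed samples (not real output from this issue): a host that is missing
# two of the prerequisites, and one that has all of them.
SAMPLE_SYSCTL_BAD = "net.ipv4.ip_forward = 0\n"
SAMPLE_LSMOD_BAD = "Module                  Size  Used by\nnf_conntrack          172032  0\n"
SAMPLE_VERSION = "iptables v1.8.10 (nf_tables)\n"
SAMPLE_NAT_BAD = "-P POSTROUTING ACCEPT\n"

SAMPLE_SYSCTL_OK = "net.ipv4.ip_forward = 1\n"
SAMPLE_LSMOD_OK = ("Module                  Size  Used by\n"
                   "nf_nat                  57344  1\n"
                   "nf_conntrack          172032  1 nf_nat\n")
SAMPLE_NAT_OK = ("-P POSTROUTING ACCEPT\n"
                 "-A POSTROUTING -s 10.0.70.0/24 -o eth0 -j MASQUERADE\n")


def check_ip_forward(sysctl_out: str) -> bool:
    """True when `sysctl net.ipv4.ip_forward` output reports the value 1."""
    m = re.search(r"net\.ipv4\.ip_forward\s*=\s*(\d)", sysctl_out)
    return bool(m) and m.group(1) == "1"


def loaded_modules(lsmod_out: str) -> set:
    """Module names from `lsmod` output (first column, header line skipped).
    Caveat: a module compiled into the kernel never appears here."""
    return {line.split()[0] for line in lsmod_out.splitlines()[1:] if line.split()}


def iptables_backend(version_out: str):
    """'nf_tables' or 'legacy' as printed by `iptables --version`, else None."""
    m = re.search(r"\((nf_tables|legacy)\)", version_out)
    return m.group(1) if m else None


def masquerade_sources(nat_rules_out: str) -> list:
    """Source prefixes of MASQUERADE rules in `iptables -t nat -S POSTROUTING` output.
    A rule without -s matches every source, reported here as 0.0.0.0/0."""
    sources = []
    for line in nat_rules_out.splitlines():
        if "-j MASQUERADE" in line:
            m = re.search(r"-s\s+(\S+)", line)
            sources.append(m.group(1) if m else "0.0.0.0/0")
    return sources


def nat_report(sysctl_out, lsmod_out, version_out, nat_rules_out, vpn_subnet) -> list:
    """Return human-readable findings; an empty list means every prerequisite holds."""
    findings = []
    if not check_ip_forward(sysctl_out):
        findings.append("ip_forward is not 1: echo 'net.ipv4.ip_forward=1' "
                        ">> /etc/sysctl.conf && sysctl -p")
    modules = loaded_modules(lsmod_out)
    for needed in ("nf_conntrack", "nf_nat"):
        if needed not in modules:
            findings.append(f"kernel module {needed} not listed by lsmod "
                            f"(try: modprobe {needed}; built-in modules are not listed)")
    if iptables_backend(version_out) is None:
        findings.append("could not tell the iptables backend from --version output")
    if vpn_subnet not in masquerade_sources(nat_rules_out):
        findings.append(f"no POSTROUTING MASQUERADE rule with -s {vpn_subnet}")
    return findings


if __name__ == "__main__":
    for label, args in (("bad host", (SAMPLE_SYSCTL_BAD, SAMPLE_LSMOD_BAD, SAMPLE_VERSION,
                                      SAMPLE_NAT_BAD, "10.0.70.0/24")),
                        ("good host", (SAMPLE_SYSCTL_OK, SAMPLE_LSMOD_OK, SAMPLE_VERSION,
                                       SAMPLE_NAT_OK, "10.0.70.0/24"))):
        print(label, "->", nat_report(*args) or ["all NAT prerequisites present"])
```

On a real host the four inputs come from `sysctl net.ipv4.ip_forward`, `lsmod`, `iptables --version` and `iptables -t nat -S POSTROUTING`; the checks are kept pure so they can also be run over output pasted into an issue like this one.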
Author

Wiley-WL commented May 6, 2024

Thank you, I feel like I'm almost successful, but I've run into new issues.

```
# Warning: iptables-legacy tables present, use iptables-legacy to see them
0 0 DROP 1 -- * * 10.0.71.0/24 0.0.0.0/0 icmptype 8
0 0 DROP 1 -- * * 10.0.71.0/24 0.0.0.0/0 icmptype 0
0 0 DROP 0 -- * * 10.0.71.0/24 192.168.88.0/24
Start openvpn process...
```

OpenVPN server log:

```
2024-05-06 09:03:00 WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
Options error: --cert fails with 'pki/issued/server.crt': No such file or directory (errno=2)
2024-05-06 09:03:00 WARNING: cannot stat file 'pki/private/server.key': No such file or directory (errno=2)
Options error: --key fails with 'pki/private/server.key': No such file or directory (errno=2)
Options error: Please correct these errors.
Use --help for more information.
```

I want to know how to get the crt and key of the server.

Owner

d3vilh commented May 6, 2024

It seems like the server can't find your PKI environment.

You could re-create it from scratch (beware: all your certificates will be deleted) if this is not an active PKI in a production environment.

This can be done easily from the OpenVPN-UI Configuration > Maintenance menu. Just delete the PKI and create it again :)

EDIT: The first WARNING we can ignore; management is used inside the internal Docker subnet.

Author

Wiley-WL commented May 8, 2024

After the server successfully authenticated, I couldn't access the internet or my home network, and the data flow in the Docker container stopped. I don't know where the problem is.

Container:

```
3ab7782f018a:/opt/app# ip route show
default via 172.29.0.1 dev eth0
10.0.70.0/24 dev tun0 proto kernel scope link src 10.0.70.1
10.0.71.0/24 via 10.0.70.2 dev tun0
172.29.0.0/16 dev eth0 proto kernel scope link src 172.29.0.2
3ab7782f018a:/opt/app# iptables -L -v
Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 4836 packets, 305K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE all  --  any    eth0    10.0.70.0/24         anywhere
    0     0 MASQUERADE all  --  any    eth0    10.0.71.0/24         anywhere
    0     0 DROP       icmp --  any    any     10.0.71.0/24         anywhere             icmp echo-request
    0     0 DROP       icmp --  any    any     10.0.71.0/24         anywhere             icmp echo-reply
    0     0 DROP       all  --  any    any     10.0.71.0/24         192.168.31.0/24

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
3ab7782f018a:/opt/app# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
```

Client terminal:

```
:/ $ ping 172.29.0.2
PING 172.29.0.2 (172.29.0.2) 56(84) bytes of data.
64 bytes from 172.29.0.2: icmp_seq=1 ttl=64 time=105 ms
64 bytes from 172.29.0.2: icmp_seq=2 ttl=64 time=277 ms
64 bytes from 172.29.0.2: icmp_seq=3 ttl=64 time=103 ms
^C

:/ $ ping 10.0.70.1
PING 10.0.70.1 (10.0.70.1) 56(84) bytes of data.
64 bytes from 10.0.70.1: icmp_seq=1 ttl=64 time=163 ms
64 bytes from 10.0.70.1: icmp_seq=2 ttl=64 time=122 ms
64 bytes from 10.0.70.1: icmp_seq=3 ttl=64 time=218 ms
64 bytes from 10.0.70.1: icmp_seq=4 ttl=64 time=36.5 ms
^C

:/ $ ping 172.29.0.1
PING 172.29.0.1 (172.29.0.1) 56(84) bytes of data.
^C
--- 172.29.0.1 ping statistics ---
21 packets transmitted, 0 received, 100% packet loss, time 20430ms
```
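The two pings that succeed above are answered by the container itself (its tun0 and eth0 addresses, so they never traverse the FORWARD chain), while the one that fails has to be forwarded and NATed. The following is an added example, not code from this repository or from either participant, that reasons about exactly that forwarded path from the listing posted above: it does a longest-prefix route lookup to find the egress interface, then asks whether a MASQUERADE rule covers that source on that interface and what verdict the FORWARD chain would give. The routing and rule lines are copied from the post and embedded as constants so it runs offline; the function names are my own, and the parser assumes the `iptables -L -v` column layout shown in this listing (pkts bytes target prot opt in out source destination, followed by match extras such as `icmp echo-request`).

```python
import ipaddress

# Constructed from the `ip route show` and `iptables -L -v` output posted above.
ROUTE_OUTPUT = """\
default via 172.29.0.1 dev eth0
10.0.70.0/24 dev tun0 proto kernel scope link src 10.0.70.1
10.0.71.0/24 via 10.0.70.2 dev tun0
172.29.0.0/16 dev eth0 proto kernel scope link src 172.29.0.2
"""

RULE_OUTPUT = """\
0 0 MASQUERADE all -- any eth0 10.0.70.0/24 anywhere
0 0 MASQUERADE all -- any eth0 10.0.71.0/24 anywhere
0 0 DROP icmp -- any any 10.0.71.0/24 anywhere icmp echo-request
0 0 DROP icmp -- any any 10.0.71.0/24 anywhere icmp echo-reply
0 0 DROP all -- any any 10.0.71.0/24 192.168.31.0/24
"""


def parse_routes(text):
    """Parse `ip route show` lines into (prefix, gateway, device) tuples."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        prefix = ipaddress.ip_network("0.0.0.0/0" if f[0] == "default" else f[0], strict=False)
        gateway = f[f.index("via") + 1] if "via" in f else None
        device = f[f.index("dev") + 1] if "dev" in f else None
        routes.append((prefix, gateway, device))
    return routes


def lookup_route(routes, dst):
    """Longest-prefix match, the same choice the kernel FIB makes for a destination."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway, device in routes:
        if ip in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, gateway, device)
    return best


def _net(field):
    """'anywhere' in -L output stands for 0.0.0.0/0."""
    return ipaddress.ip_network("0.0.0.0/0" if field == "anywhere" else field, strict=False)


def parse_rules(text):
    """Parse `iptables -L -v` rule lines: pkts bytes target prot opt in out src dst [extras]."""
    rules = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 9:
            continue
        rules.append({"target": f[2], "prot": f[3], "in": f[5], "out": f[6],
                      "src": _net(f[7]), "dst": _net(f[8]), "extra": " ".join(f[9:])})
    return rules


def forward_path(routes, rules, src, dst):
    """Egress interface/gateway for a forwarded packet, and whether a MASQUERADE
    rule on that egress interface covers its source."""
    route = lookup_route(routes, dst)
    if route is None:
        return {"egress": None, "gateway": None, "masqueraded": False}
    _, gateway, device = route
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    masqueraded = any(r["target"] == "MASQUERADE" and r["out"] in ("any", device)
                      and s in r["src"] and d in r["dst"] for r in rules)
    return {"egress": device, "gateway": gateway, "masqueraded": masqueraded}


def forward_verdict(rules, src, dst, proto="icmp", icmp_type="echo-request", policy="ACCEPT"):
    """First matching filter rule wins; otherwise the chain policy applies.
    MASQUERADE entries are NAT, not a filter verdict, so they are skipped here."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r["target"] == "MASQUERADE" or r["prot"] not in ("all", proto):
            continue
        if not (s in r["src"] and d in r["dst"]):
            continue
        if r["extra"].startswith("icmp ") and r["extra"].split()[1] != icmp_type:
            continue
        return r["target"]
    return policy


if __name__ == "__main__":
    routes, rules = parse_routes(ROUTE_OUTPUT), parse_rules(RULE_OUTPUT)
    for src, dst in (("10.0.70.5", "8.8.8.8"), ("10.0.70.5", "172.29.0.1"), ("10.0.71.5", "172.29.0.1")):
        print(f"{src} -> {dst}: {forward_path(routes, rules, src, dst)}, "
              f"FORWARD verdict {forward_verdict(rules, src, dst)}")
```

Run as-is it walks three constructed client-to-destination pairs; swap in a client's real tunnel address and the host being pinged to see which interface the packet leaves on, whether it is source-NATed, and whether the DROP rules for 10.0.71.0/24 in the listing apply to it.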
