System and Network configuration • Re: OpenVPN in Debian 12, does not ping the server.

Hello @reinob and @Aki, I liked and followed your suggestions about removing/disabling the firewall for troubleshooting....

So I stopped, disabled and uninstalled firewalld. Just to check that it wasn't that I did something wrong within the firewalld app, after removing firewalld from the system I installed the ufw firewall and opened the 1194 UDP port using ufw. But after running the openvpn instances I still couldn't ping the server from the client.

I stopped, disabled and removed ufw as well. So now I think I don't have any frontend firewall apps running, just the backend nftables. I know this via the command: sudo systemctl --type=service and among many other services I can see this line:

Code:

>>> sudo systemctl --type=service
  UNIT                          LOAD   ACTIVE SUB     DESCRIPTION
  nftables.service              loaded active exited  nftables
I also checked the service is enabled and running.

Code:

>>> sudo systemctl status nftables.service
● nftables.service - nftables
     Loaded: loaded (/lib/systemd/system/nftables.service; enabled; preset: ena>
     Active: active (exited) since Tue 2025-01-28 04:09:14 CET; 1h 44min ago
       Docs: man:nft(8)
             http://wiki.nftables.org
   Main PID: 318 (code=exited, status=0/SUCCESS)
        CPU: 16ms

I rebooted the system just in case, and the firewall frontends ufw or firewalld are still disabled and nftables loaded. I guess I don't need to turn off nftables since now the rule sets are kept to a minimum, but please, tell me if I should do something to completely remove any firewall rules.

I'm providing here some info of how the server is at the moment. Note that Debian 12 comes with nftables by default, I've never used or tried to install iptables.

Code:

>>> sudo nft list ruleset
table inet filter {
	chain input {
		type filter hook input priority filter; policy accept;
	}
	chain forward {
		type filter hook forward priority filter; policy accept;
	}
	chain output {
		type filter hook output priority filter; policy accept;
	}
}
Note that the above command, "sudo nft list ruleset", used to show a much longer list of rules (you can see that in one of my previous messages).

Code:

>>> sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
(I read that although I can use iptables command, it is just kept as a wrapper for nftables).

One interesting thing I noticed is that, apart from not being able to ping the server from the client when the openvpn tunnel is running (ping 10.9.8.1 from the client), I cannot ping any other sites either, and this is strange since I remember I had no problem pinging in the past.
So I cannot ping "gugle", debian.forums, etc., or my own public ip. Here are the outputs of the ping command showing 100% packet loss:

Code:

>>> ping -c 5 wiki.debian.org
PING wilder.debian.org (82.195.75.112) 56(84) bytes of data.

--- wilder.debian.org ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4094ms

>>> ping -c 5 forums.debian.net
PING forums.debian.net (159.69.48.177) 56(84) bytes of data.

--- forums.debian.net ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4073ms

>>> ping -c 5 xxx.xxx.xxx.xxx ##(public ip of server)
PING xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx) 56(84) bytes of data.

--- xxx.xxx.xxx.xxx ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4073ms
The only thing that works is to ping localhost (127.0.0.1):

Code:

>>> ping -c 5 localhost
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.038 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.029 ms
64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.037 ms
64 bytes from 127.0.0.1: icmp_seq=4 ttl=64 time=0.033 ms
64 bytes from 127.0.0.1: icmp_seq=5 ttl=64 time=0.059 ms

--- 127.0.0.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4097ms
rtt min/avg/max/mdev = 0.029/0.039/0.059/0.010 ms
Although I cannot ping external sites, I can nmap:

Code:

nmap -sT forums.debian.net
Starting Nmap 7.93 ( https://nmap.org ) at 2025-01-28 06:37 CET
Nmap scan report for forums.debian.net (159.69.48.177)
Host is up (0.081s latency).
Other addresses for forums.debian.net (not scanned): 2a01:4f8:1c17:7bb3::1
Not shown: 994 closed tcp ports (conn-refused)
PORT    STATE SERVICE
25/tcp  open  smtp
80/tcp  open  http
143/tcp open  imap
443/tcp open  https
587/tcp open  submission
993/tcp open  imaps

Nmap done: 1 IP address (1 host up) scanned in 2.71 seconds

I haven't opened ports through any firewall rules in the server yet. When I am not running any openvpn instances, port 1194 udp is closed:

Code:

>>> nc -zv -u 127.0.0.1 1194
localhost [127.0.0.1] 1194 (openvpn) : Connection refused
But if I run an openvpn instance from the server, the port appears open with that nc command:

Code:

>>> nc -zv -u 127.0.0.1 1194
localhost [127.0.0.1] 1194 (openvpn) open
If I use the nmap command to check the 1194 port when openvpn is not running, that port doesn't show, only 123/udp and 5353/udp:

Code:

>>> sudo nmap -sU localhost
Starting Nmap 7.93 ( https://nmap.org ) at 2025-01-28 06:22 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000060s latency).
Other addresses for localhost (not scanned): ::1
Not shown: 998 closed udp ports (port-unreach)
PORT     STATE         SERVICE
123/udp  open          ntp
5353/udp open|filtered zeroconf

Nmap done: 1 IP address (1 host up) scanned in 1.36 seconds
And when I run openvpn, the output of nmap is exactly the same as before, no 1194 port appears.

The "ss -tuln" command yields a similar output to the "nc" command commented above. It only shows the 1194 port when openvpn is running. To sum up the output I only showed two lines; the remaining lines were replaced by [...].

Code:

Netid  State   Recv-Q  Send-Q         Local Address:Port    Peer Address:Port Process
[...]
udp    UNCONN  0       0                    0.0.0.0:1194         0.0.0.0:*
[...]
tcp    LISTEN  0       80                 127.0.0.1:3316         0.0.0.0:*
[...]
Finally I have just checked that if I connect my server PC to the internet using my mobile data (using the android option 'personal hotspot') I can ping any external sites normally. I got "5 packets transmitted, 5 received, 0% packet loss, time 4006ms".

So from this, should I suppose the problem is in my router? (I didn't change the last router configuration, still keeping the port forwarding setting as I commented earlier, showing a screenshot).

I've installed firewalld again to check if after the firewall 'cleaning' anything had changed:

Code:

>>> sudo apt install firewalld
Checked that it is enabled and running:

Code:

>>> sudo systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
     Loaded: loaded (/lib/systemd/system/firewalld.service; enabled; preset: enabled)
     Active: active (running) since Tue 2025-01-28 06:52:13 CET; 3min 7s ago
       Docs: man:firewalld(1)
   Main PID: 17447 (firewalld)
      Tasks: 2 (limit: 55255)
     Memory: 28.7M
        CPU: 643ms
     CGroup: /system.slice/firewalld.service
             └─17447 /usr/bin/python3 /usr/sbin/firewalld --nofork --nopid
I opened the 1194 port again (but it wasn't necessary since it seems it keeps the old rules somewhere). And now nftables has the long list of rules again.

I still can't ping external sites or the server (ping 10.9.8.1 from the client).

Please, I would appreciate further suggestions to try to debug this connectivity issue.

Statistics: Posted by anndreih — 2025-01-28 06:06
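The post above reads "Connection refused" versus "open" from nc -zv -u as evidence about port 1194, so it is worth seeing what a UDP probe can and cannot tell you. The following is an added example, not code from the forum thread or from nc, nmap or OpenVPN. It reproduces the decision a UDP prober has to make on Linux loopback: an ICMP "port unreachable" comes back as ECONNREFUSED on a connected UDP socket (nothing bound), a reply datagram means something answered, and silence until the timeout means the port is bound but quiet, or filtered. A service like OpenVPN that ignores an empty datagram lands in the last bucket, so nc's "open" for 1194/udp only shows the kernel accepted the packet, not that the tunnel is usable. The three listeners, port numbers and timeout are constructed for the demo (the assumption is Linux ICMP-error delivery semantics).

```python
import socket
import threading


def probe_udp(host, port, timeout=1.0, payload=b""):
    """Classify host:port over UDP the way a zero-I/O prober (nc -zv -u) must.

    Returns 'closed' (ICMP port unreachable), 'open' (a datagram came back)
    or 'open|filtered' (no answer before the timeout).
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        # connect() on a UDP socket makes the kernel report ICMP errors
        # for this destination as ECONNREFUSED on the next send/recv.
        s.connect((host, port))
        try:
            s.send(payload)
            s.recv(1)
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "open|filtered"
        return "open"


def start_silent_listener():
    """Bind a loopback UDP socket that never replies (an idle OpenVPN behaves like this)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))          # port 0: kernel picks a free port
    return s


def start_echo_listener():
    """Bind a loopback UDP socket that answers exactly one datagram, then closes."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))

    def serve():
        data, peer = s.recvfrom(65535)
        s.sendto(data or b"ack", peer)
        s.close()

    threading.Thread(target=serve, daemon=True).start()
    return s


def find_closed_port():
    """Bind and immediately release a port so that nothing is listening on it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Probe the three cases on loopback and return {case: verdict}."""
    silent = start_silent_listener()
    echo = start_echo_listener()
    results = {
        "silent listener": probe_udp("127.0.0.1", silent.getsockname()[1]),
        "echo listener": probe_udp("127.0.0.1", echo.getsockname()[1], payload=b"hello"),
        "nothing bound": probe_udp("127.0.0.1", find_closed_port()),
    }
    silent.close()
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:16s} -> {verdict}")
```

The practical reading for the thread: "Connection refused" from nc does prove nothing is bound on 1194/udp, but "open" after starting OpenVPN is the silent-listener case and says nothing about whether packets from the client ever reach the daemon; ss -tuln on the server and the OpenVPN log are the checks that distinguish those.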