
Sysadmin csf problem with vpnserver

Discussion in 'System Administration' started by EckyBrazzz, Nov 2, 2019.

  1. EckyBrazzz

    EckyBrazzz Active Member

    On some servers I have had csf -x for a long time because it is getting in the way of a VPN.

    I can select whatever port number to change the default to another, but if I have csf up and running I can't connect.

    Some outputs:


    Code (Text):
    csf -p | grep vpnserver
    992/tcp    -/-  -     (1791/root)          /usr/local/vpnserver/vpnserver execsvc  /usr/local/vpnserver/vpnserver
    1194/tcp   4/6  -     (1791/root)          /usr/local/vpnserver/vpnserver execsvc  /usr/local/vpnserver/vpnserver
    1195/tcp   -/-  -     (1791/root)          /usr/local/vpnserver/vpnserver execsvc  /usr/local/vpnserver/vpnserver
    5555/tcp   -/-  1     (1791/root)          /usr/local/vpnserver/vpnserver execsvc  /usr/local/vpnserver/vpnserver
    500/udp    -/-  -     (1791/root)          /usr/local/vpnserver/vpnserver execsvc  /usr/local/vpnserver/vpnserver
    1194/udp   4/-  -     (1791/root)          /usr/local/vpnserver/vpnserver execsvc  /usr/local/vpnserver/vpnserver
    2659/udp   -/-  -     (1791/root)          /usr/local/vpnserver/vpnserver execsvc  /usr/local/vpnserver/vpnserver
    4500/udp   -/-  -     (1791/root)          /usr/local/vpnserver/vpnserver execsvc  /usr/local/vpnserver/vpnserver
    55363/udp  -/-  -     (1790/root)          /usr/local/vpnserver/vpnserver execsvc  /usr/local/vpnserver/vpnserver
    55363/udp  -/-  -     (1791/root)          /usr/local/vpnserver/vpnserver execsvc  /usr/local/vpnserver/vpnserver
    57525/udp  -/-  -     (1791/root)          /usr/local/vpnserver/vpnserver execsvc  /usr/local/vpnserver/vpnserver
    61862/udp  -/-  -     (1791/root)          /usr/local/vpnserver/vpnserver execsvc  /usr/local/vpnserver/vpnserver
    

    And
    Code (Text):
    ss -nlput | grep 1194
    udp    UNCONN     0      0      127.0.0.1:1194                  *:*                   users:(("vpnserver",pid=1791,fd=65))
    udp    UNCONN     0      0      111.222.333.444:1194                  *:*                   users:(("vpnserver",pid=1791,fd=64))
    udp    UNCONN     0      0      10.2.0.113:1194                  *:*                   users:(("vpnserver",pid=1791,fd=61))
    udp    UNCONN     0      0         [::1]:1194               [::]:*                   users:(("vpnserver",pid=1791,fd=70))
    udp    UNCONN     0      0      [fe80::41c:cff:xxxx:e1ed]%eth1:1194               [::]:*                   users:(("vpnserver",pid=1791,fd=69))
    udp    UNCONN     0      0      [fe80::41c:cff:sxxxx:42da]%eth0:1194               [::]:*                   users:(("vpnserver",pid=1791,fd=68))
    udp    UNCONN     0      0      [fe80::41c:cff:xxxx:3aac]%eth2:1194               [::]:*                   users:(("vpnserver",pid=1791,fd=67))
    udp    UNCONN     0      0        [2a04:3541:1000:500:41c:cff:fe04:3aac]:1194               [::]:*                   users:(("vpnserver",pid=1791,fd=66))
    tcp    LISTEN     0      128       *:1194                  *:*                   users:(("vpnserver",pid=1791,fd=40))
    tcp    LISTEN     0      128    [::]:1194               [::]:*                   users:(("vpnserver",pid=1791,fd=41))
    


    This is driving me a little crazy.

    Nothing seems to work, nobody has a clear solution (nor our friend Google).
     
  2. eva2000

    eva2000 Administrator Staff Member

    Centmin Mod is provided as is, so short of script related bugs or issues, any further optimisation to the web stack components - nginx, php-fpm, mariadb mysql, csf firewall etc or web app specific configurations are left to the Centmin Mod user to deal with. So I do not provide any free support for VPN setups.

    However, Centmin Mod users are free to help each other out and ask questions or give answers on this community forum. My hopes are that this community forum evolves so that more veteran long time Centmin Mod users help new Centmin Mod users out :)

    With that said, what VPS type ? Xen, KVM or OpenVZ ? What type of VPN ? Wireguard ? OpenVPN ?

    CSF Firewall would interfere, and there are different steps in the iptables/csf config to get it to work for Xen/KVM vs OpenVZ. These involve adding OpenVZ iptables rules to a manually created file at /etc/csf/csfpre.sh, with iptables-specific rules for OpenVZ to work, and then running chmod +x on that file.

    For specific VPN iptables rules, you can place them in a /etc/csf/csfpre.sh file you create yourself or, if you have already created one, append/modify as needed. /etc/csf/csfpre.sh loads whatever iptables rules it contains before CSF Firewall's iptables rules.

    Then make sure /etc/csf/csfpre.sh is executable
    Code (Text):
    chmod +x /etc/csf/csfpre.sh

    Then restart CSF firewall
    Code (Text):
    service csf restart

    or
    Code (Text):
    csf -r

    Unfortunately, I don't really provide support for stuff like OpenVZ. If you plan to use a VPN, use KVM instead of OpenVZ.
     
  3. eva2000

    eva2000 Administrator Staff Member

    Have you whitelisted the VPN's TCP/UDP IN/OUT ports in CSF Firewall's /etc/csf/csf.conf?
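
Added example, not part of either post and not Centmin Mod or CSF code: it reads `csf -p` rows like the ones in the first post, reports which vpnserver listeners CSF shows as not open, and prints matching ACCEPT lines for the /etc/csf/csfpre.sh approach described above. It assumes the second column of `csf -p` is the Open flag (`4` = open for IPv4, `6` = open for IPv6, `-` = closed); the function names `closed_listeners` and `csfpre_rules` are hypothetical.

```shell
#!/bin/sh
# Constructed sample: three rows copied from the `csf -p` output in the first post.
SAMPLE='1194/tcp   4/6  -     (1791/root)          /usr/local/vpnserver/vpnserver execsvc  /usr/local/vpnserver/vpnserver
1194/udp   4/-  -     (1791/root)          /usr/local/vpnserver/vpnserver execsvc  /usr/local/vpnserver/vpnserver
4500/udp   -/-  -     (1791/root)          /usr/local/vpnserver/vpnserver execsvc  /usr/local/vpnserver/vpnserver'

# closed_listeners NAME: read `csf -p` rows on stdin and print "port proto family"
# for every listener of NAME whose Open column (assumed meaning, see lead-in)
# shows "-" for that address family.
closed_listeners() {
    awk -v name="$1" '
        index($0, name) && $1 ~ /^[0-9]+\/(tcp|udp)$/ {
            if (seen[$1]++) next              # same port listed once per PID
            split($1, pp, "/"); split($2, fl, "/")
            if (fl[1] != "4") print pp[1], pp[2], "ipv4"
            if (fl[2] != "6") print pp[1], pp[2], "ipv6"
        }'
}

# csfpre_rules "PORT/PROTO ...": keep only the closed listeners that are on the
# given allow-list and print one ACCEPT rule per entry for /etc/csf/csfpre.sh.
csfpre_rules() {
    allow=" $1 "
    while read -r port proto fam; do
        case "$allow" in *" $port/$proto "*) ;; *) continue ;; esac
        case "$fam" in
            ipv4) bin=iptables ;;
            ipv6) bin=ip6tables ;;
            *) continue ;;
        esac
        echo "$bin -A INPUT -p $proto --dport $port -j ACCEPT"
    done
}

# Stand-alone run on the sample; on a server, pipe real `csf -p` output instead.
printf '%s\n' "$SAMPLE" | closed_listeners vpnserver | csfpre_rules "1194/udp 4500/udp"
```

Rules placed in csfpre.sh sit ahead of CSF's own rules, so keep the allow-list to the ports the VPN clients actually use rather than every port the daemon has open.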
     
  4. EckyBrazzz

    EckyBrazzz Active Member

    I tried the above, but it won't work. Some person at the forum told me it's csf and found a solution, but he did not post it. And yes, I whitelisted the ports.

    Guess it was removed csf.

    VPS?? When a client calls/mails us to provide service, and they have a VPS, we don't accept an order like that. Even if they have a cloud provider (low budget) we tell them it is better to spend the money elsewhere than spend it at our company and save several $$$ for our services. Most of the time they buy a service from us that we support.