Allowing access to my server's ports when the server is connected to OpenVPN (Ubuntu Server 18.10)
I've recently installed Ubuntu Server 18.10, and would like to open some ports (i.e. SSH, HTTP) to be accessible to the public. However, because of my ISP's constraints (my ISP is on a CGNAT and will not allow me to open ports), I'm connecting the Ubuntu server to a VPN that allows me to forward ports to my local machine via OpenVPN.

I am already able to connect properly to the OpenVPN server, and my VPN already allows port forwarding and has already forwarded the ports from the VPN. I can also ping the Ubuntu Server using my VPN's public IP address. However, I couldn't connect to my Ubuntu Server's ports (22/80) despite forwarding the ports on my VPN server.

Is there something I need to do on my Ubuntu Server to make it work? I'm trying to understand both iptables and ufw, and tried several topics around the Internet, but I couldn't seem to make it work. I'm not a network guy so I hope you could guide me how to set up ufw and/or iptables to allow my Ubuntu Server's ports to be accessible to my VPN's public IP.

Hope someone could help me out. Thanks!

Here's the output of my ufw status, iptables, and ifconfig for reference:

ufw status

$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To Action From
-- ------ ----
22 ALLOW IN Anywhere
80 ALLOW IN Anywhere
22 (v6) ALLOW IN Anywhere (v6)
80 (v6) ALLOW IN Anywhere (v6)

iptables

$ sudo iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
KUBE-FIREWALL all -- anywhere anywhere
KUBE-NODEPORT-NON-LOCAL all -- anywhere anywhere /* Ensure that non-local NodePort traffic can flow */
ufw-before-logging-input all -- anywhere anywhere
ufw-before-input all -- anywhere anywhere
ufw-after-input all -- anywhere anywhere
ufw-after-logging-input all -- anywhere anywhere
ufw-reject-input all -- anywhere anywhere
ufw-track-input all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ufw-before-logging-forward all -- anywhere anywhere
ufw-before-forward all -- anywhere anywhere
ufw-after-forward all -- anywhere anywhere
ufw-after-logging-forward all -- anywhere anywhere
ufw-reject-forward all -- anywhere anywhere
ufw-track-forward all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
KUBE-FIREWALL all -- anywhere anywhere
ufw-before-logging-output all -- anywhere anywhere
ufw-before-output all -- anywhere anywhere
ufw-after-output all -- anywhere anywhere
ufw-after-logging-output all -- anywhere anywhere
ufw-reject-output all -- anywhere anywhere
ufw-track-output all -- anywhere anywhere

Chain DOCKER (1 references)
target prot opt source destination

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target prot opt source destination
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere

Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain KUBE-FIREWALL (2 references)
target prot opt source destination
DROP all -- anywhere anywhere /* kubernetes firewall for dropping marked packets */ mark match 0x8000/0x8000

Chain KUBE-NODEPORT-NON-LOCAL (1 references)
target prot opt source destination

Chain ufw-after-forward (1 references)
target prot opt source destination

Chain ufw-after-input (1 references)
target prot opt source destination
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-ns
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-dgm
ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:netbios-ssn
ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:microsoft-ds
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootps
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootpc
ufw-skip-to-policy-input all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
target prot opt source destination

Chain ufw-after-output (1 references)
target prot opt source destination

Chain ufw-before-forward (1 references)
target prot opt source destination

ifconfig

$ sudo ifconfig
docker0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 172.17.0.1 netmask 255.255.0.0 broadcast 172.17.255.255
ether 02:42:a9:b0:c9:f2 txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.254 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::20c:29ff:fee1:76a8 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:e1:76:a8 txqueuelen 1000 (Ethernet)
RX packets 86235 bytes 129085349 (129.0 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 21648 bytes 3799697 (3.7 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 20111 bytes 4496081 (4.4 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 20111 bytes 4496081 (4.4 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet xx.xx.xx.xx netmask xx.xx.xx.xx destination xx.xx.xx.xx
inet6 xx:xx:xx:xx:xx:xx prefixlen xx scopeid 0x20<link>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 85482 bytes 118463837 (118.4 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 21444 bytes 1207429 (1.2 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

netstat

$ netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 xx.xx.xx.xxx 128.0.0.0 UG 0 0 0 tun0
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 ens33
xx.xx.xx.xx 192.168.1.1 255.255.255.255 UGH 0 0 0 ens33
xx.xx.xx.xx 0.0.0.0 255.255.255.192 U 0 0 0 tun0
128.0.0.0 xx.xx.xx.xx 128.0.0.0 UG 0 0 0 tun0
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 ens33
Tags: server vpn iptables openvpn ufw
edited Feb 26 at 23:21 by Jacob Catayoc

asked Feb 23 at 16:41 by Jacob Catayoc
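As an added example (not code from the question or any answer), the following Python resolves the posted `netstat -rn` table the way the kernel does, by longest-prefix match, so you can see which interface a reply to a given client leaves on. The masked xx.xx.xx.xx entries are replaced with assumed placeholders (VPN endpoint 203.0.113.10, tunnel subnet 10.8.0.0/26, tunnel gateway 10.8.0.1); the paired 0.0.0.0/1 and 128.0.0.0/1 entries are the split default that OpenVPN's redirect-gateway def1 installs, which is why replies to any public client go out tun0 while the VPN server's own endpoint stays pinned to ens33.

```python
import ipaddress
from typing import List, NamedTuple, Optional

# Constructed sample modelled on the question's `netstat -rn` output.
# The masked xx.xx.xx.xx values are ASSUMED placeholders, not values
# from the question: the VPN server's public endpoint is 203.0.113.10
# and the tunnel subnet is 10.8.0.0/26 with peer gateway 10.8.0.1.
NETSTAT_RN = """\
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 10.8.0.1 128.0.0.0 UG 0 0 0 tun0
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 ens33
203.0.113.10 192.168.1.1 255.255.255.255 UGH 0 0 0 ens33
10.8.0.0 0.0.0.0 255.255.255.192 U 0 0 0 tun0
128.0.0.0 10.8.0.1 128.0.0.0 UG 0 0 0 tun0
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 ens33
"""


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: str   # "0.0.0.0" means directly connected (no gateway)
    iface: str


def parse_routes(text: str) -> List[Route]:
    """Parse Linux IPv4 `netstat -rn` output into Route entries.

    The two header lines are skipped; Destination and Genmask are
    combined into a network, so 0.0.0.0 / 128.0.0.0 becomes 0.0.0.0/1.
    """
    routes: List[Route] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8 or not fields[0][0].isdigit():
            continue  # "Kernel IP routing table" or the column header
        dest, gateway, genmask, iface = fields[0], fields[1], fields[2], fields[7]
        network = ipaddress.IPv4Network((dest, genmask), strict=False)
        routes.append(Route(network, gateway, iface))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, as the kernel FIB does. Metrics are ignored
    because this netstat output shows none, so prefix length decides."""
    addr = ipaddress.IPv4Address(dst)
    best: Optional[Route] = None
    for route in routes:
        if addr in route.network and (
            best is None or route.network.prefixlen > best.network.prefixlen
        ):
            best = route
    return best


def egress_iface(routes: List[Route], dst: str) -> str:
    """Interface a packet to `dst` leaves on ("" if unroutable)."""
    route = lookup(routes, dst)
    return route.iface if route else ""


def reply_is_symmetric(routes: List[Route], ingress: str, client: str) -> bool:
    """True when a reply to `client` leaves on the interface the request
    arrived on. An asymmetric path is a classic reason a port forwarded
    over a VPN tunnel never completes a TCP handshake: the SYN arrives on
    tun0 while the SYN-ACK would leave on ens33 (and with strict rp_filter
    the kernel drops the SYN on arrival)."""
    return egress_iface(routes, client) == ingress


if __name__ == "__main__":
    table = parse_routes(NETSTAT_RN)
    # 198.51.100.7 stands in for an arbitrary Internet client (constructed).
    for dst in ("198.51.100.7", "203.0.113.10", "192.168.1.50", "10.8.0.5"):
        route = lookup(table, dst)
        print(f"{dst:>14} -> {route.network!s:<18} via {route.gateway:<12} dev {route.iface}")
    print("reply to 198.51.100.7 symmetric on tun0:",
          reply_is_symmetric(table, "tun0", "198.51.100.7"))
```

When reply_is_symmetric() is True for a public client, as it is for this table, routing is not what blocks the forwarded ports, and the firewall chains in the question (ufw, DOCKER, KUBE-*) are the next place to look.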
  • I will try to help you. Please paste the output of the following commands: sudo ufw status verbose, sudo iptables -L, sudo ifconfig. Please do not paste the internet IP here :)

    – Alpy
    Feb 23 at 18:51

  • Thanks @Alpy. I'm updating my post so you can see the output.

    – Jacob Catayoc
    Feb 26 at 15:25

  • How does your routing table look? Please update the question with netstat -rn.

    – fugitive
    Feb 26 at 15:41

  • To eliminate any doubts, please run sudo ufw disable, try to access again, and afterwards enable it back with sudo ufw enable.

    – Alpy
    Feb 26 at 16:00

  • @Alpy, originally ufw was disabled, but it was not working back then either. I enabled ufw and allowed ports 22 and 80, but to no avail.

    – Jacob Catayoc
    Feb 26 at 23:19