Init-fence not working on OpenVPN appliance on AWS

[JedMeister]

It has been reported, and confirmed by me, that the web-page provided by the TurnKey init-fence is not serving on the OpenVPN appliance. I haven't yet tested others, so other apps may also be effected.

After some extensive investigations, it doesn't appear to be affecting anything else. After completeing the firstboot initialisation (i.e. inithooks) the default landing page (aka "control panel" aka web-cp) works fine. OpenVPN itself also appears to be working fine.

[JedMeister]

I have confirmed that this is still an issue on v16.0... Argh! 😢

[JedMeister]

Ok, so after having a bit of a play, it seems that the firewall rules (which should be applied by /etc/init.d/turnkey-init-fence are not being applied.

I.e.: with the service not running:

root@openvpn ~# iptables -S
-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N f2b-sshd
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 12320 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 12321 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A f2b-sshd -j RETURN

And with it running:

root@openvpn ~# iptables -S
-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N f2b-sshd
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 12320 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 12321 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A f2b-sshd -j RETURN

Having said that, if I stop the service, then the default (Lighty) site load fine. With the service running, nothing... So it's doing something, of some sort...

[JedMeister]

I've played with this one some more and still haven't been able to resolve it.

I can 100% confirm that the init-fence works as expected on all other appliances.

However it appears that it's the additional -A POSTROUTING -o eth0 -j MASQUERADE rule that the OpenVPN appliance has that is interfering with the function of the init-fence redirects?!

I've tried adjusting it to see if there is a way that we could disable that initially and re-enable it after the init-fence comes down, but I couldn't get it work (most likely my lack of knowledge re networking and iptables rather than something wrong with it).

Unless we can work out the issue and how to work around it without affecting the VPN functionality, I think that perhaps the best way to resolve this for OpenVPN appliance might be for the init-fence to function a little differently (and stop stunnel, openvpn & lighhtpd and host the init-fence html directly on ports 80/443)?!

[OnGle]

I think I might be the best person for this one. Moving to 17.0 for the time being but feel free to ping me if it remains unhandled.

[JedMeister]

@OnGle - I'm going to assign you! :)