Overview
Access Server automatically manages firewall and network address translation (NAT) rules using either iptables or nftables, depending on the Access Server version and system configuration.
Some organizations prefer to manage these rules manually. In those environments, you can turn off Access Server management of iptables or nftables and maintain the required firewall and routing rules yourself.
Important: We don't recommend turning off Access Server management of iptables or nftables unless you have experience managing them manually. After disabling firewall management, you're responsible for maintaining the rules required for VPN connectivity, routing, and NAT. Before you switch, capture the rules Access Server currently generates (for example with iptables-save) so you have a reference for the filter, NAT, and mangle entries you must now provide yourself.
Before you begin
Access Server 3.1.0 and newer uses nftables by default on new installations.
If your Access Server uses nftables, switch the firewall backend to iptables before continuing:
echo "xtables=iptables" >> /usr/local/openvpn_as/etc/as.conf && systemctl restart openvpnas
Turn off Access Server management of iptables
- Run the following commands:
sacli --key "iptables.vpn.disable.filter" --value "true" ConfigPut
sacli --key "iptables.vpn.disable.nat" --value "true" ConfigPut
sacli --key "iptables.vpn.disable.mangle" --value "true" ConfigPut
sacli start
- Restart Access Server:
service openvpnas restart
Known limitation
When Access Server management of iptables NAT rules is turned off, Access Server can't perform load balancing across multiple OpenVPN daemons.
As a result, your Access Server configuration is limited to:
- One TCP OpenVPN daemon
- One UDP OpenVPN daemon
If multiple TCP or UDP daemons are configured, Access Server may fail to start correctly.
Troubleshooting
If Access Server fails to start after disabling iptables management, you may see errors similar to:
"iptables_live": [
[
"error",
"cannot unpack non-iterable NoneType object: svc/svc:701,sagent/iptlive:66,sagent/iptlive:71,sagent/iptlive:102 (TypeError)"
]
],
"user": [
[
"error",
"'iptables_live': svc/svc:701,sagent/usersvc:1377,sagent/usersvc:1469 (KeyError)"
]
]
To restore service:
- Turn Access Server NAT management back on:
sacli --key "iptables.vpn.disable.nat" --value "false" ConfigPut
- Restart Access Server:
service openvpnas restart
- Configure a single TCP and UDP daemon:
sacli --key "vpn.server.daemon.tcp.n_daemons" --value "1" ConfigPut
sacli --key "vpn.server.daemon.udp.n_daemons" --value "1" ConfigPut
sacli start
- Turn off iptables NAT management again:
sacli --key "iptables.vpn.disable.nat" --value "true" ConfigPut
- Restart Access Server:
service openvpnas restart
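The script below is an added example, not part of this article and not OpenVPN's own tooling. It wraps the turn-off procedure from the section above and the recovery sequence from this section, and adds the pre-flight check that the known limitation calls for: it reads the active configuration, confirms that at most one TCP and one UDP daemon are configured, and only then sets the three iptables.vpn.disable.* keys. It assumes that sacli ConfigQuery prints the configuration as a pretty-printed JSON object of "key": "value" string pairs, one pair per line, and it treats an unset n_daemons key as a failure because it cannot vouch for the default. The sample configuration embedded in the script is constructed, not captured from a server; when sacli is not on PATH the script runs the check against that sample so it can be tried off-host.

```shell
#!/bin/sh
# Added example, not OpenVPN's own tooling. Pre-flight check plus the article's
# turn-off and recovery steps for Access Server iptables management.
# Assumption: `sacli ConfigQuery` prints the active config as a pretty-printed
# JSON object of "key": "value" string pairs, one pair per line.

# get_key CONFIG_JSON KEY: print the string value stored under KEY (empty if absent).
get_key() {
    # Escape the dots in the key so they match literally in the sed pattern.
    pat=$(printf '%s' "$2" | sed 's/\./\\./g')
    printf '%s\n' "$1" \
      | sed -n "s/^[[:space:]]*\"$pat\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" \
      | head -n 1
}

# check_daemon_limits CONFIG_JSON: return 0 when at most one TCP and one UDP
# OpenVPN daemon are configured (the limit once NAT management is off), else 1.
# A missing key is reported as a failure: the script cannot vouch for the default.
check_daemon_limits() {
    rc=0
    for key in vpn.server.daemon.tcp.n_daemons vpn.server.daemon.udp.n_daemons; do
        n=$(get_key "$1" "$key")
        case "$n" in
            '')       echo "$key: not set; confirm the daemon count before continuing" >&2; rc=1 ;;
            *[!0-9]*) echo "$key: unexpected value '$n'" >&2; rc=1 ;;
            *)        if [ "$n" -gt 1 ]; then
                          echo "$key=$n: only one daemon per protocol works with NAT management off" >&2
                          rc=1
                      fi ;;
        esac
    done
    return $rc
}

# disable_iptables_management: the article's turn-off procedure, gated by the check.
disable_iptables_management() {
    cfg=$(sacli ConfigQuery) || return 1
    check_daemon_limits "$cfg" || { echo "aborting: fix the daemon counts first" >&2; return 1; }
    for tbl in filter nat mangle; do
        sacli --key "iptables.vpn.disable.$tbl" --value "true" ConfigPut
    done
    sacli start
    service openvpnas restart
}

# recover_from_failed_start: the troubleshooting sequence, in the article's order.
recover_from_failed_start() {
    sacli --key "iptables.vpn.disable.nat" --value "false" ConfigPut
    service openvpnas restart
    sacli --key "vpn.server.daemon.tcp.n_daemons" --value "1" ConfigPut
    sacli --key "vpn.server.daemon.udp.n_daemons" --value "1" ConfigPut
    sacli start
    sacli --key "iptables.vpn.disable.nat" --value "true" ConfigPut
    service openvpnas restart
}

# Constructed sample (not captured from a real server): two TCP daemons, which
# the check must reject.
SAMPLE_CFG='{
  "iptables.vpn.disable.nat": "false",
  "vpn.server.daemon.tcp.n_daemons": "2",
  "vpn.server.daemon.udp.n_daemons": "1"
}'

if command -v sacli >/dev/null 2>&1; then
    cfg=$(sacli ConfigQuery) || exit 1
else
    echo "sacli not on PATH; dry run against the constructed sample" >&2
    cfg=$SAMPLE_CFG
fi

if check_daemon_limits "$cfg"; then
    echo "daemon counts OK: safe to run disable_iptables_management"
else
    echo "daemon counts exceed the limit: lower them (or run recover_from_failed_start) before disabling NAT management"
fi
```

Run it as root on the Access Server host to check the live configuration; off-host it exercises the check against the constructed sample and reports the two-daemon case as unsafe. The sacli calls in disable_iptables_management and recover_from_failed_start are exactly the commands this article gives, so if your version prints ConfigQuery output in a different shape, only get_key needs adjusting.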
If you have additional questions or encounter issues, submit a support ticket.