Overview
Some organizations prefer to manage their own kernel-level network filtering and routing rules. In these environments, administrators may choose to turn off Access Server management of iptables or nftables.
Important: We don’t recommend turning off Access Server management of iptables or nftables unless you have experience managing them manually.
Step 1: Change the firewall backend to iptables
New installations of Access Server 3.1.0 use nftables by default. Change the firewall backend to iptables before you continue.
Run the following command:
echo "xtables=iptables" >> /usr/local/openvpn_as/etc/as.conf && systemctl restart openvpnas
Step 2: Turn off Access Server management of iptables
Run the following commands:
sacli --key "iptables.vpn.disable.filter" --value "true" ConfigPut
sacli --key "iptables.vpn.disable.nat" --value "true" ConfigPut
sacli --key "iptables.vpn.disable.mangle" --value "true" ConfigPut
sacli start
Restart the service:
service openvpnas restart
Refer to the tutorial for more information.
Troubleshooting
If you encounter the following error, Access Server may be configured to use multiple TCP and UDP daemons to utilize all CPU cores:
"iptables_live": [
[
"error",
"cannot unpack non-iterable NoneType object: svc/svc:701,sagent/iptlive:66,sagent/iptlive:71,sagent/iptlive:102 (TypeError)"
]
],
"user": [
[
"error",
"'iptables_live': svc/svc:701,sagent/usersvc:1377,sagent/usersvc:1469 (KeyError)"
]
]
iptables handles load balancing between the daemons. When Access Server management of iptables is turned off, Access Server cannot load-balance across multiple daemons and cannot start properly.
If you turn off Access Server management of iptables, you are limited to one UDP OpenVPN daemon and one TCP OpenVPN daemon.
To bring your Access Server online perform the following steps:
1. Restore the default NAT management setting:
sacli --key "iptables.vpn.disable.nat" --value "false" ConfigPut
2. Restart the service:
service openvpnas restart
3. Set the number of daemons to one each:
sacli --key "vpn.server.daemon.tcp.n_daemons" --value "1" ConfigPut
sacli --key "vpn.server.daemon.udp.n_daemons" --value "1" ConfigPut
sacli start
4. Turn off iptables NAT management again:
sacli --key "iptables.vpn.disable.nat" --value "true" ConfigPut
5. Restart the service:
service openvpnas restart
If you have additional questions or encounter issues, submit a support ticket.
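The following script is an added example; it is not part of the Access Server documentation or product. It ties the Step 2 procedure to the daemon-count limitation described in this troubleshooting section: before the iptables tables are disabled, it checks that the TCP and UDP daemon counts are at most one and forces them to one if not, so the service can still start afterwards. The configuration values are a constructed key=value sample; on a real host you would obtain them with `sacli --key <key> ConfigQuery` (the query form is assumed here). The script prints the commands by default and only executes them when DRY_RUN=0.

```bash
#!/bin/bash
# Added example; not part of the Access Server documentation or product.
# Guards the "turn off iptables management" procedure with the constraint
# from the troubleshooting section: without iptables, Access Server cannot
# load-balance across daemons, so the TCP and UDP daemon counts must be 1.
set -eu

# Constructed sample of the relevant config keys in key=value form. In a
# real run you would obtain each value with `sacli --key <key> ConfigQuery`
# (assumed query form) instead of using a literal like this one.
SAMPLE_CONFIG='vpn.server.daemon.tcp.n_daemons=4
vpn.server.daemon.udp.n_daemons=4
iptables.vpn.disable.nat=false'

# Print the value for a key from key=value text; prints nothing if absent.
config_get() {
    printf '%s\n' "$1" | awk -F= -v k="$2" '$1 == k { print $2; exit }'
}

# Succeeds only when both daemon counts are present and at most 1.
# A missing key is treated as unsafe rather than assumed to be 1.
daemon_counts_ok() {
    local tcp udp
    tcp=$(config_get "$1" vpn.server.daemon.tcp.n_daemons)
    udp=$(config_get "$1" vpn.server.daemon.udp.n_daemons)
    [ -n "$tcp" ] && [ -n "$udp" ] && [ "$tcp" -le 1 ] && [ "$udp" -le 1 ]
}

# Dry-run by default: print each command instead of executing it.
# Set DRY_RUN=0 on the Access Server host to actually run them.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Ordered steps to turn off iptables management. Daemon counts are forced
# to 1 first when the config has more, so the service can start afterwards.
disable_iptables_management() {
    local cfg=$1
    if ! daemon_counts_ok "$cfg"; then
        run sacli --key vpn.server.daemon.tcp.n_daemons --value 1 ConfigPut
        run sacli --key vpn.server.daemon.udp.n_daemons --value 1 ConfigPut
    fi
    for table in filter nat mangle; do
        run sacli --key "iptables.vpn.disable.$table" --value true ConfigPut
    done
    run sacli start
    run service openvpnas restart
}

disable_iptables_management "$SAMPLE_CONFIG"
```

Run it once without DRY_RUN to review the command sequence it would issue for your configuration; with the sample above it first sets both daemon counts to 1, then disables the filter, nat and mangle tables, runs sacli start and restarts the service.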