Routing ports between VPN and world, eth0,eth1 tun0
VPN client with static address 10.8.0.2 exposes ports 80 and 5000. I need to forward ports 80 and 5000 on the server from the NICs to the client, so I can access the "forwarded" ports from outside of the VPN network.
I've set up an 18.04 server for this, added a second NIC, and added basic configs (below), but VPN port forwarding does not work. The NICs only respond to ICMP requests (ping works for both IPs) from outside, but it is not usable to connect to my ports.
The setup does not work as expected - VPN port forwarding is not working at all.
- telnet can't connect to these ports from outside (NIC1 IP = timeout, NIC2 IP = connection refused)
- ping from outside works for both NICs
- I've tried the tutorial Bridging and Routing from OpenVPN and its iptables samples; none seem to work
- from inside the server, I can ping -I <dev> 8.8.8.8 both with ens5 and ens6
Firewall
sysctl net.ipv4.ip_forward is set to 1.
/etc/ufw/before.rules
#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
# ufw-before-input
# ufw-before-output
# ufw-before-forward
#
# START OPENVPN RULES
*nat
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i ens5 -p tcp --dport 80 -j DNAT --to-destination 10.8.0.2
-A PREROUTING -i ens6 -p tcp --dport 5000 -j DNAT --to-destination 10.8.0.2
-A POSTROUTING -s 10.8.0.1/24 -o tun0 -j MASQUERADE
COMMIT
# END OPENVPN RULES
# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# End required lines
# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT
# quickly process packets for which we already have a connection
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
# ok icmp code for FORWARD
-A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT
# allow dhcp client to work
-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT
#
# ufw-not-local
#
-A ufw-before-input -j ufw-not-local
# if LOCAL, RETURN
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
# if MULTICAST, RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
# if BROADCAST, RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
# all other non-local packets are dropped
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
# allow MULTICAST mDNS for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT
# allow MULTICAST UPnP for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT
# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT
UFW status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip
To Action From
-- ------ ----
22/tcp ALLOW IN Anywhere
1194/udp ALLOW IN Anywhere
80/tcp ALLOW IN Anywhere
5000/tcp ALLOW IN Anywhere
Anywhere ALLOW IN 80/tcp
Anywhere on tun0 ALLOW IN Anywhere
22/tcp (v6) ALLOW IN Anywhere (v6)
80/tcp (v6) ALLOW IN Anywhere (v6)
5000/tcp (v6) ALLOW IN Anywhere (v6)
Anywhere (v6) ALLOW IN 80/tcp (v6)
Anywhere (v6) on tun0 ALLOW IN Anywhere (v6)
Anywhere ALLOW OUT Anywhere on tun0
80/tcp ALLOW OUT Anywhere on eth0
10.8.0.0/24 ALLOW OUT Anywhere on ens5
Anywhere ALLOW OUT Anywhere on ens5
Anywhere (v6) ALLOW OUT Anywhere (v6) on tun0
80/tcp (v6) ALLOW OUT Anywhere (v6) on eth0
Anywhere (v6) ALLOW OUT Anywhere (v6) on ens5
Interfaces
ip a
1: lo:
2: ens5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
link/ether aa:aa:aa:aa:aa:aa brd ff:ff:ff:ff:ff:ff
inet 172.31.39.1/20 brd 172.31.47.255 scope global dynamic ens5
valid_lft 2694sec preferred_lft 2694sec
3: ens6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether bb:bb:bb:bb:bb:bb brd ff:ff:ff:ff:ff:ff
inet 172.31.39.237/20 brd 172.31.47.255 scope global ens6
valid_lft forever preferred_lft forever
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
link/none
inet 10.8.0.1/24 brd 10.8.0.255 scope global tun0
valid_lft forever preferred_lft forever
/etc/netplan/50-cloud-init.yaml
network:
  version: 2
  ethernets:
    ens5: # NIC 1 = 172.31.39.1
      dhcp4: true
      match:
        macaddress: aa:aa:aa:aa:aa:aa
      set-name: ens5
/etc/netplan/51-ens6.yaml
network:
  version: 2
  renderer: networkd
  ethernets:
    ens6: # NIC 2 = 172.31.39.237
      match:
        macaddress: bb:bb:bb:bb:bb:bb
      dhcp4: no
      addresses: [172.31.39.237/20]
      routes:
        - to: 0.0.0.0/0
          via: 172.31.32.1
          table: 1000
        - to: 172.31.39.1
          via: 0.0.0.0
          scope: link
          table: 1000
      routing-policy:
        - from: 172.31.39.237
          table: 1000
ip rule list
0: from all lookup local
0: from 172.31.39.237 lookup 1000
32766: from all lookup main
32767: from all lookup default
Routing
route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 172.31.32.1 0.0.0.0 UG 100 0 0 ens5
10.8.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
172.31.32.0 0.0.0.0 255.255.240.0 U 0 0 0 ens6
172.31.32.0 0.0.0.0 255.255.240.0 U 0 0 0 ens5
172.31.32.1 0.0.0.0 255.255.255.255 UH 100 0 0 ens5
ip route show table all
default via 172.31.32.1 dev ens6 table 1000 proto static
172.31.39.1 dev ens6 table 1000 proto static scope link
default via 172.31.32.1 dev ens5 proto dhcp src 172.31.39.1 metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
172.31.32.0/20 dev ens6 proto kernel scope link src 172.31.39.237
172.31.32.0/20 dev ens5 proto kernel scope link src 172.31.39.1
172.31.32.1 dev ens5 proto dhcp scope link src 172.31.39.1 metric 100
broadcast 10.8.0.0 dev tun0 table local proto kernel scope link src 10.8.0.1
local 10.8.0.1 dev tun0 table local proto kernel scope host src 10.8.0.1
broadcast 10.8.0.255 dev tun0 table local proto kernel scope link src 10.8.0.1
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 172.31.32.0 dev ens6 table local proto kernel scope link src 172.31.39.237
broadcast 172.31.32.0 dev ens5 table local proto kernel scope link src 172.31.39.1
local 172.31.39.1 dev ens5 table local proto kernel scope host src 172.31.39.1
local 172.31.39.237 dev ens6 table local proto kernel scope host src 172.31.39.237
broadcast 172.31.47.255 dev ens6 table local proto kernel scope link src 172.31.39.237
broadcast 172.31.47.255 dev ens5 table local proto kernel scope link src 172.31.39.1
local ::1 dev lo proto kernel metric 256 pref medium
fe80::/64 dev ens6 proto kernel metric 256 pref medium
fe80::/64 dev ens5 proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
local fe80::88f:a9ff:fe75:11f2 dev ens6 table local proto kernel metric 0 pref medium
local fe80::894:3dff:fe41:89b4 dev ens5 table local proto kernel metric 0 pref medium
local fe80::7507:4098:a74d:65f8 dev tun0 table local proto kernel metric 0 pref medium
ff00::/8 dev ens6 table local metric 256 pref medium
ff00::/8 dev ens5 table local metric 256 pref medium
ff00::/8 dev tun0 table local metric 256 pref medium
What am I missing?
ubuntu openvpn ufw ubuntu-18.04 netplan
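Added example, not part of the question and not code from ufw or OpenVPN: a Python lint over the *nat block above that flags each DNAT forward into 10.8.0.0/24 for which no POSTROUTING SNAT or MASQUERADE on tun0 would rewrite a packet arriving from an outside address, and emits the SNAT rule that would. The point it checks: the MASQUERADE above matches only sources in 10.8.0.1/24, so a DNAT'd packet reaches the client with the outside address as its source, and unless the client's default route goes through the tunnel its replies leave by the client's own uplink, which is one common reason such a forward times out. The function names and the tunnel defaults (tun0, 10.8.0.1, 10.8.0.0/24) are my assumptions taken from the question's own output.

```python
import ipaddress
import shlex

# Constructed input: the *nat block copied from the question above.
QUESTION_NAT_BLOCK = """\
# START OPENVPN RULES
*nat
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i ens5 -p tcp --dport 80 -j DNAT --to-destination 10.8.0.2
-A PREROUTING -i ens6 -p tcp --dport 5000 -j DNAT --to-destination 10.8.0.2
-A POSTROUTING -s 10.8.0.1/24 -o tun0 -j MASQUERADE
COMMIT
# END OPENVPN RULES
"""

def parse_nat_rules(text):
    """Return the '-A <chain> ...' rules of the *nat block as option dicts."""
    rules, in_nat = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('*') or line == 'COMMIT':   # table start / end
            in_nat = line == '*nat'
            continue
        if not in_nat or not line.startswith('-A '):
            continue
        toks = shlex.split(line)
        opts, i = {}, 2
        while i < len(toks):   # pair each flag with its value, if it has one
            has_val = i + 1 < len(toks) and not toks[i + 1].startswith('-')
            opts[toks[i]] = toks[i + 1] if has_val else True
            i += 2 if has_val else 1
        rules.append({'chain': toks[1], 'opts': opts})
    return rules

def covers(snat, dnat, target, net):
    """True if a POSTROUTING SNAT/MASQUERADE rule matches the forwarded packet.
    A -s confined to the tunnel net (e.g. -s 10.8.0.1/24) never matches a
    packet whose source is an outside address, so it does not cover it."""
    src_ok = ('-s' not in snat or
              not ipaddress.ip_network(snat['-s'], strict=False).subnet_of(net))
    dst_ok = '-d' not in snat or target in ipaddress.ip_network(snat['-d'], strict=False)
    proto_ok = '-p' not in snat or snat['-p'] == dnat.get('-p')
    port_ok = '--dport' not in snat or snat['--dport'] == dnat.get('--dport')
    return src_ok and dst_ok and proto_ok and port_ok

def return_path_gaps(rules, tunnel_if='tun0', tunnel_net='10.8.0.0/24'):
    """List DNAT forwards into tunnel_net that no POSTROUTING SNAT/MASQUERADE
    on tunnel_if rewrites for packets that came from outside the tunnel net.
    Each gap is (in_iface, proto, dport, client_ip)."""
    net = ipaddress.ip_network(tunnel_net)
    snats = [r['opts'] for r in rules if r['chain'] == 'POSTROUTING'
             and r['opts'].get('-j') in ('SNAT', 'MASQUERADE')
             and r['opts'].get('-o', tunnel_if) == tunnel_if]
    gaps = []
    for r in rules:
        o = r['opts']
        if r['chain'] != 'PREROUTING' or o.get('-j') != 'DNAT':
            continue
        target = ipaddress.ip_address(o['--to-destination'].split(':')[0])
        if target in net and not any(covers(s, o, target, net) for s in snats):
            gaps.append((o.get('-i', 'any'), o.get('-p', 'all'),
                         o.get('--dport', 'any'), str(target)))
    return gaps

def return_path_rule(gap, tunnel_if='tun0', tunnel_addr='10.8.0.1'):
    """Build the POSTROUTING SNAT rule that closes one gap: traffic leaving
    tunnel_if for the client gets the server's tunnel address as source."""
    _in_if, proto, port, target = gap
    parts = ['-A POSTROUTING', '-o', tunnel_if, '-d', target]
    if proto != 'all':
        parts += ['-p', proto] + (['--dport', port] if port != 'any' else [])
    return ' '.join(parts + ['-j', 'SNAT', '--to-source', tunnel_addr])

def add_return_path_rules(text, tunnel_if='tun0', tunnel_addr='10.8.0.1'):
    """Return text with one SNAT rule per gap inserted before the nat COMMIT."""
    gaps = return_path_gaps(parse_nat_rules(text), tunnel_if)
    fixes = [return_path_rule(g, tunnel_if, tunnel_addr) for g in gaps]
    out, in_nat = [], False
    for raw in text.splitlines():
        s = raw.strip()
        if s.startswith('*'):
            in_nat = s == '*nat'
        elif s == 'COMMIT' and in_nat:
            out.extend(fixes)
            in_nat = False
        out.append(raw)
    return '\n'.join(out) + '\n'

if __name__ == '__main__':
    for gap in return_path_gaps(parse_nat_rules(QUESTION_NAT_BLOCK)):
        print('no return-path SNAT on tun0 for %s/%s dport %s -> %s' % gap)
    print(add_return_path_rules(QUESTION_NAT_BLOCK))
```

The lint only reasons about the nat table; the FORWARD chain (ufw's routed policy is allow here) and the client's own routing are checked separately.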
add a comment |
VPN client with static address 10.8.0.2
exposes ports 80 and 5000. I need to forward ports 80 and 5000 on server from NICs to the client, so i can access "forwarded" ports from outside of the VPN network.
I've setup a 18.04 server for this, added second NIC, added basic configs (below), but VPN port forwarding does not work. NICs only respond for ICMP requests (ping
works for both IPs) from outside, but it is not usable to connect to my ports.
The setup does not work as expected - VPN port forwarding is not working at all.
telnet
can't connect to this ports from outside (NIC1 IP =timeout
, NIC2 IP =connection refused
)- ping from outside for both NICs works
- i've tried the tutorial Bridging and Routing from Openvpn and its iptables samples, none seem to work
- from inside the server, i can
ping -I <dev> 8.8.8.8
both withens5
andens6
Firewall
sysctl net.ipv4.ip_forward
is set to 1.
/etc/ufw/before.rules
#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
# ufw-before-input
# ufw-before-output
# ufw-before-forward
#
# START OPENVPN RULES
*nat
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i ens5 -p tcp --dport 80 -j DNAT --to-destination 10.8.0.2
-A PREROUTING -i ens6 -p tcp --dport 5000 -j DNAT --to-destination 10.8.0.2
-A POSTROUTING -s 10.8.0.1/24 -o tun0 -j MASQUERADE
COMMIT
# END OPENVPN RULES
# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# End required lines
# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT
# quickly process packets for which we already have a connection
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
# ok icmp code for FORWARD
-A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT
# allow dhcp client to work
-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT
#
# ufw-not-local
#
-A ufw-before-input -j ufw-not-local
# if LOCAL, RETURN
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
# if MULTICAST, RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
# if BROADCAST, RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
# all other non-local packets are dropped
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
# allow MULTICAST mDNS for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT
# allow MULTICAST UPnP for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT
# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT
UFW status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip
To Action From
-- ------ ----
22/tcp ALLOW IN Anywhere
1194/udp ALLOW IN Anywhere
80/tcp ALLOW IN Anywhere
5000/tcp ALLOW IN Anywhere
Anywhere ALLOW IN 80/tcp
Anywhere on tun0 ALLOW IN Anywhere
22/tcp (v6) ALLOW IN Anywhere (v6)
80/tcp (v6) ALLOW IN Anywhere (v6)
5000/tcp (v6) ALLOW IN Anywhere (v6)
Anywhere (v6) ALLOW IN 80/tcp (v6)
Anywhere (v6) on tun0 ALLOW IN Anywhere (v6)
Anywhere ALLOW OUT Anywhere on tun0
80/tcp ALLOW OUT Anywhere on eth0
10.8.0.0/24 ALLOW OUT Anywhere on ens5
Anywhere ALLOW OUT Anywhere on ens5
Anywhere (v6) ALLOW OUT Anywhere (v6) on tun0
80/tcp (v6) ALLOW OUT Anywhere (v6) on eth0
Anywhere (v6) ALLOW OUT Anywhere (v6) on ens5
Interfaces
ip a
1: lo:
2: ens5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
link/ether aa:aa:aa:aa:aa:aa brd ff:ff:ff:ff:ff:ff
inet 172.31.39.1/20 brd 172.31.47.255 scope global dynamic ens5
valid_lft 2694sec preferred_lft 2694sec
3: ens6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether bb:bb:bb:bb:bb:bb brd ff:ff:ff:ff:ff:ff
inet 172.31.39.237/20 brd 172.31.47.255 scope global ens6
valid_lft forever preferred_lft forever
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
link/none
inet 10.8.0.1/24 brd 10.8.0.255 scope global tun0
valid_lft forever preferred_lft forever
/etc/netplan/50-cloud-init.yaml
network:
version: 2
ethernets:
ens5: # NIC 1 = 172.31.39.1
dhcp4: true
match:
macaddress: aa:aa:aa:aa:aa:aa
set-name: ens5
/etc/netplan/51-ens6.yaml
network:
version: 2
renderer: networkd
ethernets:
ens6: # NIC 2 = 172.31.39.237
match:
macaddress: bb:bb:bb:bb:bb:bb
dhcp4: no
addresses: [172.31.39.237/20]
routes:
- to: 0.0.0.0/0
via: 172.31.32.1
table: 1000
- to: 172.31.39.1
via: 0.0.0.0
scope: link
table: 1000
routing-policy:
- from: 172.31.39.237
table: 1000
ip rule list
0: from all lookup local
0: from 172.31.39.237 lookup 1000
32766: from all lookup main
32767: from all lookup default
Routing
route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 172.31.32.1 0.0.0.0 UG 100 0 0 ens5
10.8.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
172.31.32.0 0.0.0.0 255.255.240.0 U 0 0 0 ens6
172.31.32.0 0.0.0.0 255.255.240.0 U 0 0 0 ens5
172.31.32.1 0.0.0.0 255.255.255.255 UH 100 0 0 ens5
ip route show table all
default via 172.31.32.1 dev ens6 table 1000 proto static
172.31.39.1 dev ens6 table 1000 proto static scope link
default via 172.31.32.1 dev ens5 proto dhcp src 172.31.39.1 metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
172.31.32.0/20 dev ens6 proto kernel scope link src 172.31.39.237
172.31.32.0/20 dev ens5 proto kernel scope link src 172.31.39.1
172.31.32.1 dev ens5 proto dhcp scope link src 172.31.39.1 metric 100
broadcast 10.8.0.0 dev tun0 table local proto kernel scope link src 10.8.0.1
local 10.8.0.1 dev tun0 table local proto kernel scope host src 10.8.0.1
broadcast 10.8.0.255 dev tun0 table local proto kernel scope link src 10.8.0.1
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 172.31.32.0 dev ens6 table local proto kernel scope link src 172.31.39.237
broadcast 172.31.32.0 dev ens5 table local proto kernel scope link src 172.31.39.1
local 172.31.39.1 dev ens5 table local proto kernel scope host src 172.31.39.1
local 172.31.39.237 dev ens6 table local proto kernel scope host src 172.31.39.237
broadcast 172.31.47.255 dev ens6 table local proto kernel scope link src 172.31.39.237
broadcast 172.31.47.255 dev ens5 table local proto kernel scope link src 172.31.39.1
local ::1 dev lo proto kernel metric 256 pref medium
fe80::/64 dev ens6 proto kernel metric 256 pref medium
fe80::/64 dev ens5 proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
local fe80::88f:a9ff:fe75:11f2 dev ens6 table local proto kernel metric 0 pref medium
local fe80::894:3dff:fe41:89b4 dev ens5 table local proto kernel metric 0 pref medium
local fe80::7507:4098:a74d:65f8 dev tun0 table local proto kernel metric 0 pref medium
ff00::/8 dev ens6 table local metric 256 pref medium
ff00::/8 dev ens5 table local metric 256 pref medium
ff00::/8 dev tun0 table local metric 256 pref medium
What am i missing?
ubuntu openvpn ufw ubuntu-18.04 netplan
add a comment |
VPN client with static address 10.8.0.2
exposes ports 80 and 5000. I need to forward ports 80 and 5000 on server from NICs to the client, so i can access "forwarded" ports from outside of the VPN network.
I've setup a 18.04 server for this, added second NIC, added basic configs (below), but VPN port forwarding does not work. NICs only respond for ICMP requests (ping
works for both IPs) from outside, but it is not usable to connect to my ports.
The setup does not work as expected - VPN port forwarding is not working at all.
telnet
can't connect to this ports from outside (NIC1 IP =timeout
, NIC2 IP =connection refused
)- ping from outside for both NICs works
- i've tried the tutorial Bridging and Routing from Openvpn and its iptables samples, none seem to work
- from inside the server, i can
ping -I <dev> 8.8.8.8
both withens5
andens6
Firewall
sysctl net.ipv4.ip_forward
is set to 1.
/etc/ufw/before.rules
#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
# ufw-before-input
# ufw-before-output
# ufw-before-forward
#
# START OPENVPN RULES
*nat
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i ens5 -p tcp --dport 80 -j DNAT --to-destination 10.8.0.2
-A PREROUTING -i ens6 -p tcp --dport 5000 -j DNAT --to-destination 10.8.0.2
-A POSTROUTING -s 10.8.0.1/24 -o tun0 -j MASQUERADE
COMMIT
# END OPENVPN RULES
# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# End required lines
# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT
# quickly process packets for which we already have a connection
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
# ok icmp code for FORWARD
-A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT
# allow dhcp client to work
-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT
#
# ufw-not-local
#
-A ufw-before-input -j ufw-not-local
# if LOCAL, RETURN
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
# if MULTICAST, RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
# if BROADCAST, RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
# all other non-local packets are dropped
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
# allow MULTICAST mDNS for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT
# allow MULTICAST UPnP for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT
# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT
UFW status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip
To Action From
-- ------ ----
22/tcp ALLOW IN Anywhere
1194/udp ALLOW IN Anywhere
80/tcp ALLOW IN Anywhere
5000/tcp ALLOW IN Anywhere
Anywhere ALLOW IN 80/tcp
Anywhere on tun0 ALLOW IN Anywhere
22/tcp (v6) ALLOW IN Anywhere (v6)
80/tcp (v6) ALLOW IN Anywhere (v6)
5000/tcp (v6) ALLOW IN Anywhere (v6)
Anywhere (v6) ALLOW IN 80/tcp (v6)
Anywhere (v6) on tun0 ALLOW IN Anywhere (v6)
Anywhere ALLOW OUT Anywhere on tun0
80/tcp ALLOW OUT Anywhere on eth0
10.8.0.0/24 ALLOW OUT Anywhere on ens5
Anywhere ALLOW OUT Anywhere on ens5
Anywhere (v6) ALLOW OUT Anywhere (v6) on tun0
80/tcp (v6) ALLOW OUT Anywhere (v6) on eth0
Anywhere (v6) ALLOW OUT Anywhere (v6) on ens5
Interfaces
ip a
1: lo:
2: ens5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
link/ether aa:aa:aa:aa:aa:aa brd ff:ff:ff:ff:ff:ff
inet 172.31.39.1/20 brd 172.31.47.255 scope global dynamic ens5
valid_lft 2694sec preferred_lft 2694sec
3: ens6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether bb:bb:bb:bb:bb:bb brd ff:ff:ff:ff:ff:ff
inet 172.31.39.237/20 brd 172.31.47.255 scope global ens6
valid_lft forever preferred_lft forever
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
link/none
inet 10.8.0.1/24 brd 10.8.0.255 scope global tun0
valid_lft forever preferred_lft forever
/etc/netplan/50-cloud-init.yaml
network:
version: 2
ethernets:
ens5: # NIC 1 = 172.31.39.1
dhcp4: true
match:
macaddress: aa:aa:aa:aa:aa:aa
set-name: ens5
/etc/netplan/51-ens6.yaml
network:
version: 2
renderer: networkd
ethernets:
ens6: # NIC 2 = 172.31.39.237
match:
macaddress: bb:bb:bb:bb:bb:bb
dhcp4: no
addresses: [172.31.39.237/20]
routes:
- to: 0.0.0.0/0
via: 172.31.32.1
table: 1000
- to: 172.31.39.1
via: 0.0.0.0
scope: link
table: 1000
routing-policy:
- from: 172.31.39.237
table: 1000
ip rule list
0: from all lookup local
0: from 172.31.39.237 lookup 1000
32766: from all lookup main
32767: from all lookup default
Routing
route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 172.31.32.1 0.0.0.0 UG 100 0 0 ens5
10.8.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
172.31.32.0 0.0.0.0 255.255.240.0 U 0 0 0 ens6
172.31.32.0 0.0.0.0 255.255.240.0 U 0 0 0 ens5
172.31.32.1 0.0.0.0 255.255.255.255 UH 100 0 0 ens5
ip route show table all
default via 172.31.32.1 dev ens6 table 1000 proto static
172.31.39.1 dev ens6 table 1000 proto static scope link
default via 172.31.32.1 dev ens5 proto dhcp src 172.31.39.1 metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
172.31.32.0/20 dev ens6 proto kernel scope link src 172.31.39.237
172.31.32.0/20 dev ens5 proto kernel scope link src 172.31.39.1
172.31.32.1 dev ens5 proto dhcp scope link src 172.31.39.1 metric 100
broadcast 10.8.0.0 dev tun0 table local proto kernel scope link src 10.8.0.1
local 10.8.0.1 dev tun0 table local proto kernel scope host src 10.8.0.1
broadcast 10.8.0.255 dev tun0 table local proto kernel scope link src 10.8.0.1
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 172.31.32.0 dev ens6 table local proto kernel scope link src 172.31.39.237
broadcast 172.31.32.0 dev ens5 table local proto kernel scope link src 172.31.39.1
local 172.31.39.1 dev ens5 table local proto kernel scope host src 172.31.39.1
local 172.31.39.237 dev ens6 table local proto kernel scope host src 172.31.39.237
broadcast 172.31.47.255 dev ens6 table local proto kernel scope link src 172.31.39.237
broadcast 172.31.47.255 dev ens5 table local proto kernel scope link src 172.31.39.1
local ::1 dev lo proto kernel metric 256 pref medium
fe80::/64 dev ens6 proto kernel metric 256 pref medium
fe80::/64 dev ens5 proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
local fe80::88f:a9ff:fe75:11f2 dev ens6 table local proto kernel metric 0 pref medium
local fe80::894:3dff:fe41:89b4 dev ens5 table local proto kernel metric 0 pref medium
local fe80::7507:4098:a74d:65f8 dev tun0 table local proto kernel metric 0 pref medium
ff00::/8 dev ens6 table local metric 256 pref medium
ff00::/8 dev ens5 table local metric 256 pref medium
ff00::/8 dev tun0 table local metric 256 pref medium
What am i missing?
ubuntu openvpn ufw ubuntu-18.04 netplan
VPN client with static address 10.8.0.2
exposes ports 80 and 5000. I need to forward ports 80 and 5000 on server from NICs to the client, so i can access "forwarded" ports from outside of the VPN network.
I've setup a 18.04 server for this, added second NIC, added basic configs (below), but VPN port forwarding does not work. NICs only respond for ICMP requests (ping
works for both IPs) from outside, but it is not usable to connect to my ports.
The setup does not work as expected - VPN port forwarding is not working at all.
telnet
can't connect to this ports from outside (NIC1 IP =timeout
, NIC2 IP =connection refused
)- ping from outside for both NICs works
- i've tried the tutorial Bridging and Routing from Openvpn and its iptables samples, none seem to work
- from inside the server, i can
ping -I <dev> 8.8.8.8
both withens5
andens6
Firewall
sysctl net.ipv4.ip_forward
is set to 1.
/etc/ufw/before.rules
#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
# ufw-before-input
# ufw-before-output
# ufw-before-forward
#
# START OPENVPN RULES
*nat
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i ens5 -p tcp --dport 80 -j DNAT --to-destination 10.8.0.2
-A PREROUTING -i ens6 -p tcp --dport 5000 -j DNAT --to-destination 10.8.0.2
-A POSTROUTING -s 10.8.0.1/24 -o tun0 -j MASQUERADE
COMMIT
# END OPENVPN RULES
# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# End required lines
# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT
# quickly process packets for which we already have a connection
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
# ok icmp code for FORWARD
-A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT
# allow dhcp client to work
-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT
#
# ufw-not-local
#
-A ufw-before-input -j ufw-not-local
# if LOCAL, RETURN
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
# if MULTICAST, RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
# if BROADCAST, RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
# all other non-local packets are dropped
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
# allow MULTICAST mDNS for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT
# allow MULTICAST UPnP for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT
# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT
UFW status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip
To Action From
-- ------ ----
22/tcp ALLOW IN Anywhere
1194/udp ALLOW IN Anywhere
80/tcp ALLOW IN Anywhere
5000/tcp ALLOW IN Anywhere
Anywhere ALLOW IN 80/tcp
Anywhere on tun0 ALLOW IN Anywhere
22/tcp (v6) ALLOW IN Anywhere (v6)
80/tcp (v6) ALLOW IN Anywhere (v6)
5000/tcp (v6) ALLOW IN Anywhere (v6)
Anywhere (v6) ALLOW IN 80/tcp (v6)
Anywhere (v6) on tun0 ALLOW IN Anywhere (v6)
Anywhere ALLOW OUT Anywhere on tun0
80/tcp ALLOW OUT Anywhere on eth0
10.8.0.0/24 ALLOW OUT Anywhere on ens5
Anywhere ALLOW OUT Anywhere on ens5
Anywhere (v6) ALLOW OUT Anywhere (v6) on tun0
80/tcp (v6) ALLOW OUT Anywhere (v6) on eth0
Anywhere (v6) ALLOW OUT Anywhere (v6) on ens5
Interfaces
ip a
1: lo:
2: ens5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
link/ether aa:aa:aa:aa:aa:aa brd ff:ff:ff:ff:ff:ff
inet 172.31.39.1/20 brd 172.31.47.255 scope global dynamic ens5
valid_lft 2694sec preferred_lft 2694sec
3: ens6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether bb:bb:bb:bb:bb:bb brd ff:ff:ff:ff:ff:ff
inet 172.31.39.237/20 brd 172.31.47.255 scope global ens6
valid_lft forever preferred_lft forever
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
link/none
inet 10.8.0.1/24 brd 10.8.0.255 scope global tun0
valid_lft forever preferred_lft forever
/etc/netplan/50-cloud-init.yaml
network:
    version: 2
    ethernets:
        ens5: # NIC 1 = 172.31.39.1
            dhcp4: true
            match:
                macaddress: aa:aa:aa:aa:aa:aa
            set-name: ens5
/etc/netplan/51-ens6.yaml
network:
    version: 2
    renderer: networkd
    ethernets:
        ens6: # NIC 2 = 172.31.39.237
            match:
                macaddress: bb:bb:bb:bb:bb:bb
            dhcp4: no
            addresses: [172.31.39.237/20]
            routes:
                - to: 0.0.0.0/0
                  via: 172.31.32.1
                  table: 1000
                - to: 172.31.39.1
                  via: 0.0.0.0
                  scope: link
                  table: 1000
            routing-policy:
                - from: 172.31.39.237
                  table: 1000
ip rule list
0: from all lookup local
0: from 172.31.39.237 lookup 1000
32766: from all lookup main
32767: from all lookup default
Routing
route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 172.31.32.1 0.0.0.0 UG 100 0 0 ens5
10.8.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
172.31.32.0 0.0.0.0 255.255.240.0 U 0 0 0 ens6
172.31.32.0 0.0.0.0 255.255.240.0 U 0 0 0 ens5
172.31.32.1 0.0.0.0 255.255.255.255 UH 100 0 0 ens5
ip route show table all
default via 172.31.32.1 dev ens6 table 1000 proto static
172.31.39.1 dev ens6 table 1000 proto static scope link
default via 172.31.32.1 dev ens5 proto dhcp src 172.31.39.1 metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
172.31.32.0/20 dev ens6 proto kernel scope link src 172.31.39.237
172.31.32.0/20 dev ens5 proto kernel scope link src 172.31.39.1
172.31.32.1 dev ens5 proto dhcp scope link src 172.31.39.1 metric 100
broadcast 10.8.0.0 dev tun0 table local proto kernel scope link src 10.8.0.1
local 10.8.0.1 dev tun0 table local proto kernel scope host src 10.8.0.1
broadcast 10.8.0.255 dev tun0 table local proto kernel scope link src 10.8.0.1
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 172.31.32.0 dev ens6 table local proto kernel scope link src 172.31.39.237
broadcast 172.31.32.0 dev ens5 table local proto kernel scope link src 172.31.39.1
local 172.31.39.1 dev ens5 table local proto kernel scope host src 172.31.39.1
local 172.31.39.237 dev ens6 table local proto kernel scope host src 172.31.39.237
broadcast 172.31.47.255 dev ens6 table local proto kernel scope link src 172.31.39.237
broadcast 172.31.47.255 dev ens5 table local proto kernel scope link src 172.31.39.1
local ::1 dev lo proto kernel metric 256 pref medium
fe80::/64 dev ens6 proto kernel metric 256 pref medium
fe80::/64 dev ens5 proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
local fe80::88f:a9ff:fe75:11f2 dev ens6 table local proto kernel metric 0 pref medium
local fe80::894:3dff:fe41:89b4 dev ens5 table local proto kernel metric 0 pref medium
local fe80::7507:4098:a74d:65f8 dev tun0 table local proto kernel metric 0 pref medium
ff00::/8 dev ens6 table local metric 256 pref medium
ff00::/8 dev ens5 table local metric 256 pref medium
ff00::/8 dev tun0 table local metric 256 pref medium
What am i missing?
ubuntu openvpn ufw ubuntu-18.04 netplan
asked 14 hours ago by Croll, edited 2 mins ago
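The following is an added example, not code from the question, OpenVPN or netplan. It models the kernel's policy-routing decision using only the `ip rule list` and unicast `ip route show table all` entries posted above, so you can see which table and egress interface a given source/destination pair resolves to. It ignores the `local` table, `iif`/`oif` selectors and reverse-path filtering; the sample flows at the bottom (a forwarded VPN client at 10.8.0.5, and each NIC's own address) are constructed for the demonstration.

```python
import ipaddress

# Added example: simulate the policy-routing lookup from the question's
# `ip rule list` and `ip route show table all` output. Not the page's own code.

# (priority, "from" selector or None, table), in the order `ip rule list` prints them
RULES = [
    (0, None, "local"),
    (0, "172.31.39.237", 1000),
    (32766, None, "main"),
    (32767, None, "default"),
]

# (prefix, gateway or None, device, metric), transcribed from the question's output
TABLES = {
    1000: [
        ("0.0.0.0/0", "172.31.32.1", "ens6", 0),
        ("172.31.39.1/32", None, "ens6", 0),
    ],
    "main": [
        ("0.0.0.0/0", "172.31.32.1", "ens5", 100),
        ("10.8.0.0/24", None, "tun0", 0),
        ("172.31.32.0/20", None, "ens6", 0),
        ("172.31.32.0/20", None, "ens5", 0),
        ("172.31.32.1/32", None, "ens5", 100),
    ],
    "local": [],     # local/broadcast delivery entries deliberately left out
    "default": [],
}


def lookup(table, dst):
    """Longest-prefix match in one table. On equal prefix length the lower
    metric wins; on a full tie the entry listed first wins."""
    best_key, best = None, None
    for prefix, via, dev, metric in TABLES.get(table, []):
        net = ipaddress.ip_network(prefix)
        if dst in net:
            key = (net.prefixlen, -metric)
            if best_key is None or key > best_key:
                best_key, best = key, {"via": via, "dev": dev}
    return best


def route(src, dst):
    """Walk the rules in priority order (stable sort keeps the printed order
    for equal priorities) and return the first table that yields a route."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _prio, selector, table in sorted(RULES, key=lambda r: r[0]):
        if selector is not None and src != ipaddress.ip_address(selector):
            continue
        hit = lookup(table, dst)
        if hit is not None:
            return {"table": table, **hit}
    return None  # no route to host


if __name__ == "__main__":
    # Constructed sample flows (hypothetical VPN client 10.8.0.5, NIC addresses from the question)
    for s, d in [("10.8.0.5", "8.8.8.8"), ("172.31.39.237", "8.8.8.8"),
                 ("172.31.39.1", "8.8.8.8"), ("172.31.39.1", "10.8.0.5")]:
        print(f"{s:>15} -> {d:<12} {route(s, d)}")
```

What the walk shows: only packets whose source is exactly 172.31.39.237 reach table 1000 and leave via ens6; everything else, including forwarded traffic from a 10.8.0.0/24 VPN client, falls through to `main` and exits ens5 via 172.31.32.1. If a class of traffic is meant to leave through the second NIC, the general mechanism is another `routing-policy` entry whose `from` selector matches that traffic (for example the tun0 subnet), since SNAT in POSTROUTING runs after the routing decision and cannot change it. Two things worth checking against the posted output: the `ufw status verbose` listing contains rules on `eth0`, an interface that does not appear in `ip a`, and both ens5 and ens6 carry a connected route for 172.31.32.0/20 in `main`, so on-link replies from a packet not covered by the `from 172.31.39.237` rule may pick either NIC.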