Hello,

I'm experimenting with a dd-wrt-type wireless access point in a DMZ
setting using a three-NIC router. I do not want to expose the WAP to the
Internet, thus it sits in the DMZ. The network is as follows:

                           INTERNET
                              |
                              |
                           FIREWALL---------DMZ <<<<<<<<<< WAP
                              |         10.8.2.x        10.8.2.5
                              |
                             LAN
                          10.8.1.x

I have been using OpenVPN successfully authenticating road warriors for
years. They connect to the WAN card on the router. I used this
documentation:

http://www.shorewall.net/3.0/OPENVPN.html

in configuring the firewall for OpenVPN access.

Now, the WAP has a fixed IP address in the DMZ zone and uses the
firewall as the gateway to the Internet. I can connect to the Internet
using a wireless client connected to the WAP in the DMZ zone. 

I tried using the stock OpenVPN client configuration that worked well in
the Internet behind the DMZ and it fails. I modified the
/etc/shorewall/tunnels as follows:

#TYPE                   ZONE    GATEWAY         GATEWAY
#                                               ZONE
openvpnserver           net     0.0.0.0/0
openvpnserver           dmz     0.0.0.0/0
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Reading the rest of the documentation, it appears there is nothing else
I need to do. However, when I attempt to connect using OpenVPN from a
wireless client with an IP address in the DMZ zone, I fail to connect. I
get repeated error messages as follows:

Tue Mar 29 17:27:00 2011 TCP/UDP: Incoming packet rejected from
10.8.2.254:1194[2], expected peer address: 10.8.1.254:1194 (allow this
incoming source address/port by removing --remote or adding --float)

I've restarted Shorewall after making the configuration change but not
the system. What am I missing? There isn't any documentation showing a
setup allowing OpenVPN connections from both the Internet and the DMZ.

Or is OpenVPN designed to handle one zone only?

~Doug
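An added example, not part of Doug's post: a small Python checker that parses the OpenVPN "Incoming packet rejected" line quoted above and tells a zone mismatch (the firewall answering from its DMZ-side address while the client was told --remote 10.8.1.254) apart from a reply arriving from an address the firewall does not own at all. The zone networks 10.8.1.0/24 and 10.8.2.0/24 are assumed from the diagram in the post.

```python
import ipaddress
import re

# Constructed sample: the rejection line quoted in the post, rejoined onto one line.
SAMPLE_LOG = (
    "Tue Mar 29 17:27:00 2011 TCP/UDP: Incoming packet rejected from "
    "10.8.2.254:1194[2], expected peer address: 10.8.1.254:1194 (allow this "
    "incoming source address/port by removing --remote or adding --float)"
)

# Assumed from the post's diagram: the networks the firewall has an interface in.
FIREWALL_NETWORKS = {
    "lan": ipaddress.ip_network("10.8.1.0/24"),
    "dmz": ipaddress.ip_network("10.8.2.0/24"),
}

REJECT_RE = re.compile(
    r"Incoming packet rejected from (?P<src>[\d.]+):(?P<sport>\d+)\[\d+\], "
    r"expected peer address: (?P<exp>[\d.]+):(?P<eport>\d+)"
)


def parse_rejection(line):
    """Return (source_ip, source_port, expected_ip, expected_port), or None
    when the line is not an OpenVPN peer-address rejection."""
    m = REJECT_RE.search(line)
    if m is None:
        return None
    return m["src"], int(m["sport"]), m["exp"], int(m["eport"])


def zone_of(ip, networks):
    """Name of the firewall zone whose network contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    return next((z for z, net in networks.items() if addr in net), None)


def classify_rejection(line, networks=FIREWALL_NETWORKS):
    """Distinguish the firewall replying from another zone's interface (fix the
    client's --remote) from a reply whose source the firewall does not own
    (do not loosen peer checking with --float for that)."""
    parsed = parse_rejection(line)
    if parsed is None:
        return None
    src, sport, exp, eport = parsed
    src_zone, exp_zone = zone_of(src, networks), zone_of(exp, networks)
    if src_zone and exp_zone and src_zone != exp_zone and sport == eport:
        return {"verdict": "zone-mismatch", "source_zone": src_zone,
                "expected_zone": exp_zone,
                "advice": f"set --remote to the firewall's {src_zone} address {src}"}
    return {"verdict": "unexpected-source", "source_zone": src_zone,
            "expected_zone": exp_zone, "advice": "investigate before allowing"}
```

Run over a client log, a "zone-mismatch" result points at the client's --remote address rather than at the Shorewall tunnels entries.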

leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/
