I have a somewhat normal road warrior configuration set up using
Shorewall and OpenVPN.

The remote clients are not running Shorewall, just a standard OpenVPN client.

The tun0 device on the Shorewall server is configured like the following:
tun0      Link encap:UNSPEC  HWaddr
00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:172.16.99.1  P-t-P:172.16.99.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1

I have a Linux VPN client that connects and gets assigned the IP address
172.16.99.10.  I also have up/down scripts in place that update
/etc/resolv.conf so that its DNS server gets updated with the IP address
172.16.99.1.

Unfortunately a Shorewall:all2all:REJECT: message is logged when making
DNS queries.

The OpenVPN client can talk to the inside LAN which the Shorewall server
is protecting, but it does not appear to be able to talk to the
172.16.99.0/24 leg, which is the subnet of the tunnel.

I do have a rule:
DNS/ACCEPT      road    fw

and a policy
ACCEPT          fw      road

Also, the proper routes get pushed to the VPN client so that the protected
LAN subnet and the 172.16.99.0/24 subnet go out the tun0 interface.

I have tried various configurations with the shorewall/masq,
shorewall/rfc1918 and shorewall/tunnels files, but no combination appears to
allow me to query the DNS server that is running on the Shorewall server.

The current entries look like the following:

shorewall/masq:
#INTERFACE              SUBNET          ADDRESS         PROTO   PORT(S) IPSEC
eth2                    eth0
eth2                    eth1
eth0                    172.16.99.0/24

shorewall/rfc1918
#SUBNET                 TARGET
192.168.1.1             RETURN
172.16.99.0/24          RETURN          # RFC 1918
192.168.168.0/24        logdrop         # RFC 1918
10.0.0.0/24             logdrop         # RFC 1918

shorewall/tunnels
#TYPE                   ZONE    GATEWAY         GATEWAY
#                                               ZONE
openvpnserver:1194      inet    0.0.0.0/0

Also note that the DNS server is listening on the 172.16.99.1 address.

I am hoping that someone knows what I am doing wrong based on the
information that has been provided.  If a full Shorewall report is needed,
please let me know and I can provide that information.

Thank You.

-- 
Scott

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
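For reference, the zone-to-interface wiring a road warrior setup like this needs in Shorewall, as an added example that is not the poster's configuration. The zone names fw, inet, loc and road and the tunnel subnet 172.16.99.0/24 are taken from the post; eth2 as the Internet-facing interface and eth0/eth1 as LAN legs are assumptions read from the masq entries, and tun0 is the OpenVPN server interface. Shorewall builds its log prefix as Shorewall:<chain>:<disposition>:, so an all2all entry means the packet was handled by the all->all policy chain rather than by a road2fw rule or policy; giving the road->fw pair a policy of its own makes any still-unmatched VPN traffic log under road2fw instead, and `shorewall show zones` lists which interfaces each zone currently contains.

```text
# /etc/shorewall/zones  (added example; zone names follow the post)
#ZONE   TYPE        OPTIONS
fw      firewall
inet    ipv4
loc     ipv4
road    ipv4

# /etc/shorewall/interfaces  (eth2 as the Internet side and eth0/eth1 as LAN
# legs are assumptions; tun0 is the OpenVPN server interface)
#ZONE   INTERFACE   BROADCAST   OPTIONS
inet    eth2        detect
loc     eth0        detect
loc     eth1        detect
road    tun0        -

# /etc/shorewall/tunnels  (the OpenVPN listener itself is reached from inet)
#TYPE                ZONE    GATEWAY     GATEWAY ZONE
openvpnserver:1194   inet    0.0.0.0/0

# /etc/shorewall/policy  (columns are SOURCE DEST POLICY LOG-LEVEL, first match
# wins; the explicit road->fw policy makes unmatched VPN traffic log as road2fw)
#SOURCE DEST    POLICY  LOG LEVEL
fw      road    ACCEPT
road    loc     ACCEPT
road    fw      REJECT  info
inet    all     DROP    info
all     all     REJECT  info

# /etc/shorewall/rules  (the DNS macro covers udp and tcp port 53; the resolver
# listens on 172.16.99.1, which is in the fw zone)
#ACTION       SOURCE  DEST    PROTO   DEST PORT(S)
DNS/ACCEPT    road    fw
```

After editing, run `shorewall check` before `shorewall restart`, then confirm with `shorewall show zones` that tun0 is listed under road; a VPN client's DNS query that still gets rejected should now log with a road2fw prefix, which points at the rules file, whereas a continued all2all prefix means tun0 is still not being classified into the road zone.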