Hi,

Nico Pagliaro wrote:
> Hi, I need some help with this problem:
> I am having this problem:
>
> I have my VPN client with OpenVPN and my Shorewall firewall at work with
> OpenVPN server (on the same server).
> Now, I need to route my VPN client traffic to this IP, 74.53.205.xxx, to be
> routed to my Shorewall firewall, because I accept connections on that server
> only from my Shorewall external IP.
> The problem is that when I configure my server.conf (OpenVPN) to push
> "route 74.53.205.xxx 255.255.255.255" to the client, I can't access that
> server.
> What is wrong in my conf?
>
> I have Shorewall-perl 4.0.3
> My interface configuration is:
> eth0: 200.40.xx.xx (internet)
> eth1: 201.221.xx.xx (internet)
> eth2: 172.16.10.1 (dmz)
> eth3: 192.168.0.4 (lan)
> tun0: 10.8.0.1 (vpn)
>
> Files: Interfaces
> net  eth1  detect  norfc1918
> net  eth0  detect  norfc1918
> loc  eth3  detect
> dmz  eth2  detect
> vpn  tun0
>
> Zones:
> #ZONE  TYPE      OPTIONS  IN OPTIONS  OUT OPTIONS
> fw     firewall
> net    ipv4
> loc    ipv4
> dmz    ipv4
> vpn    ipv4
>
> Masq:
> #INTERFACE  SOURCE          ADDRESS        PROTO  PORT(S)  IPSEC  MARK
> eth1        192.168.0.0/24  201.221.xx.xx
> eth1        172.16.10.0/24  201.221.xx.xx
> eth1        10.8.0.0/24     201.221.xx.xx
> eth0        192.168.0.0/24  200.40.xx.xx
> eth0        172.16.10.0/24  200.40.xx.xx
>
> Policy:
> #SOURCE  DEST  POLICY  LOG LEVEL  LIMIT:BURST
> loc      net   ACCEPT
> dmz      loc   ACCEPT  info
> dmz      net   DROP    info
> net      all   DROP
> all      all   REJECT  info
> vpn      net   ACCEPT  info
> vpn      fw    ACCEPT  info

I'd list the vpn policy before the drop/reject policy here.

> Providers:
> #NAME  NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY        OPTIONS  COPY
> ded    1       1     main       eth1       201.221.xx.xx  track    eth2,eth3

Without a shorewall dump this is just a guess, but my gut feeling is that there is no route for the 10.8.0.0/24 subnet in the provider's routing table. If you want tun0 to be able to pass traffic to this provider, I think you need tun0 added to the COPY column.

> net    2       2     main       eth0       200.40.xx.xx   track    eth2,eth3
>
> Rules:
> ACCEPT:info  vpn  net  tcp  http,https

If you fix the policy above then this is not required, or change the policy to reject to make this rule effective.

> Tunnels:
> #TYPE               ZONE  GATEWAY    GATEWAY ZONE
> openvpnserver:1194  net   0.0.0.0/0
>
> OpenVPN server.conf:
> push "route 74.53.205.xxx 255.255.255.255"

In tcrules add:

1:P tun0 74.53.205.xxx tcp http,https - -

The route_rules file comes into play here also; did you use the example from the bottom of http://www.shorewall.net/MultiISP.html? That is why a shorewall dump is important: it gives a great overall view of the network setup you have, without guessing what the whole layout is.

If that doesn't work please provide a shorewall dump.

Jerry

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
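As an added example (not part of this thread and not Shorewall's own code), the following Python script checks offline the two things Jerry's reply points at: policy entries that can never match because an earlier, broader entry (`all all REJECT`) is listed first, and providers whose COPY column does not list tun0, so their routing table has no route for the 10.8.0.0/24 subnet. The sample file contents are constructed from the poster's configuration; the column layout assumed is the Shorewall 4.0 policy file (SOURCE DEST POLICY ...) and providers file (NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY).

```python
# Constructed sample files mirroring the poster's policy and providers.
POLICY = """\
#SOURCE DEST POLICY  LOG
loc     net  ACCEPT
dmz     loc  ACCEPT  info
dmz     net  DROP    info
net     all  DROP
all     all  REJECT  info
vpn     net  ACCEPT  info
vpn     fw   ACCEPT  info
"""

PROVIDERS = """\
#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY       OPTIONS COPY
ded   1      1    main      eth1      201.221.xx.xx track   eth2,eth3
net   2      2    main      eth0      200.40.xx.xx  track   eth2,eth3
"""


def parse_rows(text):
    """Split a Shorewall-style file into whitespace-separated columns,
    dropping comments and blank lines."""
    rows = []
    for line in text.splitlines():
        body = line.split("#", 1)[0].strip()
        if body:
            rows.append(body.split())
    return rows


def zone_matches(pattern, zone):
    """In the policy file 'all' matches every zone."""
    return pattern == "all" or pattern == zone


def shadowed_policies(policy_text):
    """Shorewall applies the first policy entry whose SOURCE/DEST match, so an
    entry listed after a broader one can never apply. Return a list of
    (shadowed, shadowing) pairs, each given as (src, dest, policy)."""
    rows = parse_rows(policy_text)
    found = []
    for i, row in enumerate(rows):
        src, dst = row[0], row[1]
        for earlier in rows[:i]:
            if zone_matches(earlier[0], src) and zone_matches(earlier[1], dst):
                found.append((tuple(row[:3]), tuple(earlier[:3])))
                break
    return found


def reorder_policy(policy_text):
    """Return the policy file with entries stably sorted so that more specific
    SOURCE/DEST pairs (fewer 'all' columns) come before broader ones. Two
    entries that overlap without one covering the other keep their relative
    order. Comment and blank lines are gathered at the top."""
    comments, entries = [], []
    for line in policy_text.splitlines():
        body = line.split("#", 1)[0].strip()
        (entries if body else comments).append(line)
    entries.sort(key=lambda ln: ln.split()[:2].count("all"))
    return "\n".join(comments + entries) + "\n"


def providers_missing_copy(providers_text, iface):
    """Names of providers whose routing table will not contain iface's routes:
    iface is neither the provider's own INTERFACE nor listed in COPY."""
    missing = []
    for row in parse_rows(providers_text):
        name, provider_iface = row[0], row[4]
        copy = row[7] if len(row) > 7 else "-"
        copied = set() if copy == "-" else set(copy.split(","))
        if provider_iface != iface and iface not in copied:
            missing.append(name)
    return missing


def add_to_copy(providers_text, iface):
    """Return the providers file with iface appended to every COPY column that
    lacks it (the fix Jerry suggests for tun0)."""
    out = []
    for line in providers_text.splitlines():
        body = line.split("#", 1)[0].strip()
        cols = body.split() if body else None
        if cols and cols[4] != iface:
            copy = cols[7] if len(cols) > 7 else "-"
            copied = [] if copy == "-" else copy.split(",")
            if iface not in copied:
                copied.append(iface)
                while len(cols) < 8:      # pad missing OPTIONS/COPY columns
                    cols.append("-")
                cols[7] = ",".join(copied)
                line = " ".join(cols)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for shadowed, by in shadowed_policies(POLICY):
        print("unreachable policy %s, shadowed by %s" % (shadowed, by))
    print(reorder_policy(POLICY))
    print("providers lacking tun0 routes:", providers_missing_copy(PROVIDERS, "tun0"))
    print(add_to_copy(PROVIDERS, "tun0"))
```

Run against the constructed files it reports both `vpn` policies as unreachable behind `all all REJECT`, prints the policy with them moved ahead of the catch-alls, and rewrites both providers with `eth2,eth3,tun0` in COPY. The sort key only looks at the two zone columns, which is enough for the policy file: two entries with different numbers of `all` columns can only overlap if the broader one covers the narrower one.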
