Hi, I am running OpenVPN where I have one central hub VPN server and multiple 
spoke VPN clients. I can ping from each client to the server, and from each client 
to computers on the subnet on which the server resides (192.168.2.0/24), so it 
works OK there. I cannot, however, ping from one client to another client. I guess 
the packet path would go:
 
clienta ->  vpn -> shorewall/router -> vpn -> clientb
 
When I try to ping a different client on a different subnet I get:
 
C:\Users\Chris>ping 192.168.10.1
Pinging 192.168.10.1 with 32 bytes of data:
Reply from 172.16.1.1: Destination host unreachable.
Reply from 172.16.1.1: Destination host unreachable.
 
But, as mentioned, other routes work OK:
 
C:\Users\Chris>ping 172.16.1.1
Pinging 172.16.1.1 with 32 bytes of data:
Reply from 172.16.1.1: bytes=32 time=329ms TTL=64
Reply from 172.16.1.1: bytes=32 time=328ms TTL=64
 
C:\Users\Chris>ping 192.168.2.1
Pinging 192.168.2.1 with 32 bytes of data:
Reply from 192.168.2.1: bytes=32 time=469ms TTL=64
Reply from 192.168.2.1: bytes=32 time=329ms TTL=64
 
C:\Users\Chris>ping 192.168.2.10
Pinging 192.168.2.10 with 32 bytes of data:
Reply from 192.168.2.10: bytes=32 time=332ms TTL=127
Reply from 192.168.2.10: bytes=32 time=335ms TTL=127
 
So, as you can see, the link is up and Shorewall does let through the connections 
to the local server subnet. On checking /var/log/messages I can see Shorewall 
has dropped packets destined for 192.168.10.1:
 
Mar 26 04:33:10 router-hq kernel: Shorewall:FORWARD:REJECT:IN=tun0 OUT=tun0 SRC=172.16.1.6 DST=192.168.10.1 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=31895 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=25270
Mar 26 04:33:11 router-hq kernel: Shorewall:FORWARD:REJECT:IN=tun0 OUT=tun0 SRC=172.16.1.6 DST=192.168.10.1 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=31898 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=25271
 
For info, here are my config files (same on server and client):
 
router-hq:~# cat /etc/shorewall/interfaces
################################################################################
#ZONE   INTERFACE       BROADCAST       OPTIONS
lana    eth0            detect          tcpflags,nosmurfs
lanb    eth1            detect          tcpflags,nosmurfs
dmz     eth2            detect
net     eth3            detect          tcpflags,dhcp,routefilter,nosmurfs,logmartians
vpn     tun0
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
 
router-hq:~# cat /etc/shorewall/zones
################################################################################
#ZONE   TYPE    OPTIONS                 IN                      OUT
#                                       OPTIONS                 OPTIONS
fw      firewall
net     ipv4
lana    ipv4
lanb    ipv4
dmz     ipv4
vpn     ipv4
loc:lana,lanb   ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
 
router-hq:~# cat /etc/shorewall/policy
# Policies for traffic originating from the local LAN (loc)
#
# If you want to force clients to access the Internet via a proxy server
# in your DMZ, change the following policy to REJECT info.
lana            net             ACCEPT
lanb            net             ACCEPT
lana            lanb            ACCEPT
lanb            lana            ACCEPT
# vpn
lana            vpn             ACCEPT
lanb            vpn             ACCEPT
vpn             lana            ACCEPT
vpn             lanb            ACCEPT
vpn             $FW             ACCEPT
# to ACCEPT.  (If you chose not to do this, you will need to add a rule
# for each service in the rules file.)
#loc            dmz             REJECT          info
lana            $FW             ACCEPT
lanb            $FW             ACCEPT
#loc            all             REJECT          info
#
# Policies for traffic originating from the firewall ($FW)
#
# If you want open access to the Internet from your firewall, change the
# $FW to net policy to ACCEPT and remove the 'info' LOG LEVEL.
$FW             net             ACCEPT
$FW             dmz             REJECT          info
$FW             lana            ACCEPT
$FW             lanb            ACCEPT
$FW             vpn             ACCEPT
$FW             all             REJECT          info
#
# Policies for traffic originating from the De-Militarized Zone (dmz)
#
# If you want open access from DMZ to the Internet change the following
# policy to ACCEPT.  This may be useful if you run a proxy server in
# your DMZ.
dmz             net             REJECT          info
dmz             $FW             REJECT          info
dmz             loc             REJECT          info
dmz             all             REJECT          info
#
# Policies for traffic originating from the Internet zone (net)
#
net             dmz             DROP            info
net             $FW             DROP            info
net             loc             DROP            info
net             all             DROP            info
# THE FOLLOWING POLICY MUST BE LAST
all             all             REJECT          info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
 
Given Shorewall is discarding Shorewall:FORWARD:REJECT:IN=tun0 OUT=tun0, even 
adding this line to /etc/shorewall/policy doesn't work:
 
vpn  vpn  ACCEPT
 
Just for background info on my VPN setup, here is the config on my hub router:
 
router-hq:~# cat /etc/openvpn/sitelink.conf
#Begin server.conf
port 1194
proto udp
dev tun
ca sitelink/ca.crt
cert sitelink/router-hq.mydomain.com.crt
key sitelink/router-hq.mydomain.com.key
dh sitelink/dh2048.pem
server 172.16.1.0 255.255.255.0
client-config-dir /etc/openvpn/sitelink/client-config
route 192.168.10.0 255.255.255.0
route 192.168.20.0 255.255.255.0
route 192.168.30.0 255.255.255.0
push "route 192.168.2.0 255.255.255.0"
push "route 192.168.10.0 255.255.255.0"
push "route 192.168.20.0 255.255.255.0"
push "route 192.168.30.0 255.255.255.0"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status server-tcp.log
verb 3
management 192.168.2.1 12345 /etc/openvpn/mgmntpass
# end

And here is one of the clients' configs; they are almost identical apart from the 
different certificates specified for each individual client:
 
router-clia:~# cat /etc/openvpn/hq.conf
#Begin client.conf
client
dev tun
route-method exe
route-delay 2
remote 100.100.100.100 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert router-clia.mydomain.com.crt
key router-clia.mydomain.com.key
ns-cert-type server
comp-lzo
verb 3

So, in summary, how can I route packets which come in over tun0/vpn back out via 
the same interface? In the future, I would like to lock this down further and 
block certain ports to certain VPN client address subnets. I have RTFM but 
couldn't see or understand how to apply the options to my scenario. Sorry if I 
have missed something; I greatly appreciate the help.
 
Many thanks in advance,
 
Chris
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
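The log lines quoted in the message show the distinguishing feature of the failing path: IN=tun0 OUT=tun0, a packet that would be forwarded back out the interface it arrived on. Shorewall only generates FORWARD rules for that case when the interface carries the routeback option in /etc/shorewall/interfaces (shorewall-interfaces(5)); a zone-to-zone policy alone does not cover it. Because such traffic still traverses the FORWARD chain once permitted, per-client port restrictions can later be written as ordinary entries in the rules file. The script below is an added example, not code from the original message or from the Shorewall project: it picks hairpin rejects out of kernel log lines and checks whether the interface involved has routeback set, reporting the posted file beside a corrected one. The log lines and both interfaces files are constructed samples modelled on the ones quoted in the thread; the parser assumes the four-column ZONE/INTERFACE/BROADCAST/OPTIONS layout shown there.

```python
"""Triage Shorewall FORWARD rejects for 'hairpin' traffic (IN and OUT on the
same interface) and check the interfaces file for the option that permits it.

Added example for this thread, not code from the original message or from
the Shorewall project. The log lines and interfaces files below are
constructed samples modelled on what the message quotes; the interfaces
format assumed is the four-column ZONE/INTERFACE/BROADCAST/OPTIONS layout.
"""
import re

# Constructed sample: two hairpin rejects like the ones quoted in the thread,
# plus one unrelated inbound drop on eth3 (OUT is empty for non-FORWARD logs).
SAMPLE_LOG = """\
Mar 26 04:33:10 router-hq kernel: Shorewall:FORWARD:REJECT:IN=tun0 OUT=tun0 SRC=172.16.1.6 DST=192.168.10.1 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=31895 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=25270
Mar 26 04:33:11 router-hq kernel: Shorewall:FORWARD:REJECT:IN=tun0 OUT=tun0 SRC=172.16.1.6 DST=192.168.10.1 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=31898 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=25271
Mar 26 04:35:02 router-hq kernel: Shorewall:net2fw:DROP:IN=eth3 OUT= SRC=203.0.113.9 DST=100.100.100.100 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=TCP SPT=40000 DPT=22
"""

# Constructed interfaces file as posted: tun0 has no options at all ...
SAMPLE_INTERFACES = """\
#ZONE   INTERFACE       BROADCAST       OPTIONS
lana    eth0            detect          tcpflags,nosmurfs
vpn     tun0
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
"""

# ... and the same file with routeback on tun0, the shorewall-interfaces(5)
# option that lets Shorewall forward traffic back out the interface it
# arrived on ("-" is the placeholder for the unused BROADCAST column).
FIXED_INTERFACES = """\
#ZONE   INTERFACE       BROADCAST       OPTIONS
lana    eth0            detect          tcpflags,nosmurfs
vpn     tun0            -               routeback
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
"""

LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<action>[A-Z]+):(?P<rest>.*)")


def parse_line(line):
    """Return the chain, action and netfilter KEY=VALUE fields of one log line,
    or None if the line is not a Shorewall log message."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    fields = {}
    for token in m.group("rest").split():
        key, _, value = token.partition("=")
        fields.setdefault(key, value)   # keep the first ID= (IP header), not ICMP's
    return {
        "chain": m.group("chain"),
        "action": m.group("action"),
        "in": fields.get("IN", ""),
        "out": fields.get("OUT", ""),
        "src": fields.get("SRC", ""),
        "dst": fields.get("DST", ""),
        "proto": fields.get("PROTO", ""),
    }


def hairpin_rejects(log_text):
    """FORWARD-chain entries whose packet would leave by the interface it came in on."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and entry["chain"] == "FORWARD" and entry["in"] and entry["in"] == entry["out"]:
            hits.append(entry)
    return hits


def interface_options(interfaces_text):
    """Map interface name -> set of OPTIONS from a Shorewall interfaces file."""
    options = {}
    for raw in interfaces_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and the trailer line
        cols = line.split()
        if len(cols) < 2:
            continue
        options[cols[1]] = set(cols[3].split(",")) if len(cols) >= 4 else set()
    return options


def routeback_findings(log_text, interfaces_text):
    """For every interface that rejected hairpin traffic, report whether its
    interfaces entry carries routeback (True) or not (False)."""
    opts = interface_options(interfaces_text)
    return {e["in"]: "routeback" in opts.get(e["in"], set()) for e in hairpin_rejects(log_text)}


if __name__ == "__main__":
    for e in hairpin_rejects(SAMPLE_LOG):
        print(f"hairpin {e['action']} on {e['in']}: {e['src']} -> {e['dst']} ({e['proto']})")
    print("as posted:     ", routeback_findings(SAMPLE_LOG, SAMPLE_INTERFACES))
    print("with routeback:", routeback_findings(SAMPLE_LOG, FIXED_INTERFACES))
```

Run against a real /var/log/messages by passing its contents to hairpin_rejects() and the live /etc/shorewall/interfaces to routeback_findings(); an interface reported as False is one where hairpin forwarding is rejected regardless of the policy file, and the fix belongs in the interfaces file rather than in policy.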