On 7/9/10 1:03 AM, Markus Plessing wrote:
> Hello,
>
> I'm trying to set up shorewall to allow traffic from a single
> host behind the firewall to a remote network, both connected
> as openvpn clients to an openvpn-server on the internet.
>
> |---------------|       |---------------|
> | local         |       | local         |
> | vpn client    | ----- | shorewall     |
> | 191.168.0.159 |       | 192.168.0.1   |
> |---------------|       |---------------|
>                                 |
> |---------------|       |---------------|
> | remote        |       | internet      |
> | vpn client    | ----- | vpn server    |
> | 192.168.6.1   |       |               |
> |---------------|       |---------------|
>
>
> This scenario worked out completely without a running firewall,
> so it seems not to be a routing problem on the server.
>
> My first approach to get this done was to open the port openvpn
> needs to connect to the server, and I thought that all traffic
> would use this tunnel ... but this didn't work out. Only the
> tunnel gets established; other traffic seems to be blocked.
>
> ACCEPT loc net tcp 1202
>
> I've found several explanations for setting up a vpn connection having
> the openvpn client or server and the shorewall on the same host,
> but no information helping me with this issue.
>
> Is someone able to direct me to the solution?
If the tunnel is being established fully, then the firewall rules are not the problem; traffic sent through the tunnel is not visible to the firewall. All the firewall is aware of are the TCP 1202 packets and responses.

Is the VPN server assigning addresses that are in the 192.168.0.0/24 network? That would account for the results you are seeing (connect the client box directly to the internet and the tunnel would work; put it behind the masquerading firewall and it would not work).

-Tom

--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
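The address-conflict check Tom suggests, as an added example (not code from the thread or from the Shorewall project): the LAN and remote-client prefixes come from the diagram above, while the VPN pool value and the interface names eth0/eth1/tun0 are assumptions. It models the firewall's routing table with longest-prefix matching and shows that a pool overlapping 192.168.0.0/24 leaves LAN hosts reachable via two interfaces at the same prefix length, which is the symptom described.

```python
import ipaddress

# Constructed from the thread's diagram: the LAN behind shorewall and the remote
# VPN client's network. The VPN pool is an assumption; the thread does not say
# what the OpenVPN server hands out, which is exactly what Tom asks about.
LAN = ipaddress.ip_network("192.168.0.0/24")
REMOTE_NET = ipaddress.ip_network("192.168.6.0/24")


def find_overlaps(networks):
    """Return name pairs whose prefixes overlap; any hit means ambiguous routing."""
    names = list(networks)
    hits = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if networks[a].overlaps(networks[b]):
                hits.append((a, b))
    return hits


def route_lookup(routes, dst):
    """Longest-prefix match over (network, iface) pairs.

    Returns every interface tied at the best prefix length, so a result with
    more than one entry means the kernel's choice would depend on route
    metrics rather than on the destination address itself.
    """
    dst = ipaddress.ip_address(dst)
    best_len, best = -1, []
    for net, iface in routes:
        if dst not in net:
            continue
        if net.prefixlen > best_len:
            best_len, best = net.prefixlen, [iface]
        elif net.prefixlen == best_len:
            best.append(iface)
    return best


def diagnose(vpn_pool):
    """Overlap report plus the next hop for the remote client and a LAN host."""
    pool = ipaddress.ip_network(vpn_pool)
    overlaps = find_overlaps({"lan": LAN, "vpn_pool": pool, "remote": REMOTE_NET})
    routes = [  # assumed routing table on the shorewall box
        (ipaddress.ip_network("0.0.0.0/0"), "eth1"),  # default route to the internet
        (LAN, "eth0"),                                 # firewall's LAN interface
        (pool, "tun0"),                                # OpenVPN installs its pool route
        (REMOTE_NET, "tun0"),                          # route to the remote client
    ]
    return {
        "overlaps": overlaps,
        "remote_via": route_lookup(routes, "192.168.6.1"),
        "lan_host_via": route_lookup(routes, "192.168.0.159"),
    }
```

Running `diagnose("10.8.0.0/24")` reports no overlap and a single interface per destination, while `diagnose("192.168.0.0/24")` reports a LAN/pool overlap and two candidate interfaces for the LAN host.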
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
