On 7/12/10 3:20 AM, Markus Plessing wrote:
> Hi,
>
> Tom Eastep wrote:
>> On 7/9/10 1:20 PM, Markus Plessing wrote:
>>> Hi,
>>>
>>> Tom Eastep wrote:
>>>> On 7/9/10 1:03 AM, Markus Plessing wrote:
>>>>> Hello,
>>>>>
>>>>> I'm trying to set up shorewall to allow traffic from a single
>>>>> host behind the firewall to a remote network both connected
>>>>> as openvpn clients to an openvpn-server on the internet.
>>>> [...]
>>>>
>>>> If the tunnel is being established fully, then the firewall rules are
>>>> not the problem; traffic sent through the tunnel is not visible to the
>>>> firewall; all the firewall is aware of are the TCP 1202 packets and
>>>> responses.
>>> [...]
>>
>> Forget the Shorewall configuration; it is not relevant! Once the
>> connection is made, the only thing that is relevant is the IP
>> configuration and routing.
>>
>> a) What IP address is being assigned to the client by the VPN server?
>
> Some extracted output from openvpn:
> ifconfig_local = '10.8.2.2'
> ifconfig_remote_netmask = '10.8.2.1'
> route 192.168.6.0/255.255.255.0/nil/nil
> /sbin/ifconfig tun0 10.8.2.2 pointopoint 10.8.2.1 mtu 1500
> /sbin/route add -net 192.168.6.0 netmask 255.255.255.0 gw 10.8.2.1
>
>> b) What does the routing table on the client look like when the VPN is
>> connected?
>
> routes of host running the vpn-client:
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 10.8.2.1        *               255.255.255.255 UH    0      0        0 tun0
> 192.168.6.0     10.8.2.1        255.255.255.0   UG    0      0        0 tun0
> 192.168.0.0     *               255.255.255.0   U     1      0        0 eth0
> link-local      *               255.255.0.0     U     1000   0        0 eth0
> default         192.168.0.1     0.0.0.0         UG    0      0        0 eth0
>
>> c) What does the routing table look like at the remote client machine
>> (192.168.6.1)?
>
> routes of openvpn server:
> 10.11.2.2       *               255.255.255.255 UH    0      0        0 tun0
> 10.10.2.2       *               255.255.255.255 UH    0      0        0 tun1
> 81.169.183.1    *               255.255.255.255 UH    0      0        0 eth0
> 10.8.2.2        *               255.255.255.255 UH    0      0        0 tun2
> 192.168.6.0     10.10.2.2       255.255.255.0   UG    0      0        0 tun1
> 192.168.1.0     10.11.2.2       255.255.255.0   UG    0      0        0 tun0
> 192.168.0.0     10.8.2.2        255.255.255.0   UG    0      0        0 tun2
> default         81.169.183.1    0.0.0.0         UG    0      0        0 eth0
>
> routes of the gateway of the destination network:
> 10.10.2.1       *               255.255.255.255 UH    0      0        0 tun0
> 192.168.6.0     *               255.255.255.0   U     0      0        0 br0
> 10.11.2.0       10.10.2.1       255.255.255.0   UG    0      0        0 tun0
> 92.250.155.0    *               255.255.255.0   U     0      0        0 vlan1
> default         1.a2c-250-155.a 0.0.0.0         UG    0      0        0 vlan1

The above gateway has no route to 10.8.2.0/24! So VPN clients assigned an
address in that network cannot access 192.168.6.0/24.

> Some sort of horrible configuration, but as said, it worked out from
> within the network of the other business location (192.168.1.0)
>
> The routes of the host with the working connection are:
> 10.11.2.1       *               255.255.255.255 UH    0      0        0 tun0
> 192.168.6.0     10.11.2.1       255.255.255.0   UG    0      0        0 tun0
> 10.10.2.0       10.11.2.1       255.255.255.0   UG    0      0        0 tun0
> 192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
> default         192.168.1.1     0.0.0.0         UG    0      0        0 eth0

Note that this working client was assigned IP address 10.11.2.1 -- there
*is* a route to that network from the destination network's router.

-Tom
--
Tom Eastep        \   When I die, I want to go like my Grandfather who
Shoreline,         \  died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
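The diagnosis above can be checked mechanically: the destination gateway's replies to a client are governed by its own longest-prefix route lookup, and the quoted table has no entry covering 10.8.2.0/24, so those replies fall to the default route out vlan1 instead of tun0. The following is an added example (not part of the thread, not Shorewall code) that parses a `route -n` style table in the layout quoted above and performs that lookup; the table text is copied from the thread, and the client addresses 10.8.2.2 and 10.11.2.1 are the ones discussed in it.

```python
import ipaddress
from typing import List, NamedTuple, Optional

class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: Optional[str]  # None when directly connected ("*" in route -n)
    iface: str

def parse_route_table(text: str) -> List[Route]:
    """Parse `route -n` output: Destination Gateway Genmask Flags ... Iface."""
    routes = []
    for line in text.strip().splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[0] == "Destination":
            continue  # header row or a truncated line
        dst, gw, mask, iface = fields[0], fields[1], fields[2], fields[-1]
        dst = "0.0.0.0" if dst == "default" else dst
        try:
            network = ipaddress.IPv4Network(f"{dst}/{mask}")
        except ValueError:
            continue  # symbolic destinations such as "link-local" are skipped
        routes.append(Route(network, None if gw == "*" else gw, iface))
    return routes

def lookup(routes: List[Route], address: str) -> Optional[Route]:
    """Return the most specific matching route (longest prefix wins), or None."""
    addr = ipaddress.IPv4Address(address)
    matches = [r for r in routes if addr in r.network]
    return max(matches, key=lambda r: r.network.prefixlen) if matches else None

# Routing table of the destination network's gateway, copied from the thread.
GATEWAY_ROUTES = """
10.10.2.1       *               255.255.255.255 UH    0 0 0 tun0
192.168.6.0     *               255.255.255.0   U     0 0 0 br0
10.11.2.0       10.10.2.1       255.255.255.0   UG    0 0 0 tun0
92.250.155.0    *               255.255.255.0   U     0 0 0 vlan1
default         1.a2c-250-155.a 0.0.0.0         UG    0 0 0 vlan1
"""

def return_path_uses_vpn(table: str, client_ip: str) -> bool:
    """True if the gateway would send replies to client_ip through a tun interface."""
    route = lookup(parse_route_table(table), client_ip)
    return route is not None and route.iface.startswith("tun")

if __name__ == "__main__":
    for client in ("10.8.2.2", "10.11.2.1"):  # the failing and the working client
        r = lookup(parse_route_table(GATEWAY_ROUTES), client)
        print(f"{client}: via {r.gateway or 'direct'} on {r.iface} ({r.network})")
```

For 10.8.2.2 the only match is the default route on vlan1, which is exactly the missing-route condition Tom points out; 10.11.2.1 matches 10.11.2.0/24 via tun0 and so works.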
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
