This is similar to FAQ 2, but (I think) subtly different.
Shorewall version 4.4.8.1 on a dedicated firewall that also serves as an
OpenVPN endpoint. Road warriors can establish an OpenVPN connection
without problem.
The Ethernet interfaces on the firewall include:
eth0: standard 'net' zone
eth1: standard 'loc' zone
eth2: standard 'dmz' zone
eth7: 'guest' zone
The guest zone exists only to allow that company's visitors to get Internet
access; there is no access to the loc or dmz zones. However, occasionally
a company employee will connect via the guest lan and attempt to establish
an OpenVPN connection in order to get access to the internal resources
(loc, dmz).
The OpenVPN connection file specifies the OpenVPN server by its public IP.
The guest lan uses an RFC1918 subnet.
Problem: packet goes from user on guest lan to external IP of firewall
successfully, but the return packet source address is the firewall's guest
lan interface address. OpenVPN complains "Incoming packet rejected from
192.168.209.251:1194[2], expected peer address: $PUBLIC_IP:1194"
I would prefer not to use split zone DNS as that entails a replication of
the company's external DNS save for one change, the VPN destination (and,
at the moment, the OpenVPN conf files specify the OpenVPN server by
address anyway).
I've tried combinations of the sort mentioned in FAQ 2, but have not
solved the problem.
Yes, it can be fixed by using OpenVPN 'float', but is there a way of
having Shorewall set the source address as the public IP?
I hope the above is clear, but apologies if it isn't...questions welcome.
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
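Added example, not from the original post or the Shorewall project: one way to have Shorewall present the public IP on the return path, without split DNS or OpenVPN 'float', is a REDIRECT rule that rewrites the guest clients' destination from $PUBLIC_IP to the address of the interface the packet arrived on (eth7), so that conntrack restores $PUBLIC_IP as the source of the reply. It assumes the zone name `guest`, udp/1194 and the `$PUBLIC_IP` variable from the post (defined in /etc/shorewall/params) and the 4.4 column layout of /etc/shorewall/rules.

```text
# /etc/shorewall/rules  (added example; assumes zone 'guest', udp/1194 and
# $PUBLIC_IP as in the post, with $PUBLIC_IP set in /etc/shorewall/params)
#
# A guest client sends to $PUBLIC_IP:1194. REDIRECT changes the destination
# to the primary address of the arrival interface, eth7 (192.168.209.251), and
# conntrack records that translation. OpenVPN's reply leaves from
# 192.168.209.251:1194, matches the reply side of that entry, and is rewritten
# back to $PUBLIC_IP:1194 before it reaches the guest LAN, so the client sees
# the peer address it expects.
#
#ACTION    SOURCE   DEST   PROTO   DEST    SOURCE   ORIGINAL
#                                  PORT    PORT     DEST
REDIRECT   guest    1194   udp     1194    -        $PUBLIC_IP
#
# Road warriors arriving on eth0 are untouched: the rule matches only packets
# from the guest zone whose original destination is $PUBLIC_IP.
```

After `shorewall restart`, `shorewall show nat` should list the REDIRECT for the guest interface, and a client on the guest LAN should connect without the "Incoming packet rejected ... expected peer address" message.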