On Thu, 2011-07-21 at 06:29 -0700, Tom Eastep wrote:
> On Wed, 2011-07-20 at 20:36 -1000, Das wrote:
> 
> > I'm attaching a dump I did which is 'diff -u' with Arch online with
> > the VPN running with the policy line 1 uncommented and line 2
> > commented and working and the same settings for the policy in
> > Slackware but the VPN connection won't go online.
> 
> What failure messages does OpenVPN generate?
> 
> > # OpenVPN Interface
> > vpn     tun0            detect
> > vpn     tap0            detect
> 
> Why both tap and tun devices? Do you have both routed and bridged
> OpenVPN configurations?
> 

Here are some more observations:

1) fw->net rules.

 Chain fw2net (2 references)
  pkts bytes target     prot opt in     out     source               
destination         
     0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0  
         udp dpts:67:68 
-    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0  
         ctstate RELATED,ESTABLISHED 
-    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0  
         
+    1    97 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0  
         ctstate RELATED,ESTABLISHED 
+    4   236 Drop       all  --  *      *       0.0.0.0/0            0.0.0.0/0  
         
+    4   236 ULOG       all  --  *      *       0.0.0.0/0            0.0.0.0/0  
         ULOG copy_range 0 nlgroup 1 prefix `Shorewall:fw2net:DROP:' 
queue_threshold 1 
+    4   236 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0  
         

In neither configuration do you have an ACCEPT rule allowing outgoing
OpenVPN, which begs the question as to how the Arch configuration works.

The Shorewall OpenVPN HOWTO clearly shows the need for a tunnels file
entry (preferably openvpnclient, in your case).

2) Logging.

-Log (/var/log/shorewall)
+Log (/var/log/shorewall-init.log)

The fact that there are no differences shown in log entries indicates
that the LOGFILE setting on both configurations is wrong. The Netfilter
log is one of the primary tools you need to use to troubleshoot
connection problems.

3) Routing.

+94.231.84.82 via 192.168.1.1 dev eth0 <==============
+192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.8  metric 202 
+10.235.0.0/16 dev tun0  proto kernel  scope link  src 10.235.0.151 
+127.0.0.0/8 dev lo  scope link 
+0.0.0.0/1 via 10.235.0.1 dev tun0 
+128.0.0.0/1 via 10.235.0.1 dev tun0 
 default via 192.168.1.1 dev eth0  metric 202 
-94.231.84.81 via 192.168.1.1 dev eth0 <===============
-192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.3  metric 202 

Different static routes are defined in the two configurations.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
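The two checks Tom walks through above (is there an ACCEPT for the outgoing OpenVPN connection before the chain's DROP, and does the routing table carry the server host route plus the two half-default routes through the tunnel) can be scripted against the same `iptables -L -v -n` and `ip route` output that appears in the dump. The code below is an added illustration, not part of the original message or of Shorewall; the chain and route samples are constructed from the dump shown above, and the OpenVPN port (UDP 1194) is an assumption, since the thread never states it.

```python
import re

# Constructed sample, modelled on the Slackware fw2net chain in the dump above
# (iptables -L fw2net -v -n layout; column widths do not matter to the parser).
FW2NET_SAMPLE = """\
Chain fw2net (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:67:68
    1    97 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    4   236 Drop       all  --  *      *       0.0.0.0/0            0.0.0.0/0
    4   236 ULOG       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ULOG copy_range 0 nlgroup 1 prefix `Shorewall:fw2net:DROP:' queue_threshold 1
    4   236 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

# The same chain with the rule a tunnels-file entry would add (assumed UDP 1194).
FW2NET_FIXED = FW2NET_SAMPLE.replace(
    "    1    97 ACCEPT     all",
    "    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            94.231.84.82         udp dpt:1194\n"
    "    1    97 ACCEPT     all", 1)

# Constructed sample taken from the Slackware side of the routing diff above.
ROUTES_SAMPLE = """\
94.231.84.82 via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.8  metric 202
10.235.0.0/16 dev tun0  proto kernel  scope link  src 10.235.0.151
127.0.0.0/8 dev lo  scope link
0.0.0.0/1 via 10.235.0.1 dev tun0
128.0.0.0/1 via 10.235.0.1 dev tun0
default via 192.168.1.1 dev eth0  metric 202
"""

_DPT = re.compile(r"\bdpts?:(\d+)(?::(\d+))?")   # "dpt:1194" or "dpts:67:68"


def parse_chain(text):
    """Turn `iptables -L <chain> -v -n` output into a list of rule dicts."""
    keys = ["pkts", "bytes", "target", "prot", "opt", "in", "out", "src", "dst", "extra"]
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Chain") or line.split()[0] == "pkts":
            continue                      # skip the two header lines
        rule = dict(zip(keys, line.split(None, 9)))
        rule.setdefault("extra", "")      # rules with no match extension
        rules.append(rule)
    return rules


def _port_matches(extra, port):
    m = _DPT.search(extra)
    if not m:
        return True                       # no destination-port restriction
    lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
    return lo <= port <= hi


def allows_new_outgoing(rules, proto, port):
    """Walk the chain top to bottom and report whether a NEW outgoing
    proto/port connection hits ACCEPT before it hits DROP/REJECT.
    Source/destination addresses are ignored; Shorewall action chains
    such as `Drop` and logging targets such as ULOG are treated as
    non-terminal, which is an approximation."""
    for r in rules:
        if r["prot"] not in ("all", proto):
            continue
        if "ctstate" in r["extra"] and "NEW" not in r["extra"]:
            continue                      # only matches replies, not new flows
        if not _port_matches(r["extra"], port):
            continue
        if r["target"] == "ACCEPT":
            return True
        if r["target"] in ("DROP", "REJECT"):
            return False
    return False                          # fell off the chain: treat as denied


def parse_routes(text):
    """Map each `ip route` destination to the device it leaves through."""
    routes = {}
    for line in text.splitlines():
        parts = line.split()
        if parts:
            routes[parts[0]] = parts[parts.index("dev") + 1] if "dev" in parts else None
    return routes


def redirect_gateway_consistent(routes, server_ip, vpn_dev):
    """OpenVPN's redirect-gateway layout: the server must stay reachable over
    the physical uplink while 0.0.0.0/1 and 128.0.0.0/1 point at the tunnel."""
    server_dev = routes.get(server_ip)
    return (server_dev is not None and server_dev != vpn_dev
            and routes.get("0.0.0.0/1") == vpn_dev
            and routes.get("128.0.0.0/1") == vpn_dev)


if __name__ == "__main__":
    rules = parse_chain(FW2NET_SAMPLE)
    print("outgoing udp/1194 allowed (dump as posted):", allows_new_outgoing(rules, "udp", 1194))
    print("outgoing udp/1194 allowed (with tunnel rule):",
          allows_new_outgoing(parse_chain(FW2NET_FIXED), "udp", 1194))
    print("routes consistent for 94.231.84.82 via tun0:",
          redirect_gateway_consistent(parse_routes(ROUTES_SAMPLE), "94.231.84.82", "tun0"))
```

On the chain as posted the walker reaches the final DROP without seeing an ACCEPT for UDP 1194, which is the missing tunnels-file rule; the route check passes for the `.82` server address present on the Slackware side and fails for the `.81` address the Arch box routes to, mirroring the differing static routes in point 3.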

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
