Hello, you need a rule to allow communication from your firewall to your OpenVPN server.

/etc/shorewall/rules

#
# OpenVPN client to any OpenVPN server
#
OpenVPN/ACCEPT   $FW   net

or

/etc/shorewall/rules

#
# OpenVPN client to one OpenVPN server (e.g. 203.0.113.1)
#
OpenVPN/ACCEPT   $FW   net:203.0.113.1

Best regards
Joerg

On Wednesday 27 July 2011 21:51:50 Das wrote:
> Hi Tom,
>
> Sorry, getting lost now; I've been at this with other Slackware users, so I've
> gotten quite spun around with this for the past few weeks.
>
> Let me ask this over, or another way, if I did before, and sorry if I'm
> repeating myself. I only use OpenVPN as a client connecting to a VPN
> service, so will the 3 files below, as you see them, work after I've connected
> to OpenVPN? Because when I showed this to another Slackware user who seemed
> quite experienced with iptables, and I showed him the output of
> iptables-save, he could not see anything wrong with the 3 files below not
> working for me.
>
> So the 3 files below work for me when I'm connected to OpenVPN; of course,
> when I need to connect to the VPN, I have to comment the first line in the
> policy and uncomment the second line, so how you see it now, this is after
> I've connected and I've restarted shorewall...
>
> So for me I do not need a host, tunnels or rules to make the connection
> work....
>
> Stopping and starting for 10 mins. doesn't do anything; everything works
> just fine for me the way you see it below, once I'm on the VPN...
>
> THANKS
>
> INTERFACES
> ###############################################################################
> #ZONE   INTERFACE   BROADCAST   OPTIONS
> net     eth0        detect      dhcp,tcpflags,logmartians,nosmurfs
> net     wlan0       detect      dhcp,tcpflags,logmartians,nosmurfs
>
> # OpenVPN Interface
> vpn     tun0        detect
> vpn     tap0        detect
>
> POLICY
> ###############################################################################
> #SOURCE   DEST   POLICY   LOG      LIMIT:   CONNLIMIT:
> #                         LEVEL    BURST    MASK
> #
> # Block this machine from accessing NET ZONE, accept for exceptions in
> # /etc/shorewall/rules
> $FW       net    DROP     info
>
> # Allow NET Zone when not on VPN - (Allow all connection requests from the
> # firewall to the Internet)
> #$FW      net    ACCEPT
>
> # Allow this machine to access the VPN ZONE for everything
> $FW       vpn    ACCEPT
>
> # Block anything from the NET ZONE to all other zones - (Drop (ignore) all
> # connection requests from the Internet to your firewall)
> net       all    DROP     info
>
> # Block from using another connection
> net       net    NONE
>
> #
> # THE FOLLOWING POLICY MUST BE LAST
> #
>
> # Block everything else - (Reject all other connection requests; Shorewall
> # requires this catchall policy)
> all       all    REJECT   info
>
> ZONES
> ###############################################################################
> #ZONE   TYPE       OPTIONS   IN        OUT
> #                            OPTIONS   OPTIONS
> fw      firewall
> net     ipv4
> #vpn    ipsec
> vpn     ipv4
>
> On Wed, Jul 27, 2011 at 1:50 PM, Tom Eastep <[email protected]> wrote:
> >
> > On Jul 27, 2011, at 4:18 PM, Tom Eastep wrote:
> >
> > > I didn't say Netfilter messed up -- I'm betting on my solution a)
> >
> > And to prove it:
> >
> > a) Stop OpenVPN
> > b) Wait 10 Minutes
> > c) Try to start OpenVPN
> >
> > -Tom
> >
> > Tom Eastep          \ When I die, I want to go like my Grandfather who
> > Shoreline,           \ died peacefully in his sleep. Not screaming like
> > Washington, USA       \ all of the passengers in his car
> > http://shorewall.net   \________________________________________________
> >
> > ------------------------------------------------------------------------------
> > Got Input? Slashdot Needs You.
> > Take our quick survey online. Come on, we don't ask for help often.
> > Plus, you'll get a chance to win $100 to spend on ThinkGeek.
> > http://p.sf.net/sfu/slashdot-survey
> > _______________________________________________
> > Shorewall-users mailing list
> > [email protected]
> > https://lists.sourceforge.net/lists/listinfo/shorewall-users
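The following Python script is an added example for this thread and is not part of the original mail or of Shorewall's own code. It models the one Shorewall semantic Joerg's advice relies on: entries in /etc/shorewall/rules are matched before the zone-pair policies in /etc/shorewall/policy, so with Das's `$FW net DROP` policy the OpenVPN client's first packet to the server is dropped unless a rule accepts it, while traffic over the already-established tunnel (zone `vpn`) is accepted by policy, which is why everything works once the tunnel is up. Assumptions: the `OpenVPN` macro expands to udp/1194 (the default port in Shorewall's macro.OpenVPN); only the ACTION, SOURCE, DEST, PROTO and DPORT columns plus a DEST host qualifier are modelled; interfaces, source-host qualifiers, logging, rate limits and other macros are ignored. The `decide` helper and the sample config strings are constructed here from the files quoted above.

```python
"""Toy model of how Shorewall decides fw->net traffic: rules first, then policy.

Added example for this thread, not Shorewall's own code. Assumption: the
OpenVPN macro expands to udp/1194; interfaces, source-host qualifiers,
logging and rate limits are not modelled.
"""
import ipaddress

MACROS = {"OpenVPN": ("udp", 1194)}   # assumption: default macro.OpenVPN content
ZONE_ALIASES = {"$FW": "fw"}          # $FW is Shorewall's name for the firewall zone


def _columns(text):
    """Yield the whitespace-separated columns of each non-blank, non-comment line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()


def _zone(field):
    """'net:203.0.113.1' -> ('net', IPv4Network); 'net' -> ('net', None)."""
    zone, _, host = field.partition(":")
    zone = ZONE_ALIASES.get(zone, zone)
    return zone, (ipaddress.ip_network(host, strict=False) if host else None)


def parse_rules(text):
    """Parse rules lines 'ACTION SOURCE DEST [PROTO [DPORT]]'; 'MACRO/ACTION' is expanded."""
    rules = []
    for cols in _columns(text):
        action, src, dst = cols[0], cols[1], cols[2]
        if "/" in action:
            macro, action = action.split("/", 1)
            proto, dport = MACROS[macro]
        else:
            proto = cols[3] if len(cols) > 3 and cols[3] != "-" else None
            dport = int(cols[4]) if len(cols) > 4 and cols[4] != "-" else None
        rules.append((action, _zone(src)[0], _zone(dst), proto, dport))
    return rules


def parse_policy(text):
    """Parse policy lines 'SOURCE DEST POLICY [LOG ...]' in file order."""
    return [(_zone(c[0])[0], _zone(c[1])[0], c[2]) for c in _columns(text)]


def evaluate(rules, policy, src, dst, proto, dport, dst_ip):
    """Action for a new connection: first matching rule wins, else first matching policy."""
    ip = ipaddress.ip_address(dst_ip)
    for action, rsrc, (rdst, rnet), rproto, rport in rules:
        if (rsrc, rdst) != (src, dst):
            continue
        if rnet is not None and ip not in rnet:
            continue
        if rproto not in (None, proto) or rport not in (None, dport):
            continue
        return action
    for psrc, pdst, action in policy:
        if psrc in ("all", src) and pdst in ("all", dst):
            return action
    return None  # unreachable with the catch-all 'all all REJECT' Shorewall requires


# Constructed from the policy file Das posted: net blocked for the firewall, vpn open.
POLICY = """
$FW   net   DROP    info
$FW   vpn   ACCEPT
net   all   DROP    info
net   net   NONE
all   all   REJECT  info
"""

NO_RULES = ""                                                # Das's setup: no rules entries
RULE_ANY_SERVER = "OpenVPN/ACCEPT   $FW   net"               # Joerg's first suggestion
RULE_ONE_SERVER = "OpenVPN/ACCEPT   $FW   net:203.0.113.1"   # Joerg's second suggestion


def decide(rules_text, dst_zone="net", dst_ip="203.0.113.1", proto="udp", dport=1194):
    """Action for a connection from the firewall itself (zone 'fw') under the given rules."""
    return evaluate(parse_rules(rules_text), parse_policy(POLICY),
                    "fw", dst_zone, proto, dport, dst_ip)


if __name__ == "__main__":
    print("no rule, udp/1194 to 203.0.113.1:", decide(NO_RULES))                      # DROP
    print("OpenVPN/ACCEPT $FW net:", decide(RULE_ANY_SERVER))                          # ACCEPT
    print("OpenVPN/ACCEPT $FW net:203.0.113.1:", decide(RULE_ONE_SERVER))              # ACCEPT
    print("same rule, other host:", decide(RULE_ONE_SERVER, dst_ip="198.51.100.7"))    # DROP
    print("over the tunnel (fw -> vpn):", decide(NO_RULES, "vpn", "10.8.0.1"))         # ACCEPT
```

The host-qualified form is the one to prefer: it opens udp/1194 from the firewall to a single server rather than to the whole Internet, and, as the fourth case shows, the policy still drops the same port to any other host.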
