Hi Thomas,
The rule I gave didn't work because it seems you're running openvpn on tcp
and the default macro is for udp openvpn. For tcp you have to add the manual
rule:
ACCEPT net $FW tcp 1194
On Thu, Mar 26, 2015 at 7:41 PM Thomas Winkler <[email protected]>
wrote:
> Hello Angela,
>
> Yes, openvpn server and shorewall run on the same ARM embedded system
> (Debian 7.8).
>
> Shorewall version : 4.5.5.3
> Linux Kernel 3.18
>
>
> I used your settings but still it doesn't work when I run shorewall.
>
> grep vpn * :
>
> interfaces:vpn tun0 -
> policy:vpn all ACCEPT info
> policy:net vpn ACCEPT info
> tunnels:openvpnserver:tcp:1194 net 0.0.0.0/0
> zones:vpn ipv4
>
>
>
> Now I manually modified iptables for establishing and keeping the
> VPN connection with the following commands, and then it works as expected:
>
>
> iptables -A INPUT -p tcp --dport 1194 -j ACCEPT
>
> iptables -A INPUT -i tun0 -j ACCEPT
> iptables -A FORWARD -i tun0 -j ACCEPT
>
>
> Regards,
>
>
> Thomas
>
> Sent: Thursday, 26 March 2015 at 15:32
> From: "Angela Williams" <[email protected]>
> To: "Shorewall Users" <[email protected]>
> Subject: Re: [Shorewall-users] OpenVPN server with Shorewall not working
>
> Hi All
>
> On 26/03/2015 16:04, Thomas Winkler wrote:
> > Thanks for the fast reply !
> >
> > I tested both solutions but neither are working :
> >
> >
> > tunnels:
> >
> > #TYPE ZONE GATEWAY GATEWAY ZONE
> > openvpnserver:1194 net 192.168.70.19
> >
> >
> >
> > And then Ahmed's solution: deleting the tunnels file and adding the
> > only rule:
> >
> >
> > rules :
> >
> > OpenVPN/ACCEPT net $FW
> >
> >
> >
> > Still, I cannot connect the vpn client to the OpenVPN server when
> > activating Shorewall.
>
>
> I will assume that the openvpn server runs on your firewall that runs
> shorewall!
>
> I used grep vpn on one of my customer firewalls with openvpn on the
> firewall
>
>
> >
> >
> > Regards,
> >
> >
> > Thomas
> >
> > Sent: Wednesday, 25 March 2015 at 19:24
> > From: "Hesham Ahmed" <[email protected]>
> > To: "Shorewall Users" <[email protected]>
> > Subject: Re: [Shorewall-users] OpenVPN server with Shorewall not working
> >
> > I don't use tunnels file anymore since everything it does can be done
> > with rules or other files. I understand you're running the OpenVPN
> > Server on the same machine as Shorewall, in that case add the following
> > to your rules file and then try connecting:
> >
> > OpenVPN/ACCEPT net $FW
> >
> > Regards,
> >
> > Hesham Ahmed
> >
> > Sent: Wednesday, 25 March 2015 at 18:56
> > From: "matt darfeuille" <[email protected]>
> > To: "Shorewall Users" <[email protected]>
> > Subject: Re: [Shorewall-users] OpenVPN server with Shorewall not working
> >
> >
> > If shorewall is on the same box as the openvpn server you need at
> > least to change "openvpnclient" to "openvpnserver".
> >
> > Depending on your shorewall version the rules file is more
> > straightforward!
> >
> > -Matt
> >
> >
> >
> > On Wed, Mar 25, 2015 at 8:09 PM Thomas Winkler <[email protected]> wrote:
> > Hello,
> >
> > I really like Shorewall ! Thanks for this piece of software !
> > I am using Shorewall on an ARM single computer with two NICs running
> > on Debian 7.8 which runs perfectly.
> >
> > I installed the OpenVPN server on that single computer board and am
> > trying to get OpenVPN server running together with Shorewall.
> > Unfortunately, it doesn't work as expected.
> >
> > Once Shorewall is disabled, I can connect an OpenVPN client to my
> > OpenVPN server without any problems. However, after turning Shorewall
> > on, the openvpn client fails to connect or keep its VPN connection
> > with the OpenVPN server.
> >
> >
> >
> > I tested Shorewall and OpenVPN server on my local LAN.
> >
> > The ARM board has the IP address 192.168.70.19 and its Ethernet cable
> > is plugged into eth0. Shorewall and OpenVPN server are running on that
> > board with the following Shorewall configuration:
>
> grep vpn *
> interfaces:ovpn tun+
> policy:loc ovpn ACCEPT
> policy:ovpn fw ACCEPT
> policy:ovpn loc ACCEPT
> tunnels:openvpnserver:1194 net 0.0.0.0/0
> zones:ovpn ipv4
>
> It works for all my customers and comes from the Shorewall docs!
>
> Regards!
>
> Ang
>
>
>
>
>
> --
> Angela Williams
> angierfw at gmail dot com
> Linux/Networking Hacker
> Blog http://angierfw.wordpress.com
>
> Smile! Yahshua Loves You!
>
>
> ------------------------------------------------------------------------------
> Dive into the World of Parallel Programming The Go Parallel Website, sponsored
> by Intel and developed in partnership with Slashdot Media, is your hub for all
> things parallel software development, from weekly thought leadership blogs to
> news, videos, case studies, tutorials and more. Take a look and join the
> conversation now. http://goparallel.sourceforge.net/
> _______________________________________________
> Shorewall-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
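
A pre-flight check for the mismatch diagnosed in this thread (the OpenVPN macro covers UDP while the server listens on TCP), as an added example that is not part of the original messages. The function names, file names and sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. File contents are constructed samples
# and the function names are hypothetical.

# Print "<proto> <port>" for an OpenVPN server config (defaults: udp 1194).
ovpn_listen() {
    awk '$1 == "proto" { p = ($2 ~ /^tcp/) ? "tcp" : "udp" }
         $1 == "port"  { n = $2 }
         END { if (p == "") p = "udp"; if (n == "") n = 1194; print p, n }' "$1"
}

# Succeed if the rules file accepts net -> $FW traffic on proto/port.
# OpenVPN/ACCEPT counts as udp 1194 only, as the reply in the thread states.
rules_allow() {
    awk -v proto="$2" -v port="$3" '
        /^[ \t]*#/ { next }
        $2 != "net" || $3 != "$FW" { next }
        $1 == "OpenVPN/ACCEPT" && proto == "udp" && port == 1194 { ok = 1 }
        $1 == "ACCEPT" && $4 == proto && $5 == port { ok = 1 }
        END { exit ok ? 0 : 1 }' "$1"
}

# Compare a server config ($1) with a rules file ($2) and report the result.
check_vpn_rule() {
    set -- "$1" "$2" $(ovpn_listen "$1")
    if rules_allow "$2" "$3" "$4"; then
        echo "ok: $3/$4 reaches the firewall"
    else
        echo "blocked: $3/$4 needs 'ACCEPT net \$FW $3 $4'"
    fi
}

# Constructed sample files mirroring the setup discussed in the thread.
tmp=$(mktemp -d)
printf 'port 1194\nproto tcp\ndev tun\n' > "$tmp/server.conf"
printf '#ACTION SOURCE DEST PROTO DPORT\nOpenVPN/ACCEPT net $FW\n' > "$tmp/rules.macro"
printf 'ACCEPT net $FW tcp 1194\n' > "$tmp/rules.manual"

check_vpn_rule "$tmp/server.conf" "$tmp/rules.macro"
check_vpn_rule "$tmp/server.conf" "$tmp/rules.manual"
```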