Hello,

@Ahmed: I used your latest rule, but it still doesn't work.

This is the iptables LOG output after running shorewall with your rule added :

INPUT:DROP:IN=eth0 OUT= MAC=XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX 
SRC=192.168.70.85 DST=192.168.70.19 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=14365 
DF PROTO=TCP SPT=51191 DPT=1194 WINDOW=8192 RES=0x00 SYN URGP=0


So iptables is still dropping the VPN client's initial connection request on 
port 1194.



@Angela:

I am using TCP, so I added 'tcp' in tunnels, but as mentioned above the VPN 
client can't connect to the openvpn server (iptables shows the same DROP 
behavior as mentioned above).

This is my configuration :



interfaces:vpn tun+
policy:loc vpn ACCEPT
policy:vpn fw ACCEPT
policy:vpn net ACCEPT
policy:vpn loc ACCEPT
tunnels:openvpnserver:tcp:1194 net 0.0.0.0/0
zones:vpn ipv4



As shorewall also doesn't generate the shorewall.log file, I am beginning to 
believe that my Debian Wheezy ARM shorewall version might have some errors?
 

Regards,

Thomas
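
As an added example (not code from this thread or from Shorewall itself), here is a small Python helper that parses a netfilter LOG line like the one above and checks the dropped packet against what the openvpnserver entry in the Shorewall tunnels file should have opened. The defaults it assumes for a tunnels TYPE of openvpn/openvpnserver/openvpnclient (UDP, port 1194 when no protocol or port qualifier is given) are those documented for the openvpn tunnel types; the sample LOG line and the two 'grep vpn *' lines are constructed from the messages in this thread, and the interpretation of an empty OUT= field as "addressed to the firewall itself" is standard netfilter behaviour, not something the thread states.

```python
"""Check a netfilter LOG drop against the ports a Shorewall 'tunnels' entry
should have opened for an OpenVPN server.

Added example for this thread, not Shorewall's own code. Assumptions:
  - a tunnels TYPE of openvpn/openvpnserver/openvpnclient defaults to UDP/1194
    and may carry ':tcp'/':udp' and ':port' qualifiers (Shorewall tunnels(5));
  - an empty OUT= field means the packet was addressed to the firewall itself
    (INPUT path), which is where an OpenVPN server's listener lives.
"""

# Constructed sample: the wrapped LOG line from the thread, joined on one line.
LOG_LINE = (
    "INPUT:DROP:IN=eth0 OUT= MAC=XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX "
    "SRC=192.168.70.85 DST=192.168.70.19 LEN=52 TOS=0x00 PREC=0x00 TTL=128 "
    "ID=14365 DF PROTO=TCP SPT=51191 DPT=1194 WINDOW=8192 RES=0x00 SYN URGP=0"
)

# Constructed samples: 'grep vpn *' output from /etc/shorewall, two variants.
GREP_UDP_DEFAULT = "tunnels:openvpnserver:1194 net 0.0.0.0/0"
GREP_TCP = "tunnels:openvpnserver:tcp:1194 net 0.0.0.0/0"

OPENVPN_TYPES = ("openvpn", "openvpnserver", "openvpnclient")


def parse_log_line(line):
    """Split 'PREFIX:TARGET:IN=... key=value ... FLAG' into a dict.

    key=value tokens become entries; bare tokens (DF, SYN, ACK, ...) are
    collected in pkt['FLAGS']. Works for both the bare 'INPUT:DROP:' prefix
    seen in the thread and Shorewall's usual 'Shorewall:net2fw:DROP:' form.
    """
    head, sep, rest = line.partition("IN=")
    if not sep:
        raise ValueError("not a netfilter LOG line: %r" % line)
    labels = head.rstrip(":").split(":")
    pkt = {"PREFIX": ":".join(labels[:-1]), "TARGET": labels[-1], "FLAGS": set()}
    for tok in (sep + rest).split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            pkt[key] = value
        else:
            pkt["FLAGS"].add(tok)
    return pkt


def tunnel_listener(entry):
    """Return the (proto, port) an openvpn* tunnels TYPE column opens.

    'openvpnserver' -> ('udp', 1194); 'openvpnserver:tcp:1194' -> ('tcp', 1194).
    """
    kind, *qualifiers = entry.split(":")
    if kind not in OPENVPN_TYPES:
        raise ValueError("not an openvpn tunnels type: %r" % entry)
    proto, port = "udp", 1194  # documented defaults for the openvpn types
    for q in qualifiers:
        if q.lower() in ("tcp", "udp"):
            proto = q.lower()
        elif q.isdigit():
            port = int(q)
        else:
            raise ValueError("bad qualifier %r in %r" % (q, entry))
    return proto, port


def listeners_from_grep(grep_output):
    """Collect (proto, port) pairs from the 'tunnels:...' lines of 'grep vpn *'."""
    listeners = []
    for line in grep_output.splitlines():
        fname, _, content = line.partition(":")
        content = content.strip()
        if fname != "tunnels" or not content or content.startswith("#"):
            continue
        listeners.append(tunnel_listener(content.split()[0]))
    return listeners


def diagnose_drop(pkt, listeners):
    """Classify a logged packet against the expected listeners.

    'not-an-input-drop' - not a DROP/REJECT of a packet addressed to the firewall
    'no-rule'           - no tunnels entry opens this proto/port: the drop is expected
    'rule-not-applied'  - a tunnels entry covers it, so the running ruleset does
                          not reflect the config files (compile/reload problem)
    """
    if pkt["TARGET"] not in ("DROP", "REJECT") or pkt.get("OUT", ""):
        return "not-an-input-drop"
    proto = pkt.get("PROTO", "").lower()
    port = int(pkt["DPT"]) if pkt.get("DPT", "").isdigit() else None
    return "rule-not-applied" if (proto, port) in listeners else "no-rule"


if __name__ == "__main__":
    pkt = parse_log_line(LOG_LINE)
    for label, grep in (("udp default", GREP_UDP_DEFAULT), ("tcp:1194", GREP_TCP)):
        found = listeners_from_grep(grep)
        print(label, found, diagnose_drop(pkt, found))
```

Run against the log line above, the SYN to TCP/1194 comes out as 'no-rule' when the tunnels entry is left at the UDP default (the drop is what the config asks for) and as 'rule-not-applied' when the entry reads openvpnserver:tcp:1194, which points at the compiled ruleset rather than the config files: the next thing to check is the output of shorewall show for a rule on tcp dport 1194 in the chain the log prefix names.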

 

Sent: Thursday, 26 March 2015 at 23:20
From: "Hesham Ahmed" <[email protected]>
To: "Shorewall Users" <[email protected]>
Subject: Re: [Shorewall-users] OpenVPN server with Shorewall not working

Hi Thomas,
 
The rule I gave didn't work because it seems you're running openvpn on tcp and 
the default macro is for udp openvpn. For tcp you have to add the manual rule:
 
ACCEPT    net    $FW    tcp    1194
 
On Thu, Mar 26, 2015 at 7:41 PM Thomas Winkler <[email protected]> 
wrote:

Hello Angela,

Yes, openvpn server and shorewall run on the same ARM embedded system (Debian 
7.8).

Shorewall version : 4.5.5.3
Linux Kernel 3.18


I used your settings but still it doesn't work  when I run shorewall.

grep vpn *  :

interfaces:vpn          tun0    -
policy:vpn      all     ACCEPT  info
policy:net      vpn     ACCEPT  info
tunnels:openvpnserver:tcp:1194 net 0.0.0.0/0
zones:vpn       ipv4



Now I manually modified iptables for establishing and keeping the VPN 
connection with the following commands, and then it works as expected:


iptables -A INPUT -p tcp --dport 1194 -j ACCEPT

iptables -A INPUT -i tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -j ACCEPT


Regards,


Thomas




 
 

Sent: Thursday, 26 March 2015 at 19:53
From: "Angela Williams" <[email protected]>
To: "Shorewall Users" <[email protected]>
Subject: Re: [Shorewall-users] OpenVPN server with Shorewall not working
Hi Thomas!

On 26/03/2015 18:32, Thomas Winkler wrote:
> Hello Angela,
>
> Yes, openvpn server and shorewall run on the same ARM embedded system ( 
> Debian 7.8).
>
> Shorewall version : 4.5.5.3
> Linux Kernel 3.18
>
>
> I used your settings but still it doesn't work when I run shorewall.
>
> grep vpn * :
>
> interfaces:vpn tun0 -
> policy:vpn all ACCEPT info
> policy:net vpn ACCEPT info
> tunnels:openvpnserver:tcp:1194 net 0.0.0.0/0
> zones:vpn ipv4
>

Again my config from another site

interfaces:ovpn tun+
policy:loc ovpn ACCEPT
policy:ovpn fw ACCEPT
policy:ovpn net ACCEPT
policy:ovpn loc ACCEPT
tunnels:openvpnserver:1194 net 0.0.0.0/0
zones:ovpn ipv4

Try with the policies I use and see if it works!

I use tun+ because I have the odd site with more than one openvpn
server running!

I also have services on the firewalls and local lans the clients need to
access.




 
 

Sent: Thursday, 26 March 2015 at 15:32
From: "Angela Williams" <[email protected]>
To: "Shorewall Users" <[email protected]>
Subject: Re: [Shorewall-users] OpenVPN server with Shorewall not working

Hi All

On 26/03/2015 16:04, Thomas Winkler wrote:
> Thanks for the fast reply !
>
> I tested both solutions but neither are working :
>
>
> tunnels:
>
> #TYPE ZONE GATEWAY GATEWAY ZONE
> openvpnserver:1194 net 192.168.70.19
>
>
>
> And then Ahmed's solution : deleting the tunnels file and adding the only 
> rule :
>
>
> rules :
>
> OpenVPN/ACCEPT net $FW
>
>
>
> Still, I cannot connect the vpn client to the OpenVPN server when activating 
> Shorewall.


I will assume that the openvpn server runs on your firewall that runs
shorewall!

I used grep vpn on one of my customer firewalls with openvpn on the firewall


>
>
> Regards,
>
>
> Thomas
>
>
>
>
>
> Sent: Wednesday, 25 March 2015 at 19:24
> From: "Hesham Ahmed" <[email protected]>
> To: "Shorewall Users" <[email protected]>
> Subject: Re: [Shorewall-users] OpenVPN server with Shorewall not working
>
> I don't use the tunnels file anymore since everything it does can be done
> with rules or other files. I understand you're running the OpenVPN
> Server on the same machine as Shorewall; in that case add the following
> to your rules file and then try connecting:
>
> OpenVPN/ACCEPT net $FW
>
> Regards,
>
> Hesham Ahmed
>
>
>
>
>
> Sent: Wednesday, 25 March 2015 at 18:56
> From: "matt darfeuille" <[email protected]>
> To: "Shorewall Users" <[email protected]>
> Subject: Re: [Shorewall-users] OpenVPN server with Shorewall not working
>
>
> If shorewall is on the same box as the openvpn server you need at
> least to change "openvpnclient" to "openvpnserver".
>
> Depending on your shorewall version the rules file is more
> straightforward!
>
> -Matt
>
>
>
> On Wed, Mar 25, 2015 at 8:09 PM Thomas Winkler
> <[email protected]> wrote:
>
> Hello,
>
> I really like Shorewall! Thanks for this piece of software!
> I am using Shorewall on an ARM single-board computer with two NICs running
> on Debian 7.8, which runs perfectly.
>
> I installed the OpenVPN server on that single-board computer and am
> trying to get the OpenVPN server running together with Shorewall.
> Unfortunately, it doesn't work as expected.
>
> Once Shorewall is disabled, I can connect an OpenVPN client to my
> OpenVPN server without any problems. However, after turning Shorewall
> on, the openvpn client fails to connect or to keep its VPN connection
> with the OpenVPN server.
>
> I tested Shorewall and the OpenVPN server on my local LAN.
>
> The ARM board has the IP address 192.168.70.19 and its Ethernet cable
> is plugged into eth0. Shorewall and the OpenVPN server are running on that board
> with the following Shorewall configuration:

grep vpn *
interfaces:ovpn tun+
policy:loc ovpn ACCEPT
policy:ovpn fw ACCEPT
policy:ovpn loc ACCEPT
tunnels:openvpnserver:1194 net 0.0.0.0/0
zones:ovpn ipv4

It works for all my customers and comes from the Shorewall docs!

Regards!

Ang





--
Angela Williams
angierfw at gmail dot com
Linux/Networking Hacker
Blog http://angierfw.wordpress.com

Smile! Yahshua Loves You!


------------------------------------------------------------------------------
Dive into the World of Parallel Programming The Go Parallel Website, sponsored
by Intel and developed in partnership with Slashdot Media, is your hub for all
things parallel software development, from weekly thought leadership blogs to
news, videos, case studies, tutorials and more. Take a look and join the
conversation now. 
http://goparallel.sourceforge.net/
_______________________________________________
Shorewall-users mailing list
[email protected][[email protected]]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
