On 11/15/2015 6:52 PM, Connor Schlesiger wrote:
> Greetings,
>
> I have setup a router which is connected to private network using
> OpenVPN. Everything was working well, but I needed to allow inbound SSH
> connections. OpenVPN sets some rules to forward all traffic over the
> VPN. To prevent this, I setup a provider to my eth0 connection and set
> USE_DEFAULT_RT=No. This seems to have worked. All my devices outbound
> connections are going over the VPN and the inbound connections (SSH)
> responses are returning over eth0. Here are my configs:
>
> /etc/shorewall/interfaces
> #ZONE   INTERFACE   BROADCAST   OPTIONS
> net     eth0        detect      routeback,routefilter,dhcp,tcpflags,logmartians,nosmurfs
> bri     br0         detect      optional,routeback,routefilter,tcpflags,logmartians,nosmurfs
> vpn     tun+        detect      optional,routeback,routefilter,tcpflags,logmartians,nosmurfs
>
>
> /etc/shorewall/masq
> tun+    br0
>
>
> /etc/shorewall/policy
> #SOURCE DEST    POLICY  LOG
> #                       LEVEL
> $FW     vpn     ACCEPT
> $FW     bri     ACCEPT
> $FW     net     ACCEPT
> bri     vpn     ACCEPT
> net     all     DROP    info
> # The following policy MUST BE LAST
> all     all     REJECT  info
>
>
> /etc/shorewall/providers
> #NAME   NUMBER  MARK    DUPLICATE   INTERFACE   GATEWAY         OPTIONS         COPY
> isp     1       1       -           eth0        192.168.0.1     track,balance=1 -
>
>
> /etc/shorewall/rules
> #ACTION         SOURCE          DEST    PROTO   DEST    SOURCE  ORIGINAL    RATE        USER/   MARK    CONNLIMIT   TIME
> #                                               PORT    PORT(S) DEST        LIMIT       GROUP
> #SECTION ESTABLISHED
> #SECTION RELATED
> ?SECTION NEW
>
> #Permit all ICMP traffic FROM the firewall TO the net zone
> #Only accept ICMP from local networks
> ACCEPT          net:192.168.0.0/24,192.168.1.0/24 \
>                                 $FW     icmp    8       -       -           1/sec:1
> ACCEPT          bri             $FW     icmp    8       -       -           1/sec:1
>
> SSH(ACCEPT)     net,bri         $FW     -       -       -       -           s:1/min:3
>
> DNS(ACCEPT)     bri             $FW
>
> DHCPfwd(ACCEPT) bri             $FW
>
> #Last line
> DROP            net             all     all
>
>
> /etc/shorewall/zones
> #ZONE   TYPE        OPTIONS     IN          OUT
> #                               OPTIONS     OPTIONS
> fw      firewall
> net     ipv4
> bri     ipv4
> vpn     ipv4
>
>
> /etc/shorewall/shorewall.conf
> #Unchanged except this:
> USE_DEFAULT_RT=No
>
>
> /etc/openvpn/vpn.conf
> client
> dev tun
> proto udp
> remote VPN 1194
> resolv-retry infinite
> nobind
> persist-key
> persist-tun
> ca /etc/openvpn/ca.crt
> tls-client
> remote-cert-tls server
> auth-user-pass
> comp-lzo
> verb 1
> reneg-sec 0
> crl-verify /etc/openvpn/crl.pem
> auth-user-pass /etc/openvpn/cred
> script-security 2
> up /etc/openvpn/update-resolv-conf
> down /etc/openvpn/update-resolv-conf
> user nobody
> group nogroup
> #route-nopull
> #route 10.0.0.1/24
> #redirect-gateway
>
>
> This setup is working. The bridge, DHCP, and DNS are working. Outbound
> connections are going over the VPN. Inbound connection responses are
> going back over eth0 and not tun+. I have a couple questions, though:
>
> 1. Why do I need /etc/shorewall/providers for this to work? I'm not
> using /etc/shorewall/mangle.
Because you have specified 'redirect-gateway' in your openvpn.conf file.
That effectively makes the VPN a provider. Do you really need that?

> 2. In the docs it says USE_DEFAULT_RT=No is deprecated. Without turning
> it off, I can't get inbound SSH to work. I tried route-nopull in the
> OpenVPN config, but after setting up route and redirect-gateway, I
> still had the same problem. It seems the VPN provider uses a dynamic
> gateway on each connection. With a dynamic gateway, I am not sure
> how to use /etc/shorewall/tunnels or /etc/shorewall/mangle. What is
> the alternative to USE_DEFAULT_RT=No?

Probably because you haven't made the vpn a provider.

>
> I've come up with this setup by reading the docs, mailing lists, and
> forums. Please let me know if there are any glaring security issues. I
> am still learning. :-)
>

Again, we'll know when we see the dump. But if you don't need
'redirect-gateway', remove that from the OpenVPN and you won't need to use
the providers file.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
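The thread's core question is why a `providers` entry with `track` on eth0 is what makes inbound SSH replies leave via eth0 while everything else follows the VPN. The model below is an added illustration, not code from the thread, from Shorewall or from OpenVPN: it simulates the two pieces Shorewall generates for a `track` provider (a connection mark saved on NEW connections arriving on the provider interface and restored on their later packets, and an `ip rule` sending marked packets to the provider's table) on top of a `main` table that OpenVPN's `redirect-gateway` has rewritten with the usual `0.0.0.0/1` and `128.0.0.0/1` routes. All addresses, the router's interface IPs and the VPN transport network are constructed for the example; there is no separate `default` table because the thread runs with USE_DEFAULT_RT=No. Running it with `track` on and off shows the asymmetric-routing failure the poster hit: without the mark, the SYN-ACK to an SSH client on eth0 is routed into the tunnel.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses for this example (not from the thread).
ROUTER_WAN = "192.168.0.10"   # router's own eth0 address
ROUTER_LAN = "192.168.1.1"    # router's own br0 address


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    dev: str


class Table:
    """One kernel routing table: longest-prefix match over its routes."""

    def __init__(self, routes):
        self.routes = [Route(ipaddress.ip_network(p), d) for p, d in routes]

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        hits = [r for r in self.routes if addr in r.prefix]
        return max(hits, key=lambda r: r.prefix.prefixlen).dev if hits else None


# Table 'main' after OpenVPN pushes redirect-gateway: the two /1 routes are
# more specific than the ISP default, so unmarked traffic leaves via tun0.
MAIN = Table([
    ("192.168.0.0/24", "eth0"),
    ("192.168.1.0/24", "br0"),
    ("10.8.0.0/24",    "tun0"),   # VPN transport net (constructed)
    ("0.0.0.0/1",      "tun0"),
    ("128.0.0.0/1",    "tun0"),
    ("0.0.0.0/0",      "eth0"),
])

# Table 1, the 'isp' provider from the providers file: default via eth0.
ISP = Table([
    ("192.168.0.0/24", "eth0"),
    ("192.168.1.0/24", "br0"),
    ("0.0.0.0/0",      "eth0"),
])

# 'ip rule' order: fwmark 1 -> table 1 (isp); everything else -> main.
# With USE_DEFAULT_RT=No no separate 'default' table follows main.
RULES = [(1, ISP), (None, MAIN)]


class Router:
    """Packet path: connmark save/restore ('track'), then policy routing."""

    def __init__(self, track=True):
        self.track = track
        self.connmark = {}   # conntrack tuple -> saved mark

    @staticmethod
    def _conn(src, sport, dst, dport):
        # Direction-independent key, like a conntrack entry.
        return frozenset([(src, sport), (dst, dport)])

    def handle(self, src, sport, dst, dport, in_dev):
        """Return 'local' for delivery to the router itself, else the egress device."""
        key = self._conn(src, sport, dst, dport)
        mark = 0
        if self.track:
            if key not in self.connmark:
                # 'track': a NEW connection arriving on the provider interface is
                # stamped with the provider's MARK; LAN/local-originated ones are not.
                self.connmark[key] = 1 if in_dev == "eth0" else 0
            mark = self.connmark[key]   # mark restored on later packets of the flow
        if dst in (ROUTER_WAN, ROUTER_LAN):
            return "local"
        for rule_mark, table in RULES:
            if rule_mark in (None, mark):
                dev = table.lookup(dst)
                if dev:
                    return dev
        return None


def ssh_reply_device(track):
    """Where the router's SYN-ACK to an inbound SSH client on eth0 is routed."""
    r = Router(track=track)
    r.handle("203.0.113.5", 51000, ROUTER_WAN, 22, in_dev="eth0")        # inbound SYN
    return r.handle(ROUTER_WAN, 22, "203.0.113.5", 51000, in_dev=None)   # locally generated reply


def lan_egress_device(track):
    """Where a LAN host's new outbound HTTPS connection is routed."""
    r = Router(track=track)
    return r.handle("192.168.1.50", 40000, "198.51.100.20", 443, in_dev="br0")


if __name__ == "__main__":
    for t in (True, False):
        print(f"track={t}: SSH reply via {ssh_reply_device(t)}, "
              f"LAN egress via {lan_egress_device(t)}")
```

On a real box the equivalents of `RULES`, `ISP` and `MAIN` are `ip rule show`, `ip route show table 1` and `ip route show table main`, and a `routefilter` interface (as on tun+ here) will drop replies whose reverse path does not match the interface they arrived on, which is why the unmarked case breaks SSH rather than merely taking a strange path.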
