On 11/15/2015 7:59 PM, Tom Eastep wrote:
> On 11/15/2015 6:52 PM, Connor Schlesiger wrote:
>> Greetings,
>>
>> I have setup a router which is connected to private network using
>> OpenVPN. Everything was working well, but I needed to allow inbound SSH
>> connections. OpenVPN sets some rules to forward all traffic over the
>> VPN. To prevent this, I setup a provider to my eth0 connection and set
>> USE_DEFAULT_RT=No. This seems to have worked. All my devices outbound
>> connections are going over the VPN and the inbound connections (SSH)
>> responses are returning over eth0. Here are my configs:
>>
>> /etc/shorewall/interfaces
>> #ZONE   INTERFACE   BROADCAST   OPTIONS
>> net     eth0        detect      routeback,routefilter,dhcp,tcpflags,logmartians,nosmurfs
>> bri     br0         detect      optional,routeback,routefilter,tcpflags,logmartians,nosmurfs
>> vpn     tun+        detect      optional,routeback,routefilter,tcpflags,logmartians,nosmurfs
>>
>>
>> /etc/shorewall/masq
>> tun+    br0
>>
>>
>> /etc/shorewall/policy
>> #SOURCE DEST    POLICY  LOG
>> #                       LEVEL
>> $FW     vpn     ACCEPT
>> $FW     bri     ACCEPT
>> $FW     net     ACCEPT
>> bri     vpn     ACCEPT
>> net     all     DROP    info
>> # The following policy MUST BE LAST
>> all     all     REJECT  info
>>
>>
>> /etc/shorewall/providers
>> #NAME   NUMBER  MARK    DUPLICATE   INTERFACE   GATEWAY         OPTIONS         COPY
>> isp     1       1       -           eth0        192.168.0.1     track,balance=1 -
>>
>>
>> /etc/shorewall/rules
>> #ACTION         SOURCE                              DEST    PROTO   DEST    SOURCE  ORIGINAL    RATE        USER/   MARK    CONNLIMIT   TIME
>> #                                                                   PORT    PORT(S) DEST        LIMIT       GROUP
>> #SECTION ESTABLISHED
>> #SECTION RELATED
>> ?SECTION NEW
>>
>> #Permit all ICMP traffic FROM the firewall TO the net zone
>> #Only accept ICMP from local networks
>> ACCEPT          net:192.168.0.0/24,192.168.1.0/24   $FW     icmp    8       -       -           1/sec:1
>> ACCEPT          bri                                 $FW     icmp    8       -       -           1/sec:1
>>
>> SSH(ACCEPT)     net,bri                             $FW     -       -       -       -           s:1/min:3
>>
>> DNS(ACCEPT)     bri                                 $FW
>>
>> DHCPfwd(ACCEPT) bri                                 $FW
>>
>> #Last line
>> DROP            net                                 all     all
>>
>>
>> /etc/shorewall/zones
>> #ZONE   TYPE        OPTIONS     IN          OUT
>> #                               OPTIONS     OPTIONS
>> fw      firewall
>> net     ipv4
>> bri     ipv4
>> vpn     ipv4
>>
>>
>> /etc/shorewall/shorewall.conf
>> #Unchanged except this:
>> USE_DEFAULT_RT=No
>>
>>
>> /etc/openvpn/vpn.conf
>> client
>> dev tun
>> proto udp
>> remote VPN 1194
>> resolv-retry infinite
>> nobind
>> persist-key
>> persist-tun
>> ca /etc/openvpn/ca.crt
>> tls-client
>> remote-cert-tls server
>> auth-user-pass
>> comp-lzo
>> verb 1
>> reneg-sec 0
>> crl-verify /etc/openvpn/crl.pem
>> auth-user-pass /etc/openvpn/cred
>> script-security 2
>> up /etc/openvpn/update-resolv-conf
>> down /etc/openvpn/update-resolv-conf
>> user nobody
>> group nogroup
>> #route-nopull
>> #route 10.0.0.1/24
>> #redirect-gateway
>>
>>
>> This setup is working. The bridge, DHCP, and DNS are working. Outbound
>> connections are going over the VPN. Inbound connection responses are
>> going back over eth0 and not tun+. I have a couple questions, though:
>>
>> 1. Why do I need /etc/shorewall/providers for this to work? I'm not
>> using /etc/shorewall/mangle.
>
> Because you have specified 'redirect-gateway' in your openvpn.conf file.
> That effectively makes the VPN a provider. Do you really need that?
>
>
>> 2. In the docs it says USE_DEFAULT_RT=No is deprecated. Without turning
>> it off, I can't get inbound SSH to work. I tried route-nopull in the
>> OpenVPN config, but after setting up route and redirect-gateway, I
>> still had the same problem. It seems the VPN provider uses a dynamic
>> gateway on each connection. With a dynamic gateway, I am not sure
>> how to use /etc/shorewall/tunnels or /etc/shorewall/mangle. What is
>> the alternative to USE_DEFAULT_RT=No?
>
> Probably because you haven't made the vpn a provider.
>
I remember now how 'redirect-gateway' works. It adds two /1 routes to the
main table. When I see the dump, I will be able to tell you how to
configure USE_DEFAULT_RT=Yes.

-Tom
--
Tom Eastep              \ When I die, I want to go like my Grandfather who
Shoreline,               \ died peacefully in his sleep. Not screaming like
Washington, USA           \ all of the passengers in his car
http://shorewall.net       \________________________________________________

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
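As an added illustration, not part of the thread, here is a small Python model of the routing decision Tom describes: the two /1 routes that redirect-gateway adds are more specific than the /0 default, so they win longest-prefix match in the main table, while the eth0 provider table that Shorewall builds for 'isp' (selected by the track mark) carries inbound SSH replies back out eth0. The table contents, the tun0 gateway 10.8.0.5 and the sample client address are constructed assumptions; only the 192.168.0.1 gateway and interface names come from the post.

```python
import ipaddress

# Constructed example tables (not from the thread). The tun0 gateway 10.8.0.5
# is assumed; 192.168.0.1 is the eth0 gateway from the poster's providers file.
MAIN_TABLE = [
    ("0.0.0.0/0",      "eth0", "192.168.0.1"),  # original default route
    ("0.0.0.0/1",      "tun0", "10.8.0.5"),     # added by redirect-gateway
    ("128.0.0.0/1",    "tun0", "10.8.0.5"),     # added by redirect-gateway
    ("192.168.0.0/24", "eth0", None),           # eth0 link route
    ("192.168.1.0/24", "br0",  None),           # bridge link route
]
# Table Shorewall builds for provider 'isp' (NUMBER 1, MARK 1, INTERFACE eth0).
ISP_TABLE = [
    ("192.168.0.0/24", "eth0", None),
    ("0.0.0.0/0",      "eth0", "192.168.0.1"),
]

def lookup(table, dst):
    """Longest-prefix match over one table, as the kernel FIB does."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, dev, gw in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev, gw)
    return None if best is None else (best[1], best[2])

def route(dst, fwmark=0):
    """Policy routing: packets carrying the provider's mark (the 'track'
    option restores it on reply packets) use the isp table; all others
    fall through to main, where the /1 routes beat the /0 default."""
    if fwmark == 1:
        return lookup(ISP_TABLE, dst)
    return lookup(MAIN_TABLE, dst)

def redirect_gateway_covers(dst):
    """True when dst falls under one of the two /1 routes, i.e. for any address."""
    return any(ipaddress.ip_address(dst) in ipaddress.ip_network(p)
               for p in ("0.0.0.0/1", "128.0.0.0/1"))

if __name__ == "__main__":
    print("outbound 8.8.8.8        ->", route("8.8.8.8"))          # via tun0
    print("LAN 192.168.1.20        ->", route("192.168.1.20"))     # via br0
    print("SSH reply, no mark      ->", route("203.0.113.7"))      # wrongly via tun0
    print("SSH reply, isp mark     ->", route("203.0.113.7", 1))   # back out eth0
```

The unmarked reply case is the failure the poster hit before adding the provider: without the mark, the reply to a connection that arrived on eth0 follows the /1 routes into the tunnel.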
