On Wednesday, January 25, 2017 9:18:11 AM MST Thomas Fjellstrom wrote:
> On Wednesday, January 25, 2017 10:54:23 AM MST Roberto C. Sánchez wrote:
> > On Wed, Jan 25, 2017 at 08:23:07AM -0700, Thomas Fjellstrom wrote:
> > > Hi.
> > > 
> > > I'm having a minor problem setting up shorewall to properly route and
> > > allow
> > > openvpn traffic through my firewall.
> > > 
> > > I'd like the openvpn client to be running on the firewall, and allow
> > > local
> > > machines to connect to and communicate with the private subnet on the
> > > other
> > > side of the vpn, but not allow new traffic from the other side into my
> > > lan.
> > > 
> > > So far I have traffic that is getting sent out my public connection to
> > > the
> > > openvpn server, but nothing comes back according to `tcpdump -i extIF
> > > host
> > > VPNGATEWAY`. Nothing shows up in the logs stating traffic has been
> > > blocked.
> > > policy is set up to log on the final DROP and REJECT rules.
> > 
> > Hi Thomas,
> > 
> > What you are describing sounds like a three interface setup.  There is a
> > HOWTO here:
> > 
> > http://shorewall.net/three-interface.htm
> > 
> > You will have local and net zones like in the HOWTO.  The main
> > difference is that instead of a DMZ zone you will have a VPN zone, which
> > it sounds like you want to treat sort of like a net zone (traffic is OK
> > to go from your local network to that zone, but not the other way
> > around).  It should be just a matter of ensuring you have forwarding (I
> > assume you do or you would have other problems), the right policy (loc
> > -> vpn == OK), and possibly masquerading (depending on the address
> > ranges involved).
> 
> I'll take a look at that and report back! Thanks!

I'm basically getting what I had before:

lan# ping VPNINTHOST

fw# tcpdump -i eth0 host VPNGW
09:46:47.622220 IP MYIP.57800 > 149.56.251.50.openvpn: UDP, length 85
09:46:48.646222 IP MYIP.57800 > 149.56.251.50.openvpn: UDP, length 85
09:46:50.665662 IP MYIP.57800 > 149.56.251.50.openvpn: UDP, length 85
09:46:51.686162 IP MYIP.57800 > 149.56.251.50.openvpn: UDP, length 85
09:46:52.710196 IP MYIP.57800 > 149.56.251.50.openvpn: UDP, length 85
09:46:54.729324 IP MYIP.57800 > 149.56.251.50.openvpn: UDP, length 85
09:46:55.750166 IP MYIP.57800 > 149.56.251.50.openvpn: UDP, length 85
09:46:56.774188 IP MYIP.57800 > 149.56.251.50.openvpn: UDP, length 85
09:46:56.830549 IP VPNGWIP.openvpn > MYIP.57800: UDP, length 69

and that's it. Many packets go out, very few come back.

The vpn works fine via an openvpn client connection through NetworkManager on a 
local lan computer. But so far not having luck setting it up on the firewall.

> > Regards,
> > 
> > -Roberto


-- 
Thomas Fjellstrom
tho...@fjellstrom.ca
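
A worked configuration for the setup Roberto describes (loc, net and vpn zones with an OpenVPN client running on the firewall itself), added here as an illustration rather than taken from the thread or from the Shorewall project. It assumes eth0 is the public interface, eth1 the LAN, tun0 the OpenVPN tunnel, 192.168.1.0/24 the LAN and 10.8.0.0/24 the private subnet behind the VPN; all of those addresses and interface names are placeholders. The port is UDP 1194, the one tcpdump labels "openvpn". The file layout is Shorewall 5 (snat file, ?FORMAT 2 interfaces); releases before 5.0.13 use the masq file instead.

```conf
# /etc/shorewall/shorewall.conf (only the line that matters here)
# Without this the firewall will not forward LAN packets into tun0 at all.
IP_FORWARDING=On

# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
vpn     ipv4

# /etc/shorewall/interfaces
?FORMAT 2
#ZONE   INTERFACE   OPTIONS
net     eth0        tcpflags,nosmurfs,routefilter
loc     eth1        tcpflags,nosmurfs
vpn     tun0        # assumed tunnel interface name from the OpenVPN client

# /etc/shorewall/policy
# Order matters: the first matching line wins.
#SOURCE DEST    POLICY  LOGLEVEL
$FW     net     ACCEPT          # the OpenVPN client on the firewall talks to the server
$FW     vpn     ACCEPT
loc     $FW     ACCEPT
loc     net     ACCEPT
loc     vpn     ACCEPT          # LAN may open connections into the tunnel ...
vpn     all     DROP    info    # ... but nothing new may come back the other way
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/rules
# If $FW->net were tightened to DROP, this is the one rule the client needs
# (Shorewall's stock OpenVPN macro is UDP 1194). Harmless under ACCEPT.
#ACTION          SOURCE  DEST
OpenVPN(ACCEPT)  $FW     net

# /etc/shorewall/snat
# Only needed if the far side does not route 192.168.1.0/24 back through
# the tunnel; hiding the LAN behind the tun0 address avoids that dependency.
#ACTION      SOURCE           DEST
MASQUERADE   192.168.1.0/24   eth0
MASQUERADE   192.168.1.0/24   tun0
```

Two points worth separating when debugging the symptom in the tcpdump above. The handshake packets are sourced by the firewall itself, so the loc and vpn zones play no part in whether replies arrive; only the $FW->net policy and any rules affecting eth0 matter, and the reply packets are matched by connection tracking rather than by a separate net->$FW rule. Forwarding, the vpn zone and the snat entries only become relevant once tun0 is up. `shorewall check` validates the files before `shorewall restart`, and `shorewall show log` lists what the logged DROP and REJECT policies caught.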

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users