On 9/30/20 10:52 AM, JadoNena via Shorewall-users wrote:
>> Everything you need should be on that page, below the text I quoted.
> 
> It isn't. None of that answers the question I asked. That's why I am asking. 
> But ok anyway.
> 
> I removed Shorewall and switched to OPNsense.  It took care of it in just a 
> few minutes.

Jan,

Sounds like you've got a solution.

If still interested, it was pretty clear what you're trying to do; it doesn't 
need a 'dump' to explain that.

Looks like you use WireGuard on both ends of that VPN.

This should work; it does here, for a very similar setup.

Remove the DNAT rule from Shorewall.

Add to wg1.conf,

        [Interface]
        ...
+       PostUp = iptables -P FORWARD DROP
+       PostUp = iptables -A FORWARD -i eth0 -o wg0 -p tcp --syn --dport 1234 -m conntrack --ctstate NEW -j ACCEPT
+       PostUp = iptables -A FORWARD -i eth0 -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+       PostUp = iptables -A FORWARD -i wg0 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+       PostUp = iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 1234 -j DNAT --to-destination 10.0.2.2
+       PostUp = iptables -t nat -A POSTROUTING -o wg0 -p tcp --dport 1234 -d 10.0.2.2 -j SNAT --to-source 1.2.3.4

and make *sure* that in wg2.conf you've added your external IP,

        [Peer]
+       AllowedIPs   = ... 1.2.3.4

you'll get your traffic through -- from external sites, to the backend service 
you want to expose.

Additional firewall protections, if you need/want any, still need to be managed.

All of this should be doable in Shorewall; and it certainly would be cleaner 
to have fw config all in one place.

I've tried, and never managed to get it all working; I had the same mysterious 
no-traffic-passed issue.
Couldn't make heads or tails of the docs, which, as you've commented, don't 
clearly address this situation; specifically that VPN in the middle of it.


So far, this coexists with my shorewall-lite firewall; at least I haven't yet 
noticed any problems.

If you choose to do it this way with WG, without SW, feel free to ping me 
offlist.
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
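As an added example, not part of the thread above: the message's "make *sure*" step is exactly where this kind of forward silently stops passing traffic, because WireGuard's cryptokey routing drops received packets whose source address is not in the peer's AllowedIPs, and wg-quick only routes into the tunnel what AllowedIPs covers. The small Python check below parses two wg-quick style configs and confirms that the DNAT target (10.0.2.2) is covered by the gateway's peer AllowedIPs and that the SNAT source (the external IP 1.2.3.4) is covered by the backend's peer AllowedIPs. The two sample configs are constructed for this example, with placeholder keys; nothing here is from the original poster's setup beyond the addresses and rules quoted above.

```python
"""Lint a WireGuard port-forward (DNAT into the tunnel, SNAT to the external IP)
against the AllowedIPs on both ends. Example code, not from the original thread."""
import ipaddress
import re
from typing import Dict, List, Tuple

Section = Tuple[str, Dict[str, List[str]]]

# Constructed sample configs (keys redacted, addresses are the placeholders used in the post).
WG1_CONF = """
[Interface]
Address = 10.0.2.1/24
ListenPort = 51820
PrivateKey = <redacted>
PostUp = iptables -P FORWARD DROP
PostUp = iptables -A FORWARD -i eth0 -o wg0 -p tcp --syn --dport 1234 -m conntrack --ctstate NEW -j ACCEPT
PostUp = iptables -A FORWARD -i eth0 -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostUp = iptables -A FORWARD -i wg0 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostUp = iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 1234 -j DNAT --to-destination 10.0.2.2
PostUp = iptables -t nat -A POSTROUTING -o wg0 -p tcp --dport 1234 -d 10.0.2.2 -j SNAT --to-source 1.2.3.4

[Peer]
PublicKey = <redacted>
AllowedIPs = 10.0.2.2/32
"""

WG2_CONF_GOOD = """
[Interface]
Address = 10.0.2.2/24
PrivateKey = <redacted>

[Peer]
PublicKey = <redacted>
Endpoint = 1.2.3.4:51820
AllowedIPs = 10.0.2.1/32, 1.2.3.4/32
"""

# Same backend config without the external IP: the failure mode the post warns about.
WG2_CONF_BAD = WG2_CONF_GOOD.replace(", 1.2.3.4/32", "")


def parse_wg_conf(text: str) -> List[Section]:
    """Parse an INI-like wg-quick config; keys may repeat (several PostUp lines)."""
    sections: List[Section] = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = (line[1:-1], {})
            sections.append(current)
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current[1].setdefault(key, []).append(value)
    return sections


def peer_allowed_ips(sections: List[Section]) -> list:
    """Collect every AllowedIPs prefix from every [Peer] section."""
    nets = []
    for name, kv in sections:
        if name == "Peer":
            for value in kv.get("AllowedIPs", []):
                nets.extend(ipaddress.ip_network(e.strip(), strict=False)
                            for e in value.split(",") if e.strip())
    return nets


def nat_addresses(sections: List[Section]) -> Tuple[list, list]:
    """Extract DNAT --to-destination and SNAT --to-source addresses from [Interface] PostUp."""
    dnat, snat = [], []
    for name, kv in sections:
        if name != "Interface":
            continue
        for cmd in kv.get("PostUp", []):
            for pattern, bucket in ((r"--to-destination\s+(\S+)", dnat), (r"--to-source\s+(\S+)", snat)):
                m = re.search(pattern, cmd)
                if m:  # drop an optional :port suffix (IPv4 form) before parsing
                    bucket.append(ipaddress.ip_address(m.group(1).split(":")[0]))
    return dnat, snat


def check_forwarding(gateway_conf: str, backend_conf: str) -> List[str]:
    """Return human-readable problems; an empty list means both ends agree."""
    gw, be = parse_wg_conf(gateway_conf), parse_wg_conf(backend_conf)
    dnat, snat = nat_addresses(gw)
    if not dnat or not snat:
        return ["gateway PostUp lacks a DNAT --to-destination or SNAT --to-source rule"]
    gw_allowed, be_allowed = peer_allowed_ips(gw), peer_allowed_ips(be)
    problems = []
    for dest in dnat:
        if not any(dest in n for n in gw_allowed):
            problems.append(f"DNAT target {dest} is not in the gateway's peer AllowedIPs; "
                            "wg-quick will not route it into the tunnel")
    for src in snat:
        if not any(src in n for n in be_allowed):
            problems.append(f"SNAT source {src} is not in the backend's peer AllowedIPs; "
                            "WireGuard on the backend drops the forwarded packets")
    return problems


if __name__ == "__main__":
    for label, conf in (("good", WG2_CONF_GOOD), ("bad", WG2_CONF_BAD)):
        print(label, check_forwarding(WG1_CONF, conf) or ["ok"])
```

Run it against the real wg1.conf and wg2.conf before debugging iptables: if the "bad" case above is what you see, no amount of FORWARD-chain tweaking will help, because the packets never make it past WireGuard on the backend.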