[Shorewall-users] Shorewall/OpenVPN issue

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Hi Tom,

I have done the changes as laid out in your mail and with reference to the
webpages you pointed me to as far as I could discern what is applicable to
my setup.

I still have the same problem though. Please if you could point me in
another direction I would appreciate it - I am fairly sure it is a small
issue that I am overlooking.

I have included the dump file, but /var/log/messages contain no info as to
what is going on.

My config now:

Zones:
lan     lan     
ext     internet

Interfaces:
lan     br0     detect  routeback
ext     ppp0    detect  

Policy:
$FW     all     ACCEPT  debug
lan     all     ACCEPT  debug
ext     all     DROP    debug

Rules:
ACCEPT  all     $FW     tcp     22
ACCEPT:debug    all     $FW     udp     1195
ACCEPT  all     $FW     udp     1196

Masq:
ppp0    br0

Tunnels:
openvpnserver:1196      ext     0.0.0.0/0

Any further assistance will be greatly appreciated.

Kind regards
Werner

-----Original Message-----
From: sho...@li...
[mailto:sho...@li...] On Behalf Of Tom Eastep
Sent: 04 May 2006 03:58 PM
To: sho...@li...
Subject: Re: [Shorewall-users] Shorewall/OpenVPN issue

Werner vd Merwe wrote:

> 
> If two clients connect via OpenVPN (bridged), they can access each other
> without any problems, but neither of them can access the server, nor any
> system behind it.
> 
> I am fairly sure it is a Shorewall issue, but I am very new to Shorewall,
> having moved over from Turtlefirewall about a week ago.

May I suggest in the future, when you suspect that Shorewall is blocking
communication *look at your log* (see
http://www.shorewall.net/shorewall_logging.html).

> 
> Here my configs:
> 
> IP Forwarding is enabled.
> 
> Zones:
> lan     lan     
> ext     internet        
> vpn     tun     
> 
> Interfaces:
> lan     br0     detect
> ext     ppp0    detect  norfc1918,routefilter
> vpn     tun0    detect
> vpn     tap0    detect
> 

Please review the article at
http://www.shorewall.net/OPENVPN.html#Bridge. It give instructions for
configuring an OpenVPN bridge in Shorewall.

In particular:

- Bridge ports (such as tap0) are never listed in the interfaces file.
- The bridge (br0) needs the 'routeback' option specified.

The instructions in the above article will simply make bridged clients
part of your 'lan' zone. If you want to make them a separate zone, then
you need to create a bridge/firewall as described at
http://www.shorewall.net/bridge.html.

If you have the need to make another problem report, please include the
information requested at http://www.shorewall.net/support.htm.

Thanks,
-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ te...@sh...
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

-- 
No virus found in this incoming message.
Checked by AVG Free Edition.
Version: 7.1.392 / Virus Database: 268.5.3/331 - Release Date: 2006/05/03

-- 
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.392 / Virus Database: 268.5.3/331 - Release Date: 2006/05/03

-- 
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.392 / Virus Database: 268.5.3/331 - Release Date: 2006/05/03