I've set up a road warrior style VPN using OpenVPN 2 as per the documentation on the shorewall site. I noticed during testing that UDP was not working for me from my office, yet TCP does. I assume the company is filtering UDP somewhere along the line. At any rate I switched to TCP and it's working.

The only issue I have is the tunnels file in shorewall seems to assume UDP (openvpnserver:1194 net 0.0.0.0/0). I had to add a static rule to the rules file to accept tcp on the openvpn port. I checked the iptables rules, and there's already a rule in place for UDP, I assume from the tunnels entry. According to the documentation in the tunnels file, one can specify the protocol for a "generic" entry, but it doesn't say so for an openvpn entry (it only mentions port number).

So my question, in short, is: can openvpn tcp be specified in the tunnels file? Should I just specify a generic with a protocol and port and lose the openvpnserver entry entirely? What's the best practice here? Thanks.
Cyber Dog wrote:

> So my question, in short, is: can openvpn tcp be specified in the
> tunnels file? Should I just specify a generic with a protocol and
> port and lose the openvpnserver entry entirely? What's the best
> practice here?

Hmmm, this is embarrassing. Support for "tcp" in the tunnels file was implemented in Shorewall 2.2.0 but it seems as though neither the comments in the file nor the documentation were updated. Furthermore, the support was only partially implemented in the code :-(

From the 2.2.0 release notes:

    TCP OpenVPN tunnels are now supported using the 'openvpn' tunnel type.
    OpenVPN entries in /etc/shorewall/tunnels have this format:

        openvpn[:{tcp|udp}][:<port>]   <zone>   <gateway>

    Examples:

        openvpn:tcp        net   1.2.3.4   # TCP tunnel on port 1194
        openvpn:3344       net   1.2.3.4   # UDP on port 3344
        openvpn:tcp:4455   net   1.2.3.4   # TCP on port 4455

BUT, it turns out that is a partial lie because there is no support for the first form (openvpn:tcp). So the last form must be used even if the port is the default one. The same is true for the "openvpnclient" and "openvpnserver" tunnel types. I'll fix this in the next 2.4 and 3.0 releases.

-Tom

-- 
Tom Eastep     \ Nothing is foolproof to a sufficiently talented fool
Shoreline,      \ http://shorewall.net
Washington USA   \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
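As an added illustration (not Shorewall code and not part of either message above), the following Python script parses tunnels entries in the openvpn[:{tcp|udp}][:<port>] format from the quoted release notes, rewrites them into the explicit TYPE:PROTO:PORT form the reply says the 2.2.x code actually requires, and then checks an iptables-save dump for a matching ACCEPT rule, which is the check the original poster did by hand when only the UDP rule showed up. The tunnels fragment and the iptables-save excerpt are constructed sample data; the chain names in the excerpt are illustrative and are not claimed to be what Shorewall generates.

```python
import re

# Constructed sample /etc/shorewall/tunnels fragment (not from the thread).
# Layout per the release notes quoted above: TYPE  ZONE  GATEWAY  [GATEWAY ZONE].
SAMPLE_TUNNELS = """\
#TYPE                ZONE   GATEWAY      GATEWAY ZONE
openvpnserver        net    0.0.0.0/0
openvpn:tcp:1194     net    0.0.0.0/0
ipsec                net    0.0.0.0/0
"""

# Constructed iptables-save excerpt: only the UDP 1194 rule is present, which is
# the situation the question describes. Chain names are illustrative only.
SAMPLE_IPTABLES_SAVE = """\
*filter
:INPUT DROP [0:0]
:net2fw - [0:0]
-A INPUT -i eth0 -j net2fw
-A net2fw -p udp -m udp --dport 1194 -j ACCEPT
-A net2fw -p tcp -m tcp --dport 22 -j ACCEPT
-A net2fw -j DROP
COMMIT
"""

OPENVPN_TYPES = ("openvpn", "openvpnclient", "openvpnserver")


def parse_openvpn_tunnel(spec):
    """Parse TYPE[:{tcp|udp}][:<port>] into (type, proto, port).

    Defaults are UDP and port 1194, matching the release-note examples.
    """
    parts = spec.split(":")
    ttype = parts[0]
    if ttype not in OPENVPN_TYPES:
        raise ValueError("not an OpenVPN tunnel type: %r" % ttype)
    proto, port = "udp", 1194
    for opt in parts[1:]:
        if opt in ("tcp", "udp"):
            proto = opt
        elif opt.isdigit() and 1 <= int(opt) <= 65535:
            port = int(opt)
        else:
            raise ValueError("bad tunnel option %r in %r" % (opt, spec))
    return ttype, proto, port


def explicit_tunnel_spec(spec):
    """Rewrite a spec into the fully qualified TYPE:PROTO:PORT form.

    Per the reply above, this is the only form the 2.2.x code accepts when a
    protocol is given, so 'openvpn:tcp' must be written 'openvpn:tcp:1194'.
    """
    ttype, proto, port = parse_openvpn_tunnel(spec)
    return "%s:%s:%d" % (ttype, proto, port)


def accept_rule_present(iptables_save, proto, port):
    """True if the dump contains an ACCEPT rule for proto and --dport port."""
    # \b after the port keeps 1194 from matching 11940.
    pat = re.compile(r"-p %s\b.*--dport %d\b.*-j ACCEPT" % (proto, port))
    return any(pat.search(line) for line in iptables_save.splitlines())


def audit_tunnels(tunnels_text, iptables_save):
    """For each OpenVPN entry in a tunnels file, report (spec, proto, port, present).

    Comment and blank lines and non-OpenVPN tunnel types (e.g. ipsec) are skipped.
    """
    report = []
    for line in tunnels_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        spec = line.split()[0]
        if spec.split(":")[0] not in OPENVPN_TYPES:
            continue
        _, proto, port = parse_openvpn_tunnel(spec)
        present = accept_rule_present(iptables_save, proto, port)
        report.append((spec, proto, port, present))
    return report


if __name__ == "__main__":
    for spec, proto, port, present in audit_tunnels(SAMPLE_TUNNELS, SAMPLE_IPTABLES_SAVE):
        print("%-20s -> %s/%d %s" % (spec, proto, port, "ok" if present else "MISSING"))
```

Run against the constructed data, the audit reports the openvpnserver (UDP 1194) entry as covered and the openvpn:tcp:1194 entry as missing, which is exactly the gap the poster closed with a hand-written rule. The same audit run against the real `iptables-save` output after upgrading to a release with the fix should show both entries covered.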