Hello List,

I tried to set up openvpn with the shorewall on my openwrt box but failed!

I am not able to access the "loc"al Network from my vpn.

I followed the roadwarrior setup. I define a vpn zone, that should be able to access the firewall and the local network:

vpn fw ACCEPT info
fw loc ACCEPT info
vpn loc ACCEPT info
fw vpn ACCEPT info

From the windows vpn client I can ping the firewall (the server endpoint of the openvpn) and vice versa.

But I can not access the local network! :-(
I got the IP_FORWARDING switched on in shorewall.conf.

I added the route for the local network to point through the tunnel.
What's wrong, what's missing?

[ client ] =====tunnel====== [ firewall (default GW)] -------- [ LAN ]

Regards
Cornelius
Cornelius Koelbel wrote:
> Hello List,
>
> I tried to set up openvpn with the shorewall on my openwrt box but failed!
>
> I am not able to access the "loc"al Network from my vpn.
>
> I followed the roadwarrior setup. I define a vpn zone, that should be
> able to access the firewall and the local network:
>
> vpn fw ACCEPT info
> fw loc ACCEPT info
> vpn loc ACCEPT info
> fw vpn ACCEPT info
>

That part is fine, but I think you may have an issue with the loc > vpn. If you have a "loc all ACCEPT" policy this should work, but if you have "loc net ACCEPT" you're not allowing the loc traffic to the vpn, you're missing "loc vpn ACCEPT"

> From the windows vpn client I can ping the firewall (the server
> endpoint of the openvpn) and vice versa.
>

What messages are showing up in the log?

> But I can not access the local network! :-(
> I got the IP_FORWARDING switched on in shorewall.conf.
>
> I added the route for the local network to point through the tunnel.
> What's wrong, what's missing?
>
> [ client ] =====tunnel====== [ firewall (default GW)] -------- [ LAN ]
>
> Regards
> Cornelius

Jerry
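The policy lookup discussed in the reply above, as an added example that is not part of the original thread and is not Shorewall's own code: a simplified Python model in which the first matching policy line wins and "all" matches any zone. Only the four vpn/fw/loc lines come from the post; the "loc net", "loc all" and "all all" lines and the "net" zone are constructed for illustration.

```python
# Added illustration: simplified model of Shorewall policy-file lookup.
# Assumptions: first matching line wins and "all" matches any zone.
# The rules file, intra-zone traffic and connection tracking are not modelled.

def parse_policy(text):
    """Return a list of (source, dest, policy, loglevel) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed policy line: {raw!r}")
        log = fields[3] if len(fields) > 3 else None
        entries.append((fields[0], fields[1], fields[2].upper(), log))
    return entries

def lookup(entries, src, dst):
    """Policy for a NEW connection from zone src to zone dst, plus the line hit."""
    for e_src, e_dst, policy, _log in entries:
        if e_src in (src, "all") and e_dst in (dst, "all"):
            return policy, f"{e_src} {e_dst}"
    return None, None                          # no policy line covers this pair

def matrix(entries, zones):
    """Policy for every ordered pair of distinct zones."""
    return {(s, d): lookup(entries, s, d)[0]
            for s in zones for d in zones if s != d}

# The four policy lines from the original post.
POSTED = """\
vpn fw  ACCEPT info
fw  loc ACCEPT info
vpn loc ACCEPT info
fw  vpn ACCEPT info
"""
# Constructed tails: the two cases contrasted in the reply.
WITH_LOC_NET = parse_policy(POSTED + "loc net ACCEPT\nall all REJECT info\n")
WITH_LOC_ALL = parse_policy(POSTED + "loc all ACCEPT\nall all REJECT info\n")

if __name__ == "__main__":
    zones = ["fw", "loc", "vpn", "net"]        # "net" is a constructed zone
    for (s, d), p in sorted(matrix(WITH_LOC_NET, zones).items()):
        print(f"{s:>3} -> {d:<3} {p}")
```
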
On Saturday 08 April 2006 16:12, Cornelius Koelbel wrote:
> Hello List,
>
> I tried to set up openvpn with the shorewall on my openwrt box but failed!
>
> I am not able to access the "loc"al Network from my vpn.
>

Does it work if you turn off Shorewall (shorewall clear)?

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Hello Tom,

I clear all the shorewall rules and then of course it worked :-)

But: My setup is as follows, my zones:

LAN: 172.16.200.0/24 default gw 172.16.200.10
W-LAN: 172.16.100.0/24 default gw 172.16.100.10
VPN: 172.16.1.0/24

On the VPN Client (W-LAN Laptop) I try to set a route (Win XP Prof) for the 172.16.200.0/24 network via my tun interface:

route add 172.16.200.0 mask 255.255.255.0 172.16.1.6
(which is the tun if of the client)

I really guess this is a routing issue, since: I made a shorewall clear and all of a sudden I could ping from my wireless client the LAN IPs. But starting a traceroute, I could see that the packages were leaving via the default gateway 172.16.100.10 and thus not going through the tunnel.

Any ideas? Maybe I am totally confused with the routes on this bad windows machine...

Thanks in advance and kind regards
Cornelius

Tom Eastep wrote:
> On Saturday 08 April 2006 16:12, Cornelius Koelbel wrote:
>> Hello List,
>>
>> I tried to set up openvpn with the shorewall on my openwrt box but failed!
>>
>> I am not able to access the "loc"al Network from my vpn.
>>
>
> Does it work if you turn off Shorewall (shorewall clear)?
>
> -Tom
On Sunday 09 April 2006 05:14, Cornelius Koelbel wrote:
> Hello Tom,
>
> I clear all the shorewall rules and then of course it worked :-)
>

They the Shorewall-generated log should be telling you what the problem is. You are either going to have to look at it yourself or you are going to have to send us a complete problem report as described at http://www.shorewall.net/support.htm.

-Tom
On Sunday 09 April 2006 06:30, Tom Eastep wrote:
> On Sunday 09 April 2006 05:14, Cornelius Koelbel wrote:
> > Hello Tom,
> >
> > I clear all the shorewall rules and then of course it worked :-)
>
> They the Shorewall-generated log should be telling you what the problem is.

Meant to type "Then the Shorewall-..."

-Tom
Hello,

finally I got the problem: Everything was fine with shorewall, but the personal firewall was avoiding, that the client got the VPN-Tunnel-IP and its routes correctly. :-(

It was not configurable within the personal firewall. Had to install another one.

Kind Regards
Cornelius

Tom Eastep wrote:
> On Saturday 08 April 2006 16:12, Cornelius Koelbel wrote:
>> Hello List,
>>
>> I tried to set up openvpn with the shorewall on my openwrt box but failed!
>>
>> I am not able to access the "loc"al Network from my vpn.
>>
>
> Does it work if you turn off Shorewall (shorewall clear)?
>
> -Tom