I'm running Shorewall 4.4.0/Debian Lenny and I'm trying to set up OpenVPN, with a mild degree of success so far.

My ultimate end goal is to basically have an extension of my home LAN to my laptop as well as my wife's when we are away from home, and have all of my normal network resources available as if I were sitting at home locally on the LAN. I run a mix of Linux/OS X machines on a single 192.168.1.0/24 subnet with Shorewall; the subnet is on eth1 of my firewall machine, and my DSL modem is on eth0.

From what I have read today, I need to use OpenVPN in "bridge" mode, which I believe to have accomplished thus far (I can at least get the tunnel to come up), but I am unable to pull an IP via DHCP from the DHCP server sitting on the firewall (bound to eth1, same as the local LAN; I'm using dhcpd). I've pored through the bridging and OpenVPN docs on the Shorewall site, but I'll admit I'm a little lost and could use some direction. I think I understand a little bit of what's left to be done, but I'm not sure what direction to take next.
In the end, I think I basically want to bridge eth1 to tap0, which I believe I have already accomplished:

bubastis:/etc/openvpn# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.002127e00061       no              eth1
                                                        tap0

bubastis:/etc/openvpn# ifconfig br0
br0       Link encap:Ethernet  HWaddr 00:21:27:e0:00:61
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::221:27ff:fee0:61/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:8031 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4782 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:671285 (655.5 KiB)  TX bytes:756178 (738.4 KiB)

bubastis:/etc/openvpn# ifconfig tap0
tap0      Link encap:Ethernet  HWaddr 00:ff:72:cd:d1:b5
          inet6 addr: fe80::2ff:72ff:fecd:d1b5/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:36 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:231 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:8902 (8.6 KiB)  TX bytes:750 (750.0 B)

Am I on the right track for accomplishing what I am trying to do? I think my next step is to add something to the zones and policy files, but I'm not 100% sure.... Any help appreciated...

Thanks,
Stephen

------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experienced hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com
Stephen Brown wrote:

> Am I on the right track for accomplishing what I am trying to do?

Yes.

> I think my next step is to add something to the zones and policy
> files, but not 100% sure....
>
> Any help appreciated...

http://www.shorewall.net/SimpleBridge.html

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Thanks Tom, I did see the link you referenced below and it's thrown me off just a bit.

To clarify, as it stands now I have this in /etc/shorewall/interfaces:

loc     eth1    detect    tcpflags,nosmurfs,routefilter,logmartians

(sorry for the wrap, but hopefully you'll get the idea)

So would I just change eth1 to tap0 instead? How will this affect my normal LAN routing, if at all?

On 2/4/10 2:41 PM, Tom Eastep wrote:
> http://www.shorewall.net/SimpleBridge.html
Stephen Brown wrote:

> So would I just change eth1 to tap0 instead?

No -- re-read the article. You must:

a) Assign your local IP address to *br0* and take the IP address off of eth1 (I see that you have already assigned 192.168.1.1 to br0).

b) Replace eth1 with br0 in the /etc/shorewall/interfaces record and add the 'routeback' option. That option allows traffic between tap0 and eth1.

c) If you have eth1 in the second column of /etc/shorewall/masq, replace it with your local subnet (which appears to be 192.168.1.0/24).

> How will this affect my normal LAN routing, if at all?

With the changes that I have outlined, your routing will remain the same.

-Tom
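The three steps above are easy to half-apply (address still on eth1, routeback forgotten, masq still naming the port), so here is an added example, written for this page and not code from the thread or from Shorewall, that audits them offline. It takes the text of /etc/shorewall/interfaces, /etc/shorewall/masq and the output of `ip -o -4 addr show` as strings. The sample strings are constructed from the lines in this thread; the eth0 address 203.0.113.5 and the "before" masq record `eth0 eth1` are assumptions, and all function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread or from Shorewall: check Tom's three
# bridge-mode changes against config text passed in as strings, so it runs
# offline. On a real box pass e.g. "$(cat /etc/shorewall/interfaces)".

# Constructed "before" state: Stephen's original records. The masq record and
# the eth0 address are assumptions (the thread never shows them).
IFACES_BEFORE='#ZONE  INTERFACE  BROADCAST  OPTIONS
loc    eth1       detect     tcpflags,nosmurfs,routefilter,logmartians'
MASQ_BEFORE='#INTERFACE  SOURCE
eth0        eth1'
IP_BEFORE='2: eth0    inet 203.0.113.5/24 brd 203.0.113.255 scope global eth0
3: eth1    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth1'

# Constructed "after" state: the records the thread converges on.
IFACES_AFTER='#ZONE  INTERFACE  BROADCAST      OPTIONS
loc    br0        192.168.1.255  routeback,bridge,dhcp,tcpflags,nosmurfs,routefilter,logmartians'
MASQ_AFTER='#INTERFACE  SOURCE
eth0        192.168.1.0/24'
IP_AFTER='2: eth0    inet 203.0.113.5/24 brd 203.0.113.255 scope global eth0
4: br0     inet 192.168.1.1/24 brd 192.168.1.255 scope global br0'

# has_option OPTIONS NAME: 0 if NAME is one of the comma-separated OPTIONS.
has_option() {
    case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac
}

# record ZONE TEXT: print the first non-comment interfaces record for ZONE.
record() {
    printf '%s\n' "$2" | awk -v z="$1" '$1 !~ /^#/ && $1 == z { print; exit }'
}

# Step (a): the LAN address must sit on BRIDGE and no longer on PORT.
# IPTEXT is the output of `ip -o -4 addr show` ($2 = device, $3 = "inet").
check_addresses() {
    bridge=$1; port=$2; iptext=$3
    if printf '%s\n' "$iptext" | awk -v d="$port" '$2 == d && $3 == "inet" { f=1 } END { exit !f }'; then
        echo "FAIL: $port still carries an IPv4 address; move it to $bridge"; return 1
    fi
    if ! printf '%s\n' "$iptext" | awk -v d="$bridge" '$2 == d && $3 == "inet" { f=1 } END { exit !f }'; then
        echo "FAIL: $bridge has no IPv4 address"; return 1
    fi
    echo "OK: LAN address is on $bridge, not on $port"
}

# Step (b): zone loc must be bound to BRIDGE (not PORT) with 'routeback',
# which is what lets bridged traffic pass between tap0 and eth1.
check_interfaces() {
    bridge=$1; port=$2; text=$3
    rec=$(record loc "$text")
    [ -n "$rec" ] || { echo "FAIL: no interfaces record for zone loc"; return 1; }
    set -- $rec                       # $1=zone $2=interface $3=broadcast $4=options
    [ "$2" != "$port" ] || { echo "FAIL: loc is still bound to $port; bind it to $bridge"; return 1; }
    [ "$2" = "$bridge" ] || { echo "FAIL: loc is bound to $2, expected $bridge"; return 1; }
    has_option "$4" routeback || { echo "FAIL: $bridge needs the routeback option"; return 1; }
    has_option "$4" dhcp || echo "WARN: add dhcp to $bridge if clients lease addresses through it"
    echo "OK: $rec"
}

# Step (c): once PORT is enslaved, no masq record may name it in the SOURCE
# column; the LAN subnet has to be written out instead.
check_masq() {
    port=$1; text=$2
    bad=$(printf '%s\n' "$text" | awk -v d="$port" '$1 !~ /^#/ && $2 == d { print; exit }')
    [ -z "$bad" ] || { echo "FAIL: masq record '$bad' names bridge port $port; use its subnet"; return 1; }
    echo "OK: no masq record uses $port as its source"
}

# audit BRIDGE PORT IPTEXT IFACES MASQ: run all three checks; 0 only if all pass.
audit() {
    rc=0
    check_addresses "$1" "$2" "$3"  || rc=1
    check_interfaces "$1" "$2" "$4" || rc=1
    check_masq "$2" "$5"            || rc=1
    return $rc
}

echo '== before =='; audit br0 eth1 "$IP_BEFORE" "$IFACES_BEFORE" "$MASQ_BEFORE"
echo '== after  =='; audit br0 eth1 "$IP_AFTER"  "$IFACES_AFTER"  "$MASQ_AFTER"
```

This only covers the firewall side of the change. Two things it cannot see: whatever is listening for DHCP on the box must itself be bound to br0 rather than eth1, and, once tap0 is a port of br0, every VPN client is a layer-2 peer of the LAN (it sees broadcasts, can answer ARP and DHCP, and reaches hosts directly), so the client keys and certificates that OpenVPN accepts deserve the same level of trust as physical access to the LAN switch.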
OK, I'm almost there! The tunnel is up, and I changed what you mentioned below; everything is working as intended except I cannot get the OpenVPN client to pull an IP via DHCP.

Before I check with the folks that wrote the client software I use and/or the OpenVPN folks, is there anything in Shorewall I could have potentially missed? If I'm just doing a simple bridge to tap0, I'm assuming everything should work as if the client were attached locally to the LAN?

I do see my systems in the Finder's sidebar, so at least I know Bonjour is working :)

Thanks,
Stephen

On 2/4/10 4:00 PM, Tom Eastep wrote:
> a) Assign your local IP address to *br0* and take the IP address off of eth1.
> b) Replace eth1 with br0 in the /etc/shorewall/interfaces record and add the 'routeback' option.
> c) If you have eth1 in the second column of /etc/shorewall/masq, replace it with your local subnet.
On Thu, 2010-02-04 at 19:47 -0500, Stephen Brown wrote:

> everything is working as intended except I cannot get the
> OpenVPN client to pull an IP via DHCP.

Have you specified the 'dhcp' option on br0?

-Tom
Yes, here is what I have in /etc/shorewall/interfaces:

loc     br0     192.168.1.255    routeback,bridge,dhcp,tcpflags,nosmurfs,routefilter,logmartians

Thanks,
Stephen

On 2/4/10 7:59 PM, Tom Eastep wrote:
> Have you specified the 'dhcp' option on br0?
On Thu, 2010-02-04 at 20:14 -0500, Stephen Brown wrote:

> loc     br0     192.168.1.255    routeback,bridge,dhcp,tcpflags,nosmurfs,routefilter,logmartians

Then I can't help you. I never use DHCP for assigning IP addresses to OpenVPN clients, so I don't know what the failure modes are.

-Tom
Just an update on this: it's working. My problem was with the DHCP server; in /etc/default/dhcp3-server I had INTERFACES="eth1", I changed it to INTERFACES="br0" and it is now working as intended.

The only thing I am lacking now is sending ALL of my traffic through the VPN; this was one of my original goals, so I'm 90% there. There is an option in the client software to send all traffic through the VPN, but it's not working. I'll check with them and see if there's something I'm missing...

Thanks,
Stephen

On 2/4/10 7:59 PM, Tom Eastep wrote:
> Have you specified the 'dhcp' option on br0?
I checked something with tcpdump and /var/log/message:

I used the following tcpdump command to check whether the LOC interface carried the 192.168.2.1 IP address (our LOC must not have this IP address):

tcpdump -i eth1 | grep 192.168.2.1 > tcpdump_log.txt

and when I checked /var/log/message I found 172.16.0.22 using the 192.168.2.1 IP for doing something.

Please find the attached log files. Thanks for the help!

--- On Friday, 5 February 2010, Tom Eastep <teastep@shorewall.net> wrote:

From: Tom Eastep <teastep@shorewall.net>
Subject: Re: [Shorewall-users] OpenVPN setup
To: "Shorewall Users" <shorewall-users@lists.sourceforge.net>
Date: Friday, 5 February 2010, 8:59 AM

> Have you specified the 'dhcp' option on br0?
Sorry, wrong post :(

--- On Friday, 5 February 2010, Wilson Kwok <leiw324@yahoo.com.hk> wrote:

From: Wilson Kwok <leiw324@yahoo.com.hk>
Subject: Re: [Shorewall-users] OpenVPN setup
To: "Shorewall Users" <shorewall-users@lists.sourceforge.net>
Date: Friday, 5 February 2010, 12:21 PM

> I checked something with tcpdump and /var/log/message:
> tcpdump -i eth1 | grep 192.168.2.1 > tcpdump_log.txt