Hi all,

And thank you all for your job.
I would like to have my vpn run but I can't for the moment.
I follow the guidelines on how to configure a vpn with openvpn, but I think something is missing in my configuration.
I know that it's normally the same protocol and the same port (UDP 5000).

What I would like to have:

    subnet A (192.168.2.X)
            |
    firewall A: shorewall + vtun
        192.168.0.1
            |
        vtun ppp
            |
        192.168.0.2
    firewall B: shorewall + vtun
            |
    subnet B (192.168.33.X)

According to your HOWTO, I only have to put:

on firewall A & B:

/etc/shorewall/zones:
    vpn     VPN     remote access

/etc/shorewall/tunnels:
    openvpn net     0/0

on firewall A, /etc/shorewall/interfaces:
    vpn     tun+    192.168.33.255

on firewall B, /etc/shorewall/interfaces:
    vpn     tun+    192.168.2.255

on firewall A, /etc/vtund.conf:

    default {
      type tun;
      proto udp;
      encr yes;
      comp lzo:1;
      keepalive yes;
    }

    la {
      pass XXXX;
      up {
        ifconfig "%% 192.168.0.2 pointopoint 192.168.0.33";
        route "add -net 192.168.33.0 netmask 255.255.255.0 gw 192.168.0.33";
      };
      down {
        ifconfig "%% delete";
      };
    }

on firewall B, /etc/vtund.conf:

    default {
      type tun;
      proto udp;
      encr yes;
      comp lzo:1;
      keepalive yes;
    }

    la {
      pass XXXX;
      up {
        ifconfig "%% 192.168.0.33 pointopoint 192.168.0.2";
        route "add -net 192.168.2.0 netmask 255.255.255.0 gw 192.168.0.2";
      };
      down {
        ifconfig "%% delete";
      };
    }

Thanks for help, and sorry for this long text.

Bye
jo
The reason that your posts have been going "into the ether" is that your mail server presents itself with a DNS name that doesn't resolve. Since this is a common spammer trait, mail like that gets rejected here until I notice it and create an exception entry in a table.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
On Sun, 2003-08-03 at 01:27, joel fernandez wrote:
> Hi all,
>
> And thank you all for your job.
> I would like to have my vpn run but I can't for the moment.
> I follow the guidelines on how to configure a vpn with openvpn, but I
> think something is missing in my configuration.
> I know that it's normally the same protocol and the same port (UDP 5000)
> what I would like to have:

Openvpn uses UDP port 5000 *as both the source and destination port*. Does vtund?

If you try to establish the tunnel, are there "Shorewall" messages logged?

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
> Openvpn uses UDP port 5000 *as both the source and destination port*. Does vtund?

No, it doesn't by default, but it could... You'll need to open the tcp port as well as the udp; the initial handshake is tcp, then switches over to udp, unless it is a tcp tunnel.

> If you try to establish the tunnel, are there "Shorewall" messages logged?

How about any blurbs about vtund??

Hope this helps...

Jerry Vonau
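The two replies above give the check a practitioner would run next: the "openvpn" tunnels entry only opens UDP with source port 5000 AND destination port 5000, so a vtund tunnel that starts with a TCP handshake or sends from an ephemeral source port shows up as Shorewall DROP lines in the kernel log. The script below is an added example, not part of this thread or of Shorewall; it classifies such log lines against what the openvpn entry covers. The log lines, hostname and addresses are constructed.

```shell
#!/bin/sh
# Added example: sort Shorewall DROP/REJECT log lines aimed at the tunnel port
# into "covered by the openvpn tunnels entry" (UDP, sport == dport == 5000)
# and "uncovered" (TCP, or UDP from another source port).
TUNNEL_PORT=5000

# Constructed sample log (syslog kernel lines with the Shorewall: prefix).
SAMPLE_LOG='Aug  5 10:01:02 fwA kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=40115 DPT=5000 SYN
Aug  5 10:01:05 fwA kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=UDP SPT=33921 DPT=5000
Aug  5 10:01:09 fwA kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=UDP SPT=5000 DPT=5000
Aug  5 10:01:12 fwA kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP SPT=51002 DPT=22 SYN'

# classify_drops: read log text on stdin, print "chain proto spt dpt verdict"
# for every dropped/rejected packet whose destination port is the tunnel port.
classify_drops() {
  awk -v port="$TUNNEL_PORT" '
    /Shorewall:[^:]*:(DROP|REJECT):/ {
      split($0, a, "Shorewall:"); split(a[2], tag, ":"); chain = tag[1]
      proto = spt = dpt = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^PROTO=/) proto = substr($i, 7)
        else if ($i ~ /^SPT=/) spt = substr($i, 5)
        else if ($i ~ /^DPT=/) dpt = substr($i, 5)
      }
      if (dpt != port) next            # unrelated traffic (e.g. ssh) is ignored
      if (proto == "UDP" && spt == port)
        verdict = "covered-by-openvpn-entry(check tunnels file is loaded)"
      else if (proto == "UDP")
        verdict = "uncovered: source port " spt " != " port
      else
        verdict = "uncovered: " proto " not opened by openvpn entry"
      print chain, proto, spt, dpt, verdict
    }'
}

# count_uncovered: how many dropped tunnel packets the openvpn entry can never match.
# A non-zero count means the tunnel needs explicit rules entries instead, for example
#   ACCEPT  net  fw  udp  5000      (and tcp 5000 if vtund handshakes over TCP)
count_uncovered() { classify_drops | grep -c 'uncovered:'; }

printf '%s\n' "$SAMPLE_LOG" | classify_drops
```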
On Tue, 5 Aug 2003, Jerry Vonau wrote:
>
> How about any blurbs about vtund??
>

I am not personally going to set up any more tunnels to test. If people want to send me patches (including an HTML page for the web site), I'll be happy to integrate them into Shorewall but other than that, the "Generic" tunnel support that I just announced is all that I'm going to do.

In retrospect, it was a mistake to implement the /etc/shorewall/tunnels file. Shorewall 2.0 won't have one...

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
> How about any blurbs about vtund??

Sorry Tom, that was for Joel..

> In retrospect, it was a mistake to implement the /etc/shorewall/tunnels
> file. Shorewall 2.0 won't have one...

Ok, I won't miss it anyway...
I did just fine without the tunnels file.... The great docs helped a lot.
Thanks for all the effort you put in, you have a great tool.
It just keeps getting better and better.

Jerry
On Wed, 2003-08-06 at 08:40, Jerry Vonau wrote:

I've a minor nit to pick with you Jerry....

When I read your message below it is very unclear as to who said what. It would seem that the "In retrospect..." portion is from you since it has no leading ">" marks...but we know that it comes from Tom. So, it would be nice if you could fix your email client to ensure that proper nesting is done and we know what you are saying vs. what others have said.

Regards,
Ed

> How about any blurbs about vtund??
>
> > Sorry Tom, that was for Joel..
>
> In retrospect, it was a mistake to implement the /etc/shorewall/tunnels
> file. Shorewall 2.0 won't have one...
>
> > Ok, I won't miss it anyway...
> > I did just fine without the tunnels file.... The great docs helped a lot.
> > Thanks for all the effort you put in, you have a great tool.
> > It just keeps getting better and better.
>
> Jerry
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: http://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm

--
http://www.shorewall.net
Shorewall, for all your firewall needs
On Wed, 2003-08-06 at 06:20, Ed Greshko wrote:
> On Wed, 2003-08-06 at 08:40, Jerry Vonau wrote:
>
> I've a minor nit to pick with you Jerry....
>
> When I read your message below it is very unclear as to who said what.
> It would seem that the "In retrospect..." portion is from you since it
> has no leading ">" marks...but we know that it comes from Tom. So, it
> would be nice if you could fix your email client to ensure that proper
> nesting is done and we know what you are saying vs. what others have
> said.

Interesting. In the post that Ed cites, my copy is very clear as to who said what. In an earlier post from Jerry however, I saw the same thing that Ed is mentioning.

Jerry -- are you possibly posting in HTML? If so, it could be the HTML->text translator in GNU Mailman that is causing this problem.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net