I am a technician at a local computer repair shop. We have 2 stores
both with broadband Internet. Public IPs changed for obvious reasons.

Main Store : 10.10.10.x network
1.2.3.4 public IP

Branch Store : 192.168.1.x network
5.6.7.8 public IP

I just set up both stores with a Mandrake Linux router, replacing some
Linksys ones that had issues. It's just a bigger uglier router unless I
can get a VPN tunnel from one to the other done. So here's what I did.

Main Store
----------
/etc/shorewall/zones -> added 'vpn VPN Remote Subnet'
/etc/shorewall/interfaces -> added 'vpn tun0 192.168.1.255'
/etc/shorewall/tunnels -> added 'openvpn net 5.6.7.8'
/etc/shorewall/policy -> added 'masq vpn ACCEPT' and 'vpn masq ACCEPT'
/etc/shorewall/policy -> added 'fw vpn ACCEPT' and 'vpn fw ACCEPT'

openvpn --remote 5.6.7.8 --dev tun --ifconfig 192.168.99.2 192.168.99.1 --verb 9
route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.99.1

Branch Store
------------
/etc/shorewall/zones -> added 'vpn VPN Remote Subnet'
/etc/shorewall/interfaces -> added 'vpn tun0 10.10.10.255'
/etc/shorewall/tunnels -> added 'openvpn net 1.2.3.4'
/etc/shorewall/policy -> added 'masq vpn ACCEPT' and 'vpn masq ACCEPT'
/etc/shorewall/policy -> added 'fw vpn ACCEPT' and 'vpn fw ACCEPT'

openvpn --remote 1.2.3.4 --dev tun --ifconfig 192.168.99.2 192.168.99.1 --verb 9
route add -net 10.10.10.0 netmask 255.255.255.0 gw 192.168.99.2

***********************************************************************

This setup kinda works. Once turned on, the router at the main store
can ping all the stuff in the branch store. And the router in the
branch store can ping all the stuff in the main store. The tunnel is
working! YAY :)

But, none of the PCs behind the router can see through the tunnel. The
router is the only one that can see through it. Since the tunnel seems
to be working I think my shorewall configuration is to blame, anyone got
an idea to try?
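The checks a practitioner would run over a two-site setup like the one above, as an added example (mine, not from this thread and not Shorewall or OpenVPN code): the two `--ifconfig` lines must mirror each other, each side's static route must cover the far LAN and use the far tunnel end as gateway, the LAN zone and the vpn zone need ACCEPT in both directions (fw<->vpn alone only lets the router itself use the tunnel), and the PCs must actually send far-LAN traffic to the router. The values in `MAIN` and `BRANCH` are copied from the post; the `router_lan_ip` and `pc_default_gw` fields and the numbers in `pc_gateway_findings` are constructed assumptions. Run on the values exactly as posted, it reports that the two `--ifconfig` lines are identical rather than mirrored and that the branch route gateway is not the branch's remote tunnel end.

```python
"""Consistency checks for a two-site OpenVPN point-to-point tunnel fronted by
Shorewall. Added example modelled on the configuration in the post above; it is
not part of the thread and not Shorewall or OpenVPN code."""
from dataclasses import dataclass, field, replace
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Set, Tuple


@dataclass
class Site:
    name: str
    lan: IPv4Network                 # LAN behind this router
    lan_zone: str                    # Shorewall zone of that LAN ("masq" in the post)
    tun_local: IPv4Address           # first argument to --ifconfig
    tun_remote: IPv4Address          # second argument to --ifconfig
    route_net: IPv4Network           # "route add -net" destination
    route_gw: IPv4Address            # "route add ... gw"
    policies: Set[Tuple[str, str]] = field(default_factory=set)  # (src_zone, dst_zone) ACCEPTed
    # Constructed fields for the PC-side check; the post does not give these values.
    router_lan_ip: Optional[IPv4Address] = None
    pc_default_gw: Optional[IPv4Address] = None


def check_pair(a: Site, b: Site) -> List[str]:
    """Return human-readable findings; an empty list means nothing inconsistent."""
    findings = []
    # 1. --ifconfig must be mirrored: my local address is the peer's remote one.
    if a.tun_local != b.tun_remote or a.tun_remote != b.tun_local:
        findings.append(
            f"--ifconfig not mirrored: {a.name} {a.tun_local}->{a.tun_remote}, "
            f"{b.name} {b.tun_local}->{b.tun_remote}")
    for me, peer in ((a, b), (b, a)):
        # 2. The static route must cover the peer LAN and use the far tunnel end as gateway.
        if me.route_net != peer.lan:
            findings.append(f"{me.name}: route covers {me.route_net}, peer LAN is {peer.lan}")
        if me.route_gw != me.tun_remote:
            findings.append(
                f"{me.name}: route gw {me.route_gw} is not the remote tunnel end {me.tun_remote}")
        # 3. Shorewall needs ACCEPT between the LAN zone and the vpn zone in both
        #    directions; fw<->vpn alone only lets the router itself use the tunnel.
        for src, dst in ((me.lan_zone, "vpn"), ("vpn", me.lan_zone)):
            if (src, dst) not in me.policies:
                findings.append(f"{me.name}: no ACCEPT policy/rule for {src} -> {dst}")
        # 4. PCs reach the tunnel only if their far-LAN traffic is sent to this router.
        if me.pc_default_gw is not None and me.pc_default_gw != me.router_lan_ip:
            findings.append(
                f"{me.name}: PCs use gateway {me.pc_default_gw}, "
                f"router LAN address is {me.router_lan_ip}")
    return findings


# Values as posted above; zone names and policy pairs are the ones the post lists.
POSTED_POLICIES = {("masq", "vpn"), ("vpn", "masq"), ("fw", "vpn"), ("vpn", "fw")}

MAIN = Site("main", IPv4Network("10.10.10.0/24"), "masq",
            IPv4Address("192.168.99.2"), IPv4Address("192.168.99.1"),
            IPv4Network("192.168.1.0/24"), IPv4Address("192.168.99.1"),
            set(POSTED_POLICIES))
BRANCH = Site("branch", IPv4Network("192.168.1.0/24"), "masq",
              IPv4Address("192.168.99.2"), IPv4Address("192.168.99.1"),  # identical to main, as posted
              IPv4Network("10.10.10.0/24"), IPv4Address("192.168.99.2"),
              set(POSTED_POLICIES))


def posted_findings() -> List[str]:
    """Findings for the configuration exactly as posted."""
    return check_pair(MAIN, BRANCH)


def mirrored_findings() -> List[str]:
    """Same pair with the branch --ifconfig swapped so the two ends mirror each other."""
    fixed = replace(BRANCH, tun_local=IPv4Address("192.168.99.1"),
                    tun_remote=IPv4Address("192.168.99.2"))
    return check_pair(MAIN, fixed)


def pc_gateway_findings() -> List[str]:
    """Constructed PC-side scenario: router is 10.10.10.1 but PCs point at 10.10.10.254."""
    main = replace(MAIN, router_lan_ip=IPv4Address("10.10.10.1"),
                   pc_default_gw=IPv4Address("10.10.10.254"))
    return [f for f in check_pair(main, BRANCH) if "PCs use gateway" in f]


if __name__ == "__main__":
    for label, fn in (("as posted", posted_findings), ("mirrored", mirrored_findings)):
        print(f"{label}: {fn() or ['no findings']}")
```

The checks are deliberately independent of each other, so a clean tunnel between the routers (checks 1 and 2 pass) combined with PCs that cannot cross it points straight at checks 3 and 4, which is the situation the post describes.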
Tom Eastep
2003-Jun-15 17:47 UTC
[Shorewall-users] Simple OpenVPN setup, what am I missing?
On 15 Jun 2003 19:28:17 -0500, tufkal <tufkal@granola.mine.nu> wrote:

> I am a technician at a local computer repair shop. We have 2 stores
> both with broadband Internet. Public IPs changed for obvious reasons.
>
> Main Store : 10.10.10.x network
> 1.2.3.4 public IP
>
> Branch Store : 192.168.1.x network
> 5.6.7.8 public IP
>
> I just set up both stores with a Mandrake Linux router, replacing some
> Linksys ones that had issues. It's just a bigger uglier router unless I
> can get a VPN tunnel from one to the other done. So here's what I did.
>
> Main Store
> ----------
> /etc/shorewall/zones -> added 'vpn VPN Remote Subnet'
> /etc/shorewall/interfaces -> added 'vpn tun0 192.168.1.255'
> /etc/shorewall/tunnels -> added 'openvpn net 5.6.7.8'
> /etc/shorewall/policy -> added 'masq vpn ACCEPT' and 'vpn masq ACCEPT'
> /etc/shorewall/policy -> added 'fw vpn ACCEPT' and 'vpn fw ACCEPT'
>
> openvpn --remote 5.6.7.8 --dev tun --ifconfig 192.168.99.2 192.168.99.1
> --verb 9
> route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.99.1
>
> Branch Store
> ------------
> /etc/shorewall/zones -> added 'vpn VPN Remote Subnet'
> /etc/shorewall/interfaces -> added 'vpn tun0 10.10.10.255'
> /etc/shorewall/tunnels -> added 'openvpn net 1.2.3.4'
> /etc/shorewall/policy -> added 'masq vpn ACCEPT' and 'vpn masq ACCEPT'
> /etc/shorewall/policy -> added 'fw vpn ACCEPT' and 'vpn fw ACCEPT'
>
> openvpn --remote 1.2.3.4 --dev tun --ifconfig 192.168.99.2 192.168.99.1
> --verb 9
> route add -net 10.10.10.0 netmask 255.255.255.0 gw 192.168.99.2
>
> ***********************************************************************
>
> This setup kinda works. Once turned on, the router at the main store
> can ping all the stuff in the branch store. And the router in the
> branch store can ping all the stuff in the main store. The tunnel is
> working! YAY :)
>
> But, none of the PCs behind the router can see through the tunnel.

Computers don't have eyes and can't see!!!

> The router is the only one that can see through it. Since the tunnel seems
> to be working I think my shorewall configuration is to blame, anyone got
> an idea to try?

How is routing configured on the PCs?

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep
2003-Jun-15 17:54 UTC
[Shorewall-users] Simple OpenVPN setup, what am I missing?
On Sun, 15 Jun 2003 17:47:28 -0700, Tom Eastep <teastep@shorewall.net> wrote:

> How is routing configured on the PCs?

Also:

a) If Shorewall is blocking the traffic then it is logging it -- have you
looked at your firewall log?

b) What else have you done to debug this problem? What were the results?

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
Hi Tom. Sorry to bother you again with this but I don't want to let this
ipsec thing die here... I already read the new ipsec configuration with a
tunnel hub and that is what I want to do. Ok, my final score is to do a
complete tunnel hub between 3 networks, but for now, it is ok with only 2.

My setup:

Host A: Central gateway
  NET: eth0:200.x.x.1
  LOC: dummy0:192.168.200.1/16

Host B:
  NET: eth1:24.x.x.1
  LOC: eth0:192.168.7.0/24

Host C:
  NET: eth1:24.x.x.2
  LOC: eth0:192.168.9.0/24

Before I start dumping my configuration files, I must say that the ipsec is
working just fine and I can ping from a computer *inside* the host B to the
ip address at dummy0 for the host A.

HOST A:

params:
LOC_IF=dummy0
NET_IF=eth0
NET_OPTIONS=blacklist,tcpflags,routefilter,norfc1918,dropunclean
VPN_IF=ipsec0

zones:
loc   Local   Local
net   Net     Internet
vpn1  VPN1    Remote host 1

interfaces:
loc   $LOC_IF
net   $NET_IF   -   $NET_OPTIONS
-     $VPN_IF

tunnels:
ipsec   net   24.x.x.1

hosts:
vpn1   ipsec0:192.168.7.0/24

HOST B:

-- EOM

Saludos/Regards,
Jorge Molina.
Buenos Aires - Argentina (GMT-3).
Tom Eastep
2003-Jun-16 07:05 UTC
[Shorewall-users] Simple OpenVPN setup, what am I missing?
On Sun, 2003-06-15 at 18:20, tufkal wrote:

> here's the route on both PCs, IPs not changed cause I need help and I
> trust ya :)

Several things:

a) In your original post, you described "routers" and "PCs" and said that
the PCs were unable to access the tunnel. I asked you for the routing
configuration of the PCs, not of the routers themselves (I assumed that the
routing tables on the routers were Ok since traffic could pass through the
tunnel).

b) Please don't reply off-list. If you want private consultation about your
firewall problems, buy a commercial firewall. The kind of information
required to troubleshoot these sorts of problems isn't secret (heck, I
publish my entire configuration on the Web -- see
http://www.shorewall.net/myfiles.htm).

c) I have not personally set up OpenVPN -- by taking this thread off-list,
you are depriving yourself of the help of people that have experience in
this area (It was Simon Matter who wrote the OpenVPN documentation on the
Shorewall site).

> I'm out of ideas. As far as other things I have tried to debug it, I
> started with nothing but the documentation from the shorewall site and
> the openvpn site. Following HOWTOs and tutorials got me set up. I
> originally had a problem where I couldn't ping through the tunnel from
> the router (I had forgotten to add fw vpn ACCEPT, vpn fw ACCEPT) and
> various other things. I'm all out of debugging ideas lol. And both of
> these routers I remotely log into and besides loading
> /var/log/messages in a console text editor, I'm not familiar with a
> better way to check logs.

So you didn't read http://www.shorewall.net/troubleshoot.htm (that's the
"Things to try if it doesn't work" link on the Shorewall site)? That page
mentions the "shorewall show log" command and describes how to interpret
the messages. There is also a "shorewall logwatch" command that shows recent
log messages and that "beeps" every time that a net message is generated.

> Really want to show my boss how killer Linux is for networking, and if
> I can get this going he will be calling a meeting for me to teach the
> rest of our staff basic linux networking skills and possibly using
> Linux on our used PCs that we refurbish. Any help you can give me
> would be great, I can even give ya a login if you want to login to one
> of the routers and look yourself.

I have a policy of not logging into users' systems.

I'll ask my original question another way -- can the PCs behind the routers
access the internet?

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
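Tom's advice in the two replies above is to read the firewall log ("if Shorewall is blocking the traffic then it is logging it"; `shorewall show log`). The following added example (mine, not from the thread or from the Shorewall project) parses Shorewall's kernel-log lines, whose prefix is `Shorewall:<chain>:<disposition>:` followed by netfilter's `KEY=value` fields, and summarises them so a mis-forwarded flow shows up as one counter instead of hundreds of lines. `SAMPLE_LOG` is constructed to look like what `/var/log/messages` would hold on the main-store router; the hostnames, chain names, MAC address and the 203.0.113.9 source are made up, and the LAN addresses follow the thread's example networks.

```python
"""Summarise Shorewall/netfilter log lines. Added example; not part of the
thread and not Shorewall's own code."""
import re
from collections import Counter
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional

# Constructed sample of what /var/log/messages (or "shorewall show log") might
# contain on the main-store router. Not a real capture.
SAMPLE_LOG = """\
Jun 15 20:05:12 mainrtr kernel: Shorewall:all2all:REJECT:IN=eth1 OUT=tun0 SRC=10.10.10.50 DST=192.168.1.20 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Jun 15 20:05:13 mainrtr kernel: Shorewall:all2all:REJECT:IN=eth1 OUT=tun0 SRC=10.10.10.50 DST=192.168.1.20 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=2
Jun 15 20:05:20 mainrtr kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=1.2.3.4 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=3421 DF PROTO=TCP SPT=3312 DPT=139 WINDOW=16384 RES=0x00 SYN URGP=0
Jun 15 20:05:31 mainrtr kernel: Shorewall:vpn2all:DROP:IN=tun0 OUT=eth1 SRC=192.168.1.20 DST=10.10.10.50 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=1034 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 15 20:05:40 mainrtr sshd[1234]: Accepted password for admin from 10.10.10.50 port 1025 ssh2
"""

# Shorewall's log prefix: Shorewall:<chain>:<disposition>: then netfilter KEY=value fields.
LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disposition>[^:\s]+):(?P<rest>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")   # "OUT=" with no value is allowed


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the interesting fields of one Shorewall log line, or None for other lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    # Flags without '=' (DF, SYN) are skipped; a repeated key (ICMP ID) is not used here.
    fields = dict(FIELD_RE.findall(m.group("rest")))
    return {
        "chain": m.group("chain"),
        "disposition": m.group("disposition"),
        "in": fields.get("IN", ""),
        "out": fields.get("OUT", ""),
        "src": fields.get("SRC", ""),
        "dst": fields.get("DST", ""),
        "proto": fields.get("PROTO", ""),
        "dpt": fields.get("DPT", ""),
    }


def entries(log_text: str) -> List[Dict[str, str]]:
    return [e for e in map(parse_line, log_text.splitlines()) if e]


def summarize(log_text: str) -> Counter:
    """Count logged packets by (chain, disposition, in-interface, out-interface).
    A forwarded flow hitting a policy shows up as IN=<lan if> OUT=<tunnel if>."""
    return Counter((e["chain"], e["disposition"], e["in"], e["out"]) for e in entries(log_text))


def tunnel_related(log_text: str, tun_if: str = "tun0") -> List[Dict[str, str]]:
    """Entries that entered or left via the tunnel interface: the first place to look
    when the router can use the tunnel but the hosts behind it cannot."""
    return [e for e in entries(log_text) if tun_if in (e["in"], e["out"])]


def blocked_between(log_text: str, src_net: str, dst_net: str) -> List[Dict[str, str]]:
    """Logged packets from one LAN toward the other, i.e. the PC traffic that should
    be crossing the tunnel rather than being logged at all."""
    s_net, d_net = IPv4Network(src_net), IPv4Network(dst_net)
    return [e for e in entries(log_text)
            if e["src"] and e["dst"]
            and IPv4Address(e["src"]) in s_net and IPv4Address(e["dst"]) in d_net]


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:4d}  chain={key[0]} {key[1]} IN={key[2] or '-'} OUT={key[3] or '-'}")
    for e in blocked_between(SAMPLE_LOG, "10.10.10.0/24", "192.168.1.0/24"):
        print(f"LAN->far-LAN logged: {e['src']} -> {e['dst']} proto={e['proto']} in={e['in']} out={e['out']}")
```

Reading the summary rather than the raw file answers Tom's question directly: a counter keyed on the LAN interface inbound and the tunnel interface outbound, with a REJECT or DROP disposition, means the packets did reach the router and the firewall policy stopped them; no such entries at all means the PCs never sent the traffic to the router, which is a host routing question.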