thr3ads.net - Shorewall users - [Shorewall-users] OpenVPN and RFC 1918 [Aug 2003]

If this information is useful, please help other people find it:
Share via:

Reginald Richardson

2003-Aug-09 03:01 UTC

[Shorewall-users] OpenVPN and RFC 1918

I installed, Openvpn, just as per the instructions from Tom''s website,
but i''m getting an error message, when trying to ping across the
tunnel, if i shut down shorewall, all is well..

I can identify the problem, understand it, but don''t know where to make
the change.


this is how my connection to the internet is..over DSL 

------------ 
| internet | 
------------ 
| 
|Public Ip 
---------- 
|DSL Mdm | 
---------- 
|10.0.0.138 
| 
|10.0.0.100 
---------- 
| FW-Leaf| 
---------- 
| 
| 
---------- 
|Switch | 
---------- 

My DSL modem makes a PPTP connection to the internet, and i have the firewall
making a normal ethernet connection to the DSL Modem. In order for showarewall
to forward the 10.0.0.0 packets, i made the following change in the rfc1918 file

10.0.0.138 RETURN # Allow MxStream Modem 
10.0.0.100 RETURN # Allow Local Interface 

When i try to ping or make a connection over the tunnel, this is the message
shorewall gives:

Aug 9 10:41:41 gw-homenet Shorewall:all2all:REJECT: IN= OUT=eth1
MAC=00:60:08:74:39:5d:00:80:9f:24:14:3e:08:00 SRC=10.0.0.100 DST=213.19.144.72
LEN=128 TOS=00 PREC=0x00 TTL=64 ID=56749 DF PROTO=UDP SPT=5000 DPT=5000 LEN=108

What i''m seeing, that in the all2al rule, shorewall is rejecting the
packets, for 10.0.0.100, i realize, that the all2all, ruls, comes from in the
POLICY config...

what i fail to understand, it it allows them thru for normal internet traffic,
but yet with the OPENVPN, it''s rejecting them.

can any one explain me, where to make the adjust to rectify this problem,
wheather in the POLICY file, or the RULES File.


Additional Information: 

Zones Config: 
#ZONE DISPLAY COMMENTS 
net Net Internet 
loc Local Subnet 192.168.10.0 
loc1 Subnet 30.0 Subnet 192.168.30.0 
loc2 Subnet 11.0 Subnet 192.168.11.0 
vpn Remote Subnet Remote VPN 
#dmz DMZ Demilitarized zone 

Interfaces Config: 
#ZONE INTERFACE BROADCAST OPTIONS 
net eth1 detect routefilter,norfc1918,blacklist,tcpflags 
loc eth2 detect 
- eth3 detect 
vpn tun0 

Policy File: 
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST 
loc loc ACCEPT 
loc loc1 ACCEPT 
loc net ACCEPT 

loc1 net ACCEPT 
loc2 net ACCEPT 

loc vpn ACCEPT 
vpn loc ACCEPT 

Tunnel File: 
# TYPE ZONE GATEWAY GATEWAY ZONE PORT 
openvpn net 212.72.45.253 



-----------------------------------------------------------
~~ The Science of Doing it Right ~~
-----------------------------------------------------------

Tom Eastep

2003-Aug-09 08:02 UTC

head link

[Shorewall-users] OpenVPN and RFC 1918

On Sat, 2003-08-09 at 03:01, Reginald Richardson wrote:
> Aug 9 10:41:41 gw-homenet Shorewall:all2all:REJECT: IN= OUT=eth1
MAC=00:60:08:74:39:5d:00:80:9f:24:14:3e:08:00 SRC=10.0.0.100 DST=213.19.144.72
LEN=128 TOS=00 PREC=0x00 TTL=64 ID=56749 DF PROTO=UDP SPT=5000 DPT=5000 LEN=108

This OpenvVPN packet is addressed to 213.19.144.72
> Tunnel File: 
> # TYPE ZONE GATEWAY GATEWAY ZONE PORT 
> openvpn net 212.72.45.253 
> 
While you have configured the remote gateway as 213.19.144.253.

-Tom

PS -- please configure your mailer to fold lines at 80 columns or less.
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Shorewall users - Aug 2003 - OpenVPN and RFC 1918

[Shorewall-users] OpenVPN and RFC 1918

[Shorewall-users] OpenVPN and RFC 1918