Gonzalo Servat
2003-Aug-20 20:48 UTC
[Shorewall-users] Dynamic OpenVPN setup and rules problem
Hi All,

I'm writing about 2 problems I'm having with my new OpenVPN setup.

Problem 1
=========

Some background info of what I'm trying to setup:

       [[ 192.168.0.0/24 ]]
                |
        |-- Shorewall A --|
                |
               / \
          << INTERNET >>
               \ /
                |
        |-- Shorewall B --|
                |
       [[ 192.168.1.0/24 ]]

The OpenVPN connection is being established, but packets are being dropped in the all2all chain. Both firewalls have similar configurations so I'll just paste one copy of the relevant files:

/etc/shorewall/policy:

    #SOURCE   DEST   POLICY   LOG LEVEL
    loc       net    ACCEPT
    loc       fw     ACCEPT
    fw        net    ACCEPT
    wlan      all    ACCEPT
    all       wlan   ACCEPT
    loc       vpn    ACCEPT
    vpn       loc    ACCEPT
    net       all    DROP     info
    all       all    REJECT   info

/etc/shorewall/interfaces:

    #ZONE   INTERFACE   BROADCAST   OPTIONS
    -       eth0        detect      routefilter,dhcp
    wlan    wlan0       detect      routefilter,dhcp
    vpn     tun0

/etc/shorewall/hosts:

    #ZONE   HOST(S)               OPTIONS
    net     eth0:0.0.0.0/0
    loc     eth0:192.168.1.0/24

So basically when I try and ping from one end to the other over the VPN, I see the following in the logs:

    Aug 21 13:26:55 gw kernel: Shorewall:all2all:REJECT:IN=tun0 OUT=eth0 SRC=192.168.0.5 DST=192.168.1.114 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=63526 SEQ=256

Looking at the tun0_fwd chain, I think I can see where the problem is:

    [root@gw log]# iptables -L tun0_fwd -v -n
    Chain tun0_fwd (1 references)
     pkts bytes target     prot opt in     out     source               destination
        3   252 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
        3   252 all2all    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
        0     0 vpn2loc    all  --  *      eth0    0.0.0.0/0            192.168.1.0/24
        0     0 all2wlan   all  --  *      wlan0   0.0.0.0/0            0.0.0.0/0

The "all2all" rule is *before* the vpn2loc rule, so it gets blocked.

Is there anything obvious from the above that indicates where I misconfigured Shorewall? Why is the all2all rule placed before the vpn2loc rule?

Problem 2
=========

While OpenVPN supports dynamic IP configurations, Shorewall only allows you to enter an IP (AFAIK) in /etc/shorewall/tunnels, hence if the IP changes on either side the iptables rules will deny VPN connectivity.

Is there a workaround for this?

Thanks in advance for any help.

Regards,
Gonzalo
Tom Eastep
2003-Aug-21 06:39 UTC
[Shorewall-users] Dynamic OpenVPN setup and rules problem
On Wed, 2003-08-20 at 20:48, Gonzalo Servat wrote:
> Hi All,
>
> I'm writing about 2 problems I'm having with my new OpenVPN setup.
>
> Problem 1
> =========
>
> Some background info of what I'm trying to setup:
>
>        [[ 192.168.0.0/24 ]]
>                 |
>         |-- Shorewall A --|
>                 |
>                / \
>           << INTERNET >>
>                \ /
>                 |
>         |-- Shorewall B --|
>                 |
>        [[ 192.168.1.0/24 ]]

That's not really what you have. You have

        |-- Shorewall A --|
                |
               / \
    << INTERNET AND Local Zones >>
               \ /
                |
        |-- Shorewall B --|

In no way are your Shorewall boxes between the Internet and your local systems (except for routing and NAT). On each end, your local zone is a sub-zone of your Internet zone. Very insecure setup unless there is another firewall between your Shorewall boxes and the Internet.

> So basically when I try and ping from one end to the other over the VPN, I
> see the following in the logs:
>
>     Aug 21 13:26:55 gw kernel: Shorewall:all2all:REJECT:IN=tun0 OUT=eth0 SRC=192.168.0.5 DST=192.168.1.114 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=63526 SEQ=256
>
> Looking at the tun0_fwd chain, I think I can see where the problem is:
>
>     [root@gw log]# iptables -L tun0_fwd -v -n
>     Chain tun0_fwd (1 references)
>      pkts bytes target     prot opt in     out     source               destination
>         3   252 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
>         3   252 all2all    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
>         0     0 vpn2loc    all  --  *      eth0    0.0.0.0/0            192.168.1.0/24
>         0     0 all2wlan   all  --  *      wlan0   0.0.0.0/0            0.0.0.0/0
>
> The "all2all" rule is *before* the vpn2loc rule, so it gets blocked.
>
> Is there anything obvious from the above that indicates where I
> misconfigured Shorewall? Why is the all2all rule placed before the vpn2loc
> rule?

Once again, since 'loc' is a sub-zone of 'net' it should be listed first in /etc/shorewall/zones. See http://shorewall.net/Documentation.htm#Nested.

> Problem 2
> =========
>
> While OpenVPN supports dynamic IP configurations, Shorewall only allows you
> to enter an IP (AFAIK) in /etc/shorewall/tunnels, hence if the IP changes
> on either side the iptables rules will deny VPN connectivity. Is there a
> workaround for this?

a) Set the gateway to 0.0.0.0/0 (or some smaller network if you can determine the set of addresses possible for the remote gateway).

b) Use a dynamic DNS service and use the FQDN of the gateway in /etc/shorewall/tunnels. You of course must restart Shorewall each time that the IP address of the other gateway changes.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
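What the two fixes above look like in configuration form, as an added illustration that is not part of the original posts. Gonzalo never showed his /etc/shorewall/zones, so the zones file below is a reconstruction in the Shorewall 1.x three-column format with assumed DISPLAY and COMMENTS values; the hosts lines are the ones he posted; the tunnels line is an assumption about the file's layout (TYPE, ZONE, GATEWAY) and the "openvpn" tunnel type, with the gateway set to 0.0.0.0/0 as in option a).

```text
# /etc/shorewall/zones (reconstructed, not from the thread)
# A nested zone must be listed BEFORE the zone it lives inside. Here 'loc'
# (eth0:192.168.1.0/24) is a sub-zone of 'net' (eth0:0.0.0.0/0), so 'loc'
# comes first. With 'net' first, the broad all2all jump for eth0 is emitted
# ahead of vpn2loc, which is exactly the ordering the tun0_fwd listing shows.
#ZONE   DISPLAY   COMMENTS
loc     Local     Local LAN; sub-zone of net because both share eth0
net     Net       Internet
wlan    WLAN      Wireless clients
vpn     VPN       OpenVPN tunnel to the other site

# /etc/shorewall/hosts (as posted)
#ZONE   HOST(S)               OPTIONS
net     eth0:0.0.0.0/0
loc     eth0:192.168.1.0/24

# /etc/shorewall/tunnels (assumed layout; option a) from the reply above)
# 0.0.0.0/0 lets the tunnel come up from any remote address. Narrow it to the
# ISP's address range if that range is known, since the wide match also lets
# any host on the Internet reach the OpenVPN port.
#TYPE     ZONE   GATEWAY       GATEWAY ZONE
openvpn   net    0.0.0.0/0
```

Note that the zones reordering only restores the vpn2loc traffic; it does not change the point made about the topology. Because 'net' and 'loc' share eth0, the local machines are on the same wire as the Internet side, and the Shorewall box only filters what is routed through it.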
Gonzalo Servat
2003-Aug-21 18:22 UTC
[Shorewall-users] Dynamic OpenVPN setup and rules problem
On 21/08/2003 6:39 AM -0700, Tom Eastep wrote:
> That's not really what you have. You have
>
>         |-- Shorewall A --|
>                 |
>                / \
>     << INTERNET AND Local Zones >>
>                \ /
>                 |
>         |-- Shorewall B --|
>
> In no way are your Shorewall boxes between the Internet and your local
> systems (except for routing and NAT). On each end, your local zone is a
> sub-zone of your Internet zone.

Ah yes, you're absolutely right. :) It's actually not *that* insecure, since the ADSL router only NATs packets from one IP address (the Shorewall box) so if you wanted to get out to the net, you would either have to set your IP the same as the Shorewall box and set your default gw as the ADSL router, or you could just fetch an IP from the Shorewall box which will set the client's default gw as the Shorewall box. Normally I wouldn't set it up like this, but I think for their purposes it's good enough.

> Once again, since 'loc' is a sub-zone of 'net' it should be listed first
> in /etc/shorewall/zones. See
> http://shorewall.net/Documentation.htm#Nested.

Thanks for that. It was indeed the problem.

> a) Set the gateway to 0.0.0.0/0 (or some smaller network if you can
> determine the set of addresses possible for the remote gateway).
> b) Use a dynamic DNS service and use the FQDN of the gateway in
> /etc/shorewall/tunnels. You of course must restart Shorewall each time
> that the IP address of the other gateway changes.

Other than writing a script and running it from cron, do you know if you can hook up a script to OpenVPN so it does something when an IP changes?

Thanks for your help.

Regards,
Gonzalo
Tom Eastep
2003-Aug-21 18:28 UTC
[Shorewall-users] Dynamic OpenVPN setup and rules problem
On Fri, 22 Aug 2003 11:22:36 +1000, Gonzalo Servat <gonzalo@linuxaus.com> wrote:
>
>> a) Set the gateway to 0.0.0.0/0 (or some smaller network if you can
>> determine the set of addresses possible for the remote gateway).
>> b) Use a dynamic DNS service and use the FQDN of the gateway in
>> /etc/shorewall/tunnels. You of course must restart Shorewall each time
>> that the IP address of the other gateway changes.
>
> Other than writing a script and running it from cron, do you know if you
> can hook up a script to OpenVPN so it does something when an IP changes?
>

It is the software that manages your internet connection (PPPoE, dhclient, pump, ...) that needs to restart Shorewall when the IP address changes. Look at the documentation for that product; those programs usually include a way to run a script at significant state changes...

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Gonzalo Servat
2003-Aug-21 18:54 UTC
[Shorewall-users] Dynamic OpenVPN setup and rules problem
On 21/08/2003 6:28 PM -0700, Tom Eastep wrote:
>>> b) Use a dynamic DNS service and use the FQDN of the gateway in
>>> /etc/shorewall/tunnels. You of course must restart Shorewall each time
>>> that the IP address of the other gateway changes.
>
> It is the software that manages your internet connection (PPPoE,
> dhclient, pump, ...) that needs to restart Shorewall when the IP address
> changes. Look at the documentation for that product; those programs
> usually include a way to run a script at significant state changes...

Ok, here's the thing. I'm restarting Shorewall every time the *remote* IP changes, so PPPoE, dhclient, pump, etc. are for the local end, not the remote end, so what I need is a way to determine that the remote IP changed. One way to do this is through cron. What do you think?

I just found a neat little ddclient modification from a guy on Freshmeat that allows you to specify a postscript when the IP changes. Argh! Oh well, it'll come in handy one day... would it help anyone if I posted it back to the list?

Gonzalo
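A cron-driven check of the kind proposed in the message above, written here as an added example; it is not code from the thread, from Shorewall, OpenVPN or ddclient. It assumes the remote gateway publishes its address under a dynamic DNS name (REMOTE_FQDN, a hypothetical name) that /etc/shorewall/tunnels references as in option b), that the last address seen is cached in STATE_FILE, and that glibc's `getent ahostsv4`, `logger` and `/sbin/shorewall` are available on the firewall.

```shell
#!/bin/sh
# Added example, not from the thread: poll the remote OpenVPN gateway's dynamic
# DNS name from cron and restart Shorewall only when the address really changed.
# Assumptions (hypothetical names): REMOTE_FQDN is the DDNS name of the remote
# gateway as used in /etc/shorewall/tunnels; STATE_FILE caches the last address.

REMOTE_FQDN="${REMOTE_FQDN:-vpn-b.example.net}"
STATE_FILE="${STATE_FILE:-/var/run/openvpn-remote.ip}"
SHOREWALL="${SHOREWALL:-/sbin/shorewall}"

# Accept only a plain dotted quad. An empty answer, an IPv6 address, or a
# poisoned DNS reply carrying shell metacharacters is rejected rather than
# written to the state file or handed to another command.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Resolve a name to its first IPv4 address; prints nothing if lookup fails.
resolve_ipv4() {
    getent ahostsv4 "$1" 2>/dev/null | awk '{ print $1; exit }'
}

# Compare a freshly resolved address with the cached one. Prints "invalid",
# "unchanged" or "changed"; the cache file is rewritten only on a change.
record_remote_ip() {
    new_ip=$1
    state=$2
    if ! valid_ipv4 "$new_ip"; then
        echo invalid
        return 1
    fi
    old_ip=''
    [ -r "$state" ] && old_ip=$(cat "$state")
    if [ "$new_ip" = "$old_ip" ]; then
        echo unchanged
        return 1
    fi
    printf '%s\n' "$new_ip" > "$state"
    echo changed
    return 0
}

# Cron entry point: resolve, compare, restart Shorewall only on a real change.
check_remote_gateway() {
    ip=$(resolve_ipv4 "$REMOTE_FQDN")
    case $(record_remote_ip "$ip" "$STATE_FILE") in
        changed)
            logger -t openvpn-remote "$REMOTE_FQDN now resolves to $ip; restarting Shorewall"
            "$SHOREWALL" restart
            ;;
        invalid)
            # A transient lookup failure must not tear down a working VPN:
            # keep the rules currently loaded and try again on the next run.
            logger -t openvpn-remote "no usable IPv4 answer for $REMOTE_FQDN; leaving rules alone"
            return 1
            ;;
    esac
}

# Only touch the firewall when invoked as "script.sh check" (the cron form), so
# the file can also be sourced for its functions without side effects.
if [ "${1:-}" = check ]; then
    check_remote_gateway
fi
```

A crontab line such as `*/5 * * * * /usr/local/sbin/openvpn-remote-check.sh check` (path assumed) polls every five minutes. The state file is what keeps this from restarting Shorewall on every run; the address validation is what keeps a bad DNS answer from reaching the state file or the shorewall command line.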
Tom Eastep
2003-Aug-21 18:56 UTC
[Shorewall-users] Dynamic OpenVPN setup and rules problem
On Fri, 22 Aug 2003 11:53:00 +1000, Gonzalo Servat <gonzalo@linuxaus.com> wrote:
> Ok, here's the thing. I'm restarting Shorewall every time the *remote* IP
> changes, so PPPoE, dhclient, pump, etc. are for the local end, not the
> remote end, so what I need is a way to determine that the remote IP
> changed. One way to do this is through cron. What do you think?
>
> I just found a neat little ddclient modification from a guy on Freshmeat
> that allows you to specify a postscript when the IP changes. Argh! Oh
> well, it'll come in handy one day... would it help anyone if I posted it
> back to the list?

Ok -- this is very OT so I'm getting out of the thread. Maybe someone else can help...

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net