Hi All,

I'm having an OpenVPN problem where the source port of the connection is not "5000" as it should be. It seems to use a random source port.

What's happening is that I'll have a working OpenVPN tunnel, then one of the 2 tunnels changes IP address. So I restart Shorewall on the other end and it tries to connect again. What I presume happens is that source port 5000 to dest port 5000 is still taken up by the previous OpenVPN connection, so netfilter, doing the NAT thing that it does, decides to use a different source port (in this case 10002) and Shorewall blocks it, as it only allows connections from/to src & dst port 5000.

I've emailed the OpenVPN list and got the reply that I anticipated. It's not an OpenVPN misconfiguration or malfunction.

I'm about to modify my Shorewall "firewall" file to allow any source port to dst port 5000, but I just thought I'd check with the list first.

TIA.

Regards,
Gonzalo
On Tue, 26 Aug 2003, Gonzalo Servat wrote:

> I'm about to modify my Shorewall "firewall" file to allow any source port
> to dst port 5000 but I just thought I'd check with the list first.

Please don't do that. Toss the entry in the tunnels file and replace it with rules in /etc/shorewall/rules.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On 25/08/2003 8:13 PM -0700, Tom Eastep wrote:

> Please don't do that. Toss the entry in the tunnels file and replace it
> with rules in /etc/shorewall/rules.

Ok, I added:

/etc/shorewall/rules:

ACCEPT $FW net:remote.vpn.fqdn udp 5000
ACCEPT net:remote.vpn.fqdn $FW udp 5000

.. and it seems to work now. :)

Thanks,
Gonzalo

(BTW, good move on setting the reply-to to go to the mailing list..)
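The difference between the two configurations, as a small added model that is not part of the thread and not Shorewall's own code: the tunnels entry, as Gonzalo describes it, only passes UDP traffic whose source and destination ports are both 5000, while the two /etc/shorewall/rules entries leave the source port unconstrained and pin only the peer address, protocol and destination port. The addresses below (203.0.113.7 for remote.vpn.fqdn, 198.51.100.1 for $FW) and the sample packets are constructed for illustration; the first-match-wins evaluation with a default DROP is an assumption that mirrors how a policy of DROP behaves, not a re-implementation of Shorewall's compiled chains.

```python
from dataclasses import dataclass
from typing import Optional, List, Dict

REMOTE = "203.0.113.7"    # constructed stand-in for net:remote.vpn.fqdn
FW = "198.51.100.1"       # constructed stand-in for $FW
STRANGER = "192.0.2.9"    # constructed unrelated host


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    """One ACCEPT/DROP line: src, dst, proto, dest port and optional source port."""
    action: str
    src: str
    dst: str
    proto: str
    dport: int
    sport: Optional[int] = None   # None means "any source port"

    def matches(self, p: Packet) -> bool:
        return (
            p.src == self.src
            and p.dst == self.dst
            and p.proto == self.proto
            and p.dport == self.dport
            and (self.sport is None or p.sport == self.sport)
        )


def evaluate(rules: List[Rule], p: Packet, default: str = "DROP") -> str:
    """First matching rule wins; fall through to the zone policy (assumed DROP)."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


# Model of the tunnels-file entry as described in the thread:
# both the source and the destination port must be 5000.
TUNNELS_STYLE = [
    Rule("ACCEPT", REMOTE, FW, "udp", 5000, sport=5000),
    Rule("ACCEPT", FW, REMOTE, "udp", 5000, sport=5000),
]

# Model of the two /etc/shorewall/rules lines Gonzalo added:
# peer address, protocol and destination port only; source port is free.
RULES_STYLE = [
    Rule("ACCEPT", FW, REMOTE, "udp", 5000),
    Rule("ACCEPT", REMOTE, FW, "udp", 5000),
]

# Constructed traffic: the original tunnel packet, the one netfilter re-NATed
# to source port 10002 after the address change, and two things that must
# still be dropped (an unrelated host, and the right peer on the wrong port).
SAMPLE = {
    "original":   Packet(REMOTE, FW, "udp", 5000, 5000),
    "renatted":   Packet(REMOTE, FW, "udp", 10002, 5000),
    "stranger":   Packet(STRANGER, FW, "udp", 5000, 5000),
    "wrong_port": Packet(REMOTE, FW, "udp", 10002, 10002),
}


def compare(packets: Dict[str, Packet] = SAMPLE) -> Dict[str, Dict[str, str]]:
    """Verdict of each packet under both rule sets, keyed by packet name."""
    return {
        name: {
            "tunnels": evaluate(TUNNELS_STYLE, p),
            "rules": evaluate(RULES_STYLE, p),
        }
        for name, p in packets.items()
    }


if __name__ == "__main__":
    for name, verdict in compare().items():
        print(f"{name:11s} tunnels={verdict['tunnels']:6s} rules={verdict['rules']}")
```

The model makes the trade-off explicit: the rules version is what makes the re-NATed connection work, and it widens what is accepted only from one source port to all source ports of the one named peer on UDP 5000; packets from any other host, or to any other port, are still dropped. Authenticating the peer beyond its IP address remains OpenVPN's job (its TLS or static-key handshake), not the port filter's.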
On Tue, 26 Aug 2003, Gonzalo Servat wrote:

> On 25/08/2003 8:13 PM -0700, Tom Eastep wrote:
>
> > Please don't do that. Toss the entry in the tunnels file and replace it
> > with rules in /etc/shorewall/rules.
>
> Ok, I added:
>
> /etc/shorewall/rules:
>
> ACCEPT $FW net:remote.vpn.fqdn udp 5000
> ACCEPT net:remote.vpn.fqdn $FW udp 5000
>
> .. and it seems to work now. :)

Good -- as I said the other day on the list, Shorewall 2.0 won't have a tunnels file; it doesn't add any real value and it just makes the solution to problems like yours less obvious.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net