Hello,

I am having intermittent connections using openvpn. Can someone tell me why I am getting this in the log when I try to connect.

    May 19 21:39:26 terminator INPUT REJECT eth1 local 68.157.121.227 xxx.xxx.88.155 UDP 61295 5001

ZONES:

    #ZONE   DISPLAY   COMMENTS
    net     Net       Internet
    loc     Local     Local networks
    dmz     DMZ       Demilitarized zone
    vpn     VPN       OpenVPN Zone

INTERFACES:

    #ZONE   INTERFACE   BROADCAST   OPTIONS
    loc     eth0
    dmz     eth1        -           tcpflags,blacklist,routefilter
    net     eth2        -           tcpflags,blacklist,routefilter
    vpn     tun0
    vpn     tun1
    vpn     tun2
    vpn     tun3
    vpn     tun4
    vpn     tun5
    vpn     tun6
    vpn     tun7
    vpn     tun8
    vpn     tun9
    vpn     tun10

TUNNELS:

    # TYPE         ZONE   GATEWAY     GATEWAY
    #                                 ZONE
    openvpn:5000   dmz    0.0.0.0/0   gw
    openvpn:5001   dmz    0.0.0.0/0   gw
    openvpn:5002   dmz    0.0.0.0/0   gw
    openvpn:5003   dmz    0.0.0.0/0   gw
    openvpn:5004   dmz    0.0.0.0/0   gw
    openvpn:5005   dmz    0.0.0.0/0   gw
    openvpn:5006   dmz    0.0.0.0/0   gw
    openvpn:5007   dmz    0.0.0.0/0   gw
    openvpn:5008   dmz    0.0.0.0/0   gw
    openvpn:5009   dmz    0.0.0.0/0   gw
    openvpn:5010   dmz    0.0.0.0/0   gw
    openvpn:5011   dmz    0.0.0.0/0   gw

Additionally, if I connect using openvpn during a shorewall clear I can still connect after doing a shorewall restart. I can disconnect and connect at will using openvpn but only if I first connect during a shorewall clear. It is not till after I reboot that I can no longer connect. Is there some persistent rule that allows this or is it just one of those things?

TIA
> Hello,
>
> I am having intermittent connections using openvpn. Can someone tell me
> why I am getting this in the log when I try to connect.
>
> May 19 21:39:26 terminator INPUT REJECT eth1 local 68.157.121.227
> xxx.xxx.88.155 UDP 61295 5001
>
> ZONES:
>
> #ZONE   DISPLAY   COMMENTS
> net     Net       Internet
> loc     Local     Local networks
> dmz     DMZ       Demilitarized zone
> vpn     VPN       OpenVPN Zone
>
> INTERFACES:
>
> #ZONE   INTERFACE   BROADCAST   OPTIONS
> loc     eth0
> dmz     eth1        -           tcpflags,blacklist,routefilter
> net     eth2        -           tcpflags,blacklist,routefilter
> vpn     tun0
> vpn     tun1
> vpn     tun2
> vpn     tun3
> vpn     tun4
> vpn     tun5
> vpn     tun6
> vpn     tun7
> vpn     tun8
> vpn     tun9
> vpn     tun10
>
> TUNNELS:
>
> # TYPE         ZONE   GATEWAY     GATEWAY
> #                                 ZONE
> openvpn:5000   dmz    0.0.0.0/0   gw
> openvpn:5001   dmz    0.0.0.0/0   gw
> openvpn:5002   dmz    0.0.0.0/0   gw
> openvpn:5003   dmz    0.0.0.0/0   gw
> openvpn:5004   dmz    0.0.0.0/0   gw
> openvpn:5005   dmz    0.0.0.0/0   gw
> openvpn:5006   dmz    0.0.0.0/0   gw
> openvpn:5007   dmz    0.0.0.0/0   gw
> openvpn:5008   dmz    0.0.0.0/0   gw
> openvpn:5009   dmz    0.0.0.0/0   gw
> openvpn:5010   dmz    0.0.0.0/0   gw
> openvpn:5011   dmz    0.0.0.0/0   gw
>
> Additionally, if I connect using openvpn during a shorewall clear I can
> still connect after doing a shorewall restart. I can disconnect and
> connect at will using openvpn but only if I first connect during a
> shorewall clear. It is not till after I reboot that I can no longer
> connect. Is there some persistent rule that allows this or is it just
> one of those things?

Well, that's the connection tracking which keeps established connections open even if new rules prevented it. I'm afraid there is no real fix for this problem with a Linux firewall.

Simon

> TIA
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
Simon Matter wrote:

>> Hello,
>>
>> I am having intermittent connections using openvpn. Can someone tell me
>> why I am getting this in the log when I try to connect.
>>
>> May 19 21:39:26 terminator INPUT REJECT eth1 local 68.157.121.227
>> xxx.xxx.88.155 UDP 61295 5001

That is not a Netfilter message. I have no idea what it means.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Simon Matter wrote:

>> Additionally, if I connect using openvpn during a shorewall clear I can
>> still connect after doing a shorewall restart. I can disconnect and
>> connect at will using openvpn but only if I first connect during a
>> shorewall clear. It is not till after I reboot that I can no longer
>> connect. Is there some persistent rule that allows this or is it just
>> one of those things?

If you wait more than 30 seconds after the previous connection has terminated, you should then be unable to reconnect.

> Well, that's the connection tracking which keeps established connections
> open even if new rules prevented it. I'm afraid there is no real fix for
> this problem with a Linux firewall.

Indeed. Openvpn has this problem worse than other UDP-based applications because it always uses the same local port number (500). The only solution to this problem under current kernels from kernel.org is to create a stateless firewall; that precludes using Shorewall.

-Tom
This is an equivalent message from shorewall.log.

    May 20 07:13:59 terminator Shorewall:INPUT:REJECT: IN=eth1 OUT= MAC=00:40:f4:41:74:f2:00:20:6f:14:92:e4:08:00 SRC=68.157.121.227 DST=xxx.xxx.88.155 LEN=70 TOS=00 PREC=0x00 TTL=115 ID=57653 CE PROTO=UDP SPT=61495 DPT=5001 LEN=50

Thanks,

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Mailing List for Shorewall Users" <shorewall-users@lists.shorewall.net>
Sent: Thursday, May 20, 2004 8:56 AM
Subject: Re: [Shorewall-users] Configuring Shorewall for OpenVPN

> Simon Matter wrote:
>
> >> Hello,
> >>
> >> I am having intermittent connections using openvpn. Can someone tell me
> >> why I am getting this in the log when I try to connect.
> >>
> >> May 19 21:39:26 terminator INPUT REJECT eth1 local 68.157.121.227
> >> xxx.xxx.88.155 UDP 61295 5001
>
> That is not a Netfilter message. I have no idea what it means.
>
> -Tom
ALParada wrote:

> This is an equivalent message from shorewall.log.
>
> May 20 07:13:59 terminator Shorewall:INPUT:REJECT: IN=eth1 OUT=
> MAC=00:40:f4:41:74:f2:00:20:6f:14:92:e4:08:00 SRC=68.157.121.227
> DST=xxx.xxx.88.155 LEN=70 TOS=00 PREC=0x00 TTL=115 ID=57653 CE PROTO=UDP
> SPT=61495 DPT=5001 LEN=50

The Shorewall-generated rules for OpenVPN assume that the client will use the same source and destination port numbers. The above client isn't doing that. To accommodate such clients, you can change your tunnels from

    openvpn:50xx .....

to:

    generic:udp:50xx

-Tom
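To check a Shorewall log for exactly the symptom Tom describes, here is an added Python example (not from the thread and not Shorewall's own code): it flags rejected or dropped UDP packets to the tunnel ports whose source port differs from the destination port, and rewrites the matching openvpn: entries in a tunnels file to generic:udp:. The log lines, addresses, MAC and tunnels entries are constructed for the example; only the 5000-5011 port range and the log format come from the thread.

```python
import re

TUNNEL_PORTS = set(range(5000, 5012))  # openvpn:5000 .. openvpn:5011 in the posted tunnels file

# Constructed sample lines in the Shorewall log format quoted in the thread;
# addresses and MACs are made up for this example.
SAMPLE_LOG = """\
May 20 07:13:59 terminator Shorewall:INPUT:REJECT: IN=eth1 OUT= MAC=00:40:f4:41:74:f2:00:20:6f:14:92:e4:08:00 SRC=203.0.113.27 DST=192.0.2.155 LEN=70 TOS=00 PREC=0x00 TTL=115 ID=57653 CE PROTO=UDP SPT=61495 DPT=5001 LEN=50
May 20 07:14:03 terminator Shorewall:INPUT:REJECT: IN=eth1 OUT= MAC=00:40:f4:41:74:f2:00:20:6f:14:92:e4:08:00 SRC=198.51.100.7 DST=192.0.2.155 LEN=70 TOS=00 PREC=0x00 TTL=115 ID=57654 PROTO=UDP SPT=5003 DPT=5003 LEN=50
May 20 07:14:10 terminator Shorewall:net2all:DROP: IN=eth2 OUT= MAC=00:40:f4:41:74:f2:00:20:6f:14:92:e4:08:00 SRC=203.0.113.9 DST=192.0.2.155 LEN=60 TOS=00 PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=44444 DPT=22 SYN URGP=0
"""

# Constructed tunnels entries in the layout of the original post.
SAMPLE_TUNNELS = """\
# TYPE         ZONE   GATEWAY     GATEWAY ZONE
openvpn:5001   dmz    0.0.0.0/0   gw
openvpn:5003   dmz    0.0.0.0/0   gw
"""

LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[A-Z]+):")


def find_port_mismatches(log_text, tunnel_ports=TUNNEL_PORTS):
    """Rejected/dropped UDP packets to a tunnel port whose source port differs
    from the destination port: the clients the openvpn: tunnel type cannot
    match, since its rules expect SPT == DPT."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m.group("disp") not in ("REJECT", "DROP"):
            continue
        f = dict(re.findall(r"(\w+)=(\S*)", line[m.end():]))  # second LEN= wins; unused here
        if f.get("PROTO") != "UDP":
            continue
        spt, dpt = int(f["SPT"]), int(f["DPT"])
        if dpt in tunnel_ports and spt != dpt:
            hits.append({"src": f["SRC"], "spt": spt, "dpt": dpt, "chain": m.group("chain")})
    return hits


def rewrite_tunnels(tunnels_text, ports):
    """Apply the fix from the thread: openvpn:<port> -> generic:udp:<port> for
    the given ports; every other line and column is left untouched."""
    out = []
    for line in tunnels_text.splitlines():
        m = re.match(r"openvpn:(\d+)(\s.*)$", line)
        if m and int(m.group(1)) in ports:
            line = f"generic:udp:{m.group(1)}{m.group(2)}"
        out.append(line)
    return "\n".join(out) + "\n"
```

Run find_port_mismatches over /var/log/shorewall.log (or wherever LOGFILE points) and feed the ports it reports into rewrite_tunnels; a client whose SPT equals DPT is not reported, because the existing openvpn: entry already handles it.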
Thanks, I will give it a try. I am using WinXP as a client. What makes my setup different as far as using different ports? Is this common?

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Mailing List for Shorewall Users" <shorewall-users@lists.shorewall.net>
Sent: Thursday, May 20, 2004 9:27 AM
Subject: Re: [Shorewall-users] Configuring Shorewall for OpenVPN

> ALParada wrote:
> > This is an equivalent message from shorewall.log.
> >
> > May 20 07:13:59 terminator Shorewall:INPUT:REJECT: IN=eth1 OUT=
> > MAC=00:40:f4:41:74:f2:00:20:6f:14:92:e4:08:00 SRC=68.157.121.227
> > DST=xxx.xxx.88.155 LEN=70 TOS=00 PREC=0x00 TTL=115 ID=57653 CE PROTO=UDP
> > SPT=61495 DPT=5001 LEN=50
>
> The Shorewall-generated rules for OpenVPN assume that the client will
> use the same source and destination port numbers. The above client isn't
> doing that. To accommodate such clients, you can change your tunnels from
>
> openvpn:50xx .....
>
> to:
>
> generic:udp:50xx
>
> -Tom
ALParada wrote:

> Thanks, I will give it a try. I am using WinXP as a client. What makes my
> setup different as far as using different ports? Is this common?

I have no idea -- I've never used OpenVPN.

-Tom
On Thu, 2004-05-20 at 06:01 -0700, Tom Eastep wrote:

> Indeed. Openvpn has this problem worse than other UDP-based applications
> because it always uses the same local port number (500).

I've started using OpenVPN recently and have found that it doesn't seem to use 5000/udp (or the remote port if different) for the source port. In all of my cases, it's been using ephemeral ports for the origination. All of my setups are of the roadwarrior variety, that may have something to do with it.

--
David T Hollis <dhollis@davehollis.com>