I am trying to set up OpenVPN 2.0 beta11 (server/client configuration) and Shorewall. I managed to get it working without Shorewall in the mix. When I start Shorewall this message appears in the logs:

Oct 12 13:41:03 localhost kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:04:5a:7f:92:9f:00:b0:c2:89:68:e4:08:00 SRC=69.145.71.133 DST=216.187.138.18 LEN=42 TOS=0x00 PREC=0x00 TTL=46 ID=11 DF PROTO=UDP SPT=33120 DPT=5000 LEN=22

My tunnels file looks like this:

# TYPE          ZONE    GATEWAY         GATEWAY
#                                       ZONE
openvpn:5000    net     0.0.0.0/0       vpn1

In interfaces:

##############################################################################
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth0            detect          routefilter,nosmurfs
loc     eth1            detect          dhcp
dmz     eth2            detect
vpn1    tun0

In zones:

#ZONE   DISPLAY         COMMENTS
net     Net             Internet
loc     Local           Local Network
dmz     DMZ             Demilitarized Zone
vpn1    VPN             VPN1 user

I have tried these rules out of desperation as well, but they did not work so I took them out:

ACCEPT  net     vpn1    udp     5000
ACCEPT  vpn1    net     udp     5000

So I am confused as to what is happening; shouldn't the tunnel definition open up the correct port? Can anybody offer any guidance with this?

Also, is anybody using the redirect-gateway option in OpenVPN and got it working with Shorewall? What do the config files look like for that?

Thanks,
 _
/-\ ndrew
Andrew Niemantsverdriet wrote:

> Oct 12 13:41:03 localhost kernel: Shorewall:net2all:DROP:IN=eth0 OUT=
> MAC=00:04:5a:7f:92:9f:00:b0:c2:89:68:e4:08:00 SRC=69.145.71.133
> DST=216.187.138.18 LEN=42 TOS=0x00 PREC=0x00 TTL=46 ID=11 DF PROTO=UDP
> SPT=33120 DPT=5000 LEN=22
>
> My tunnels file looks like this:
> # TYPE          ZONE    GATEWAY         GATEWAY
> #                                       ZONE
> openvpn:5000    net     0.0.0.0/0       vpn1
>
> So I am confused as to what is happening; shouldn't the tunnel definition
> open up the correct port?

For the 12,971st time -- Shorewall's 'openvpn' tunnel type assumes that the SOURCE PORT IS 5000 -- from the above message, it is clear that the source port in your case is 33120.

I guess that it is time for another FAQ.....

> Can anybody offer any guidance with this?

Replace your tunnels file entry with:

generic:udp:5000        net     0.0.0.0/0

-Tom

PS -- Beginning with one of the recent 2.1 versions, 'openvpn' and 'generic:udp:5000' have been made synonymous.

-Tom

--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
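The port-matching point in Tom's reply, shown as an added illustration that is not part of the thread and not Shorewall's own code: a small Python parser for the Netfilter/Shorewall log line Andrew posted, plus a model of what the two tunnels entries admit. The sample log lines are constructed (the first mirrors the one in the thread), and modelling the 2.0 'openvpn' entry as requiring both source and destination port 5000 is an assumption on my part; Tom only states the source-port requirement.

```python
import re

# Constructed sample lines modelled on the net2all:DROP message in the thread.
# 1: the thread's packet (ephemeral source port, destination port 5000)
# 2: constructed variant where the peer also sends FROM port 5000
# 3: constructed unrelated TCP SYN drop, to show a line neither entry covers
SAMPLE_LOGS = [
    "Oct 12 13:41:03 localhost kernel: Shorewall:net2all:DROP:IN=eth0 OUT= "
    "MAC=00:04:5a:7f:92:9f:00:b0:c2:89:68:e4:08:00 SRC=69.145.71.133 DST=216.187.138.18 "
    "LEN=42 TOS=0x00 PREC=0x00 TTL=46 ID=11 DF PROTO=UDP SPT=33120 DPT=5000 LEN=22",
    "Oct 12 13:42:10 localhost kernel: Shorewall:net2all:DROP:IN=eth0 OUT= "
    "MAC=00:04:5a:7f:92:9f:00:b0:c2:89:68:e4:08:00 SRC=192.0.2.10 DST=216.187.138.18 "
    "LEN=42 TOS=0x00 PREC=0x00 TTL=46 ID=12 DF PROTO=UDP SPT=5000 DPT=5000 LEN=22",
    "Oct 12 13:43:55 localhost kernel: Shorewall:net2all:DROP:IN=eth0 OUT= "
    "MAC=00:04:5a:7f:92:9f:00:b0:c2:89:68:e4:08:00 SRC=198.51.100.7 DST=216.187.138.18 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=9 DF PROTO=TCP SPT=4321 DPT=22 SYN URGP=0",
]

TAG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):")
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_shorewall_log(line):
    """Parse one Shorewall kernel log line into a dict of its KEY=VALUE fields.

    Returns None if the line carries no Shorewall tag. Netfilter prints LEN twice
    (IP total length, then transport length), so the repeat is stored as LEN_2.
    Bare flags such as DF or SYN have no '=' and are collected in 'flags'.
    """
    tag = TAG_RE.search(line)
    if not tag:
        return None
    fields = {"chain": tag.group("chain"), "disposition": tag.group("disp"), "flags": []}
    for token in line[tag.end():].split():
        m = KV_RE.fullmatch(token)
        if m:
            key, value = m.groups()
            if key in fields:          # second LEN= -> LEN_2
                key = key + "_2"
            fields[key] = value
        else:
            fields["flags"].append(token)
    return fields


def tunnel_matches(fields, tunnel_type, port=5000):
    """Model which inbound packets a Shorewall tunnels entry admits.

    'openvpn'     : per Tom's description of Shorewall 2.0, the peer is assumed to
                    send from PORT, so SPT must equal PORT (requiring DPT == PORT as
                    well is an assumption made here for the model).
    'generic:udp' : any UDP packet whose destination port is PORT, any source port.
    """
    if fields is None or fields.get("PROTO") != "UDP":
        return False
    spt = int(fields.get("SPT", -1))
    dpt = int(fields.get("DPT", -1))
    if tunnel_type == "openvpn":
        return spt == port and dpt == port
    if tunnel_type == "generic:udp":
        return dpt == port
    raise ValueError(f"unknown tunnel type {tunnel_type!r}")


def explain_drops(lines, port=5000):
    """For each Shorewall DROP line, report which tunnels entry would have admitted it."""
    report = []
    for line in lines:
        f = parse_shorewall_log(line)
        if f is None or f["disposition"] != "DROP":
            continue
        report.append({
            "src": f.get("SRC"),
            "proto": f.get("PROTO"),
            "spt": int(f["SPT"]) if "SPT" in f else None,
            "dpt": int(f["DPT"]) if "DPT" in f else None,
            "openvpn": tunnel_matches(f, "openvpn", port),
            "generic_udp": tunnel_matches(f, "generic:udp", port),
        })
    return report


if __name__ == "__main__":
    for entry in explain_drops(SAMPLE_LOGS):
        print(entry)
```

Running it against the thread's line shows the 'openvpn' model rejecting SPT=33120 while 'generic:udp' accepts DPT=5000, which is exactly the mismatch Tom points at; the TCP line is admitted by neither, as expected.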
Tom Eastep wrote:

> For the 12,971st time -- Shorewall's 'openvpn' tunnel type assumes that
> the SOURCE PORT IS 5000 -- from the above message, it is clear that the
> source port in your case is 33120.
>
> I guess that it is time for another FAQ.....

See http://shorewall.net/FAQ.htm#faq40

-Tom

--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
On Tue, 2004-10-12 at 14:15, Tom Eastep wrote:

> Andrew Niemantsverdriet wrote:
>
> > Oct 12 13:41:03 localhost kernel: Shorewall:net2all:DROP:IN=eth0 OUT=
> > MAC=00:04:5a:7f:92:9f:00:b0:c2:89:68:e4:08:00 SRC=69.145.71.133
> > DST=216.187.138.18 LEN=42 TOS=0x00 PREC=0x00 TTL=46 ID=11 DF PROTO=UDP
> > SPT=33120 DPT=5000 LEN=22
> >
> > My tunnels file looks like this:
> > # TYPE          ZONE    GATEWAY         GATEWAY
> > #                                       ZONE
> > openvpn:5000    net     0.0.0.0/0       vpn1
> >
> > So I am confused as to what is happening; shouldn't the tunnel definition
> > open up the correct port?
>
> For the 12,971st time -- Shorewall's 'openvpn' tunnel type assumes that
> the SOURCE PORT IS 5000 -- from the above message, it is clear that the
> source port in your case is 33120.
>
> I guess that it is time for another FAQ.....
>
> > Can anybody offer any guidance with this?
>
> Replace your tunnels file entry with:
>
> generic:udp:5000        net     0.0.0.0/0
>
> -Tom
>
> PS -- Beginning with one of the recent 2.1 versions, 'openvpn' and
> 'generic:udp:5000' have been made synonymous.

OK, well that makes sense. Also, I forgot to mention that the source port changes each time that message appears, but it works now.

I guess the reason I did not try the generic tunnel was that in the OpenVPN documentation on your site I saw Windows mentioned. Then I thought to myself, I don't run Windows, so skip over that part. Now reading it in hindsight I would have tried it first.

Thanks Tom for the speedy reply.

--
 _
/-\ ndrew