Hi, I am new to VPN and OpenVPN with Shorewall. I tried a lot and read a bunch of howtos, but nothing helped, so I came here.

I want to tunnel all requests to my server 141.48.XXX.XXX from my home network through port 443. I want to do this because this is the only way I can connect to my server using ssh or any other tool or port. On port 80 Apache is running, so I only have the https port 443 to tunnel over. The university is providing a Windows VPN client to use the ssh and FTP ports, but this client is unavailable for Linux. And there is no way ahead with openSWAN or strongSWAN. So this is my last chance to administrate my server remotely without using the car :-)

I read http://www.shorewall.net/OPENVPN.html

It's nearly what I want, except that the system I want to tunnel to is system B. So I don't want system B to forward connections to any other system. And that's my question: how can I tunnel every request from my home network to my server over port 443 so that I can use SSH and FTP?

THX a lot for any help.
Bjoern

My scenario is the following:

 ___________________        _________________________________________
| my Home Clients   |      | My Gateway w. Shorewall                 |
| 10.0.123.0/24     |----->| eth1: 10.0.123.1  eth0: 127.129.103.106 |
|___________________|      |_________________________________________|
                                          |
                           _______________|________________
                          | Gateway of the Student-Network |
                          ----------------------------------
                                          |
                                      __________
                                     | Internet |
                                     ------------
                                          |
                           _______________|_____________________
                          | Firewall I don't have access to and |
                          | that only forwards connections on   |
                          | Port 80 and 443                     |
                          ---------------------------------------
                                          |
                                __________|_______________
                               | My server                |
                               | with a legal Internet IP |
                               | 141.48.XXX.XXX           |
                               ----------------------------
Bjoern Olausson wrote:
> I want to tunnel all request to my server 141.48.XXX.XXX from my home
> network throu port 443.
> I want to do this because this is the only way I can connect to my
> server using ssh or ony other tool or port. On Port 80 Apache is
> running, so I only have the https port 443 to tunnel over.

Unfortunately, you are talking about TCP port 443 and OpenVPN is UDP-based.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom and Bjoern,

- Actually OpenVPN supports TCP too, and I helped a friend to use that same port, 443.

- On Shorewall I have the following in the 'tunnels' file:

  generic:tcp:443   net   0.0.0.0/0   vpn3

  Other than that everything is the same as for normal UDP.

- In the openvpn.conf I have:

  proto tcp-server
  port 443

  Again, the rest is the same as for UDP.

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Bjoern Olausson" <spamsuxx@gmail.com>; "Mailing List for Shorewall Users" <shorewall-users@lists.shorewall.net>
Sent: Saturday, October 23, 2004 10:43 AM
Subject: Re: [Shorewall-users] OpenVPN tunnel question

> Unfortunately, you are talking about TCP port 443 and OpenVPN is
> UDP-based.
>
> -Tom
M Lu wrote:
> Tom and Bjoern,
>
> - Actually OpenVPN also supports TCP too and I helped a friend to use
> that same port, 443.
> - On shorewall I have the following in 'tunnels' file
>   generic:tcp:443 net 0.0.0.0/0 vpn3
> other than that everything is same as for normal UDP.
>
> - In the openvpn.conf I have
>   proto tcp-server
>   port 443
> again the rest is same as for UDP.

Thanks! I stand corrected.

-Tom
Tom Eastep wrote:
> M Lu wrote:
>
>>> Tom and Bjoern,
>>>
>>> - Actually OpenVPN also supports TCP too and I helped a friend to use
>>> that same port, 443.
>>> - On shorewall I have the following in 'tunnels' file
>>>   generic:tcp:443 net 0.0.0.0/0 vpn3

BTW -- the GATEWAY ZONE column is ignored for all tunnel types except ipsec[nat].

>>> other than that everything is same as for normal UDP.
>>>
>>> - In the openvpn.conf I have
>>>   proto tcp-server
>>>   port 443
>>> again the rest is same as for UDP.
>>>
>
> Thanks! I stand corrected.

Just for my own education, how is the performance when using TCP? TCP seems ill-suited for use as an encapsulation protocol.

-Tom
On Sat, 23 Oct 2004 09:00:33 -0700, Tom Eastep <teastep@shorewall.net> wrote:
> BTW -- the GATEWAY ZONE column is ignored for all tunnel types except
> ipsec[nat].
>
> Just for my own education, how is the performance when using TCP? TCP
> seems ill-suited for use as an encapsulation protocol.
>
> -Tom

Mh, okay, but how do I have to configure my systems correctly? I am absolutely new to VPN and tunneling. What settings do I have to use for the server and my gateway? The tun module I have already compiled, but I am not sure how to configure Shorewall and OpenVPN. How far can I follow the HowTo I mentioned in my first post?

THX a lot for the help,
Bjoern
> M Lu wrote:
>> Tom and Bjoern,
>>
>> - Actually OpenVPN also supports TCP too and I helped a friend to use
>> that same port, 443.
>> - On shorewall I have the following in 'tunnels' file
>>   generic:tcp:443 net 0.0.0.0/0 vpn3
>> other than that everything is same as for normal UDP.
>>
>> - In the openvpn.conf I have
>>   proto tcp-server
>>   port 443
>> again the rest is same as for UDP.
>>
>
> Thanks! I stand corrected.

Tom, you were not really wrong. TCP usage is a new feature in OpenVPN, which was not available when the Shorewall OpenVPN docs were done. And then, UDP is still the preferred protocol.

Simon
Bjoern Olausson wrote:
> Mh, okay, but how do I have to configure my systmes correctly? I am
> abolutely new to VPN an tunneling? What settings do I have to use for
> The server and my gateway? The tun module I have already compiled,
> but I am not sure how to configure shorewall and the OpenVPN?
> How far can I follow the the HowTo I mentioned in my first post?

The Shorewall setup is identical except that you want the following policies:

  fw    vpn   ACCEPT
  vpn   fw    ACCEPT

From my earlier posts in the thread, it's clear that OpenVPN isn't a subject that I know much about :-)

-Tom
Tom Eastep wrote:
> Bjoern Olausson wrote:
>
>>> Mh, okay, but how do I have to configure my systmes correctly? I am
>>> abolutely new to VPN an tunneling? What settings do I have to use for
>>> The server and my gateway? The tun module I have already compiled,
>>> but I am not sure how to configure shorewall and the OpenVPN?
>>> How far can I follow the the HowTo I mentioned in my first post?
>
> The Shorewall setup is identical except that you want the following
> policies:
>
>   fw    vpn   ACCEPT
>   vpn   fw    ACCEPT

Sorry -- looked at your folded ASCII art again and see that your Shorewall setup will be just as it is in the HOWTO -- you can add the above policies if you need access to the server from your Shorewall box.

-Tom
Tom Eastep wrote:
> Tom Eastep wrote:
>>> The Shorewall setup is identical except that you want the following
>>> policies:
>>>
>>>   fw    vpn   ACCEPT
>>>   vpn   fw    ACCEPT
>
> Sorry -- looked at your folded ASCII art again and see that your
> Shorewall setup will be just as it is in the HOWTO -- you can add the
> above policies if you need access to the server from your Shorewall box.

And as M Lu points out, your entry in /etc/shorewall/tunnels needs to be changed to a generic TCP tunnel on port 443.

-Tom
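The pieces the thread converges on (M Lu's `proto tcp-server` / `port 443` and `generic:tcp:443` tunnel entry, the OPENVPN HOWTO's vpn zone on tun0, and the `fw vpn` / `vpn fw` policies Tom adds) are scattered over several messages. The script below is an added example, not code from the thread, from Shorewall or from OpenVPN: it writes the server, client and Shorewall fragments into a scratch directory and checks that the three agree on layer-4 protocol and port, which is where a first TCP-on-443 setup usually goes wrong. Assumptions, none of which come from the thread: OpenVPN 2.0-style `server`/`client` directives, Shorewall 2.x column layouts, a 10.8.0.0/24 tunnel subnet, the certificate file names, `nobody`/`nogroup` as the unprivileged account, and `SERVER_IP` (TEST-NET-1 by default) as a placeholder for the server's public address.

```shell
#!/bin/sh
# Added example (not from the thread, Shorewall or OpenVPN). Writes the
# OpenVPN-over-TCP-443 fragments and checks server, client and firewall
# agree. Tunnel subnet, cert names, user/group and SERVER_IP are assumptions.

SERVER_IP=${SERVER_IP:-192.0.2.10}   # placeholder, not the thread's 141.48.XXX.XXX

# OpenVPN server config for the host behind the port-80/443-only firewall.
write_server_conf() {
  cat >"$1" <<'EOF'
dev tun
proto tcp-server
port 443
server 10.8.0.0 255.255.255.0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
keepalive 10 60
persist-key
persist-tun
user nobody
group nogroup
EOF
}

# OpenVPN client config for the home Shorewall gateway.
write_client_conf() {
  cat >"$1" <<EOF
client
dev tun
proto tcp-client
remote $SERVER_IP 443
nobind
ca ca.crt
cert home.crt
key home.key
tls-auth ta.key 1
persist-key
persist-tun
EOF
}

# First value of a directive, e.g. ovpn_value server.conf port -> 443
ovpn_value() { awk -v k="$2" '$1 == k { print $2; exit }' "$1"; }

# Port from the client's "remote HOST PORT" line
client_remote_port() { awk '$1 == "remote" { print $3; exit }' "$1"; }

# Server and client must agree on dev type, TCP role and port.
check_pair() {
  s=$1; c=$2
  [ "$(ovpn_value "$s" dev)" = "$(ovpn_value "$c" dev)" ] || { echo "dev mismatch" >&2; return 1; }
  [ "$(ovpn_value "$s" proto)" = tcp-server ] || { echo "server is not tcp-server" >&2; return 1; }
  [ "$(ovpn_value "$c" proto)" = tcp-client ] || { echo "client is not tcp-client" >&2; return 1; }
  [ "$(ovpn_value "$s" port)" = "$(client_remote_port "$c")" ] || { echo "port mismatch" >&2; return 1; }
}

# /etc/shorewall/tunnels line (TYPE ZONE GATEWAY) derived from an OpenVPN config.
# The GATEWAY ZONE column is left out: Shorewall ignores it for generic tunnels.
tunnels_line_for() {
  case $(ovpn_value "$1" proto) in
    tcp-server|tcp-client|tcp) l4=tcp ;;
    udp|'') l4=udp ;;
    *) return 1 ;;
  esac
  port=$(ovpn_value "$1" port)
  [ -n "$port" ] || port=$(client_remote_port "$1")
  printf 'generic:%s:%s net %s\n' "$l4" "${port:-1194}" "$2"
}

# Shorewall fragments for the home gateway: HOWTO vpn zone plus fw<->vpn policies.
write_shorewall_fragments() {
  d=$1
  printf '#ZONE DISPLAY COMMENTS\nvpn   VPN   OpenVPN tunnel to the server\n' >"$d/zones"
  printf '#ZONE INTERFACE BROADCAST OPTIONS\nvpn   tun0\n' >"$d/interfaces"
  tunnels_line_for "$d/client.conf" "$SERVER_IP" >"$d/tunnels"
  printf '#SOURCE DEST POLICY\nloc vpn ACCEPT\nvpn loc ACCEPT\nfw vpn ACCEPT\nvpn fw ACCEPT\n' >"$d/policy"
}

# True when the policy file has an ACCEPT line for SOURCE -> DEST.
policy_allows() { awk -v s="$1" -v d="$2" '$1 == s && $2 == d && $3 == "ACCEPT" { ok = 1 } END { exit !ok }' "$3"; }

main() {
  d=$(mktemp -d)
  write_server_conf "$d/server.conf"
  write_client_conf "$d/client.conf"
  write_shorewall_fragments "$d"
  check_pair "$d/server.conf" "$d/client.conf" || return 1
  policy_allows fw vpn "$d/policy" && policy_allows vpn fw "$d/policy" || return 1
  echo "fragments written to $d; tunnels entry:"; cat "$d/tunnels"
}

main
```

Run it once, copy `server.conf` to `/etc/openvpn/` on the server and `client.conf` plus the four Shorewall fragments to the home gateway, then restart both. Two points the thread only touches on: the tunnels GATEWAY is the server's address rather than M Lu's `0.0.0.0/0`, so Shorewall opens TCP 443 only towards that one peer; and Tom's doubt about TCP is well founded, because when packets are lost both the inner SSH/FTP connection and the outer OpenVPN connection retransmit and throughput collapses, so Simon's preference for UDP stands wherever UDP is not blocked.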