Hello, I need to connect 2 remote sites with a VPN so that the Windows PCs of the 2 sites can share their hard disks and printers. This is my configuration:

LOCAL NETWORK A: IPs from 192.168.10.2 to 192.168.10.99
      |
  eth0: 192.168.10.1
FIREWALL A (Debian; OpenVPN ver. 2.0.beta15; Shorewall ver. 2.0.11)
  eth1: xxx.xxx.xxx.xxx (public IP address)
      |
   INTERNET
      |
  eth1: yyy.yyy.yyy.yyy (public IP address)
FIREWALL B (Debian; OpenVPN ver. 2.0.beta15; Shorewall ver. 2.0.11)
  eth0: 192.168.10.201
      |
LOCAL NETWORK B: IPs from 192.168.10.202 to 192.168.10.244

On FIREWALL A I run OpenVPN as an Ethernet bridge tunnel, and the VPN on FIREWALL B connects to FIREWALL A. The 2 local networks can see each other and the Windows PCs can print to one another.

After I enabled the 2 firewalls (Shorewall) with the configuration that I downloaded from the howto http://shorewall.net/two-interface.htm, I changed the configuration to enable OpenVPN following the instructions here: http://shorewall.net/OPENVPN.html, but now the VPN does not work and the log file contains, for example, information like this:

Dec 1 15:38:57 dnsprova kernel: Shorewall:all2all:REJECT:IN=br0 OUT=eth1 PHYSIN=eth0 SRC=192.168.10.221 DST=62.123.105.181 LEN=50 TOS=0x00 PREC=0x00 TTL=127 ID=1176 PROTO=UDP SPT=1045 DPT=53 LEN=30

How can I configure Shorewall to permit my VPN?

Configuration on FIREWALL B:

/etc/shorewall/interfaces :
    net     eth1    detect    tcpflags,dhcp,routefilter,norfc1918
    loc     eth0    detect    tcpflags
    vpn     br0

/etc/shorewall/zone :
    net     Net       Internet
    loc     Local     Local Networks
    vpn     Vpn       prova vpn obe

/etc/shorewall/masq :
    eth1    192.168.10.0/24

/etc/shorewall/policy :
    loc     net     ACCEPT
    # If you want open access to the Internet from your Firewall
    # remove the comment from the following line.
    fw      net     ACCEPT
    net     all     DROP      info
    # THE FOLLOWING POLICY MUST BE LAST
    all     all     REJECT    info
    # for openvpn oberdan
    vpn     all     ACCEPT
    all     vpn     ACCEPT

/etc/shorewall/tunnels :
    openvpn    net    xxx.xxx.xxx.xxx

===================================================================
SCRIPT to run the VPN on FIREWALL A:

#!/bin/sh
# create the tap device and bridge it with the LAN interface
/usr/local/sbin/openvpn --mktun --dev tap0
/usr/sbin/brctl addbr br0
/usr/sbin/brctl addif br0 tap0
/usr/sbin/brctl addif br0 eth0
/sbin/ifconfig tap0 0.0.0.0 promisc up
/sbin/ifconfig eth0 0.0.0.0 promisc up
# the bridge carries the LAN address; broadcast must match 192.168.10.0/24 (was 192.168.0.255)
/sbin/ifconfig br0 192.168.10.1 netmask 255.255.255.0 broadcast 192.168.10.255
# server side of the static-key tunnel
/usr/local/sbin/openvpn --tun-mtu 1500 --tun-mtu-extra 64 --dev tap0 --secret /etc/openvpn/static.key --ping 40 --float --comp-lzo --daemon

===================================================================
SCRIPT to run the VPN on FIREWALL B:

#!/bin/sh
# create the tap device and bridge it with the LAN interface
/usr/local/sbin/openvpn --mktun --dev tap0
/usr/sbin/brctl addbr br0
/usr/sbin/brctl addif br0 tap0
/usr/sbin/brctl addif br0 eth0
/sbin/ifconfig tap0 0.0.0.0 promisc up
/sbin/ifconfig eth0 0.0.0.0 promisc up
# the bridge carries the LAN address; broadcast must match 192.168.10.0/24 (was 192.168.0.255)
/sbin/ifconfig br0 192.168.10.201 netmask 255.255.255.0 broadcast 192.168.10.255
# client side of the static-key tunnel, connecting to FIREWALL A
/usr/local/sbin/openvpn --tun-mtu 1500 --tun-mtu-extra 64 --dev tap0 --ping 40 --float --comp-lzo --secret /etc/openvpn/static.key --remote xxx.xxx.xxx.xxx --daemon

========================================================================
On Thu, 2004-12-02 at 16:27 +0100, Oberdan Albertoni wrote:

> /etc/shorewall/policy :
> loc net ACCEPT
> # If you want open access to the Internet from your Firewall
> # remove the comment from the following line.
> fw net ACCEPT
> net all DROP info
> # THE FOLLOWING POLICY MUST BE LAST

What does the comment above say?

> all all REJECT info
> # for openvpn oberdan

Then why did you put these policies down here?

> vpn all ACCEPT
> all vpn ACCEPT

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> On Thu, 2004-12-02 at 16:27 +0100, Oberdan Albertoni wrote:
>
>> /etc/shorewall/policy :
>> loc net ACCEPT
>> # If you want open access to the Internet from your Firewall
>> # remove the comment from the following line.
>> fw net ACCEPT
>> net all DROP info
>> # THE FOLLOWING POLICY MUST BE LAST
>
> What does the comment above say?
>
>> all all REJECT info
>> # for openvpn oberdan
>
> Then why did you put these policies down here?
>
>> vpn all ACCEPT
>> all vpn ACCEPT
>
> -Tom

Thank you for your reply. I put the line at the end of the file; now I have:

/etc/shorewall/policy :
    # If you want open access to the Internet from your Firewall
    # remove the comment from the following line.
    fw      net     ACCEPT
    net     all     DROP      info
    loc     vpn     ACCEPT
    all     vpn     ACCEPT
    # THE FOLLOWING POLICY MUST BE LAST
    all     all     REJECT    info
    #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

but Shorewall still does not permit the VPN. If I try to resolve DNS from a local PC:

Dec 2 18:10:45 dnsprova kernel: Shorewall:FORWARD:REJECT:IN=br0 OUT=eth1 PHYSIN=eth0 SRC=192.168.10.221 DST=62.123.105.181 LEN=62 TOS=0x00 PREC=0x00 TTL=127 ID=433 PROTO=UDP SPT=1039 DPT=53 LEN=42

If I ping 1 PC from local network A to local network B:

Dec 2 18:08:25 dnsprova kernel: Shorewall:FORWARD:REJECT:IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=tap0 SRC=192.168.10.221 DST=192.168.10.100 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=429 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=2048

By Obe.
On Thu, 2004-12-02 at 18:23 +0100, Oberdan Albertoni wrote:

> but Shorewall still does not permit the VPN. If I try to resolve DNS from a
> local PC:
>
> Dec 2 18:10:45 dnsprova kernel: Shorewall:FORWARD:REJECT:IN=br0
> OUT=eth1 PHYSIN=eth0 SRC=192.168.10.221 DST=62.123.105.181 LEN=62
> TOS=0x00 PREC=0x00 TTL=127 ID=433 PROTO=UDP SPT=1039 DPT=53 LEN=42
>
> If I ping 1 PC from local network A to local network B:
>
> Dec 2 18:08:25 dnsprova kernel: Shorewall:FORWARD:REJECT:IN=br0 OUT=br0
> PHYSIN=eth0 PHYSOUT=tap0 SRC=192.168.10.221 DST=192.168.10.100 LEN=60
> TOS=0x00 PREC=0x00 TTL=128 ID=429 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=2048

You must specify the 'routeback' option on your bridge device in /etc/shorewall/interfaces. See Shorewall FAQ #35.

-Tom
On Thu, 2004-12-02 at 09:35 -0800, Tom Eastep wrote:
> On Thu, 2004-12-02 at 18:23 +0100, Oberdan Albertoni wrote:
>
>> but Shorewall still does not permit the VPN. If I try to resolve DNS from a
>> local PC:
>>
>> Dec 2 18:10:45 dnsprova kernel: Shorewall:FORWARD:REJECT:IN=br0
>> OUT=eth1 PHYSIN=eth0 SRC=192.168.10.221 DST=62.123.105.181 LEN=62
>> TOS=0x00 PREC=0x00 TTL=127 ID=433 PROTO=UDP SPT=1039 DPT=53 LEN=42
>>
>> If I ping 1 PC from local network A to local network B:
>>
>> Dec 2 18:08:25 dnsprova kernel: Shorewall:FORWARD:REJECT:IN=br0 OUT=br0
>> PHYSIN=eth0 PHYSOUT=tap0 SRC=192.168.10.221 DST=192.168.10.100 LEN=60
>> TOS=0x00 PREC=0x00 TTL=128 ID=429 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=2048
>
> You must specify the 'routeback' option on your bridge device
> in /etc/shorewall/interfaces. See Shorewall FAQ #35.

And if you have any more problems, please include the information requested at http://shorewall.net/support.htm.

The first message above indicates that either the source or destination host is not in any of your defined zones; that won't be fixed by setting 'routeback'.

-Tom
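As an added example (not code from the thread or from Shorewall), a small Python script that parses the REJECT lines quoted in this thread and maps each to the fix Tom names: IN equal to OUT on the bridge calls for 'routeback', a reject logged from the FORWARD chain means no zone pair matched, and a reject logged from all2all means the packet fell through to the catch-all policy. It also flags policy lines placed after 'all all', which Tom's first reply points out are never consulted. The log lines and policy excerpt are constructed copies of those in the thread; parse_log, diagnose and unreachable_policies are hypothetical helper names.

```python
import re
# Constructed sample input: the three reject lines quoted in this thread.
LOG_LINES = [
    "Dec  1 15:38:57 dnsprova kernel: Shorewall:all2all:REJECT:IN=br0 OUT=eth1 PHYSIN=eth0 SRC=192.168.10.221 DST=62.123.105.181 LEN=50 TOS=0x00 PREC=0x00 TTL=127 ID=1176 PROTO=UDP SPT=1045 DPT=53 LEN=30",
    "Dec  2 18:10:45 dnsprova kernel: Shorewall:FORWARD:REJECT:IN=br0 OUT=eth1 PHYSIN=eth0 SRC=192.168.10.221 DST=62.123.105.181 LEN=62 TOS=0x00 PREC=0x00 TTL=127 ID=433 PROTO=UDP SPT=1039 DPT=53 LEN=42",
    "Dec  2 18:08:25 dnsprova kernel: Shorewall:FORWARD:REJECT:IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=tap0 SRC=192.168.10.221 DST=192.168.10.100 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=429 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=2048",
]
# Constructed excerpt of the first /etc/shorewall/policy posted in the thread.
POLICY_V1 = """\
net all DROP info
# THE FOLLOWING POLICY MUST BE LAST
all all REJECT info
# for openvpn oberdan
vpn all ACCEPT
all vpn ACCEPT
"""
PREFIX = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<rest>.*)")

def parse_log(line):
    """Split a Shorewall kernel log line into chain, action and key=value fields."""
    m = PREFIX.search(line)
    if not m:
        return None  # not a Shorewall log line
    rec = {"chain": m.group("chain"), "action": m.group("action")}
    for key, val in re.findall(r"(\w+)=(\S+)", m.group("rest")):
        rec.setdefault(key, val)  # LEN and ID repeat (IP header vs payload); keep the first
    return rec

def diagnose(rec):
    """Map a parsed reject to the fix Tom gives in the thread (hypothetical helper)."""
    if rec.get("IN") == rec.get("OUT"):
        return "hairpin through %s: set 'routeback' on it in /etc/shorewall/interfaces" % rec["IN"]
    if rec["chain"] == "FORWARD":
        return "no zone pair matched: SRC or DST is not in any defined zone"
    if rec["chain"] == "all2all":
        return "hit the all->all catch-all: put the specific policy before 'all all REJECT'"
    return "rejected in chain %s" % rec["chain"]

def unreachable_policies(policy_text):
    """Return policy lines that follow the 'all all' catch-all; Shorewall never reaches them."""
    seen_catchall, late = False, []
    for raw in policy_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if line and seen_catchall:
            late.append(line)
        elif line.split()[:2] == ["all", "all"]:
            seen_catchall = True
    return late
```

Run diagnose(parse_log(entry)) over LOG_LINES to get one suggestion per rejected packet, and unreachable_policies(POLICY_V1) to list the two vpn policies that the first posted file placed after the catch-all.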