Hello Tom and all,

Quick question: Is it possible to operate an OpenVPN server from behind a firewall?

Is it as simple as setting it up and placing:

DNAT net loc:192.168.10.20 udp 5000 - ipaddress

--
Paul Slinski
Network Administrator
Global IQX, Inc.

Global IQX is the leader in integrated e-business automation solutions for the group life and health insurance industry. We provide web based solutions for quoting, procurement, distribution and enrollment both on a SEMCI and private labeled basis.

The information transmitted is intended only for the addressee and may contain confidential, proprietary and/or privileged material. If you received this in error, please contact the sender and delete or destroy this message and any copies.
On Wed, 22 Dec 2004, Paul Slinski wrote:

> Hello Tom and all,
>
> Quick question: Is it possible to operate an OpenVPN server from behind
> a firewall?

I don't know.

-Tom

--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Paul Slinski wrote:

> Quick question: Is it possible to operate an OpenVPN server from behind
> a firewall?
>
> Is it as simple as setting it up and placing:
> DNAT net loc:192.168.10.20 udp 5000 - ipaddress

Yes, just forward the port to the internal IP where you need it. So

DNAT net loc:192.168.10.20 udp 5000

is already enough.

--
Regards, Peter

Don't worry about becoming demented, you won't realise it anyway.
- Do you have a Dreambox 7000S? Have a look at http://www.dreamvcr.com
- Also visit http://www.lindeman.org
- ICQ 22383596
- Uptime lindeman.org - 23 days, 19 hours and 41 minutes, 1 user logged in.
On Wed, 22 Dec 2004 20:15:37 +0100 Peter Lindeman <peter@lindeman.nl> wrote:

> Yes, just forward the port to internal IP where you need it.
> So
>
> DNAT net loc:192.168.10.20 udp 5000
>
> is allready enough.

Thank you. Have you done this yourself?

--
Paul Slinski
On Wed, 22 Dec 2004 11:13:54 -0800 (PST) Tom Eastep <teastep@shorewall.net> wrote:

> I don't know.

That's OK Tom. Happy holidays and thank you.

--
Paul Slinski
> Thank you. Have you done this yourself?

I've been doing this for at least 5 months now with about 30 users. I'm also using ProxyARP. Works well for TCP and UDP connections. We mostly use TCP connections because most of our road warriors are at places that are VERY strict about outbound connections. Works exceptionally well, the UDP connections are certainly faster though.

/etc/shorewall/proxyarp
12.26.b.c eth2 eth0 no

/etc/shorewall/rules
DNAT net vpn:192.168.22.230 tcp 443 - 12.26.b.c
DNAT net vpn:192.168.22.230 udp 5000 - 12.26.b.c
On Wed, 22 Dec 2004 14:55:40 -0500 "Matt Burleigh" <matt.burleigh@eiisolutions.net> wrote:

> I've been doing this for at least 5 months now with about 30 users. I'm
> also using ProxyARP. Works well for TCP and UDP connections. We mostly
> use TCP connections because most of our road warriors at places that are
> VERY strict about outbound connections. Works exceptionally well, the
> UDP connections are certainly faster though.

Good to hear.

I suppose it's my setup then that's giving me a headache. I'm trying to connect a Shorewall-filtered firewall to a remote OpenVPN located behind another Shorewall-filtered firewall and not having much luck. I don't think I'll bother the group with this problem though ;-)

--
Paul Slinski
On Wed, 22 Dec 2004 14:55:40 -0500 "Matt Burleigh" <matt.burleigh@eiisolutions.net> wrote:

> /etc/shorewall/proxyarp
> 12.26.b.c eth2 eth0 no
>
> /etc/shorewall/rules
> DNAT net vpn:192.168.22.230 tcp 443 - 12.26.b.c
> DNAT net vpn:192.168.22.230 udp 5000 - 12.26.b.c

Do you mind if I ask what the proxyarp entry is for? And which is your internal/external?

--
Paul Slinski
I'm confused (and yes, that happens a lot, so please forgive me in advance). You say that it's possible to put a NATing Shorewall box in between two VPN endpoints? Shouldn't this break the VPN connection? Anything that modifies the packet header information should be considered an integrity violation of the packet and should be dropped. At least that's how IPSec works. Can someone please enlighten me because right now my brain hurts and baby Jesus is crying.

-Gary
Gary wrote on 23/12/2004 12:41:42:

> I'm confused (and yes, that happens a lot, so please forgive me in
> advance). You say that its possible to put a NATing shorewall box in
> between two VPN endpoints? Shouldn't this break the VPN connection?
> Anything that modifies the packet header information should be
> considered an integrity violation of the packet and should be dropped.
> At least that's how IPSec works. Can someone please enlighten me
> because right now my brain hurts and baby Jesus is crying.

I have an IPSEC box inside my DMZ that is NATed and connects to an external bureau through a Shorewall firewall. IIRC, people on the other side configured their box to connect to one of my external addresses that is DNATed by Shorewall and routed to the box in the DMZ. For the DMZ box, the connection comes from the external bureau; it accepts it and goes. Based on this, I don't see why a DNATed OpenVPN solution should not work...

cheers,
________________________
Eduardo Ferreira
Icatu Holding S.A.
IT Supervisor
(5521) 3804-8606
On Thursday 23 December 2004 06:41, Gary Buckmaster wrote:

> I'm confused (and yes, that happens a lot, so please forgive me in
> advance). You say that its possible to put a NATing shorewall box in
> between two VPN endpoints? Shouldn't this break the VPN connection?
> Anything that modifies the packet header information should be
> considered an integrity violation of the packet and should be dropped.
> At least that's how IPSec works. Can someone please enlighten me
> because right now my brain hurts and baby Jesus is crying.

NAT will break IPSEC if AH is turned on. With AH, IPSEC embeds information about the source address in the encrypted packet so the recipient rejects a packet if the source IP has changed. If AH is turned off, IPSEC can be NATed. Since IPSEC also has ESP, AH is only needed for extremely paranoid applications.

It has been a while since I looked at the source, but I think OpenVPN uses SHA (?) to verify the integrity of the encapsulated packet data but doesn't concern itself with the source. Since OpenVPN effectively fits in at the datalink layer, this makes sense.

--
Stephen Carville
Systems and Network Administrator
310-342-3602
stephen@totalflood.com
On Thu, 23 Dec 2004, Gary Buckmaster wrote:

> Anything that modifies the packet header information should be
> considered an integrity violation of the packet and should be dropped.
> At least that's how IPSec works.

That is the way that the AH protocol works -- you can use IPSec without AH.

-Tom
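The point Stephen and Tom make above, as an added example that is not from the thread: an integrity tag that covers the outer source address (as AH does) fails once a NAT box rewrites that address, while a tag over only the encapsulated payload (the ESP/OpenVPN approach) still verifies. The key, the public addresses (203.0.113.x) and the remapped source port are constructed; 192.168.22.230 is the VPN server address from Matt's rules.

```python
import hashlib
import hmac
import socket

KEY = b"constructed demo key, not a real tunnel secret"


def ah_style_tag(src_ip, dst_ip, payload, key=KEY):
    """AH-style check: the tag covers immutable outer header fields
    (modelled here as source and destination address) plus the payload."""
    msg = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + payload
    return hmac.new(key, msg, hashlib.sha1).digest()


def payload_only_tag(payload, key=KEY):
    """ESP/OpenVPN-style check: only the encapsulated data is
    authenticated; the outer address and port are left to the network."""
    return hmac.new(key, payload, hashlib.sha1).digest()


def verify_ah(pkt, key=KEY):
    expected = ah_style_tag(pkt["src_ip"], pkt["dst_ip"], pkt["payload"], key)
    return hmac.compare_digest(expected, pkt["tag"])


def verify_payload_only(pkt, key=KEY):
    return hmac.compare_digest(payload_only_tag(pkt["payload"], key), pkt["tag"])


def nat_rewrite(pkt, new_src_ip, new_src_port):
    """Model the firewall rewriting the outer header (DNAT/MASQ);
    the tag carried inside the packet is passed through untouched."""
    out = dict(pkt)
    out["src_ip"] = new_src_ip
    out["src_port"] = new_src_port
    return out


def demo():
    payload = b"encrypted tunnel frame (constructed)"
    base = {"src_ip": "192.168.22.230", "src_port": 5000,
            "dst_ip": "203.0.113.7", "dst_port": 5000, "payload": payload}
    ah = dict(base, tag=ah_style_tag(base["src_ip"], base["dst_ip"], payload))
    esp = dict(base, tag=payload_only_tag(payload))
    # The firewall swaps the private source for its public address and,
    # as can happen with NAT, remaps the source port as well.
    ah_natted = nat_rewrite(ah, "203.0.113.1", 40123)
    esp_natted = nat_rewrite(esp, "203.0.113.1", 40123)
    return {"ah_direct": verify_ah(ah), "ah_via_nat": verify_ah(ah_natted),
            "payload_only_direct": verify_payload_only(esp),
            "payload_only_via_nat": verify_payload_only(esp_natted)}


if __name__ == "__main__":
    print(demo())
```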
>> /etc/shorewall/proxyarp
>> 12.26.b.c eth2 eth0 no
>>
>> /etc/shorewall/rules
>> DNAT net vpn:192.168.22.230 tcp 443 - 12.26.b.c
>> DNAT net vpn:192.168.22.230 udp 5000 - 12.26.b.c
>
> Do you mind if I ask what the proxyarp entry is for? and which is your
> internal/external?

I use ProxyARP to make the VPN server appear to be in front of the firewall. You don't have to do this, but this way I can assign the VPN server its own dedicated IP without having to put it in the DMZ or NET zones. I have a dedicated zone for the VPN servers. The external (net) is eth0 and the internal (vpn) is eth1. The VPN servers have their own dedicated IP on the Internet, but they actually are using a private IP which I simply DNAT to. Because I have a full class C space, I can afford to give the VPN server its own dedicated Internet IP.
On Thu, 2004-12-23 at 13:25 -0500, Matt Burleigh wrote:

> >> /etc/shorewall/proxyarp
> >> 12.26.b.c eth2 eth0 no
> >>
> >> /etc/shorewall/rules
> >> DNAT net vpn:192.168.22.230 tcp 443 - 12.26.b.c
> >> DNAT net vpn:192.168.22.230 udp 5000 - 12.26.b.c
> >
> > Do you mind if I ask what the proxyarp entry is for? and which is your
> > internal/external?
>
> I use ProxyARP to make the VPN server appear to be in front of the
> firewall.

Is it the 12.26.b.c that you are including in your /etc/shorewall/proxyarp file? If so, a more conventional approach would be to define that IP address as a secondary address on your firewall's external interface (see http://shorewall.net/Shorewall_and_Aliased_Interfaces.html).

-Tom
On Wed, 2004-12-22 at 15:09 -0500, Paul Slinski wrote:

> On Wed, 22 Dec 2004 14:55:40 -0500
> "Matt Burleigh" <matt.burleigh@eiisolutions.net> wrote:
>
> > I've been doing this for at least 5 months now with about 30 users. I'm
> > also using ProxyARP. Works well for TCP and UDP connections. We mostly
> > use TCP connections because most of our road warriors at places that are
> > VERY strict about outbound connections. Works exceptionally well, the
> > UDP connections are certainly faster though.
>
> Good to hear.
>
> I suppose it's my setup then that's giving me a headache.
> I'm trying to connect a Shorewall-filtered firewall to a remote OpenVPN
> located behind another shorewall-filtered firewall and not having much
> luck.

Unless you are running a late Shorewall 2.2.0 Beta or RC1, I recommend that you use generic UDP tunnels (/etc/shorewall/tunnels) rather than openvpn on the first firewall; NAT on the other end can remap the source port, which will cause the first firewall to reject OpenVPN traffic when you use the 'openvpn' tunnel type.

-Tom
On Fri, 24 Dec 2004 17:18:43 -0800 Tom Eastep <teastep@shorewall.net> wrote:

> Unless you are running a late Shorewall 2.2.0 Beta or RC1, I recommend
> that you use generic UDP tunnels (/etc/shorewall/tunnels) rather than
> openvpn on the first firewall; NAT on the other end can remap the source
> port which will cause the first firewall to reject Open VPN traffic
> which you use the 'openvpn' tunnel type.

Thanks Tom. I'll give that a shot.

--
Paul Slinski
Network Administrator
Global IQX, Inc. - http://www.globaliqx.com/