Hi,

I am helping another person to run shorewall (version 2.0.9) and openvpn on a Linksys router's OpenWRT. The openvpn here acts like a client to open a tunnel with another openvpn server.

Things seem OK and running, but I notice that when rebooting, I cannot access the other subnet on the other end; then I found out that shorewall blocks the traffic. When I rerun shorewall, then things are OK again.

I ran shorewall before openvpn in the booting process. Is it necessary that I must run openvpn first and then shorewall?

This openvpn client is using tun0 as tunnel, and all references to it are:

1. interfaces
   # vpn0 tun0
2. policy
   # loc vpn0 ACCEPT
   # vpn0 loc ACCEPT
   # fw vpn0 ACCEPT
   # vpn0 fw ACCEPT
3. zones
   # vpn0 VPN0 OpenVPN

---

Currently my 'tunnels' is empty.

Thank you for your suggestions.

M Lu.

-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
M Lu wrote:
> I am helping another person to run shorewall (version 2.0.9) and openvpn
> on a Linksys router's OpenWRT. The openvpn here acts like a client to open
> a tunnel with another openvpn server.
>
> Things seem OK and running, but I notice that when rebooting, I cannot
> access the other subnet on the other end; then I found out that
> shorewall blocks the traffic. When I rerun shorewall, then things are OK
> again.
>
> I ran shorewall before openvpn in the booting process. Is it necessary
> that I must run openvpn first and then shorewall?
>
<Irrelevant configuration information deleted>
>
> Currently my 'tunnels' is empty.
>

Then you should read the Shorewall OPENVPN documentation and add the appropriate entry to the /etc/shorewall/tunnels file. Then and only then can you start openvpn before you start Shorewall.

-Tom
-- 
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key      \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
>
> Then you should read the Shorewall OPENVPN documentation and add the
> appropriate entry to the /etc/shorewall/tunnels file. Then and only then
> can you start openvpn before you start Shorewall.

s/before/after/

-Tom
Thank you Tom,

I suspected that too. The reason I leave it empty is that I would like to reserve it for another tunnel acting as openvpn-server and use the standard port 1194. However, now when I think again, I should use 'lport' in the OpenVPN configuration to specify the local port and then use that port in the shorewall tunnel.

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: <shorewall-users@lists.sourceforge.net>
Sent: Monday, September 05, 2005 10:58 PM
Subject: Re: [Shorewall-users] The order of running shorewall and openvpn

> > Currently my 'tunnels' is empty.
>
> Then you should read the Shorewall OPENVPN documentation and add the
> appropriate entry to the /etc/shorewall/tunnels file. Then and only then
> can you start openvpn before you start Shorewall.
M Lu wrote:
> I suspected that too. The reason I leave it empty is that I would like
> to reserve it for another tunnel acting as openvpn-server and use the
> standard port 1194. However, now when I think again, I should use 'lport'
> in the OpenVPN configuration to specify the local port and then use that
> port in the shorewall tunnel.
>

Er -- you *can* have multiple entries in /etc/shorewall/tunnels....

-Tom