Does anyone know of some docs or configuration examples for a Shorewall setup similar to the following:
2 interface firewall router using NAT with a bridged openvpn:
eth0 = wan
br0 = (eth1=lan + tap0=vpn)
openvpn server running in bridge mode
I have read http://www.shorewall.net/bridge.html and http://www.shorewall.net/OPENVPN.html but I am having difficulties pinging through. It seems as though my client is not receiving server messages through tunnel. Any info or ideas would be greatly appreciated.
Thanks, Brent
Check your logs, I have similar setup, if you can share your setup, I'd be glad to help.
joshua
----- Original Message -----
From: Brent Schwartz
To: shorewall-users@lists.sourceforge.net
Sent: Thursday, September 22, 2005 9:40 AM
Subject: [Shorewall-users] firewall-router-openvpn-bridge
My setup is:
br0 Link encap:Ethernet HWaddr 00:40:63:D8:65:23
inet addr:10.0.1.1 Bcast:10.0.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:46865 errors:0 dropped:0 overruns:0 frame:0
TX packets:64375 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:4825128 (4.6 Mb) TX bytes:67995891 (64.8 Mb)
eth0 Link encap:Ethernet HWaddr 00:40:63:D8:67:16
inet addr:11.22.33.44 Bcast:255.255.255.255 Mask:255.255.255.128
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2400493 errors:0 dropped:0 overruns:0 frame:0
TX packets:710597 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:258327786 (246.3 Mb) TX bytes:59751450 (56.9 Mb)
Interrupt:11 Base address:0xa000
eth1 Link encap:Ethernet HWaddr 00:40:63:D8:65:23
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:695219 errors:0 dropped:0 overruns:0 frame:0
TX packets:382672 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:58442854 (55.7 Mb) TX bytes:133912362 (127.7 Mb)
Interrupt:12 Base address:0xc000
tap0 Link encap:Ethernet HWaddr 4A:94:50:92:CF:C5
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:5662 overruns:0 carrier:0 <---notice drops
collisions:0 txqueuelen:500
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
/etc/shorewall/shorewall.conf
BRIDGING=Yes
/etc/shorewall/interfaces
- br0 detect routefilter,dhcp,tcpflags
net eth0 detect routefilter,norfc1918,tcpflags
/etc/shorewall/hosts
vpn br0:tap0
loc br0:eth1
/etc/shorewall/masq
eth0 br0
/etc/shorewall/tunnels
openvpnserver net 55.66.77.88
/etc/shorewall/zones
vpn VPN Virtual Private Network
net Net Internet
loc Local Local Networks
/etc/shorewall/policy
all vpn ACCEPT
vpn all ACCEPT
#
loc net ACCEPT
#loc fw ACCEPT
# If you want open access to the Internet from your Firewall
# remove the comment from the following line.
fw net ACCEPT
net all DROP info
# THE FOLLOWING POLICY MUST BE LAST
all all REJECT info
/etc/openvpn/server-bridged.conf
port 1194
proto udp
dev tap
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh2048.pem
ifconfig-pool-persist /etc/openvpn/ipp.txt
server-bridge 10.0.1.1 255.255.255.0 10.0.1.200 10.0.1.250
push "route 10.0.1.0 255.255.255.0"
push "dhcp-option DNS 10.0.1.1"
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
verb 6
/etc/openvpn/client-bridged.conf
client
dev tap
proto udp
remote 11.22.33.44 1194
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/client.crt
key /etc/openvpn/keys/client.key
comp-lzo
verb 6
On Sep 22, 2005, at 12:36 PM, Joshua Mercado wrote:
Your setup looks right. Anything on your logs?
I'm assuming you are not doing site to site. Try removing your route
entry on openvpn. Correct me if I'm wrong, I use tunX instead of tapX if I want
to be able to route. I usually use it for site to site. But for remote users, I
use tap0 to bridge to my network without a route entry on my openvpn.conf file.
port 1194
local X.X.X.X
dev tapX
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh2048.pem
keepalive 10 120
comp-lzo
persist-key
persist-tun
verb 6
hope it helps.
joshua
----- Original Message -----
From: Brent Schwartz
To: shorewall-users@lists.sourceforge.net
Sent: Thursday, September 22, 2005 1:57 PM
Subject: Re: [Shorewall-users] firewall-router-openvpn-bridge
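As an added example, not from the thread: a check that picks out the counter pattern Brent's tap0 shows above (RX packets 0 while TX dropped keeps climbing). The Linux tun driver counts a frame as TX dropped when no process has the tap open to read it, so on a bridged tap this means OpenVPN is not attached to that device; `dev tap` with no unit number makes OpenVPN open a newly allocated tap rather than a pre-created tap0 that was added to br0, which pinning the unit (Joshua's `dev tapX` line, e.g. `dev tap0`) avoids. The sample counters are copied from the thread, the function name and the log path in the comments are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: flag interfaces whose counters show
# a tap with no reader (RX packets 0, TX dropped > 0). Input is net-tools
# ifconfig text in the format posted above; SAMPLE is constructed from it.
SAMPLE='br0 Link encap:Ethernet HWaddr 00:40:63:D8:65:23
RX packets:46865 errors:0 dropped:0 overruns:0 frame:0
TX packets:64375 errors:0 dropped:0 overruns:0 carrier:0
eth1 Link encap:Ethernet HWaddr 00:40:63:D8:65:23
RX packets:695219 errors:0 dropped:0 overruns:0 frame:0
TX packets:382672 errors:0 dropped:0 overruns:0 carrier:0
tap0 Link encap:Ethernet HWaddr 4A:94:50:92:CF:C5
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:5662 overruns:0 carrier:0'

# dead_taps TEXT: print, one per line, every interface in TEXT whose RX packet
# count is 0 while its TX dropped count is above 0 (the unread-tap signature).
dead_taps() {
    printf '%s\n' "$1" | awk '
        /Link encap/  { iface = $1 }                               # interface header line
        /RX packets:/ { split($2, a, ":"); rx[iface]  = a[2] + 0 } # "packets:N"
        /TX packets:/ { split($4, d, ":"); txd[iface] = d[2] + 0 } # "dropped:N"
        END { for (i in rx) if (rx[i] == 0 && txd[i] > 0) print i }'
}

# On the firewall the same function runs against the live counters, and two
# more lines show which tap is bridged versus which one OpenVPN opened
# (assumed log path; OpenVPN logs "TUN/TAP device tapN opened" at startup):
#   dead_taps "$(ifconfig)"
#   ls /sys/class/net/br0/brif
#   grep 'TUN/TAP device' /var/log/messages
dead_taps "$SAMPLE"
```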