Setup: Windows -> OpenVPN via tun, Shorewall on OpenVPN system.

All works; DHCP from the OpenVPN system uses 10.8.0.0/24, reserving .1 for the server.

Need fixed IP for the Windows system so the OpenVPN server.conf file was modified thus:

    client-config-dir ccd
    route 10.9.0.0 255.255.255.252

In the ccd/clientname file:

    ifconfig-push 10.9.0.1 10.9.0.2

This works inasmuch as the Windows client now gets 10.9.0.1 and the server has 10.9.0.2. However, access (eg pings) fail with:

    Jan 25 12:59:17 server kernel: Shorewall:FORWARD:REJECT:IN=tun0 OUT=tun0 SRC=10.9.0.1 DST=10.9.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=28055 PROTO=ICMP TYPE=8 CODE=0 ID=1024 SEQ=8448

I just can't quite figure out what I need to do to allow the Windows system access to and from the server LAN (10.0.0.0/24) and, of course, to make pings to the server on 10.9.0.2 work.

Thanks for any help -
Keith

-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files for problems? Stop! Download the new AJAX search engine that makes searching your log files as easy as surfing the web. DOWNLOAD SPLUNK!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642
On Wednesday 25 January 2006 07:00, Keith Edmunds wrote:

> Jan 25 12:59:17 server kernel: Shorewall:FORWARD:REJECT:IN=tun0 OUT=tun0
> SRC=10.9.0.1 DST=10.9.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=28055
> PROTO=ICMP TYPE=8 CODE=0 ID=1024 SEQ=8448
>
> I just can't quite figure out what I need to do to allow the Windows
> system access to and from the server LAN (10.0.0.0/24) and, of course,
> to make pings to the server on 10.9.0.2 work.

Set the 'routeback' option on tun0 in /etc/shorewall/interfaces.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
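As an added diagnostic example (not code from the thread or from the Shorewall project), the Python script below parses Shorewall kernel log lines like the one Keith quoted, flags FORWARD rejects whose IN and OUT interface are the same (the hairpin case that Tom's 'routeback' option permits), and checks whether that interface already carries 'routeback' in /etc/shorewall/interfaces. The sample log lines and the two interfaces files are constructed for the example; the ZONE INTERFACE BROADCAST OPTIONS column layout of the interfaces file is assumed.

```python
import re

# Constructed sample log. The first line is the REJECT quoted in the thread;
# the other two are constructed for contrast (a normal tun0 -> eth1 forward
# and a non-FORWARD chain that the hairpin check must ignore).
SAMPLE_LOG = """\
Jan 25 12:59:17 server kernel: Shorewall:FORWARD:REJECT:IN=tun0 OUT=tun0 SRC=10.9.0.1 DST=10.9.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=28055 PROTO=ICMP TYPE=8 CODE=0 ID=1024 SEQ=8448
Jan 25 13:01:02 server kernel: Shorewall:FORWARD:REJECT:IN=tun0 OUT=eth1 SRC=10.9.0.1 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=28056 PROTO=ICMP TYPE=8 CODE=0 ID=1024 SEQ=8449
Jan 25 13:01:05 server kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=7 PROTO=UDP SPT=5353 DPT=5353
"""

# Constructed /etc/shorewall/interfaces, assumed ZONE INTERFACE BROADCAST OPTIONS layout.
INTERFACES_BEFORE = """\
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect
loc     eth1        detect
vpn     tun0        -
"""

# Same file with Tom's fix applied: routeback on tun0.
INTERFACES_AFTER = """\
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect
loc     eth1        detect
vpn     tun0        -           routeback
"""

# Shorewall log prefix is "Shorewall:<chain>:<disposition>:" followed by the
# netfilter key=value fields.
LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<fields>.*)$")


def parse_shorewall_line(line):
    """Return a dict of chain, action and key=value fields, or None if not a Shorewall line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "action": m.group("action")}
    for token in m.group("fields").split():
        if "=" in token:
            key, _, value = token.partition("=")
            # ICMP lines carry two ID= fields (IP header id, then ICMP id);
            # keep the first one so rec["ID"] is the IP id.
            rec.setdefault(key, value)
    return rec


def is_hairpin_reject(rec):
    """True when the FORWARD chain refused a packet going back out the interface it came in on."""
    return (rec is not None
            and rec["chain"] == "FORWARD"
            and rec["action"] in ("REJECT", "DROP")
            and bool(rec.get("IN"))
            and rec.get("IN") == rec.get("OUT"))


def routeback_interfaces(text):
    """Interfaces whose OPTIONS column (4th, comma separated) contains 'routeback'."""
    found = set()
    for raw in text.splitlines():
        cols = raw.split("#", 1)[0].split()
        if len(cols) >= 4 and "routeback" in cols[3].split(","):
            found.add(cols[1])
    return found


def diagnose(log_text, interfaces_text):
    """(interface, src, dst) for each hairpin reject on an interface that lacks routeback."""
    with_routeback = routeback_interfaces(interfaces_text)
    findings = []
    for line in log_text.splitlines():
        rec = parse_shorewall_line(line)
        if is_hairpin_reject(rec) and rec["IN"] not in with_routeback:
            findings.append((rec["IN"], rec["SRC"], rec["DST"]))
    return findings


if __name__ == "__main__":
    for iface, src, dst in diagnose(SAMPLE_LOG, INTERFACES_BEFORE):
        print(f"{src} -> {dst} rejected on {iface}: add 'routeback' to {iface} in /etc/shorewall/interfaces")
    print("after fix:", diagnose(SAMPLE_LOG, INTERFACES_AFTER))
```

The second sample line (tun0 -> eth1) is deliberately not reported: a reject between two different interfaces is a zone policy question, not a routeback one, and needs a rule or policy between the vpn and loc zones instead.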
Have you added the vpn zone into /etc/shorewall/zones and created a default policy or rules for the vpn zone? Remember, the vpn connection becomes a separate zone and you will have to allow/disallow communication as you would with the loc or fw or net zones.

Regards
Ray

Keith Edmunds wrote:
> Setup: Windows -> OpenVPN via tun, Shorewall on OpenVPN system.
>
> All works; DHCP from the OpenVPN system uses 10.8.0.0/24, reserving .1
> for the server.
>
> Need fixed IP for the Windows system so the OpenVPN server.conf file
> was modified thus:
>
> client-config-dir ccd
> route 10.9.0.0 255.255.255.252
>
> In the ccd/clientname file:
>
> ifconfig-push 10.9.0.1 10.9.0.2
>
> This works inasmuch as the Windows client now gets 10.9.0.1 and the
> server has 10.9.0.2. However, access (eg pings) fail with:
>
> Jan 25 12:59:17 server kernel: Shorewall:FORWARD:REJECT:IN=tun0
> OUT=tun0 SRC=10.9.0.1 DST=10.9.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127
> ID=28055 PROTO=ICMP TYPE=8 CODE=0 ID=1024 SEQ=8448
>
> I just can't quite figure out what I need to do to allow the Windows
> system access to and from the server LAN (10.0.0.0/24) and, of course,
> to make pings to the server on 10.9.0.2 work.
>
> Thanks for any help -
> Keith
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
Tom Eastep wrote:
> Set the 'routeback' option on tun0 in /etc/shorewall/interfaces.

Tom, you're a star. Once I'd done that (and realised I should be pinging 10.8.0.1 on the server) it all worked.

Keith