Good day,

I have gone through a couple of the HOWTOs on how to get this to work, but I am still sitting with a very strange (for me) issue.

If two clients connect via OpenVPN (bridged), they can access each other without any problems, but neither of them can access the server, nor any system behind it.

I am fairly sure it is a Shorewall issue, but I am very new to Shorewall, having moved over from Turtlefirewall about a week ago.

Here are my configs:

IP Forwarding is enabled.

Zones:
    lan     lan
    ext     internet
    vpn     tun

Interfaces:
    lan     br0     detect
    ext     ppp0    detect    norfc1918,routefilter
    vpn     tun0    detect
    vpn     tap0    detect

Policy:
    $FW     all     ACCEPT    debug
    lan     all     ACCEPT    debug
    ext     all     DROP      debug
    vpn     all     ACCEPT    debug
    all     vpn     ACCEPT    debug

Rules:
    ACCEPT          all     $FW     tcp     22
    ACCEPT:debug    all     $FW     udp     1195
    ACCEPT          all     $FW     udp     1196

Tunnels:
    openvpnserver:1196    ext    0.0.0.0/0

Masq:
    ppp0    eth1

Any help will be greatly appreciated (either if there is a problem with the configs, or the issue with OpenVPN).

Kind regards and thanks in advance
Werner
Werner vd Merwe wrote:
>
> If two clients connect via OpenVPN (bridged), they can access each other
> without any problems, but neither of them can access the server, nor any
> system behind it.
>
> I am fairly sure it is a Shorewall issue, but I am very new to Shorewall,
> having moved over from Turtlefirewall about a week ago.

May I suggest in the future, when you suspect that Shorewall is blocking communication, *look at your log* (see http://www.shorewall.net/shorewall_logging.html).

>
> Here my configs:
>
> IP Forwarding is enabled.
>
> Zones:
> lan lan
> ext internet
> vpn tun
>
> Interfaces:
> lan br0 detect
> ext ppp0 detect norfc1918,routefilter
> vpn tun0 detect
> vpn tap0 detect
>

Please review the article at http://www.shorewall.net/OPENVPN.html#Bridge. It gives instructions for configuring an OpenVPN bridge in Shorewall. In particular:

- Bridge ports (such as tap0) are never listed in the interfaces file.
- The bridge (br0) needs the 'routeback' option specified.

The instructions in the above article will simply make bridged clients part of your 'lan' zone. If you want to make them a separate zone, then you need to create a bridge/firewall as described at http://www.shorewall.net/bridge.html.

If you have the need to make another problem report, please include the information requested at http://www.shorewall.net/support.htm.

Thanks,
-Tom

--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
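As an added example, not code from the thread or from Shorewall, a small POSIX shell check for the two rules in the reply above: a bridge port must not appear in the interfaces file, and the bridge itself needs routeback. Bridge membership is passed on the command line as bridge:port,port (the check_bridge_interfaces name and the argument format are my own); on a live box those ports are the entries under /sys/class/net/<bridge>/brif/. The embedded sample files are constructed copies of Werner's interfaces file before and after the two fixes.

```shell
# Added example (not a Shorewall tool): check a Shorewall interfaces file
# against the two bridge rules from the reply above. Bridge membership is
# passed as "bridge:port,port" so this runs offline; on a live box the
# ports are the entries of /sys/class/net/<bridge>/brif/.
check_bridge_interfaces() {
    file=$1; shift
    rc=0
    for spec in "$@"; do
        bridge=${spec%%:*}
        for port in $(printf '%s' "${spec#*:}" | tr ',' ' '); do
            # A bridge port listed on its own makes Shorewall treat frames
            # that the bridge merely forwards as crossing a zone boundary.
            if awk -v p="$port" '!/^#/ && $2 == p { f = 1 } END { exit !f }' "$file"; then
                echo "ERROR: bridge port $port of $bridge is listed in $file"
                rc=1
            fi
        done
        # Traffic between two ports of the same bridge enters and leaves on
        # the bridge device itself; Shorewall only permits that with routeback.
        if ! awk -v b="$bridge" '!/^#/ && $2 == b && $4 ~ /(^|,)routeback(,|$)/ { f = 1 } END { exit !f }' "$file"; then
            echo "ERROR: $bridge is not listed with the routeback option in $file"
            rc=1
        fi
    done
    return $rc
}

# Constructed copy of the original poster's interfaces file.
write_broken_interfaces() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
lan     br0         detect
ext     ppp0        detect      norfc1918,routefilter
vpn     tun0        detect
vpn     tap0        detect
EOF
    echo "$f"
}

# Constructed version with tap0 removed and routeback added on br0.
write_fixed_interfaces() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
lan     br0         detect      routeback
ext     ppp0        detect      norfc1918,routefilter
vpn     tun0        detect
EOF
    echo "$f"
}

# Stand-alone run: bridge br0 with tap0 as a port (as in the thread).
if [ "${1-}" = "--demo" ]; then
    b=$(write_broken_interfaces); g=$(write_fixed_interfaces)
    check_bridge_interfaces "$b" br0:tap0 || echo "broken file rejected, as expected"
    check_bridge_interfaces "$g" br0:tap0 && echo "fixed file passes"
    rm -f "$b" "$g"
fi
```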
Hi Tom,

Thanks for the advice, apologies for doing the post the wrong way - am just a bit despondent after trying 2 days without success.

I have looked at http://www.shorewall.net/OPENVPN.html#Bridge but obviously missed something. I will try the interface changes - thank you again.

Kind regards
Werner

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Tom Eastep
Sent: 04 May 2006 03:58 PM
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] Shorewall/OpenVPN issue

[quoted copy of Tom's reply above omitted]
Tom Eastep wrote:
> Werner vd Merwe wrote:
>>
>> I am fairly sure it is a Shorewall issue, but I am very new to Shorewall,
>> having moved over from Turtlefirewall about a week ago.
>> ...
>> Policy:
>> $FW all ACCEPT debug
>> lan all ACCEPT debug
>> ext all DROP debug
>> vpn all ACCEPT debug
>> all vpn ACCEPT debug
>
> May I suggest in the future, when you suspect that Shorewall is blocking
> communication *look at your log* (see
> http://www.shorewall.net/shorewall_logging.html).
>

I would also add that I think that logging ACCEPT policies is a really bad idea. It generates so much log noise that you can't see what is really happening. A 'shorewall dump' (as requested in the support article I referred to in my last post) only includes the last 10 'Shorewall' log messages -- if you have a connection problem, showing us 10 ACCEPTED connections usually isn't going to give us any useful information.

-Tom
Tom Eastep wrote:
> A 'shorewall dump' (as requested in the support
> article I referred to in my last post) only includes the last 10
> 'Shorewall' log messages -- if you have a connection problem, showing us
> 10 ACCEPTED connections usually isn't going to give us any useful
> information.

I stand corrected -- 'dump' shows the last *20* messages.

-Tom
Hi Tom,

I have done the changes as laid out in your mail and with reference to the webpages you pointed me to, as far as I could discern what is applicable to my setup.

I still have the same problem though. Please, if you could point me in another direction I would appreciate it - I am fairly sure it is a small issue that I am overlooking.

I have included the dump file, but /var/log/messages contains no info as to what is going on.

My config now:

Zones:
    lan     lan
    ext     internet

Interfaces:
    lan     br0     detect    routeback
    ext     ppp0    detect

Policy:
    $FW     all     ACCEPT    debug
    lan     all     ACCEPT    debug
    ext     all     DROP      debug

Rules:
    ACCEPT          all     $FW     tcp     22
    ACCEPT:debug    all     $FW     udp     1195
    ACCEPT          all     $FW     udp     1196

Masq:
    ppp0    br0

Tunnels:
    openvpnserver:1196    ext    0.0.0.0/0

Any further assistance will be greatly appreciated.

Kind regards
Werner

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Tom Eastep
Sent: 04 May 2006 03:58 PM
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] Shorewall/OpenVPN issue

[quoted copy of Tom's first reply above omitted]
Werner vd Merwe wrote:
> Hi Tom,
>
> I have done the changes as laid out in your mail and with reference to the
> webpages you pointed me to as far as I could discern what is applicable to
> my setup.
>
> I still have the same problem though. Please if you could point me in
> another direction I would appreciate it - I am fairly sure it is a small
> issue that I am overlooking.

Did you try to pass any traffic over the bridged VPN connection after resetting the counters at 17:01:46?

Also, I see that you have LOGALLNEW=Yes yet there is nothing in the log. This indicates that the LOGFILE setting in shorewall.conf isn't correct (there have been no logged messages in the log specified by LOGFILE since just before 1AM this morning). If you do get your logging straightened out, please don't set LOGALLNEW=Yes before capturing a dump -- the log portion of the dump is almost assured to be worthless with LOGALLNEW=Yes.

>
> I have included the dump file, but /var/log/messages contain no info as to
> what is going on.

Again, that is a problem with your log configuration.

>
> My config now:
>
> Zones:
> lan lan
> ext internet
>
> Interfaces:
> lan br0 detect routeback
> ext ppp0 detect

You will also need tun0 for your routed VPN to work -- also, what is

>
> Policy:
> $FW all ACCEPT debug
> lan all ACCEPT debug
> ext all DROP debug
>
> Rules:
> ACCEPT all $FW tcp 22
> ACCEPT:debug all $FW udp 1195
> ACCEPT all $FW udp 1196
>
> Masq:
> ppp0 br0
>
> Tunnels:
> openvpnserver:1196 ext 0.0.0.0/0
>
>
> Any further assistance will be greatly appreciated.

Since there was absolutely no traffic on br0 from the time that the counters were reset to the time that you took the dump, it's difficult to learn anything from the dump.

I *do* notice however that you have a 'tap1' device, so check your OpenVPN server configuration file -- you should have "dev tap0"; it looks like you may have "dev tap", which causes the OpenVPN server to create a second tap device rather than to use the one that you have configured on the bridge. That would be consistent with your not seeing any traffic on br0.

-Tom
Tom Eastep wrote:
>
>> My config now:
>>
>> Zones:
>> lan lan
>> ext internet
>>
>> Interfaces:
>> lan br0 detect routeback
>> ext ppp0 detect
>
> You will also need tun0 for your routed VPN to work -- also, what is

I see I didn't complete this thought. Also, what is 'eth0'? I see traffic being passed on it and it has an IP configuration, so it may need to be included in your interfaces file with a zone defined for it.

-Tom
> Did you try to pass any traffic over the bridged VPN connection after
> resetting the counters at 17:01:46?

I have tried again, yes; even tcpdump on interface tap0 returns nothing coming from outside. From the server it does an ARP call, but gets nothing back.

> I *do* notice however that you have a 'tap1' device, so check your OpenVPN
> server configuration file -- you should have "dev tap0"; it looks like you
> may have "dev tap", which causes the OpenVPN server to create a second tap
> device rather than to use the one that you have configured on the bridge.
> That would be consistent with your not seeing any traffic on br0.

The tap1 is a remnant of an earlier test; that interface does not show up with an ifconfig. I restarted the box to ensure a clean config.

> Also, what is 'eth0'? I see traffic being passed on it and it has an IP
> configuration, so it may need to be included in your interfaces file with
> a zone defined for it.

My connection is an ADSL connection, apologies for omitting that; eth0 is connected to the ADSL modem.

I have rebooted the box, and now logging seems to work. Now at least I have logs to work off!

Thanks for your help so far - I will investigate the logs and let you know - hopefully I can come right from here.

Kind regards
Werner
Werner vd Merwe wrote:
> I have tried again yes, even tcpdump on interface tap0 returns nothing
> coming from outside. From the server it does an ARP call, but gets nothing
> back.

THAT CANNOT BE A SHOREWALL PROBLEM! Shorewall cannot interfere with tcpdump and it cannot have any effect on ARP (unless you use the 'arp_filter' and/or 'arp_ignore' options in /etc/shorewall/interfaces).

>
> The tap1 is a remnant of an earlier test, that interface does not show up
> with an ifconfig, restarted the box to ensure clean config.
>

From the 'shorewall dump' I note the following (which is produced by 'ip -s link ls'):

    ...
    65: tap0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc noqueue qlen 100
        link/ether 00:ff:9d:db:60:a1 brd ff:ff:ff:ff:ff:ff
        RX: bytes  packets  errors  dropped overrun mcast
        0          0        0       0       0       0
        TX: bytes  packets  errors  dropped carrier collsns
        52766      316      0       5       0       0
    ...
    77: tap1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 100
        link/ether 00:ff:3b:3f:49:de brd ff:ff:ff:ff:ff:ff
        RX: bytes  packets  errors  dropped overrun mcast
        34200      272      0       0       0       0
        TX: bytes  packets  errors  dropped carrier collsns
        0          0        0       0       0       0

So all incoming traffic is on tap1 and all outgoing traffic is on tap0. This is an OpenVPN issue, not a Shorewall issue.

-Tom
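As an added example, not from the thread or from Shorewall, a shell helper that automates the check Tom made by hand on the 'ip -s link ls' section of the dump: it reads that output on stdin and reports interfaces whose packet counters are one-directional, the tap0/tap1 split diagnosed above. The one_way_links name is mine; the embedded input is the tap0/tap1 excerpt quoted above plus a constructed healthy loopback entry.

```shell
# Added example (not from the thread): flag interfaces in "ip -s link ls"
# output that only send or only receive packets. On a bridged OpenVPN
# server that is what it looks like when the daemon writes to one tap
# device while the bridge holds another.
one_way_links() {
    awk '
        /^[0-9]+: / { split($2, n, ":"); name = n[1]; next }
        $1 == "RX:" { want = "rx"; next }
        $1 == "TX:" { want = "tx"; next }
        want == "rx" { rx[name] = $2 + 0; want = ""; next }   # $2 is the packets column
        want == "tx" { tx[name] = $2 + 0; want = ""; next }
        END {
            for (i in rx) {
                if (rx[i] == 0 && tx[i] > 0)
                    printf "%s: TX only (%d packets out, 0 in)\n", i, tx[i]
                else if (tx[i] == 0 && rx[i] > 0)
                    printf "%s: RX only (%d packets in, 0 out)\n", i, rx[i]
            }
        }' | sort
}

# Constructed input: the tap0/tap1 excerpt from the dump quoted above plus
# a made-up loopback entry, so a two-way interface is shown to pass.
sample_link_stats() {
    cat <<'EOF'
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    RX: bytes  packets  errors  dropped overrun mcast
    1200       12       0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    1200       12       0       0       0       0
65: tap0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc noqueue qlen 100
    link/ether 00:ff:9d:db:60:a1 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    0          0        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    52766      316      0       5       0       0
77: tap1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 100
    link/ether 00:ff:3b:3f:49:de brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    34200      272      0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    0          0        0       0       0       0
EOF
}

# Stand-alone run on the sample; on a live box use:  ip -s link ls | one_way_links
if [ "${1-}" = "--demo" ]; then
    sample_link_stats | one_way_links
fi
```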
Hi Tom,

Thanks so very much for your help - it has paved the way to success! It was a combination of a lot of the things you have suggested.

Have a great day!

Kind regards
Werner

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Tom Eastep
Sent: 04 May 2006 07:31 PM
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] Shorewall/OpenVPN issue

[quoted copy of Tom's reply above omitted]
Werner vd Merwe wrote:
> Thanks so very much for your help - it has paved the way to success!

Glad that you got it working, Werner.

-Tom