Dear list!

I'm currently trying to connect two LANs via an OpenVPN tunnel from router to router (with their LAN IPs). So far each router is able to ping all computers on the other end of the tunnel. What I still can't get to work is the connection from one computer to the router or any other on the other end. And I currently can't think of any reason why it shouldn't. Both routers are the default gateways for their LAN. I don't think I need to set up any kind of masquerading for this to work. All tunnels on either side are in the "loc" zone and loc2loc is accepted per policy.

Here are the interfaces and routes:

Site1:
  eth0: inet 192.168.0.127/24 brd 192.168.0.255 scope global eth0
  eth1: internet
  ppp0: internet
  tun0: inet 192.168.203.1 peer 192.168.203.2/32 scope global tun0 (incoming tunnel)
  tun2: inet 192.168.202.10 peer 192.168.202.9/32 scope global tun2 (outgoing tunnel)

  Ziel            Router          Genmask         Flags Metric Ref Use Iface
  192.168.203.2   *               255.255.255.255 UH    0      0   0   tun0
  192.168.202.9   *               255.255.255.255 UH    0      0   0   tun2
  172.25.46.23    *               255.255.255.255 UH    0      0   0   ppp0
  192.168.100.0   192.168.202.9   255.255.255.0   UG    0      0   0   tun2
  192.168.0.0     *               255.255.255.0   U     0      0   0   eth0
  192.168.203.0   192.168.203.2   255.255.255.0   UG    0      0   0   tun0
  192.168.202.0   192.168.202.9   255.255.255.0   UG    0      0   0   tun2
  default         172.25.46.23    0.0.0.0         UG    0      0   0   ppp0

Site2:
  eth0: internet
  eth1: 192.168.100.254/24 brd 192.168.0.255 scope global eth1
  ppp0: internet
  tun0: inet 192.168.202.1 peer 192.168.202.2/32 scope global tun0 (incoming tunnel)
  tun2: inet 192.168.203.6 peer 192.168.203.5/32 scope global tun2 (outgoing tunnel)

  Ziel            Router          Genmask         Flags Metric Ref Use Iface
  192.168.203.5   *               255.255.255.255 UH    0      0   0   tun2
  192.168.202.2   *               255.255.255.255 UH    0      0   0   tun0
  172.25.46.23    *               255.255.255.255 UH    0      0   0   ppp0
  192.168.100.0   *               255.255.255.0   U     0      0   0   eth1
  192.168.0.0     192.168.203.5   255.255.255.0   UG    0      0   0   tun2
  192.168.203.0   192.168.203.5   255.255.255.0   UG    0      0   0   tun2
  192.168.202.0   192.168.202.2   255.255.255.0   UG    0      0   0   tun0
  loopback        *               255.0.0.0       U     0      0   0   lo
  default         172.25.46.23    0.0.0.0         UG    0      0   0   ppp0

Thanks in advance for any help provided.

greets
roman
> Both routers are the default gateways for their LAN. I don't think I need
> to setup any kind of masquerading for this to work.

I'm fairly certain that you do need to set up some masquerading for this to work. I'm having a bit of a hard time visualizing your configuration because your tun interfaces appear to use a different IP subnet than your internal Ethernet interfaces, but it sounds like a simple entry in the masq file is all you're missing. Probably something like:

  tun1 eth0
  tun2 eth0

I tend to get these backwards, so you might need to experiment or wait until someone with more experience responds.

Also, why use two tunnels instead of just one? It seems like you could achieve the same results but with just one tunnel.

-Russel
hi again!

thanks for your answer!

> I'm fairly certain that you do need to set up some masquerading for this to
> work.

AFAIK masquerading is only needed if one part of the network is not able to address another directly (with its original IP), which should not be the case here. So I still hope I can do this with routing (hence the different subnets) instead of masquerading.

> Also, why use two tunnels
> instead of just one? It seems like you could achieve the same results but
> with just one tunnel.

Yes it would be possible to do this with just one tunnel, but doing it with two has some configuration advantages. This way each VPN server has to know only how to reach its LAN (and push the corresponding route to its clients).

But this two-tunnel thingy is all based on the assumption that the way of the packets can be different in the two directions. I will however test it with just one tunnel, though I think it should work with two too.

I made a little sketch of the network layout as it is currently set up. It's attached as PNG.

Roman
Hi,

1) Did you check the shorewall-tunnels file?
2) Did you verify if openvpn is dropping the packet or iptables?
3) Did you add the policy on both nodes?

You can do the second by checking the openvpn.log file, and the shorewall.log file (assuming you've gotten ulogd installed).

Also, one VPN tunnel is sufficient. You really don't need two. Please follow http://www.shorewall.net/OPENVPN.html for the openVPN setup.

Also, if you still need help, please follow the steps provided at http://shorewall.net/support.htm

That'll help us help you much better,
Prasanna.

On 12/24/06, roman <ladoo@gmx.at> wrote:
> hi again!
>
> thanks for your answer!
>
> > I'm fairly certain that you do need to set up some masquerading for this to
> > work.
>
> AFAIK masquerading is only needed if one part of the network is not able to
> address another directly (with its original IP), which should not be the case
> here. So I still hope I can do this with routing (hence the different
> subnets) instead of masquerading.
>
> > Also, why use two tunnels
> > instead of just one? It seems like you could achieve the same results but
> > with just one tunnel.
>
> Yes it would be possible to do this with just one tunnel, but doing it with
> two has some configuration advantages. This way each VPN server has to know
> only how to reach its LAN (and push the corresponding route to its clients).
>
> But this two-tunnel thingy is all based on the assumption that the way of the
> packets can be different in the two directions. I will however test it with
> just one tunnel, though I think it should work with two too.
>
> I made a little sketch of the network layout as it is currently set up. It's
> attached as PNG.
>
> Roman
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
[When posting command output to English mailing lists, please set LC_ALL=C - in this case we all know what the headers emitted by route mean, but that's not always the case]

On Sun, Dec 24, 2006 at 11:33:46AM +0100, roman wrote:
> > I'm fairly certain that you do need to set up some masquerading for this to
> > work.
>
> AFAIK masquerading is only needed if one part of the network is not able to
> address another directly (with its original IP), which should not be the case
> here. So I still hope I can do this with routing (hence the different
> subnets) instead of masquerading.

Masquerading is not necessary here.

> > Also, why use two tunnels
> > instead of just one? It seems like you could achieve the same results but
> > with just one tunnel.
>
> Yes it would be possible to do this with just one tunnel, but doing it with
> two has some configuration advantages. This way each VPN server has to know
> only how to reach its LAN (and push the corresponding route to its clients).
>
> But this two-tunnel thingy is all based on the assumption that the way of the
> packets can be different in the two directions. I will however test it with
> just one tunnel, though I think it should work with two too.

What you're trying to say is that it's based on the assumption that asymmetric routing is possible. It is possible, but you *must* disable rp_filter for it to work (shorewall refers to this as "route filtering" - I'm not sure why it uses a different name). It's not really a good idea to do this when you don't actually need to - return-path filtering is a useful sanity check against address spoofing.

I don't know why you think having two tunnels is easier. One p2p tunnel should be vastly simpler to configure.
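The reverse-path argument above can be checked against the route tables roman posted at the top of the thread. The following script is an added example, not code from the thread or from Shorewall or OpenVPN: it transcribes the two posted routing tables, does a longest-prefix-match lookup like the kernel, and applies the strict rp_filter rule (a packet is accepted only if the route back to its source points at the interface it arrived on) to a forward and reply packet. The tunnel pairing (site1 tun2 <-> site2 tun0 on 192.168.202.x, site1 tun0 <-> site2 tun2 on 192.168.203.x) is an assumption read off the posted peer addresses, the LAN hosts 192.168.0.10 and 192.168.100.10 are constructed, and `single_tunnel()` is a constructed version of the one-tunnel layout the replies recommend.

```python
import ipaddress

# Routing tables transcribed from the `route` output in the first post (the
# German headers read Ziel = destination, Router = gateway).  Each entry is
# (prefix, gateway or None for on-link, device).
ROUTES = {
    "site1": [
        ("192.168.203.2/32", None, "tun0"), ("192.168.202.9/32", None, "tun2"),
        ("172.25.46.23/32", None, "ppp0"), ("192.168.100.0/24", "192.168.202.9", "tun2"),
        ("192.168.0.0/24", None, "eth0"), ("192.168.203.0/24", "192.168.203.2", "tun0"),
        ("192.168.202.0/24", "192.168.202.9", "tun2"), ("0.0.0.0/0", "172.25.46.23", "ppp0"),
    ],
    "site2": [
        ("192.168.203.5/32", None, "tun2"), ("192.168.202.2/32", None, "tun0"),
        ("172.25.46.23/32", None, "ppp0"), ("192.168.100.0/24", None, "eth1"),
        ("192.168.0.0/24", "192.168.203.5", "tun2"), ("192.168.203.0/24", "192.168.203.5", "tun2"),
        ("192.168.202.0/24", "192.168.202.2", "tun0"), ("127.0.0.0/8", None, "lo"),
        ("0.0.0.0/0", "172.25.46.23", "ppp0"),
    ],
}

# Local address of each interface, from the posted `ip addr` lines; a router
# that originates a packet uses the address of the egress interface as source.
IFACE_ADDR = {
    ("site1", "eth0"): "192.168.0.127", ("site1", "tun0"): "192.168.203.1",
    ("site1", "tun2"): "192.168.202.10", ("site2", "eth1"): "192.168.100.254",
    ("site2", "tun0"): "192.168.202.1", ("site2", "tun2"): "192.168.203.6",
}

# Which far-end interface a packet comes out of.  Assumption read off the peer
# addresses: 192.168.202.x pairs site1 tun2 with site2 tun0, and 192.168.203.x
# pairs site1 tun0 with site2 tun2.
LINKS = {("site1", "tun2"): ("site2", "tun0"), ("site1", "tun0"): ("site2", "tun2")}
LINKS.update({far: near for near, far in LINKS.items()})


def local_addrs(site):
    return {addr for (s, _dev), addr in IFACE_ADDR.items() if s == site}


def lookup(routes, site, dst):
    """Longest-prefix-match lookup; returns (gateway, device)."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, gw, dev in routes[site]:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    return best[1], best[2]


def rp_filter_accepts(routes, site, src, ingress):
    """Strict reverse-path filtering (rp_filter=1, Shorewall's ROUTE_FILTER):
    accept only if the route back to src leaves through the ingress device."""
    return lookup(routes, site, src)[1] == ingress


def send(routes, site, src, dst, rp_filter=True):
    """Forward one packet from src at `site` to dst.
    Returns (delivered, site_where_it_ended, trace)."""
    trace = []
    for _ in range(4):  # bounded walk; LAN-to-LAN here crosses one tunnel
        if dst in local_addrs(site):
            trace.append(f"{site}: {dst} is a local address, delivered")
            return True, site, trace
        _gw, dev = lookup(routes, site, dst)
        trace.append(f"{site}: {src} -> {dst} out {dev}")
        if (site, dev) not in LINKS:  # LAN device delivers; ppp0 leaves the VPN
            return dev.startswith("eth"), site, trace
        site, ingress = LINKS[(site, dev)]
        if rp_filter and not rp_filter_accepts(routes, site, src, ingress):
            back = lookup(routes, site, src)[1]
            trace.append(f"{site}: arrived on {ingress} but the route back to "
                         f"{src} is via {back}: dropped by rp_filter")
            return False, site, trace
        trace.append(f"{site}: accepted on {ingress}")
    return False, site, trace


def ping(routes, site, dst, src=None, rp_filter=True):
    """Echo request plus reply.  With src=None the router itself pings, using
    the address of the interface its forward route selects (as ping(8) does)."""
    if src is None:
        src = IFACE_ADDR[(site, lookup(routes, site, dst)[1])]
    ok, far, trace = send(routes, site, src, dst, rp_filter)
    if not ok:
        return False, trace
    ok, _, back = send(routes, far, dst, src, rp_filter)
    return ok, trace + back


def single_tunnel(routes):
    """Constructed fix following the thread's advice: carry the 192.168.100.0/24
    route over the same tunnel that already carries the return traffic."""
    fixed = dict(routes)
    fixed["site1"] = [("192.168.100.0/24", "192.168.203.2", "tun0") if p == "192.168.100.0/24"
                      else (p, gw, dev) for p, gw, dev in routes["site1"]]
    return fixed


if __name__ == "__main__":
    host1, host2 = "192.168.0.10", "192.168.100.10"  # constructed LAN hosts
    cases = [
        ("router -> router, as posted", ping(ROUTES, "site1", "192.168.100.254")),
        ("host -> host, as posted", ping(ROUTES, "site1", host2, src=host1)),
        ("host -> host, rp_filter off", ping(ROUTES, "site1", host2, src=host1, rp_filter=False)),
        ("host -> host, one tunnel", ping(single_tunnel(ROUTES), "site1", host2, src=host1)),
    ]
    for label, (ok, trace) in cases:
        print(f"{label}: {'OK' if ok else 'FAIL'}\n  " + "\n  ".join(trace))
```

Run as-is it reproduces the symptom from the first post: the router-to-router ping succeeds because the router sources it from its tun2 address, whose return route points back at the same tunnel, while a LAN host's packet goes out site1 tun2 and arrives on site2 tun0, where the route back to 192.168.0.0/24 points at tun2, so strict reverse-path filtering drops it. Turning rp_filter off makes the asymmetric layout pass, as the reply above says; moving the 192.168.100.0/24 route onto the tunnel that carries the return traffic makes it pass with rp_filter left on, which is the layout the thread ends up recommending.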
hi!

Thanks for your help.

I have now (at last) one working tunnel with a configuration very close to the "Bridging two Masqueraded Networks" example on shorewall.net. Now it leaves me with another question:

I have indeed 3 networks which should ideally be connected with each other. This means each router needs 2 tunnels to connect it to the other routers and if there are some roadwarriors yet another openvpn instance for them. Am I right on this, or is there a more elegant solution to this?

greets
Choices depend on whether you want point to point between all three sites, or whether you can take the hit of one extra hop. In the latter case, you can simply set up one server and make all else clients. All traffic will be routed through your server of course.

Prasanna.

On 12/25/06, roman <ladoo@gmx.at> wrote:
> hi!
>
> Thanks for your help.
>
> I have now (at last) one working tunnel with a configuration very close to
> the "Bridging two Masqueraded Networks" example on shorewall.net. Now it
> leaves me with another question:
>
> I have indeed 3 networks which should ideally be connected with each other.
> This means each router needs 2 tunnels to connect it to the other routers and
> if there are some roadwarriors yet another openvpn instance for them. Am I
> right on this, or is there a more elegant solution to this?
>
> greets
roman wrote:
> I have indeed 3 networks which should ideally be connected with each other.
> This means each router needs 2 tunnels to connect it to the other routers and
> if there are some roadwarriors yet another openvpn instance for them. Am I
> right on this, or is there a more elegant solution to this?

As is often the case, only you can answer that! It's your network and only you can say what suits you.

Back in the days of leased lines (aka point-to-point or private circuits), it would be common to have a hub and spoke arrangement - making the main data centre the hub in most cases. Traffic between any two spokes would have to flow through the hub. This is the easiest to set up; any time you have to add/remove a spoke you only have to modify the hub and that spoke. It also scales well since for n sites there are n-1 links. The downside is the inefficiency of routing all your traffic through the one site.

With VPN you don't have the cost (multiple leased lines) or hardware (number of serial ports) constraints, so you will probably want what is usually called a "fully meshed" network - every site is connected to every other site. It's more efficient because you don't route all the traffic through one hub - but it's harder to manage because every change affects every site, and the number of links (in this case tunnels) goes up dramatically with the number of links.

For only three sites then there's little argument - just go meshed. However, if you have any expectations of adding more sites, sit down before you start and think about your addressing/naming schemes - it's easier to be logical from the start than to renumber networks later (been there, got the T-shirt!).
hi again!

> For only three sites then there's little argument - just go meshed.
> However, if you have any expectations of adding more sites, sit down
> before you start and think about your addressing/naming schemes -
> it's easier to be logical from the start than to renumber networks
> later (been there, got the T-shirt!).

thank you for your explanations!

I will do a meshed network for these 3 sites. But I think it could be possible to consolidate the configuration a bit:

Except for the routes all configurations are nearly the same. So if all the routes were pushed to the peers I would have to configure them only once for each network. The question is: Is it possible to push configurations in both directions? I did some tests of my own but as of now I didn't get it to work...

greets
Roman
On Mon, Dec 25, 2006 at 12:44:22PM +0100, roman wrote:
> > For only three sites then there's little argument - just go meshed.
> > However, if you have any expectations of adding more sites, sit down
> > before you start and think about your addressing/naming schemes -
> > it's easier to be logical from the start than to renumber networks
> > later (been there, got the T-shirt!).
>
> thank you for your explanations!
>
> I will do a meshed network for these 3 sites. But I think it could be possible
> to consolidate the configuration a bit:
>
> Except for the routes all configurations are nearly the same. So if all the
> routes were pushed to the peers I would have to configure them only once for
> each network. The question is: Is it possible to push configurations in both
> directions?

This is really an openvpn question, not a shorewall one, but anyway...

"push" and "pull" are intended for server/dumb-client mode, they aren't appropriate here. Use "up" instead, so all the configuration for a given host is stored on that host. Something like:

  ifconfig 10.1.0.2 10.1.0.1 up ip route add 10.2.0.0/24 via 10.1.0.1

(Filling in the appropriate addresses)
hi!

> This is really an openvpn question, not a shorewall one, but anyway...

I know - sorry for that.

> "push" and "pull" are intended for server/dumb-client mode, they
> aren't appropriate here.

So something like push/pull is clearly not applicable in p2p mode.

> Use "up" instead, so all the configuration
> for a given host is stored on that host.

Yes, I do that at the moment. But that's what my question was all about: whether it is possible to have the configuration distributed via push (and stored only on one system for each network).

It's a pity it isn't possible to do this that way.

thanks again!
roman wrote:
> hi!
>
> > This is really an openvpn question, not a shorewall one, but anyway...
>
> I know - sorry for that.
>
> Yes, I do that at the moment. But that's what my question was all about:
> whether it is possible to have the configuration distributed via push (and
> stored only on one system for each network).
>
> It's a pity it isn't possible to do this that way.

Please take this onto an appropriate list -- the discussion has nothing to do with Shorewall and everything to do with OpenVPN. The OpenVPN list is very active and responsive to users' questions.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key