I am trying to make the following connection:

WindowsXP(OpenVPN-Client)->shorewall->Internet->LinksysWRTG->OpenVPN-Server

...of course the reverse path too.

The OpenVPN server is running in bridge mode. When the OpenVPN client is launched it looks like a successful connection is made. The OpenVPN client gets assigned an address from the OpenVPN server pool. The OpenVPN client's routing table gets updated to include the following:

==========================================================================
Active Routes:
Network Destination          Netmask          Gateway       Interface  Metric
            a.b.c.0    255.255.255.0        a.b.c.250       a.b.c.250      30
          a.b.c.250  255.255.255.255        127.0.0.1       127.0.0.1      30
          a.b.c.255  255.255.255.255        a.b.c.250       a.b.c.250      30

where a.b.c is the sub-net of the bridged network, and the .250 address is the IP assigned to the OpenVPN client's TAP device.

So at this point I believe shorewall is out of the picture because any traffic going to a.b.c.0/24 should be going through the encrypted tunnel and shorewall would not do any filtering on this traffic. Is this a correct assumption?

I ask this because I am unable to communicate with any devices on the a.b.c.0/24 network.

I have read the following, but I do not believe they apply.

http://www.shorewall.net/VPN.htm
http://www.shorewall.net/manpages/shorewall-tunnels.html

I did actually try to set up the OpenVPN client connection from the shorewall server too, but again I could never get it to work. Plus this is not really what I wanted; I was just trying something else. I basically kept getting a destination unreachable (PING) when the OpenVPN client was installed on the shorewall server. Again the TAP0 device seemed to get connected OK, but it did not matter how many changes I made to the policy, zones, interface, tunnels, and masq files; no combination gave me a successful result.

I just want to make sure I am focusing my research in the right place. I don't think this is a shorewall issue, but I wanted to get a second opinion.
Thanks for your help.

-- 
-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
Scott Ruckh wrote:
>
> So at this point I believe shorewall is out of the picture because any traffic going to a.b.c.0/24
> should be going through the encrypted tunnel and shorewall would not do any filtering on this traffic.
> Is this a correct assumption?

Yes.

>
> I just want to make sure I am focusing my research in the right place. I don't think this is a
> shorewall issue, but I wanted to get a second opinion.

Is there a firewall running on the XP box?

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
This is what you said, Tom Eastep:
> Scott Ruckh wrote:
>
>>
>> So at this point I believe shorewall is out of the picture because any traffic going to a.b.c.0/24
>> should be going through the encrypted tunnel and shorewall would not do any filtering on this
>> traffic.
>> Is this a correct assumption?
>
> Yes.
>
>>
>> I just want to make sure I am focusing my research in the right place. I don't think this is a
>> shorewall issue, but I wanted to get a second opinion.
>
> Is there a firewall running on the XP box?

Yes, but I turned it off and it did not make a difference.

The device (LinkSys NSLU2) running OpenVPN server is a single interface device which is NAT'd behind the LinkSysWRTG device.

I have a working OpenVPN installation in routing mode where the OpenVPN server runs on the shorewall server, but this is my first bridge configuration where both OpenVPN client and OpenVPN server are NAT'd behind firewalls.

Looks like I have a learning curve with the OpenVPN configuration and that would be off-topic for this list.

Thanks.
Scott Ruckh
2008-Feb-19 19:13 UTC
Re: OpenVPN (bridge) -- is this a shorewall issue? [SOLVED]
The error was in the OpenVPN server's configuration.

When building the bridge I was using the tap0 device. Unfortunately, even though specifically documented in the comments of the server's configuration file, I was only using the directive 'dev tap'. When OpenVPN server started it was actually using tap1. Once I changed the directive in the server's config file to be 'dev tap0' everything worked as documented.

I hate stupid mistakes like this.

I know it is off topic, but thought I would post back here just in case this might be helpful to someone.

Thanks.
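A pre-flight check for the misconfiguration described above, as an added example that is not part of the original thread and not one of OpenVPN's own scripts. It assumes a Linux host, a bridge br0 built from eth0 plus a persistent tap0 (the names are illustrative), and made-up server-bridge addresses; the two server config files it writes are constructed samples that reproduce the bare 'dev tap' mistake and its 'dev tap0' fix.

```shell
#!/bin/sh
# Added example, not from the thread: verify that the OpenVPN server's 'dev'
# directive names the exact tap interface that was enslaved to the bridge.
# Interface names (br0, eth0, tap0) and the server-bridge addresses are
# assumptions for illustration.

# How the bridge is normally built before the server starts (same steps as
# the bridge-start script shipped with OpenVPN). Needs root; defined here but
# not run.
setup_bridge() {
    br=${1:-br0}; eth=${2:-eth0}; tap=${3:-tap0}
    openvpn --mktun --dev "$tap"          # persistent tap0, owned by the bridge
    brctl addbr "$br"
    brctl addif "$br" "$eth"
    brctl addif "$br" "$tap"
    ip link set dev "$tap" up promisc on
    ip link set dev "$eth" up promisc on
    ip link set dev "$br" up
}

# First 'dev' directive in an OpenVPN config file. Comment and blank lines
# never have "dev" as their first field, so they are skipped.
config_dev() {
    awk '$1 == "dev" { print $2; exit }' "$1"
}

# Returns 0 if the config will open exactly the bridged tap, 1 otherwise
# (with the reason on stderr). A bare 'dev tap' asks the kernel for the next
# free tapN; with a persistent tap0 already in the bridge that is tap1, which
# is not a bridge port, so client frames go nowhere.
check_bridge_dev() {
    cfg=$1; bridged_tap=$2
    dev=$(config_dev "$cfg")
    case "$dev" in
        "$bridged_tap")
            return 0 ;;
        tap|tun)
            echo "WARNING: $cfg says 'dev $dev' with no unit number;" \
                 "OpenVPN will allocate the next free ${dev}N, not $bridged_tap" >&2
            return 1 ;;
        *)
            echo "WARNING: $cfg says 'dev $dev', but the bridge holds $bridged_tap" >&2
            return 1 ;;
    esac
}

# Runtime confirmation on a running Linux host: interface $2 must appear as a
# bridge port of $1 in sysfs. Usage: tap_in_bridge br0 tap0
tap_in_bridge() {
    [ -e "/sys/class/net/$1/brif/$2" ]
}

# Constructed sample configs: the mistake from the thread and its fix.
tmp=$(mktemp -d)
cat > "$tmp/server-broken.conf" <<'EOF'
# broken: tap0 is in the bridge, but this lets OpenVPN pick tap1
port 1194
proto udp
dev tap
server-bridge 10.0.0.1 255.255.255.0 10.0.0.200 10.0.0.250
EOF
cat > "$tmp/server-fixed.conf" <<'EOF'
port 1194
proto udp
dev tap0
server-bridge 10.0.0.1 255.255.255.0 10.0.0.200 10.0.0.250
EOF

check_bridge_dev "$tmp/server-broken.conf" tap0 || echo "broken config rejected"
check_bridge_dev "$tmp/server-fixed.conf" tap0 && echo "fixed config accepted"
```

Against a real deployment, run `check_bridge_dev /etc/openvpn/server.conf tap0` before starting the server, and after it is up confirm with `tap_in_bridge br0 tap0` (or `brctl show br0`) that the interface OpenVPN reports opening in its log is the same one listed as a bridge port; a tap that exists but is not a bridge port is the silent failure mode in this thread, and no amount of firewall tuning on either end will change it.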
Tom Eastep
2008-Feb-19 19:52 UTC
Re: OpenVPN (bridge) -- is this a shorewall issue? [SOLVED]
Scott Ruckh wrote:
> The error was in the OpenVPN server's configuration.
>
> When building the bridge I was using the tap0 device. Unfortunately, even though specifically
> documented in the comments of the server's configuration file, I was only using the directive 'dev
> tap'. When OpenVPN server started it was actually using tap1. Once I changed the directive in the
> server's config file to be 'dev tap0' everything worked as documented.

I've cut myself on that sharp edge too.

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key