Chris Morley
2008-Mar-26 06:30 UTC
Hub/Spoke OpenVPN can't communicate from Client A to Client B - FORWARD:REJECT:IN=tun0 OUT=tun0
Hi,

I am running OpenVPN where I have one central hub VPN server and multiple spoke VPN clients. I can ping from each client to the server, and from each client to computers on the subnet on which the server resides (192.168.2.0/24), so it works OK there. I cannot, however, ping from one client to another client. I guess the packet path would go:

  clienta -> vpn -> shorewall/router -> vpn -> clientb

When I try to ping a different client on a different subnet I get:

  C:\Users\Chris>ping 192.168.10.1

  Pinging 192.168.10.1 with 32 bytes of data:
  Reply from 172.16.1.1: Destination host unreachable.
  Reply from 172.16.1.1: Destination host unreachable.

But as mentioned, other routes work OK:

  C:\Users\Chris>ping 172.16.1.1

  Pinging 172.16.1.1 with 32 bytes of data:
  Reply from 172.16.1.1: bytes=32 time=329ms TTL=64
  Reply from 172.16.1.1: bytes=32 time=328ms TTL=64

  C:\Users\Chris>ping 192.168.2.1

  Pinging 192.168.2.1 with 32 bytes of data:
  Reply from 192.168.2.1: bytes=32 time=469ms TTL=64
  Reply from 192.168.2.1: bytes=32 time=329ms TTL=64

  C:\Users\Chris>ping 192.168.2.10

  Pinging 192.168.2.10 with 32 bytes of data:
  Reply from 192.168.2.10: bytes=32 time=332ms TTL=127
  Reply from 192.168.2.10: bytes=32 time=335ms TTL=127

So as you can see the link is up and shorewall does let through the connections to the local server subnet.

On checking /var/log/messages I can see shorewall has dropped packets destined for 192.168.10.1:

  Mar 26 04:33:10 router-hq kernel: Shorewall:FORWARD:REJECT:IN=tun0 OUT=tun0 SRC=172.16.1.6 DST=192.168.10.1 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=31895 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=25270
  Mar 26 04:33:11 router-hq kernel: Shorewall:FORWARD:REJECT:IN=tun0 OUT=tun0 SRC=172.16.1.6 DST=192.168.10.1 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=31898 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=25271

For info, here are my config files (same on server and client):

  router-hq:~# cat /etc/shorewall/interfaces
  ###############################################################################
  #ZONE   INTERFACE   BROADCAST   OPTIONS
  lana    eth0        detect      tcpflags,nosmurfs
  lanb    eth1        detect      tcpflags,nosmurfs
  dmz     eth2        detect
  net     eth3        detect      tcpflags,dhcp,routefilter,nosmurfs,logmartians
  vpn     tun0
  #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

  router-hq:~# cat /etc/shorewall/zones
  ###############################################################################
  #ZONE           TYPE        OPTIONS     IN          OUT
  #                                       OPTIONS     OPTIONS
  fw              firewall
  net             ipv4
  lana            ipv4
  lanb            ipv4
  dmz             ipv4
  vpn             ipv4
  loc:lana,lanb   ipv4
  #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

  router-hq:~# cat /etc/shorewall/policy
  # Policies for traffic originating from the local LAN (loc)
  #
  # If you want to force clients to access the Internet via a proxy server
  # in your DMZ, change the following policy to REJECT info.
  lana    net     ACCEPT
  lanb    net     ACCEPT
  lana    lanb    ACCEPT
  lanb    lana    ACCEPT
  # vpn
  lana    vpn     ACCEPT
  lanb    vpn     ACCEPT
  vpn     lana    ACCEPT
  vpn     lanb    ACCEPT
  vpn     $FW     ACCEPT
  # to ACCEPT. (If you chose not to do this, you will need to add a rule
  # for each service in the rules file.)
  #loc    dmz     REJECT  info
  lana    $FW     ACCEPT
  lanb    $FW     ACCEPT
  #loc    all     REJECT  info
  #
  # Policies for traffic originating from the firewall ($FW)
  #
  # If you want open access to the Internet from your firewall, change the
  # $FW to net policy to ACCEPT and remove the 'info' LOG LEVEL.
  $FW     net     ACCEPT
  $FW     dmz     REJECT  info
  $FW     lana    ACCEPT
  $FW     lanb    ACCEPT
  $FW     vpn     ACCEPT
  $FW     all     REJECT  info
  #
  # Policies for traffic originating from the De-Militarized Zone (dmz)
  #
  # If you want open access from DMZ to the Internet change the following
  # policy to ACCEPT. This may be useful if you run a proxy server in
  # your DMZ.
  dmz     net     REJECT  info
  dmz     $FW     REJECT  info
  dmz     loc     REJECT  info
  dmz     all     REJECT  info
  #
  # Policies for traffic originating from the Internet zone (net)
  #
  net     dmz     DROP    info
  net     $FW     DROP    info
  net     loc     DROP    info
  net     all     DROP    info
  # THE FOLLOWING POLICY MUST BE LAST
  all     all     REJECT  info
  #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Given shorewall is discarding Shorewall:FORWARD:REJECT:IN=tun0 OUT=tun0, even adding this line to /etc/shorewall/policy doesn't work:

  vpn     vpn     ACCEPT

Just for background info on my VPN setup, here is the config on my hub router:

  router-hq:~# cat /etc/openvpn/sitelink.conf
  #Begin server.conf
  port 1194
  proto udp
  dev tun
  ca sitelink/ca.crt
  cert sitelink/router-hq.mydomain.com.crt
  key sitelink/router-hq.mydomain.com.key
  dh sitelink/dh2048.pem
  server 172.16.1.0 255.255.255.0
  client-config-dir /etc/openvpn/sitelink/client-config
  route 192.168.10.0 255.255.255.0
  route 192.168.20.0 255.255.255.0
  route 192.168.30.0 255.255.255.0
  push "route 192.168.2.0 255.255.255.0"
  push "route 192.168.10.0 255.255.255.0"
  push "route 192.168.20.0 255.255.255.0"
  push "route 192.168.30.0 255.255.255.0"
  keepalive 10 120
  comp-lzo
  persist-key
  persist-tun
  status server-tcp.log
  verb 3
  management 192.168.2.1 12345 /etc/openvpn/mgmntpass
  # end

And here is one of the clients' configs; they are almost identical apart from the different certificates specified for each individual client:

  router-clia:~# cat /etc/openvpn/hq.conf
  #Begin client.conf
  client
  dev tun
  route-method exe
  route-delay 2
  remote 100.100.100.100 1194
  resolv-retry infinite
  nobind
  persist-key
  persist-tun
  ca ca.crt
  cert router-clia.mydomain.com.crt
  key router-clia.mydomain.com.key
  ns-cert-type server
  comp-lzo
  verb 3

So in summary, how can I route packets which come in over tun0/vpn back out via the same interface? In the future, I would like to lock this down further and block certain ports to certain VPN client address subnets. I have RTFM but couldn't see nor understand how to apply the options to my scenario. Sorry if I have missed something; I greatly appreciate the help.

Many thanks in advance,

Chris
Andrew Suffield
2008-Mar-26 06:40 UTC
Re: Hub/Spoke OpenVPN can't communicate from Client A to Client B - FORWARD:REJECT:IN=tun0 OUT=tun0
On Wed, Mar 26, 2008 at 06:30:51AM +0000, Chris Morley wrote:
> So in summary, how can i route packets which come in over tun0/vpn
> back out via the same interface?

Without looking at the problem, my bet's on 'routeback'.
Chris Morley
2008-Mar-26 07:03 UTC
Re: Hub/Spoke OpenVPN can't communicate from Client A to Client B - FORWARD:REJECT
Thanks for the fast reply and resolution! I added routeback to the vpn interface as per the file below and it all started working:

  router-hq:~# cat /etc/shorewall/interfaces
  ###############################################################################
  #ZONE   INTERFACE   BROADCAST   OPTIONS
  lana    eth0        detect      tcpflags,nosmurfs
  lanb    eth1        detect      tcpflags,nosmurfs
  dmz     eth2        detect
  net     eth3        detect      tcpflags,dhcp,routefilter,nosmurfs,logmartians
  vpn     tun0        -           routeback
  #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

FYI, I also pushed the route "172.16.1.0 255.255.255.0" to clients so they could also connect direct to VPN end points should any road warriors dial in.

Thanks very much for the help,

Chris

> Date: Wed, 26 Mar 2008 06:40:08 +0000
> From: asuffield@suffields.me.uk
> To: shorewall-users@lists.sourceforge.net
> Subject: Re: [Shorewall-users] Hub/Spoke OpenVPN can't communicate from Client A to Client B - FORWARD:REJECT:IN=tun0 OUT=tun0
>
> On Wed, Mar 26, 2008 at 06:30:51AM +0000, Chris Morley wrote:
> > So in summary, how can i route packets which come in over tun0/vpn
> > back out via the same interface?
>
> Without looking at the problem, my bet's on 'routeback'.
Gilson Soares
2008-Mar-28 01:48 UTC
Re: Hub/Spoke OpenVPN can't communicate from Client A to Client B - FORWARD:REJECT:IN=tun0 OUT=tun0
It's missing the "client-to-client" option in your OpenVPN configuration.

-Gilson

On 3/26/08, Andrew Suffield <asuffield@suffields.me.uk> wrote:
> On Wed, Mar 26, 2008 at 06:30:51AM +0000, Chris Morley wrote:
> > So in summary, how can i route packets which come in over tun0/vpn
> > back out via the same interface?
>
> Without looking at the problem, my bet's on 'routeback'.

--
Gilson Soares
Network and Security Management
Kobold Gestora de Fundos Ltda
Gilson Soares
2008-Mar-28 01:58 UTC
Re: Hub/Spoke OpenVPN can't communicate from Client A to Client B - FORWARD:REJECT
I don't know the inner workings of OpenVPN, but I suppose using the "client-to-client" option makes the OpenVPN daemon do the routing and doesn't even let the packets go through the O.S. routes. I have several similar setups and never needed to use the routeback option. Just "client-to-client" solved this problem.

-Gilson

On 3/26/08, Chris Morley <g18c@hotmail.com> wrote:
> Thanks for the fast reply and resolution! I added routeback to the
> vpn interface as per the file below and it all started working:
>
> router-hq:~# cat /etc/shorewall/interfaces
> ###############################################################################
> #ZONE   INTERFACE   BROADCAST   OPTIONS
> lana    eth0        detect      tcpflags,nosmurfs
> lanb    eth1        detect      tcpflags,nosmurfs
> dmz     eth2        detect
> net     eth3        detect      tcpflags,dhcp,routefilter,nosmurfs,logmartians
> vpn     tun0        -           routeback
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
> FYI i also pushed the route "172.16.1.0 255.255.255.0" to clients so they
> could also connect direct to vpn end points should any road warriors dial
> in.
>
> Thanks very much for the help,
>
> Chris
>
> > Date: Wed, 26 Mar 2008 06:40:08 +0000
> > From: asuffield@suffields.me.uk
> > To: shorewall-users@lists.sourceforge.net
> > Subject: Re: [Shorewall-users] Hub/Spoke OpenVPN can't communicate from
> > Client A to Client B - FORWARD:REJECT:IN=tun0 OUT=tun0
> >
> > On Wed, Mar 26, 2008 at 06:30:51AM +0000, Chris Morley wrote:
> > > So in summary, how can i route packets which come in over tun0/vpn
> > > back out via the same interface?
> >
> > Without looking at the problem, my bet's on 'routeback'.

--
Gilson Soares
Network and Security Management
Kobold Gestora de Fundos Ltda
Tom Eastep
2008-Mar-28 01:59 UTC
Re: Hub/Spoke OpenVPN can't communicate from Client A to Client B - FORWARD:REJECT:IN=tun0 OUT=tun0
Gilson Soares wrote:
> It's missing the "client-to-client" option in your OpenVPN configuration.

client-to-client is only applicable to bridged configurations -- the OP is using a routed OpenVPN setup.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep
2008-Mar-28 02:06 UTC
Re: Hub/Spoke OpenVPN can't communicate from Client A to Client B - FORWARD:REJECT
Gilson Soares wrote:
> I don't know the inner workings of OpenVPN, but I suppose using the
> "client-to-client" option makes the OpenVPN daemon do the routing and
> doesn't even let the packets go through the O.S. routes.
> I have several similar setups and never needed to use the routeback option.
> Just "client-to-client" solved this problem.

I'm just saying that we've had reports that 'client-to-client' is ineffective in routed setups. I haven't tried it. But I do use 'client-to-client' with my bridged configuration and it works fine.

Can you confirm that 'client-to-client' works in a ROUTED OpenVPN configuration?

-Tom (who wonders if he inadvertently dropped in on #openvpn)
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Gilson Soares
2008-Mar-28 02:15 UTC
Re: Hub/Spoke OpenVPN can't communicate from Client A to Client B - FORWARD:REJECT
I only use ROUTED OpenVPN. As I said, I have several OpenVPN installations with Shorewall (obviously). And there is a mix of remote endpoints and remote networks in the same Linux box. "client-to-client" does the job. The only special consideration is when you have a site-to-site tunnel: you also need to include the "iroute" option for the remote network.

--
Gilson Soares
Network and Security Management
Kobold Gestora de Fundos Ltda

PS: I forgot to send this to the list.

On 3/27/08, Tom Eastep <teastep@shorewall.net> wrote:
> Gilson Soares wrote:
> > I don't know the inner workings of OpenVPN, but I suppose using the
> > "client-to-client" option makes the OpenVPN daemon do the routing and
> > doesn't even let the packets go through the O.S. routes.
> > I have several similar setups and never needed to use the routeback option.
> > Just "client-to-client" solved this problem.
>
> I'm just saying that we've had reports that 'client-to-client' is
> ineffective in routed setups. I haven't tried it. But I do use
> 'client-to-client' with my bridged configuration and it works fine.
>
> Can you confirm that 'client-to-client' works in a ROUTED OpenVPN
> configuration?
>
> -Tom (who wonders if he inadvertently dropped in on #openvpn)
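The "iroute" point above is the one that bites in routed (dev tun) site-to-site setups like the original poster's: per the OpenVPN manual, the server's `route` directive only gets the packet from the kernel into OpenVPN, and an `iroute` in the owning client's client-config-dir file is what tells OpenVPN which connected client to hand it to. The poster's sitelink.conf shows three `route` lines and a `client-config-dir`, but the ccd files themselves are not in the thread. The script below is an added example, not code from the thread or from OpenVPN: it checks a server config and ccd directory for `client-to-client` and for an `iroute` matching every `route`d subnet. The file names and contents it creates are constructed for the example, and it assumes (as OpenVPN requires) that each ccd file is named after the client certificate's common name.

```shell
#!/bin/sh
# Added example (not from the thread): check a routed (dev tun) OpenVPN hub
# config for the two things spoke-to-spoke traffic needs when the server is
# to switch it internally: 'client-to-client', and an 'iroute' in the
# client-config-dir (ccd) file of whichever client owns each 'route'd
# remote-site subnet. The file names and contents below are constructed.

# _routes KEYWORD FILE...: print "network netmask" for each KEYWORD line
# ('route' in server.conf, 'iroute' in ccd files). Netmask defaults to
# 255.255.255.255 as OpenVPN does. push "route ..." lines start with
# 'push', so they are skipped, as are comments.
_routes() {
    kw=$1; shift
    awk -v kw="$kw" '$1 == kw && NF >= 2 { print $2, (NF >= 3 ? $3 : "255.255.255.255") }' "$@" 2>/dev/null
}

# check_iroutes SERVER_CONF CCD_DIR
# Prints NO-CLIENT-TO-CLIENT if that option is absent, and
# "MISSING net mask" for every server route that no ccd file claims with an
# iroute. Prints nothing when the config is consistent.
check_iroutes() {
    conf=$1; ccd=$2
    grep -q '^[[:space:]]*client-to-client' "$conf" || echo "NO-CLIENT-TO-CLIENT"
    _routes route "$conf" | while read -r net mask; do
        _routes iroute "$ccd"/* | grep -qxF "$net $mask" || echo "MISSING $net $mask"
    done
}

# make_sample DIR: constructed hub config modelled on the thread's
# sitelink.conf, with a ccd file (named after the assumed client CN) for
# the first spoke only, so the second route has no iroute.
make_sample() {
    mkdir -p "$1/ccd"
    cat > "$1/server.conf" <<'EOF'
port 1194
proto udp
dev tun
server 172.16.1.0 255.255.255.0
client-config-dir ccd
route 192.168.10.0 255.255.255.0
route 192.168.20.0 255.255.255.0
push "route 192.168.2.0 255.255.255.0"
push "route 192.168.10.0 255.255.255.0"
push "route 192.168.20.0 255.255.255.0"
EOF
    echo 'iroute 192.168.10.0 255.255.255.0' > "$1/ccd/router-clia.mydomain.com"
}

# Stand-alone run: reports NO-CLIENT-TO-CLIENT and MISSING 192.168.20.0 ...
tmp=$(mktemp -d)
make_sample "$tmp"
check_iroutes "$tmp/server.conf" "$tmp/ccd"
rm -rf "$tmp"
```

Against a real hub, `check_iroutes /etc/openvpn/sitelink.conf /etc/openvpn/sitelink/client-config` is the call. One caveat worth weighing before adding client-to-client: the OpenVPN manual states that with it the server routes client-to-client traffic internally rather than passing it to the tun interface, and advises against it when you want to firewall tunnel traffic with per-client rules. For the original poster's stated plan of later blocking certain ports between VPN client subnets, that means spoke-to-spoke packets switched by client-to-client would never reach Shorewall on tun0, whereas the routeback approach keeps them in netfilter where the vpn-to-vpn policy and rules can see them.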
Gilson Soares
2008-Mar-28 02:22 UTC
Re: Hub/Spoke OpenVPN can't communicate from Client A to Client B - FORWARD:REJECT:IN=tun0 OUT=tun0
On 3/27/08, Tom Eastep <teastep@shorewall.net> wrote:
> Gilson Soares wrote:
> > It's missing the "client-to-client" option in your OpenVPN
> > configuration.
>
> client-to-client is only applicable to bridged configurations -- the OP
> is using a routed OpenVPN setup.
>
> -Tom

Not true. I just reproduced this. I commented out "client-to-client" and a branch office no longer pings another branch. Enabling it, the ping works again.

--
Gilson Soares
Network and Security Management
Kobold Gestora de Fundos Ltda