Hi,

I have a basic network with Shorewall 4.08. It has one public interface, one corp, one dmz and one tun+ for OpenVPN. I masq the corp and dmz interfaces for internet access. The VPN users have access to the internal machines but now I need to give them a full tunnel so all traffic goes out through the VPN connection. I set up the redirect-gateway option in OpenVPN and I see the client gets the new routes/gateway. The problem is the VPN clients can't access the internet. I suspect I just need to masq the tun+ interface but I want to make sure.

Here is the interface file:

    #ZONE   INTERFACE   BROADCAST   OPTIONS
    net     eth0        detect      routefilter,tcpflags,logmartians,nosmurfs
    corp    eth1        detect      tcpflags,nosmurfs
    dmz     eth2        detect      tcpflags,nosmurfs
    road    tun+

Here is the tunnels file:

    openvpnserver:tcp:1194   net   0.0.0.0/0

And the masq file:

    #INTERFACE   SOURCE   ADDRESS   PROTO   PORT(S)   IPSEC   MARK
    eth0         eth1
    eth0         eth2

Should I change the masq file to:

    #INTERFACE   SOURCE   ADDRESS   PROTO   PORT(S)   IPSEC   MARK
    eth0         eth1
    eth0         eth2
    eth0         tun+

Thanks,
Pete

-------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for just about anything Open Source.
http://sourceforge.net/services/buy/index.php
Pete wrote:
> I set up the redirect-gateway option in OpenVPN and I see the client gets
> the new routes/gateway. The problem is the VPN clients can't access the
> internet. I suspect I just need to masq the tun+ interface but I want to
> make sure.

You need to masq tun+ and have a vpn->net policy of ACCEPT (or suitable rules).

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Thanks! I added the following to the masq file:

    eth0   tun+

And ran the check config, said all was good. I then restarted and there was an error. Sorry, I failed to get the error (I panicked). Should I do something like:

    eth0   10.10.21.0/24

10.10.21.0 is the VPN client subnet. The policy is in place to allow traffic.

Pete

-----Original Message-----
From: shorewall-users-bounces@lists.sourceforge.net [mailto:shorewall-users-bounces@lists.sourceforge.net] On Behalf Of Tom Eastep
Sent: Thursday, June 19, 2008 9:50 AM
To: Shorewall Users
Subject: Re: [Shorewall-users] OpenVPN redirect-gateway not working
Pete wrote:
> Thanks! I added the following to the masq file
> eth0 tun+
>
> And ran the check config, said all was good. I then restarted and there was
> an error. Sorry, I failed to get the error (I panicked). Should I do
> something like:
> eth0 10.10.21.0/24
>
> 10.10.21.0 is the VPN client subnet. The policy is in place to allow

Yes.

-Tom
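As an added illustration (my own script, not Shorewall's code and not from this thread) of what the masq entry Tom just confirmed amounts to: the function below renders a Shorewall masq line (INTERFACE SOURCE [ADDRESS]) as the iptables POSTROUTING rule it stands for, so the NAT scope can be checked before a restart. It prints the command rather than running it, so no root is needed. The refusal of a wildcard SOURCE such as tun+ is my reading of the masq documentation (an interface named in SOURCE has to be an existing, up interface whose routes can be read); it is an assumption about why the restart failed, not the error text Pete saw. The 203.0.113.10 address in the usage note is a constructed value.

```shell
#!/bin/sh
# Added example, not from the thread: render one Shorewall masq entry
# (INTERFACE SOURCE [ADDRESS]) as the iptables POSTROUTING rule it stands for.
# Prints the command instead of executing it, so it runs without root.
# The wildcard check reflects my reading of the masq docs (assumption):
# an interface given as SOURCE must be a real, up interface whose routes
# can be read, so "tun+" has no subnet to resolve.

masq_rule() {
  iface=$1; src=$2; address=${3:--}
  case $src in
    *+*)
      echo "error: SOURCE '$src' is a wildcard, not an interface whose subnet can be read; give the client subnet instead" >&2
      return 1 ;;
    */*)
      src_net=$src ;;          # an explicit subnet is used as-is
    *)
      # a bare interface name: take the first subnet routed out of it
      # (only works on the host where that interface is up)
      src_net=$(ip -o -4 route show dev "$src" 2>/dev/null | awk '$1 ~ /\// { print $1; exit }')
      if [ -z "$src_net" ]; then
        echo "error: no subnet found for interface $src (is it up?)" >&2
        return 1
      fi ;;
  esac
  # Without an ADDRESS column Shorewall masquerades; with one it SNATs to it.
  if [ "$address" = - ]; then
    echo "iptables -t nat -A POSTROUTING -s $src_net -o $iface -j MASQUERADE"
  else
    echo "iptables -t nat -A POSTROUTING -s $src_net -o $iface -j SNAT --to-source $address"
  fi
}

# Pete's working entry, then the wildcard form his restart rejected
masq_rule eth0 10.10.21.0/24
masq_rule eth0 tun+ || :
```

Limiting the SOURCE to the client subnet (10.10.21.0/24) rather than "everything arriving on the tunnel" keeps the NAT rule as narrow as the policy that allows the traffic; `masq_rule eth0 10.10.21.0/24 203.0.113.10` shows the SNAT form for a fixed public address.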
Thanks! That worked.

One last question if I may. I have the following subnets:

    10.10.10.0   dmz
    10.10.20.0   corp
    10.10.21.0   vpn1
    10.10.22.0   vpn2

I need a rule that prevents the vpn2 subnet from accessing the other 3 subnets except the DNS server on 10.10.10.111 and the ability to go out the gateway to the internet. Vpn2 users are basically using us as a gateway to the net.

Thanks,
Pete

-----Original Message-----
From: shorewall-users-bounces@lists.sourceforge.net [mailto:shorewall-users-bounces@lists.sourceforge.net] On Behalf Of Tom Eastep
Sent: Thursday, June 19, 2008 11:55 AM
To: Shorewall Users
Subject: Re: [Shorewall-users] OpenVPN redirect-gateway not working
Pete wrote:
> Thanks! That worked.
>
> One last question if I may. I have the following subnets:
> 10.10.10.0 dmz
> 10.10.20.0 corp
> 10.10.21.0 vpn1
> 10.10.22.0 vpn2
>
> I need a rule that prevents the vpn2 subnet from accessing the other 3

That's not a rule -- that is three policies:

    vpn2   dmz    REJECT   info
    vpn2   corp   REJECT   info
    vpn2   vpn1   REJECT   info

> subnets except the DNS server on 10.10.10.111 and the ability to go out the
> gateway to the internet.

And that is a policy and a rule:

    vpn2   net   ACCEPT

and

    DNS/ACCEPT   vpn2   dmz:10.10.10.111

You might be able to reduce the four policies to two depending on if there are other zones:

    vpn2   net   ACCEPT
    vpn2   all   REJECT   info

in that order.

-Tom
Humm, vpn1 and vpn2 are just subnets on the "road" zone which is the tun+ adaptor. They are not defined anywhere. Can I create 2 road zones and somehow tie them to the subnets rather than the adaptor?

Thanks,
Pete

-----Original Message-----
From: shorewall-users-bounces@lists.sourceforge.net [mailto:shorewall-users-bounces@lists.sourceforge.net] On Behalf Of Tom Eastep
Sent: Friday, June 20, 2008 10:50 AM
To: Shorewall Users
Subject: Re: [Shorewall-users] OpenVPN redirect-gateway not working
Pete wrote:
> Humm, vpn1 and vpn2 are just subnets on the "road" zone which is the tun+
> adaptor. They are not defined anywhere. Can I create 2 road zones and
> somehow tie them to the subnets rather than the adaptor?

Try this in your /etc/shorewall/hosts file:

    vpnA   vpn+:10.10.21.0/24
    vpnB   vpn+:10.10.22.0/24

and in your zones file:

    vpnA:net   ipv4
    vpnB:net   ipv4

Note the A & B instead of 1 & 2, due to the naming of chains created by shorewall - you don't want to be looking at a chain called vpn22net and wondering where vpn22 is! :-)

Paul
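To see how Tom's policy ordering and DNS rule behave once the two VPN subnets are split into Paul's vpnA/vpnB zones, here is an added simulator (my own script, not Shorewall's code and not from this thread). It classifies a source and destination address into zones the way the hosts file does, then applies Shorewall's evaluation order: the rules table first, then the policies table in file order, first match wins, with traffic that matches nothing dropped. The zone names are Paul's, the subnets and the DNS server 10.10.10.111 are Pete's, Tom's DNS/ACCEPT macro is expanded into its udp and tcp port 53 entries, and the traffic samples are constructed. The script keys on subnet alone; in a real hosts file the interface part of each entry has to name the interface carrying the tunnel, which in Pete's interfaces file is tun+.

```shell
#!/bin/sh
# Added example, not from the thread: a first-match simulator for the
# hosts/rules/policy entries discussed above. Zone names vpnA/vpnB are
# Paul's, the subnets are Pete's; the traffic samples are constructed.

# hosts-style table: ZONE CIDR (addresses matching no entry fall into "net")
HOSTS='
vpnA 10.10.21.0/24
vpnB 10.10.22.0/24
dmz  10.10.10.0/24
corp 10.10.20.0/24
'
# rules-style table, consulted before policies: ACTION SRCZONE DSTZONE DSTIP PROTO DPORT
# (Tom's DNS/ACCEPT macro expanded to its udp and tcp port 53 entries)
RULES='
ACCEPT vpnB dmz 10.10.10.111 udp 53
ACCEPT vpnB dmz 10.10.10.111 tcp 53
'
# policy-style table, in file order: SRCZONE DSTZONE ACTION [LOGLEVEL]
# "vpnB net ACCEPT" must precede "vpnB all REJECT" or it is never reached
POLICIES='
vpnB net ACCEPT
vpnB all REJECT info
vpnA all ACCEPT
'

ip2int() {                       # dotted quad -> unsigned 32-bit integer
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_cidr() {                      # in_cidr IP CIDR -> true if IP lies in CIDR
  cidr_net=${2%/*}; bits=${2#*/}
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$cidr_net") & mask )) ]
}

zone_of() {                      # zone_of IP -> zone from HOSTS, else "net"
  found=
  while read -r zone cidr; do
    if [ -n "$zone" ] && in_cidr "$1" "$cidr"; then found=$zone; break; fi
  done <<EOF
$HOSTS
EOF
  echo "${found:-net}"
}

chain_name() {                   # Shorewall names the src->dst chain SRC2DST
  printf '%s2%s\n' "$1" "$2"
}

# decide SRCIP DSTIP PROTO DPORT -> "ACTION CHAIN source"
# rules before policies, first match wins in each; no match at all = DROP
decide() {
  src=$(zone_of "$1"); dst=$(zone_of "$2"); chain=$(chain_name "$src" "$dst")
  while read -r action rsrc rdst rip rproto rport; do
    if [ "$rsrc" = "$src" ] && [ "$rdst" = "$dst" ] && [ "$rip" = "$2" ] \
       && [ "$rproto" = "$3" ] && [ "$rport" = "$4" ]; then
      echo "$action $chain rule"; return 0
    fi
  done <<EOF
$RULES
EOF
  while read -r psrc pdst paction plevel; do
    if { [ "$psrc" = "$src" ] || [ "$psrc" = all ]; } \
       && { [ "$pdst" = "$dst" ] || [ "$pdst" = all ]; }; then
      echo "$paction $chain policy"; return 0
    fi
  done <<EOF
$POLICIES
EOF
  echo "DROP $chain default"
}

# constructed samples: a vpnB client doing DNS, SSH into corp, HTTPS out
decide 10.10.22.5 10.10.10.111 udp 53
decide 10.10.22.5 10.10.20.7 tcp 22
decide 10.10.22.5 8.8.8.8 tcp 443
```

Swapping the two vpnB policy lines makes the HTTPS sample come back REJECT, which is the ordering point Tom makes; `chain_name vpn2 net` yields vpn22net, the ambiguity Paul's A/B naming avoids.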