# shorewall version
4.0.15

I'd like some advice, please.

Aim: to route packets between two Shorewall systems with an OpenVPN connection between them, and to use the public IP addresses of each system to do so.

Situation: I have a point to point OpenVPN between two Shorewall servers using tun addresses 172.16.92.1 and .2. I want packets from SystemA that are addressed to the external address of SystemB to be routed via the VPN.

What I have done:

DNAT all vpn:172.16.92.2 all - - $SystemB_ExtIP

That works fine when the VPN is already established; however, it prevents the VPN from being established in the first place (presumably because the packets sent to establish the VPN are being DNAT'd to a currently unavailable address).

Maybe I'm missing something obvious, or maybe I'm going about this the wrong way. I'd be grateful for others' ideas.

Thank you.

------------------------------------------------------------------------------
OpenSolaris 2009.06 is a cutting edge operating system for enterprises looking to deploy the next generation of Solaris that includes the latest innovations from Sun and the OpenSource community. Download a copy and enjoy capabilities such as Networking, Storage and Virtualization. Go to: http://p.sf.net/sfu/opensolaris-get
Keith Edmunds wrote:
> # shorewall version
> 4.0.15
>
> I'd like some advice, please.
>
> Aim: to route packets between two Shorewall systems with an OpenVPN
> connection between them, and to use the public IP addresses of each system
> to do so.
>
> Situation: I have a point to point OpenVPN between two Shorewall servers
> using tun addresses 172.16.92.1 and .2. I want packets from SystemA that
> are addressed to the external address of SystemB to be routed via the VPN.
>
> What I have done:
>
> DNAT all vpn:172.16.92.2 all - - $SystemB_ExtIP
>
> That works fine when the VPN is already established; however, it prevents
> the VPN from being established in the first place (presumably because the
> packets sent to establish the VPN are being DNAT'd to a currently
> unavailable address).
>
> Maybe I'm missing something obvious, or maybe I'm going about this the
> wrong way. I'd be grateful for others' ideas.

Precede that DNAT rule with:

NONAT $FW net:$SystemB_ExtIP udp 1194

That of course assumes that your OpenVPN tunnel uses UDP port 1194.

Beware that this setup will essentially prevent any traffic to SystemB when OpenVPN is down.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
> NONAT $FW net:$SystemB_ExtIP udp 1194
> That of course assumes that your OpenVPN tunnel uses UDP port 1194.
> Beware that this setup will essentially prevent any traffic to SystemB when OpenVPN is down.

Not a Shorewall issue per se, but I used 6 boxes running OpenVPN and Shorewall in a hub-spoke configuration. If I wanted to talk to individual routers I did so via IP routing on different subnets and used client-config-dir to push the routes to each other router (in case a particular router had more than one subnet hanging off it). So everything was accessed using internal IP addresses with traffic being routed over the VPN; imho that's a simpler and cleaner way of doing things.

Regards
Chris
Chris wrote:
> Not a Shorewall issue per se, but I used 6 boxes running OpenVPN and
> Shorewall in a hub-spoke configuration. If I wanted to talk to individual
> routers I did so via IP routing on different subnets and used
> client-config-dir to push the routes to each other router (in case a
> particular router had more than one subnet hanging off it). So everything was
> accessed using internal IP addresses with traffic being routed over the VPN;
> imho that's a simpler and cleaner way of doing things.

Sorry, but I'm unclear; is there a question/problem hidden in there somewhere?

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
>> Not a Shorewall issue per se, but I used 6 boxes running OpenVPN and
>> Shorewall in a hub-spoke configuration. If I wanted to talk to
>> individual routers I did so via IP routing on different subnets and
>> used client-config-dir to push the routes to each other router (in
>> case a particular router had more than one subnet hanging off it). So
>> everything was accessed using internal IP addresses with traffic being
>> routed over the VPN; imho that's a simpler and cleaner way of doing things.
> Sorry, but I'm unclear; is there a question/problem hidden in there somewhere?

Hi Tom, no it's not a problem. I was just stating that if you want to access the other router over the VPN tunnel, in my opinion it's better to use the internal router's IP address and set up the appropriate routes on each box. I was a little confused with the NAT rule, to be honest.

Regards
Chris
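The hub-and-spoke alternative Chris describes, written out as an added example (constructed here; it is neither Chris's configuration nor anything from the OpenVPN project): the hub's server.conf learns which spoke owns which LAN from per-client `iroute` entries in `client-config-dir`, and each spoke is pushed the other spokes' LANs, so every box is reached by its internal address and the traffic is routed through the tunnel. The hostnames routerB and routerC, the LANs 10.2.0.0/24 and 10.3.0.0/24, the file paths and the tunnel network 172.16.92.0/24 are assumptions; the ccd file names must match the common name in each spoke's certificate.

```text
# hub: /etc/openvpn/server.conf (excerpt; constructed example)
dev tun
server 172.16.92.0 255.255.255.0      # tunnel addresses handed out to the spokes
client-config-dir /etc/openvpn/ccd    # one file per spoke, named after its cert CN
client-to-client                      # let spokes reach each other via the hub
# kernel routes on the hub for each spoke's LAN, pointing into the tunnel;
# the matching iroute in the ccd file tells OpenVPN which spoke owns it
route 10.2.0.0 255.255.255.0
route 10.3.0.0 255.255.255.0

# hub: /etc/openvpn/ccd/routerB
iroute 10.2.0.0 255.255.255.0         # 10.2.0.0/24 lives behind routerB
push "route 10.3.0.0 255.255.255.0"   # routerB reaches routerC's LAN through the tunnel

# hub: /etc/openvpn/ccd/routerC
iroute 10.3.0.0 255.255.255.0         # 10.3.0.0/24 lives behind routerC
push "route 10.2.0.0 255.255.255.0"   # routerC reaches routerB's LAN through the tunnel
```

The routes are pushed from each spoke's own ccd file rather than globally so that a spoke is never handed a tunnel route for its own LAN. One point to decide deliberately: with `client-to-client`, spoke-to-spoke packets are switched inside the hub's OpenVPN process and never pass through the hub's kernel, so Shorewall on the hub does not see or filter them; drop `client-to-client` and keep the `route` lines if the hub's firewall is meant to police traffic between spokes.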
On Wed, 03 Jun 2009 07:35:13 -0700, teastep@shorewall.net said:
> Precede that DNAT rule with:
>
> NONAT $FW net:$SystemB_ExtIP udp 1194

Thanks Tom, very much appreciated.

Chris: I think I understand what you are saying, but the whole point of my question was to enable traffic addressed to the remote end *public* address to be routed via the VPN.

Keith
I asked recently about routing packets via OpenVPN with the packets addressed to the public address of the remote end, and I wanted to know how to stop the packets that would establish the VPN from being routed over the as-yet non-existent VPN. Tom helpfully suggested:

NONAT $FW net:$SystemB_ExtIP udp 1194
DNAT all vpn:172.16.92.2 all - - $SystemB_ExtIP

That worked (thanks), and all packets originating in the LOC and DMZ of the firewall are routed over the VPN. However, if I ping SystemB_ExtIP from the firewall itself, the packet is routed over the VPN correctly but has a source address of the external IP whereas it needs to have a source address of the VPN. In other words, packets that originate on the firewall and that are destined for the public address of SystemB need to have their source IP set to 172.16.92.1.

I hope I have been clear in my description of the problem. What do I need to do to achieve the desired result?

Thanks,
Keith

------------------------------------------------------------------------------
Are you an open source citizen? Join us for the Open Source Bridge conference! Portland, OR, June 17-19. Two days of sessions, one day of unconference: $250. Need another reason to go? 24-hour hacker lounge. Register today! http://ad.doubleclick.net/clk;215844324;13503038;v?http://opensourcebridge.org
Keith Edmunds wrote:
> However, if I ping SystemB_ExtIP from the firewall itself, the packet
> is routed over the VPN correctly but has a source address of the
> external IP whereas it needs to have a source address of the VPN. In
> other words, packets that originate on the firewall and that are
> destined for the public address of SystemB need to have their source
> IP set to 172.16.92.1.
>
> I hope I have been clear in my description of the problem. What do I
> need to do to achieve the desired result?

With Shorewall, rewriting of the source IP address in outgoing connections is governed by /etc/shorewall/masq:

<interface>:<dst IP>   <incorrect src IP>   <correct src IP>

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
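The whole setup the thread arrives at, collected into one place as an added example (constructed here, not Keith's configuration and not from the Shorewall project): the NONAT/DNAT pair from Tom's first answer in /etc/shorewall/rules and the source-rewrite entry from his second answer in /etc/shorewall/masq, with the zone and interface definitions they depend on. `$FW`, `SystemB_ExtIP`, the tunnel addresses 172.16.92.1/.2 and UDP 1194 come from the thread; the zone names, the interface names eth0/eth1/eth2/tun0, the variable `FW_ExtIP` and the address values in params are assumptions (documentation ranges).

```text
# /etc/shorewall/params  (constructed values; substitute your own)
SystemB_ExtIP=203.0.113.2    # public address of SystemB (name from the thread)
FW_ExtIP=198.51.100.1        # public address of this firewall (assumed name)

# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
dmz     ipv4
vpn     ipv4

# /etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST
net     eth0        detect
loc     eth1        detect
dmz     eth2        detect
vpn     tun0        detect

# /etc/shorewall/rules
#ACTION SOURCE  DEST                PROTO  DEST     SOURCE   ORIGINAL
#                                          PORT(S)  PORT(S)  DEST
# 1. The tunnel's own packets must reach SystemB's public address directly.
#    This line has to come before the DNAT, or the tunnel can never come up.
NONAT   $FW     net:$SystemB_ExtIP  udp    1194
# 2. Everything else addressed to SystemB's public address goes into the tunnel.
#    SOURCE "all" includes $FW, so the firewall's own traffic is rewritten too,
#    which is why the masq entry below is needed.
DNAT    all     vpn:172.16.92.2     all    -        -        $SystemB_ExtIP

# /etc/shorewall/masq
#INTERFACE          SOURCE      ADDRESS
# Packets the firewall originates still carry its external IP as source after
# the DNAT; rewrite that to the tunnel address. Source NAT is applied after the
# destination rewrite, so the destination to match here is the tunnel peer.
tun0:172.16.92.2    $FW_ExtIP   172.16.92.1
```

After `shorewall check` and `shorewall restart`, `shorewall show nat` lists the nat table, where the NONAT exemption for UDP 1194 should appear above the DNAT entry and the SNAT to 172.16.92.1 should appear on tun0. The NONAT line is kept as narrow as possible (only the firewall itself, only the tunnel port) so that nothing but the tunnel's own traffic leaves in the clear. Tom's caveat still applies: while the tunnel is down, all other traffic for SystemB's public address is rewritten towards a dead tun0, so tunnel state should be monitored as the reachability of SystemB.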