Hi list,

I have a firewall setup where I have installed an openvpn server with multiple clients. VPN establishment and client <-> server communication work well, but now I want to allow client <-> client talk. Since I see that the fw shows me on the logs "Shorewall:FORWARD:REJECT:IN=tap0 OUT=tap0 ...and so on...", I added a policy: vpn vpn ACCEPT. Shorewall correctly creates the chain vpn2vpn, but on vpn_frwd it "forgot" to add the rule for the inter-vpn traffic! If I create it by myself with the rule "iptables -A vpn_frwd -o tap+ -j vpn2vpn", all works like a charm.

Is this a shorewall problem or am I wrong somewhere?

Thanks,
Michele

My conf on fw:
- zones: vpn ipv4
- interfaces: vpn tap+ detect
- policy: vpn vpn ACCEPT

------------------------------------------------------------------------------
ThinkGeek and WIRED's GeekDad team up for the Ultimate GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the lucky parental unit. See the prize list and enter to win: http://p.sf.net/sfu/thinkgeek-promo
On Monday, June 21, 2010, 12:15:02, Michele Petrazzo - Unipex wrote:

> Is this a shorewall problem or am I wrong somewhere?

Check out the client-to-client option in OpenVPN's server config file, and the routeback interface option in shorewall's interfaces file.

--
< Jernej Simončič ><><><><>< http://eternallybored.org/ >

The bigger they are, the harder it is to see your shoes.
-- Dolly Parton's Principle

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Michele Petrazzo - Unipex
2010-Jun-21 11:33 UTC
Re: openvpn multiple clients inter-routing
Jernej Simončič wrote:
> On Monday, June 21, 2010, 12:15:02, Michele Petrazzo - Unipex wrote:
>
>> Is this a shorewall problem or am I wrong somewhere?
>
> Check out the client-to-client option in OpenVPN's server config file,

already done

> and the routeback interface option in shorewall's interfaces file.

yes! it was!

Thanks,
Michele
On 6/21/10 4:33 AM, Michele Petrazzo - Unipex wrote:
> Jernej Simončič wrote:
>> On Monday, June 21, 2010, 12:15:02, Michele Petrazzo - Unipex wrote:
>>
>>> Is this a shorewall problem or am I wrong somewhere?
>>
>> Check out the client-to-client option in OpenVPN's server config file,
>
> already done
>
>> and the routeback interface option in shorewall's interfaces file.
>
> yes! it was!
>
> Thanks,
> Michele

What Shorewall version are you running? Do you have your vpn setup in the interfaces file as well?
Michele Petrazzo - Unipex
2010-Jun-22 06:49 UTC
Re: openvpn multiple clients inter-routing
Keith Mitchell wrote:
> What Shorewall version are you running?

Latest from the debian repo: 4.4.10.1

> Do you have your vpn setup in the interfaces file as well?

No. Or better, no more than creating the entry vpn into "interfaces" as said.

Michele
On 6/21/10 11:49 PM, Michele Petrazzo - Unipex wrote:
> Keith Mitchell wrote:
>> What Shorewall version are you running?
>
> Latest from the debian repo: 4.4.10.1
>
>> Do you have your vpn setup in the interfaces file as well?
>
> No. Or better, no more than creating the entry vpn into "interfaces" as said.

We're not making any progress here. Please:

a) Remove the silly vpn->vpn ACCEPT policy (intra-ZONE traffic is always allowed by default).
b) Be sure you have 'routeback' in the tap+ entry in /etc/shorewall/interfaces.
c) Reproduce the problem (REJECT:FORWARD log messages).
d) Forward the output of 'shorewall dump' as an email attachment.

I have almost exactly the same setup and here is my vpn_frwd chain (note the last rule):

Chain vpn_frwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      eth4    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      tun+    0.0.0.0/0            0.0.0.0/0

Thanks,
-Tom
--
Tom Eastep         \ When I die, I want to go like my Grandfather who
Shoreline,          \ died peacefully in his sleep. Not screaming like
Washington, USA      \ all of the passengers in his car
http://shorewall.net  \________________________________________________
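Added example, not part of the thread and not Shorewall project code: a small POSIX shell script that does two of the checks discussed above. hairpin_rejects() scans Shorewall log lines for FORWARD rejects where IN= and OUT= name the same interface (the IN=tap0 OUT=tap0 pattern the original poster saw, which is what a zone interface without 'routeback' produces), and check_routeback() reports whether an /etc/shorewall/interfaces entry carries 'routeback' for a given interface. It assumes the four-column interfaces layout used in the thread (ZONE INTERFACE BROADCAST OPTIONS); the log lines, hostname, timestamps and addresses are constructed sample data, and the interfaces entries are constructed as well.

```sh
#!/bin/sh
# Added example (not from the thread). Helpers for two questions raised above:
#  - are there hairpin rejects (same IN= and OUT= interface) in the log?
#  - does the interfaces entry for a given interface carry 'routeback'?
# Assumes the Shorewall 4.4 interfaces layout: ZONE INTERFACE BROADCAST OPTIONS.

# Constructed sample log lines in the shape the original poster quoted.
# Hostname, timestamps and addresses are made up.
SAMPLE_LOG='Jun 21 12:10:01 fw kernel: Shorewall:FORWARD:REJECT:IN=tap0 OUT=tap0 SRC=10.8.0.6 DST=10.8.0.10 PROTO=ICMP TYPE=8
Jun 21 12:10:05 fw kernel: Shorewall:FORWARD:REJECT:IN=eth0 OUT=tap0 SRC=192.0.2.7 DST=10.8.0.10 PROTO=TCP DPT=22
Jun 21 12:10:09 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=198.51.100.3 DST=203.0.113.1 PROTO=TCP DPT=445'

# Constructed interfaces entries: one with routeback on tap+, one without.
IFACES_WITH='#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags
vpn     tap+        detect      routeback,tcpflags'
IFACES_WITHOUT='#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags
vpn     tap+        detect'

# hairpin_rejects: read log lines on stdin and print those where Shorewall
# rejected or dropped a packet whose IN= and OUT= are the same interface.
# The IN= field is glued to the "Shorewall:CHAIN:DISPOSITION:" prefix, so
# the fields are located with match() on the whole line rather than by token.
hairpin_rejects() {
    awk '
        /Shorewall:[A-Za-z0-9_]+:(REJECT|DROP):/ {
            in_if = ""; out_if = ""
            if (match($0, /IN=[^ ]*/))  in_if  = substr($0, RSTART + 3, RLENGTH - 3)
            if (match($0, /OUT=[^ ]*/)) out_if = substr($0, RSTART + 4, RLENGTH - 4)
            if (in_if != "" && in_if == out_if) print
        }'
}

# count_hairpin_rejects: number of hairpin lines in the sample log.
count_hairpin_rejects() {
    printf '%s\n' "$SAMPLE_LOG" | hairpin_rejects | wc -l | tr -d ' '
}

# check_routeback IFACE: read an interfaces file on stdin and print
# "yes" if IFACE's OPTIONS column lists routeback, "no" if the entry exists
# without it, and "missing" if there is no entry for IFACE at all.
check_routeback() {
    awk -v iface="$1" '
        /^[ \t]*#/ || NF == 0 { next }
        $2 == iface {
            found = 1
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "routeback") rb = 1
        }
        END { if (rb) print "yes"; else if (found) print "no"; else print "missing" }'
}

# Stand-alone run: report on the constructed sample data.
main() {
    echo "hairpin rejects in sample log: $(count_hairpin_rejects)"
    printf '%s\n' "$SAMPLE_LOG" | hairpin_rejects
    echo "tap+ routeback (with):    $(printf '%s\n' "$IFACES_WITH" | check_routeback 'tap+')"
    echo "tap+ routeback (without): $(printf '%s\n' "$IFACES_WITHOUT" | check_routeback 'tap+')"
}

main "$@"
```

On a real firewall the same functions can be fed live data, e.g. `grep Shorewall /var/log/messages | hairpin_rejects` and `check_routeback 'tap+' < /etc/shorewall/interfaces`; a non-empty hairpin list together with "no" from check_routeback is exactly the combination Tom's advice resolves, without any vpn->vpn policy.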