Hello,

I'm trying to set up shorewall to allow traffic from a single host behind
the firewall to a remote network both connected as openvpn clients to an
openvpn-server on the internet.

    |---------------|       |---------------|
    | local         |       | local         |
    | vpn client    | ----- | shorewall     |
    | 191.168.0.159 |       | 192.168.0.1   |
    |---------------|       |---------------|
                                    |
    |---------------|       |---------------|
    | remote        |       | internet      |
    | vpn client    | ----- | vpn server    |
    | 192.168.6.1   |       |               |
    |---------------|       |---------------|

This scenario worked out completely without a running firewall so it
seems not to be a routing problem on the server.

My first approach to get this done was to open the port openvpn needs to
connect to the server and thought that all traffic will use this tunnel
... but this didn't work out. Only the tunnel will be established, but
other traffic seems to be blocked.

    ACCEPT    loc    net    tcp    1202

I've found several explanations to set up a vpn connection having the
openvpn client or server and the shorewall on the same host, but no
information helping me on this issue.

Is someone able to direct me to the solution?

Many thanks in advance.
Markus

------------------------------------------------------------------------------
This SF.net email is sponsored by Sprint
What will you do first with EVO, the first 4G phone?
Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first
On 7/9/10 1:03 AM, Markus Plessing wrote:
> Hello,
>
> I'm trying to set up shorewall to allow traffic from a single
> host behind the firewall to a remote network both connected
> as openvpn clients to an openvpn-server on the internet.
>
>     |---------------|       |---------------|
>     | local         |       | local         |
>     | vpn client    | ----- | shorewall     |
>     | 191.168.0.159 |       | 192.168.0.1   |
>     |---------------|       |---------------|
>                                     |
>     |---------------|       |---------------|
>     | remote        |       | internet      |
>     | vpn client    | ----- | vpn server    |
>     | 192.168.6.1   |       |               |
>     |---------------|       |---------------|
>
> This scenario worked out completely without a running firewall
> so it seems not to be a routing problem on the server.
>
> My first approach to get this done was to open the port openvpn
> needs to connect to the server and thought that all traffic
> will use this tunnel ... but this didn't work out. Only the
> tunnel will be established, but other traffic seems to be blocked.
>
>     ACCEPT    loc    net    tcp    1202
>
> I've found several explanations to set up a vpn connection having
> the openvpn client or server and the shorewall on the same host,
> but no information helping me on this issue.
>
> Is someone able to direct me to the solution?

If the tunnel is being established fully, then the firewall rules are
not the problem; traffic sent through the tunnel is not visible to the
firewall; all the firewall is aware of are the TCP 1202 packets and
responses.

Is the VPN server assigning addresses that are in the 192.168.0.0/24
network? That would account for the results you are seeing (connect the
client box directly to the internet and the tunnel would work; put it
behind the masquerading firewall and it would not work).

-Tom
-- 
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
Markus Plessing
2010-Jul-09 20:20 UTC
Re: Allow openvpn from dedicated host behind firewall
Hi,

Tom Eastep schrieb:
> On 7/9/10 1:03 AM, Markus Plessing wrote:
>> Hello,
>>
>> I'm trying to set up shorewall to allow traffic from a single
>> host behind the firewall to a remote network both connected
>> as openvpn clients to an openvpn-server on the internet.
> [...]
>
> If the tunnel is being established fully, then the firewall rules are
> not the problem; traffic sent through the tunnel is not visible to the
> firewall; all the firewall is aware of are the TCP 1202 packets and
> responses.

This is true according to my test and is the expected behaviour. I'm
glad that I was not wrong with this. :)

> Is the VPN server assigning addresses that are in the 192.168.0.0/24
> network? That would account for the results you are seeing (connect the
> client box directly to the internet and the tunnel would work; put it
> behind the masquerading firewall and it would not work).

Yes, there is masquerading on the network.

The shorewall box is running an openvpn server also; our business
locations are connected by vpn.
There are plenty of interfaces and networks to handle this.

* eth0 and ppp0 to connect the first internet line, dedicated for
  internet access (192.168.2.0, local machine only)
* eth1 and ppp1 to connect the second internet line, dedicated to link
  the business locations (192.168.3.0, local machine only)
* eth2 to connect the local network (192.168.0.0)
* tun0-4 to connect the other business location or home workers
  (192.168.1.0 and home worker tunnels in 10.x.x.x networks ...)

There are only two entries in /etc/shorewall/masq at the moment:

    ppp0    eth2
    ppp1    eth2

The entry in the interfaces file for the local net is as follows:

    loc    eth2    detect    tcpflags,detectnets,nosmurfs,routeback

As I've understood it, the packets with destination 192.168.6.0 are sent
through the established tunnel, but the answers get lost?

Is there a way to get this done with settings of shorewall or am I wrong
here? I'm fairly new to this, sorry.

Will be happy if someone kicks me in the right direction ...

Greetings,
Markus
On 7/9/10 1:20 PM, Markus Plessing wrote:
> Hi,
>
> Tom Eastep schrieb:
>> On 7/9/10 1:03 AM, Markus Plessing wrote:
>>> Hello,
>>>
>>> I'm trying to set up shorewall to allow traffic from a single
>>> host behind the firewall to a remote network both connected
>>> as openvpn clients to an openvpn-server on the internet.
>> [...]
>>
>> If the tunnel is being established fully, then the firewall rules are
>> not the problem; traffic sent through the tunnel is not visible to the
>> firewall; all the firewall is aware of are the TCP 1202 packets and
>> responses.
>
> This is true according to my test and is the expected behaviour. I'm
> glad that I was not wrong with this. :)
>
>> Is the VPN server assigning addresses that are in the 192.168.0.0/24
>> network? That would account for the results you are seeing (connect the
>> client box directly to the internet and the tunnel would work; put it
>> behind the masquerading firewall and it would not work).
>
> Yes, there is masquerading on the network.
>
> The shorewall box is running an openvpn server also; our business
> locations are connected by vpn.
> There are plenty of interfaces and networks to handle this.
>
> * eth0 and ppp0 to connect the first internet line, dedicated for
>   internet access (192.168.2.0, local machine only)
> * eth1 and ppp1 to connect the second internet line, dedicated to link
>   the business locations (192.168.3.0, local machine only)
> * eth2 to connect the local network (192.168.0.0)
> * tun0-4 to connect the other business location or home workers
>   (192.168.1.0 and home worker tunnels in 10.x.x.x networks ...)
>
> There are only two entries in /etc/shorewall/masq at the moment:
>
>     ppp0    eth2
>     ppp1    eth2
>
> The entry in the interfaces file for the local net is as follows:
>
>     loc    eth2    detect    tcpflags,detectnets,nosmurfs,routeback

Forget the Shorewall configuration; it is not relevant! Once the
connection is made, the only thing that is relevant is the IP
configuration and routing.

a) What IP address is being assigned to the client by the VPN server?
b) What does the routing table on the client look like when the VPN is
   connected?
c) What does the routing table look like at the remote client machine
   (192.168.6.1)?

> As I've understood it, the packets with destination 192.168.6.0 are sent
> through the established tunnel, but the answers get lost?

I don't have enough information yet to even guess.

> Is there a way to get this done with settings of shorewall or am I wrong
> here?

Again -- once the connection is made, the Shorewall configuration is not
relevant. This isn't a Shorewall issue and cannot be solved with Shorewall.

-Tom
Markus Plessing
2010-Jul-12 10:20 UTC
Re: Allow openvpn from dedicated host behind firewall
Hi,

Tom Eastep schrieb:
> On 7/9/10 1:20 PM, Markus Plessing wrote:
>> Hi,
>>
>> Tom Eastep schrieb:
>>> On 7/9/10 1:03 AM, Markus Plessing wrote:
>>>> Hello,
>>>>
>>>> I'm trying to set up shorewall to allow traffic from a single
>>>> host behind the firewall to a remote network both connected
>>>> as openvpn clients to an openvpn-server on the internet.
>>> [...]
>>>
>>> If the tunnel is being established fully, then the firewall rules are
>>> not the problem; traffic sent through the tunnel is not visible to the
>>> firewall; all the firewall is aware of are the TCP 1202 packets and
>>> responses.
>> [...]
>
> Forget the Shorewall configuration; it is not relevant! Once the
> connection is made, the only thing that is relevant is the IP
> configuration and routing.
>
> a) What IP address is being assigned to the client by the VPN server?

Some extracted output from openvpn:

    ifconfig_local = '10.8.2.2'
    ifconfig_remote_netmask = '10.8.2.1'
    route 192.168.6.0/255.255.255.0/nil/nil
    /sbin/ifconfig tun0 10.8.2.2 pointopoint 10.8.2.1 mtu 1500
    /sbin/route add -net 192.168.6.0 netmask 255.255.255.0 gw 10.8.2.1

> b) What does the routing table on the client look like when the VPN is
>    connected?

Routes of the host running the vpn-client:

    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    10.8.2.1        *               255.255.255.255 UH    0      0        0 tun0
    192.168.6.0     10.8.2.1        255.255.255.0   UG    0      0        0 tun0
    192.168.0.0     *               255.255.255.0   U     1      0        0 eth0
    link-local      *               255.255.0.0     U     1000   0        0 eth0
    default         192.168.0.1     0.0.0.0         UG    0      0        0 eth0

> c) What does the routing table look like at the remote client machine
>    (192.168.6.1)?

Routes of the openvpn server:

    10.11.2.2       *               255.255.255.255 UH    0      0        0 tun0
    10.10.2.2       *               255.255.255.255 UH    0      0        0 tun1
    81.169.183.1    *               255.255.255.255 UH    0      0        0 eth0
    10.8.2.2        *               255.255.255.255 UH    0      0        0 tun2
    192.168.6.0     10.10.2.2       255.255.255.0   UG    0      0        0 tun1
    192.168.1.0     10.11.2.2       255.255.255.0   UG    0      0        0 tun0
    192.168.0.0     10.8.2.2        255.255.255.0   UG    0      0        0 tun2
    default         81.169.183.1    0.0.0.0         UG    0      0        0 eth0

Routes of the gateway of the destination network:

    10.10.2.1       *               255.255.255.255 UH    0      0        0 tun0
    192.168.6.0     *               255.255.255.0   U     0      0        0 br0
    10.11.2.0       10.10.2.1       255.255.255.0   UG    0      0        0 tun0
    92.250.155.0    *               255.255.255.0   U     0      0        0 vlan1
    default         1.a2c-250-155.a 0.0.0.0         UG    0      0        0 vlan1

Some sort of horrible configuration, but as said, it worked out from
within the network of the other business location (192.168.1.0).

The routes of the host with the working connection are:

    10.11.2.1       *               255.255.255.255 UH    0      0        0 tun0
    192.168.6.0     10.11.2.1       255.255.255.0   UG    0      0        0 tun0
    10.10.2.0       10.11.2.1       255.255.255.0   UG    0      0        0 tun0
    192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
    default         192.168.1.1     0.0.0.0         UG    0      0        0 eth0

The router of the network which the working client resides in is a
two-interface router with one ppp connection and one tunnel to connect
our network. This router is iptables secured.

>> As I've understood it, the packets with destination 192.168.6.0 are sent
>> through the established tunnel, but the answers get lost?
>
> I don't have enough information yet to even guess.

Is there a chance to guess now? My brain is totally fried.

>> Is there a way to get this done with settings of shorewall or am I wrong
>> here?
>
> Again -- once the connection is made, the Shorewall configuration is not
> relevant. This isn't a Shorewall issue and cannot be solved with Shorewall.

Ok, no shorewall issue, but hopeful that someone lightens things up.

> -Tom

Thanks in advance.
Markus
On 7/12/10 3:20 AM, Markus Plessing wrote:
> Hi,
>
> Tom Eastep schrieb:
>> On 7/9/10 1:20 PM, Markus Plessing wrote:
>>> Hi,
>>>
>>> Tom Eastep schrieb:
>>>> On 7/9/10 1:03 AM, Markus Plessing wrote:
>>>>> Hello,
>>>>>
>>>>> I'm trying to set up shorewall to allow traffic from a single
>>>>> host behind the firewall to a remote network both connected
>>>>> as openvpn clients to an openvpn-server on the internet.
>>>> [...]
>>>>
>>>> If the tunnel is being established fully, then the firewall rules are
>>>> not the problem; traffic sent through the tunnel is not visible to the
>>>> firewall; all the firewall is aware of are the TCP 1202 packets and
>>>> responses.
>>> [...]
>>
>> Forget the Shorewall configuration; it is not relevant! Once the
>> connection is made, the only thing that is relevant is the IP
>> configuration and routing.
>>
>> a) What IP address is being assigned to the client by the VPN server?
>
> Some extracted output from openvpn:
>
>     ifconfig_local = '10.8.2.2'
>     ifconfig_remote_netmask = '10.8.2.1'
>     route 192.168.6.0/255.255.255.0/nil/nil
>     /sbin/ifconfig tun0 10.8.2.2 pointopoint 10.8.2.1 mtu 1500
>     /sbin/route add -net 192.168.6.0 netmask 255.255.255.0 gw 10.8.2.1
>
>> b) What does the routing table on the client look like when the VPN is
>>    connected?
>
> Routes of the host running the vpn-client:
>
>     Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
>     10.8.2.1        *               255.255.255.255 UH    0      0        0 tun0
>     192.168.6.0     10.8.2.1        255.255.255.0   UG    0      0        0 tun0
>     192.168.0.0     *               255.255.255.0   U     1      0        0 eth0
>     link-local      *               255.255.0.0     U     1000   0        0 eth0
>     default         192.168.0.1     0.0.0.0         UG    0      0        0 eth0
>
>> c) What does the routing table look like at the remote client machine
>>    (192.168.6.1)?
>
> Routes of the openvpn server:
>
>     10.11.2.2       *               255.255.255.255 UH    0      0        0 tun0
>     10.10.2.2       *               255.255.255.255 UH    0      0        0 tun1
>     81.169.183.1    *               255.255.255.255 UH    0      0        0 eth0
>     10.8.2.2        *               255.255.255.255 UH    0      0        0 tun2
>     192.168.6.0     10.10.2.2       255.255.255.0   UG    0      0        0 tun1
>     192.168.1.0     10.11.2.2       255.255.255.0   UG    0      0        0 tun0
>     192.168.0.0     10.8.2.2        255.255.255.0   UG    0      0        0 tun2
>     default         81.169.183.1    0.0.0.0         UG    0      0        0 eth0
>
> Routes of the gateway of the destination network:
>
>     10.10.2.1       *               255.255.255.255 UH    0      0        0 tun0
>     192.168.6.0     *               255.255.255.0   U     0      0        0 br0
>     10.11.2.0       10.10.2.1       255.255.255.0   UG    0      0        0 tun0
>     92.250.155.0    *               255.255.255.0   U     0      0        0 vlan1
>     default         1.a2c-250-155.a 0.0.0.0         UG    0      0        0 vlan1

The above gateway has no route to 10.8.2.0/24! So VPN clients assigned an
address in that network cannot access 192.168.6.0/24.

> Some sort of horrible configuration, but as said, it worked out from
> within the network of the other business location (192.168.1.0).
>
> The routes of the host with the working connection are:
>
>     10.11.2.1       *               255.255.255.255 UH    0      0        0 tun0
>     192.168.6.0     10.11.2.1       255.255.255.0   UG    0      0        0 tun0
>     10.10.2.0       10.11.2.1       255.255.255.0   UG    0      0        0 tun0
>     192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
>     default         192.168.1.1     0.0.0.0         UG    0      0        0 eth0

Note that this working client was assigned IP address 10.11.2.1 -- there
*is* a route to that network from the destination network's router.

-Tom
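The return-path check Tom performs by eye above can be automated. The following Python script is an added example for this thread; it is not part of the mailing-list exchange and not Shorewall or OpenVPN project code. It parses the two `route`-style tables Markus posted (copied verbatim as constructed sample input), does a longest-prefix lookup the way the kernel would, and reports whether replies to a given VPN client address would leave the destination gateway through its tunnel interface (tun0, per the table) or fall through to the default route. The client address 10.8.2.2 comes from the openvpn output in the thread; 10.11.2.2 as the working site's tunnel endpoint is inferred from the server's host route on tun0.

```python
import ipaddress

# Constructed sample input: the two tables from the thread, in the column
# layout of `route` / `netstat -rn`. The client table decides the forward
# path; the destination gateway's table decides the return path.
CLIENT_ROUTES = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.2.1        *               255.255.255.255 UH    0      0        0 tun0
192.168.6.0     10.8.2.1        255.255.255.0   UG    0      0        0 tun0
192.168.0.0     *               255.255.255.0   U     1      0        0 eth0
link-local      *               255.255.0.0     U     1000   0        0 eth0
default         192.168.0.1     0.0.0.0         UG    0      0        0 eth0
"""

DEST_GATEWAY_ROUTES = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.10.2.1       *               255.255.255.255 UH    0      0        0 tun0
192.168.6.0     *               255.255.255.0   U     0      0        0 br0
10.11.2.0       10.10.2.1       255.255.255.0   UG    0      0        0 tun0
92.250.155.0    *               255.255.255.0   U     0      0        0 vlan1
default         1.a2c-250-155.a 0.0.0.0         UG    0      0        0 vlan1
"""

# Symbolic destinations that `route` prints when run without -n.
_SYMBOLIC = {"default": "0.0.0.0", "link-local": "169.254.0.0"}


def parse_route_table(text):
    """Parse a route table dump into a list of (network, gateway, iface).

    A '*' gateway is a directly connected route and is stored as None; the
    gateway column is kept as text because it may be a resolved hostname.
    """
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 8 or cols[0] == "Destination":
            continue  # header or blank line
        dest, gw, mask, iface = cols[0], cols[1], cols[2], cols[7]
        dest = _SYMBOLIC.get(dest, dest)
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, None if gw == "*" else gw, iface))
    return routes


def lookup(routes, address):
    """Longest-prefix match: the (network, gateway, iface) the kernel would
    use to reach `address`, or None when nothing (not even default) matches."""
    addr = ipaddress.ip_address(address)
    best = None
    for route in routes:
        net = route[0]
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = route
    return best


def return_path_ok(routes, tunnel_iface, client_addr):
    """True if replies to `client_addr` would leave through `tunnel_iface`.

    When only the default route matches, the reply heads for the internet
    instead of back into the VPN: the request arrives, the answer never
    returns, which is exactly the symptom described in the thread.
    """
    route = lookup(routes, client_addr)
    return route is not None and route[2] == tunnel_iface


def diagnose(gateway_table, tunnel_iface, client_addrs):
    """Map each VPN client address to (reply_goes_via_tunnel, iface_used)."""
    routes = parse_route_table(gateway_table)
    result = {}
    for addr in client_addrs:
        route = lookup(routes, addr)
        result[addr] = (return_path_ok(routes, tunnel_iface, addr),
                        route[2] if route else None)
    return result


if __name__ == "__main__":
    fwd = lookup(parse_route_table(CLIENT_ROUTES), "192.168.6.1")
    print(f"client -> 192.168.6.1 via {fwd[2]} (next hop {fwd[1]})")
    # 10.8.2.2: Markus's client (from the openvpn output). 10.11.2.2: the
    # working site's tunnel endpoint (inferred from the server's routes).
    report = diagnose(DEST_GATEWAY_ROUTES, "tun0", ["10.8.2.2", "10.11.2.2"])
    for addr, (ok, iface) in report.items():
        status = "returns via tunnel" if ok else "MISROUTED"
        print(f"gateway -> {addr}: {status} ({iface})")
```

Running it shows the asymmetry: the client's forward path to 192.168.6.1 is fine (tun0 via 10.8.2.1), but on the destination gateway 10.8.2.2 matches only the default route and would be sent out vlan1, while 10.11.2.2 matches 10.11.2.0/24 and goes back into tun0. The remedy that follows from Tom's diagnosis is a route for 10.8.2.0/24 via the tunnel on that gateway (or an address assignment the gateway already has a route for), not a Shorewall rule; a reply that escapes via the default route is also a reply leaving the site unencrypted, which is worth checking for whenever a VPN prefix is added.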