Hi Guys,

I've read many times, and for several months going back and forth, through all the information Shorewall has for OpenVPN configurations, but this all seems to be for a VPN that is just point to point with one client and one server (home/office, etc.), not an OpenVPN service provider, which is still an OpenVPN implementation but is also more of a VPN proxy...

My problem is I'm using a VPN service, like the many you can find online offering VPN... OpenVPN actually has a VPN service, so does Comodo and many more companies; this is like what I'm using below:

https://www.shieldexchange.com/
http://www.comodo.com/trustconnect/

So when I'm using one of these VPN services I don't need to use any rules, tunnels, or hosts; all I've been using, as far as I can figure out to make this work, is just the interfaces, policy and zones, and everything seems to work ok. But I have one problem I'm trying to understand.

If I'm connected to a VPN and, as an example, downloading with a P2P client for torrents, I see the logs always getting filled up with the IPs of clients on the torrent tracker hitting Shorewall at my DST router IP and being dropped. Or if I place redirect-gateway def1 in one of the openvpn client.conf files, then I see Shorewall dropping again from the SRC IPs of the people on the tracker, but this time going to the DST IP of the gateway.

Either way, why should I even see any of this in the first place? My understanding is that if I'm on a VPN, connected to that, then this is my only IP being broadcast that anyone can see, so when the other torrent clients see that IP coming from the VPN I'm using, those clients, I'm assuming, should be trying to make connections to that, bypassing me and hitting the VPN server for any connectivity and getting either accepted or dropped there. So why, sitting behind a VPN, am I seeing traffic in Shorewall's logs like it was coming to me, hitting my box? This doesn't make sense to me...

Below is the log file from while I was using redirect-gateway def1:
http://pastebin.com/yGHjmb67

In the log I pasted above you'll see DST=10.10.11.18; that is the VPN gateway. Again, I don't get why I am seeing this and why these drops aren't just happening at the server side and not at me... Then if I remove redirect-gateway def1 from the client.conf, then all the DST=192.168.1.3; again, why is Shorewall dropping packets in the first place while on a VPN?

So my whole point I'm trying to ask is, when I'm on a VPN why would I still see Shorewall dropping traffic? Because the traffic should not be seeing me, it should see the VPN, and this is where I'm confused; it's like I'm still there visible when I'm not supposed to be...

I hope there is someone on the mailing list that uses Shorewall with a VPN service that can help me to set up Shorewall correctly, unless it doesn't matter and all the information about OpenVPN and how to set it up is all the same no matter how you use OpenVPN with Shorewall... So besides interfaces, policy and zones, what else should I have set up for a VPN service?

THANKS

------------------------------------------------------------------------------
Get a FREE DOWNLOAD! and learn more about uberSVN rich system, user administration capabilities and model configuration. Take the hassle out of deploying and managing Subversion and the tools developers use with it. http://p.sf.net/sfu/wandisco-d2d-2
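The question above turns on what the dropped log lines actually say. Shorewall logs through netfilter with a prefix of the form Shorewall:chain:DROP: followed by KEY=VALUE fields, and the IN= field records the device the packet arrived on: a packet with IN=tun0 and DST=<tunnel address> was delivered through the tunnel by the VPN server, while IN=eth0 with DST=<LAN address> came in over the local network. The script below is an added example, not Shorewall's code and not the poster's pastebin log: it parses such lines and groups the drops by chain, ingress interface and destination, and by destination port, so the two cases described in the message can be told apart at a glance. The sample lines are constructed; the zone names vpn and net, the interface names, the timestamps and the peer addresses (RFC 5737 documentation ranges) are assumptions, and only the two DST addresses 10.10.11.18 and 192.168.1.3 come from the thread.

```python
"""Group Shorewall (netfilter) DROP/REJECT log lines by chain, ingress
interface and destination address.

Added example for this thread; not Shorewall's code and not the poster's log.
The lines in SAMPLE_LOG are constructed: zone names "vpn"/"net", interface
names, timestamps and peer addresses (RFC 5737 documentation ranges) are
assumptions; only the two DST addresses come from the thread.
"""
import re
from collections import Counter

# Constructed sample log (not the pastebin content from the thread).
SAMPLE_LOG = """\
Aug 21 04:10:01 host kernel: Shorewall:vpn2fw:DROP:IN=tun0 OUT= MAC= SRC=203.0.113.45 DST=10.10.11.18 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=51413 DPT=6881 WINDOW=14600 RES=0x00 SYN URGP=0
Aug 21 04:10:02 host kernel: Shorewall:vpn2fw:DROP:IN=tun0 OUT= MAC= SRC=198.51.100.7 DST=10.10.11.18 LEN=125 TOS=0x00 PREC=0x00 TTL=48 ID=3412 PROTO=UDP SPT=6881 DPT=6881 LEN=105
Aug 21 04:10:03 host kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.45 DST=192.168.1.3 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=51414 DPT=6881 WINDOW=14600 RES=0x00 SYN URGP=0
Aug 21 04:10:04 host kernel: Shorewall:vpn2fw:DROP:IN=tun0 OUT= MAC= SRC=192.0.2.200 DST=10.10.11.18 LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=0 DF PROTO=TCP SPT=40000 DPT=6881 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 21 04:10:05 host kernel: Shorewall:net2fw:ACCEPT:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.1 DST=192.168.1.3 LEN=100 TOS=0x00 PREC=0x00 TTL=64 ID=9 DF PROTO=UDP SPT=53 DPT=42000 LEN=80
"""

# Shorewall's default log prefix is "Shorewall:<chain>:<disposition>:" followed
# by netfilter's KEY=VALUE fields (bare flags such as DF and SYN have no '=').
HEADER_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disposition>[^:\s]+):(?P<fields>.*)")
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return a dict with chain, disposition and the KEY=VALUE fields, or None
    if the line is not a Shorewall log line."""
    match = HEADER_RE.search(line)
    if match is None:
        return None
    entry = {"chain": match.group("chain"), "disposition": match.group("disposition")}
    for key, value in FIELD_RE.findall(match.group("fields")):
        # netfilter prints LEN= twice for UDP (IP total length, then UDP
        # length); keep the first occurrence so LEN is always the IP length.
        entry.setdefault(key, value)
    return entry


def ingress_kind(entry):
    """Where the packet entered: the VPN tunnel device, a physical NIC, or
    locally generated (IN= empty)."""
    iface = entry.get("IN", "")
    if iface.startswith(("tun", "tap")):
        return "tunnel"
    return "physical" if iface else "local"


def _dropped(log_text):
    """Yield parsed entries whose disposition is DROP or REJECT."""
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None and entry["disposition"] in ("DROP", "REJECT"):
            yield entry


def summarize_drops(log_text):
    """Count dropped packets by (chain, ingress interface, DST address)."""
    return Counter((e["chain"], e.get("IN", ""), e.get("DST", "")) for e in _dropped(log_text))


def dropped_ports(log_text):
    """Count dropped packets by (PROTO, DPT): the service the peers were
    trying to reach."""
    return Counter((e.get("PROTO", "?"), e.get("DPT", "?")) for e in _dropped(log_text))


def report(log_text):
    """Print a human-readable breakdown and return the per-destination summary."""
    summary = summarize_drops(log_text)
    for (chain, iface, dst), count in summary.most_common():
        kind = ingress_kind({"IN": iface})
        print(f"{count:4d}  {chain:<10} IN={iface or '-':<6} ({kind}) DST={dst}")
    for (proto, port), count in dropped_ports(log_text).most_common():
        print(f"{count:4d}  {proto}/{port}")
    return summary


if __name__ == "__main__":
    report(SAMPLE_LOG)
```

Run it against a real syslog extract instead of SAMPLE_LOG (for example `report(open("/var/log/messages").read())`) and the first table answers the question in the message: if the big counts sit on the tunnel device with the tunnel address as DST, the peers are reaching the address the VPN server handed out and the server is forwarding their packets down the tunnel, where the vpn-to-fw policy drops them; if they sit on the LAN interface with the LAN address as DST, they are arriving through the home router instead. The second table shows which destination port the peers are aiming at, which is the port the P2P client advertised to the tracker.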
On 21/08/2011 05:24, Das wrote:
> So my whole point I'm trying to ask is, when I'm on a VPN why would I
> still see Shorewall dropping traffic? Because the traffic should not
> be seeing me, it should see the VPN and this is where I'm confused,
> it's like I'm still there visible when I'm not supposed to be...

Random thought, but did you fire up the application BEFORE starting openvpn? Presumably it runs some heuristics to figure out what your public IP address is, and if this were run before you started openvpn then it would be telling your clients the "wrong" address?

Ed W
Hi,

No, I always start the VPN first, then the applications afterwards...

By the this is what I have so far;

Interfaces;
http://pastebin.com/sDm77XrU

Policy;
http://pastebin.com/aN0wa3Nw

Rules;
http://pastebin.com/QLGBBRLG

Even with what I'm using right now, it seems to be working ok. I just realized, at least it seems like, that when I'm going over the VPN, even though the application uses TCP, since the VPN is UDP I need to have that listed in the rules, so you'll see I added it in as tcp,udp, and I noticed fewer problems with the logs flooding with drops then. Whereas if I only had tcp, then I'd see at times UDP being dropped, and since I added it in, I no longer saw it being dropped.

Strange thing though, I'm sitting behind a NAT router and I never forwarded the ports on the router, only used the rules in Shorewall, and it seemed to work just fine and route me over the VPN, which I also thought, how can that be... But I figure I should be opening the ports that the VPN needs, is all.

So besides the interfaces, policy and rules, to use OpenVPN with a VPN service like I've explained, should I also use tunnels, or hosts? Tom said I need one, not both, and I think it was tunnels like this;

#TYPE ZONE GATEWAY GATEWAY ZONE
openvpn net 134.28.54.2

And I believe he said for the gateway IP to use the actual IP I'm connected to...

THANKS

On Sun, Aug 21, 2011 at 12:21 AM, Ed W <lists@wildgooses.com> wrote:
> On 21/08/2011 05:24, Das wrote:
>> So my whole point I'm trying to ask is, when I'm on a VPN why would I
>> still see Shorewall dropping traffic? Because the traffic should not
>> be seeing me, it should see the VPN and this is where I'm confused,
>> it's like I'm still there visible when I'm not supposed to be...
>
> Random thought, but did you fire up the application BEFORE starting
> openvpn? Presumably it runs some heuristics to figure out what your
> public IP address is, and if this were run before you started openvpn
> then it would be telling your clients the "wrong" address?
>
> Ed W
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
Sorry, typo before, meant to say;

By the way, this is what I have so far;

THANKS

On Sun, Aug 21, 2011 at 12:33 PM, Das <dasfox@gmail.com> wrote:
> Hi,
>
> No I always start the VPN first then the applications afterwards...
>
> By the this is what I have so far;
>
> [...]
Sorry, I left out the zones;

http://pastebin.com/xV77zJA6

So I just use the 4 files is all...

THANKS

On Sun, Aug 21, 2011 at 12:34 PM, Das <dasfox@gmail.com> wrote:
> Sorry typo before, meant to say;
>
> By the way this is what I have so far;
>
> THANKS
>
> [...]
My bad, it's been a crazy week, I promise last one, LOL...

Routestopped;
http://pastebin.com/LVVLfzwx

Ok, so all I use is the interfaces, policy, rules, zones, routestopped...

THANKS

On Sun, Aug 21, 2011 at 1:36 PM, Das <dasfox@gmail.com> wrote:
> Sorry I left out the zones;
>
> http://pastebin.com/xV77zJA6
>
> So I just use the 4 files is all...
>
> [...]