[Shorewall-users] Some traffic over OpenVPN doesn't work
Klaus Agnoletti
2017-07-03 21:05:40 UTC
Hi,

Let me describe my setup:

I have an opnsense firewall running with OpenVPN at home (WAN IP
is 10.49.141.10 - a crazy IP plan at my provider. It does translate into a
real, routable IP at some point). In the same building on the same switch
(kinda internal, hence the IP) is my Linux server (running Debian 8.8) on
10.49.157.2.

My Linux server runs an OpenVPN client, connecting to my opnsense firewall at
home.

Local LAN at home is 10.20.30.0/24. Local LAN on my Linux server (used for
VMs etc) is 10.20.40.0/24.

OpenVPN tunnel network is 10.100.100.0/24. Opnsense server is 10.100.100.1,
Linux server is 10.100.100.2

Some weird stuff is going on. I have followed the instructions on
http://shorewall.net/OPENVPN.html and allowed all traffic between the two
subnets. Yet some OpenVPN traffic is blocked and I can't send traffic over
VPN from the Linux server itself. However, the VMs running on the Linux
server can, and I can send traffic to the VMs from my home LAN over the vpn
as well.

I see a lot of firewall messages like this:

[466008.549077] Shorewall:fw-vpn:REJECT:IN= OUT=tun0 SRC=10.100.100.2
DST=10.100.100.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=50286 DF PROTO=ICMP
TYPE=8 CODE=0 ID=21078 SEQ=1

[466075.669821] Shorewall:fw-vpn:REJECT:IN= OUT=tun0 SRC=10.100.100.2
DST=10.20.30.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=46799 DF PROTO=ICMP
TYPE=8 CODE=0 ID=21102 SEQ=1

That happens when I try to ping from my Linux server to the opnsense firewall's
internal LAN IP (10.20.30.1) or the remote end of the tunnel network, and I
don't understand it. I am guessing that is why I can't ping.

Can anyone help me out?

I have attached the shorewall dump as requested in the posting instructions.

Thanks,

/klaus
Tom Eastep
2017-07-03 22:53:19 UTC
Your fw->vpn policy is REJECT and you have no Ping(ACCEPT) rule from
fw->vpn.

-Tom
--
Tom Eastep \ Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't
http://shorewall.org \ understand
\_______________________________________________
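A small log triage helper, added here as an example and not part of this thread or of Shorewall itself: it parses Shorewall log lines like the ones Klaus posted into the zone pair and packet fields, and for each rejected or dropped packet renders the /etc/shorewall/rules line that would have allowed it (`Ping(ACCEPT) $FW vpn` for the ICMP echo rejects Tom points at). The two REJECT lines are copied from the thread; the TCP and ACCEPT lines are constructed to show the same parser handling other protocols and outcomes.

```python
import re

# Constructed sample log: the two REJECT lines follow the shape of the
# Shorewall messages in this thread; the TCP and ACCEPT lines are invented
# here to show that the same parser handles other protocols and outcomes.
SAMPLE_LOG = """\
[466008.549077] Shorewall:fw-vpn:REJECT:IN= OUT=tun0 SRC=10.100.100.2 DST=10.100.100.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=50286 DF PROTO=ICMP TYPE=8 CODE=0 ID=21078 SEQ=1
[466075.669821] Shorewall:fw-vpn:REJECT:IN= OUT=tun0 SRC=10.100.100.2 DST=10.20.30.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=46799 DF PROTO=ICMP TYPE=8 CODE=0 ID=21102 SEQ=1
[466090.123456] Shorewall:fw-vpn:REJECT:IN= OUT=tun0 SRC=10.100.100.2 DST=10.20.30.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1234 DF PROTO=TCP SPT=41234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
[466091.000000] Shorewall:vpn-fw:ACCEPT:IN=tun0 OUT= SRC=10.100.100.1 DST=10.100.100.2 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=77 PROTO=ICMP TYPE=0 CODE=0 ID=21078 SEQ=1
"""

# Shorewall log prefix: "Shorewall:<chain>:<disposition>:" followed by the
# kernel's key=value fields; the chain name encodes the zone pair (fw-vpn).
LOG_RE = re.compile(r"Shorewall:(?P<chain>[\w-]+):(?P<disposition>\w+):(?P<fields>.*)$")

def parse_line(line):
    """Return a dict of zone pair, disposition and packet fields, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = {}
    for token in m.group("fields").split():
        key, _, value = token.partition("=")
        # ICMP lines carry ID= twice (IP header ID, then echo ID); keep the first.
        fields.setdefault(key, value)
    src_zone, _, dst_zone = m.group("chain").partition("-")
    return {"src_zone": src_zone, "dst_zone": dst_zone,
            "disposition": m.group("disposition"), **fields}

def suggest_rule(entry):
    """Shorewall /etc/shorewall/rules line that would have allowed this packet."""
    if entry is None or entry["disposition"] not in ("REJECT", "DROP"):
        return None
    src = "$FW" if entry["src_zone"] == "fw" else entry["src_zone"]
    dst = "$FW" if entry["dst_zone"] == "fw" else entry["dst_zone"]
    proto = entry.get("PROTO", "")
    if proto == "ICMP" and entry.get("TYPE") == "8":
        return f"Ping(ACCEPT)\t{src}\t{dst}"  # the fix Tom points at in this thread
    if proto in ("TCP", "UDP") and "DPT" in entry:
        return f"ACCEPT\t{src}\t{dst}\t{proto.lower()}\t{entry['DPT']}"
    return f"ACCEPT\t{src}\t{dst}\t{proto.lower()}"

def missing_rules(log_text):
    """Deduplicated, sorted rule suggestions for every rejected/dropped packet."""
    rules = {suggest_rule(parse_line(line)) for line in log_text.splitlines()}
    rules.discard(None)
    return sorted(rules)
```

Only add the suggestions you actually want to /etc/shorewall/rules; keeping the fw->vpn policy at REJECT with explicit rules is tighter than flipping the whole policy to ACCEPT.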
Klaus Agnoletti
2017-07-04 04:50:49 UTC
Ah! Of course!

I would more say that the policies aren't there, so there's no specific
ACCEPT. But now there is, and thanks for pointing that out - it appears to
work now.

Thanks for saving my headache :-)

/klaus