[Shorewall-users] Basic openvpnclient setup
Thomas Fjellstrom
2017-01-25 15:23:07 UTC
Hi.

I'm having a minor problem setting up Shorewall to properly route and allow
OpenVPN traffic through my firewall.

I'd like the openvpn client to be running on the firewall, and allow local
machines to connect to and communicate with the private subnet on the other
side of the vpn, but not allow new traffic from the other side into my lan.

So far I have traffic that is getting sent out my public connection to the
OpenVPN server, but nothing comes back according to `tcpdump -i extIF host
VPNGATEWAY`. Nothing shows up in the logs stating traffic has been blocked.
Policy is set up to log on the final DROP and REJECT rules.
--
Thomas Fjellstrom
***@fjellstrom.ca
Robert K Coffman Jr. -Info From Data Corp.
2017-01-25 15:59:43 UTC
Post by Thomas Fjellstrom
So far I have traffic that is getting sent out my public connection to the
openvpn server, but nothing comes back according to `tcpdump -i extIF host
VPNGATEWAY`. Nothing shows up in the logs stating traffic has been blocked.
policy is set up to log on the final DROP and REJECT rules.
Does the server have a route directive for your private LAN? Does it
also have a CCD file set up?

There is a lot more that can cause this, but this is a good place to start.

- Bob
Thomas Fjellstrom
2017-01-25 16:17:51 UTC
Post by Robert K Coffman Jr. -Info From Data Corp.
Post by Thomas Fjellstrom
So far I have traffic that is getting sent out my public connection to the
openvpn server, but nothing comes back according to `tcpdump -i extIF host
VPNGATEWAY`. Nothing shows up in the logs stating traffic has been blocked.
policy is set up to log on the final DROP and REJECT rules.
Does the server have a route directive for your private LAN? Does it
also have a CCD file set up?
There is a lot more that can cause this, but this is a good place to start.
I don't have control of the VPN side, but it works fine connecting through to
it via Network-Manager.
Post by Robert K Coffman Jr. -Info From Data Corp.
- Bob
--
Thomas Fjellstrom
***@fjellstrom.ca
Roberto C. Sánchez
2017-01-25 15:54:23 UTC
Post by Thomas Fjellstrom
Hi.
I'm having a minor problem setting up shorewall to properly route and allow
openvpn traffic through my firewall.
I'd like the openvpn client to be running on the firewall, and allow local
machines to connect to and communicate with the private subnet on the other
side of the vpn, but not allow new traffic from the other side into my lan.
So far I have traffic that is getting sent out my public connection to the
openvpn server, but nothing comes back according to `tcpdump -i extIF host
VPNGATEWAY`. Nothing shows up in the logs stating traffic has been blocked.
policy is set up to log on the final DROP and REJECT rules.
Hi Thomas,

What you are describing sounds like a three interface setup. There is a
HOWTO here:

http://shorewall.net/three-interface.htm

You will have local and net zones like in the HOWTO. The main
difference is that instead of a DMZ zone you will have a VPN zone, which
it sounds like you want to treat sort of like a net zone (traffic is OK
to go from your local network to that zone, but not the other way
around). It should be just a matter of ensuring you have forwarding (I
assume you do or you would have other problems), the right policy (loc
-> vpn == OK), and possibly masquerading (depending on the address
ranges involved).

Regards,

-Roberto
--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Thomas Fjellstrom
2017-01-25 16:18:11 UTC
Post by Roberto C. Sánchez
Post by Thomas Fjellstrom
Hi.
I'm having a minor problem setting up shorewall to properly route and allow
openvpn traffic through my firewall.
I'd like the openvpn client to be running on the firewall, and allow local
machines to connect to and communicate with the private subnet on the other
side of the vpn, but not allow new traffic from the other side into my lan.
So far I have traffic that is getting sent out my public connection to the
openvpn server, but nothing comes back according to `tcpdump -i extIF host
VPNGATEWAY`. Nothing shows up in the logs stating traffic has been blocked.
policy is set up to log on the final DROP and REJECT rules.
Hi Thomas,
What you are describing sounds like a three interface setup. There is a
http://shorewall.net/three-interface.htm
You will have local and net zones like in the HOWTO. The main
difference is that instead of a DMZ zone you will have a VPN zone, which
it sounds like you want to treat sort of like a net zone (traffic is OK
to go from your local network to that zone, but not the other way
around). It should be just a matter of ensuring you have forwarding (I
assume you do or you would have other problems), the right policy (loc
-> vpn == OK), and possibly masquerading (depending on the address
ranges involved).
I'll take a look at that and report back! Thanks!
Post by Roberto C. Sánchez
Regards,
-Roberto
--
Thomas Fjellstrom
***@fjellstrom.ca
Thomas Fjellstrom
2017-01-25 16:56:13 UTC
Post by Thomas Fjellstrom
Post by Roberto C. Sánchez
Post by Thomas Fjellstrom
Hi.
I'm having a minor problem setting up shorewall to properly route and allow
openvpn traffic through my firewall.
I'd like the openvpn client to be running on the firewall, and allow local
machines to connect to and communicate with the private subnet on the other
side of the vpn, but not allow new traffic from the other side into my lan.
So far I have traffic that is getting sent out my public connection to the
openvpn server, but nothing comes back according to `tcpdump -i extIF host
VPNGATEWAY`. Nothing shows up in the logs stating traffic has been blocked.
policy is set up to log on the final DROP and REJECT rules.
Hi Thomas,
What you are describing sounds like a three interface setup. There is a
http://shorewall.net/three-interface.htm
You will have local and net zones like in the HOWTO. The main
difference is that instead of a DMZ zone you will have a VPN zone, which
it sounds like you want to treat sort of like a net zone (traffic is OK
to go from your local network to that zone, but not the other way
around). It should be just a matter of ensuring you have forwarding (I
assume you do or you would have other problems), the right policy (loc
-> vpn == OK), and possibly masquerading (depending on the address
ranges involved).
I'll take a look at that and report back! Thanks!
I'm basically getting what I had before:

lan# ping VPNINTHOST

fw# tcpdump -i eth0 host VPNGW
09:46:47.622220 IP MYIP.57800 > 149.56.251.50.openvpn: UDP, length 85
09:46:48.646222 IP MYIP.57800 > 149.56.251.50.openvpn: UDP, length 85
09:46:50.665662 IP MYIP.57800 > 149.56.251.50.openvpn: UDP, length 85
09:46:51.686162 IP MYIP.57800 > 149.56.251.50.openvpn: UDP, length 85
09:46:52.710196 IP MYIP.57800 > 149.56.251.50.openvpn: UDP, length 85
09:46:54.729324 IP MYIP.57800 > 149.56.251.50.openvpn: UDP, length 85
09:46:55.750166 IP MYIP.57800 > 149.56.251.50.openvpn: UDP, length 85
09:46:56.774188 IP MYIP.57800 > 149.56.251.50.openvpn: UDP, length 85
09:46:56.830549 IP VPNGWIP.openvpn > MYIP.57800: UDP, length 69

and that's it. Many packets go out, very few come back.

The VPN works fine via an OpenVPN client connection through NetworkManager on a
local LAN computer. But so far I'm not having luck setting it up on the firewall.
Post by Thomas Fjellstrom
Post by Roberto C. Sánchez
Regards,
-Roberto
--
Thomas Fjellstrom
***@fjellstrom.ca
Roberto C. Sánchez
2017-01-25 17:31:22 UTC
Post by Thomas Fjellstrom
lan# ping VPNINTHOST
fw# tcpdump -i eth0 host VPNGW
09:46:47.622220 IP MYIP.57800 > 149.56.251.50.openvpn: UDP, length 85
09:46:48.646222 IP MYIP.57800 > 149.56.251.50.openvpn: UDP, length 85
09:46:50.665662 IP MYIP.57800 > 149.56.251.50.openvpn: UDP, length 85
09:46:51.686162 IP MYIP.57800 > 149.56.251.50.openvpn: UDP, length 85
09:46:52.710196 IP MYIP.57800 > 149.56.251.50.openvpn: UDP, length 85
09:46:54.729324 IP MYIP.57800 > 149.56.251.50.openvpn: UDP, length 85
09:46:55.750166 IP MYIP.57800 > 149.56.251.50.openvpn: UDP, length 85
09:46:56.774188 IP MYIP.57800 > 149.56.251.50.openvpn: UDP, length 85
09:46:56.830549 IP VPNGWIP.openvpn > MYIP.57800: UDP, length 69
and thats it. many packets go out, very few come back.
The vpn works fine via an openvpn client connection through NetworkManager on a
local lan computer. But so far not having luck setting it up on the firewall.
This sounds like an OpenVPN routing problem. Have you compared the
configurations you are using via NetworkManager and the CLI client?

Regards,

-Roberto
--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Thomas Fjellstrom
2017-01-25 18:01:14 UTC
Post by Roberto C. Sánchez
Post by Thomas Fjellstrom
lan# ping VPNINTHOST
fw# tcpdump -i eth0 host VPNGW
09:46:47.622220 IP MYIP.57800 > 149.56.251.50.openvpn: UDP, length 85
09:46:48.646222 IP MYIP.57800 > 149.56.251.50.openvpn: UDP, length 85
09:46:50.665662 IP MYIP.57800 > 149.56.251.50.openvpn: UDP, length 85
09:46:51.686162 IP MYIP.57800 > 149.56.251.50.openvpn: UDP, length 85
09:46:52.710196 IP MYIP.57800 > 149.56.251.50.openvpn: UDP, length 85
09:46:54.729324 IP MYIP.57800 > 149.56.251.50.openvpn: UDP, length 85
09:46:55.750166 IP MYIP.57800 > 149.56.251.50.openvpn: UDP, length 85
09:46:56.774188 IP MYIP.57800 > 149.56.251.50.openvpn: UDP, length 85
09:46:56.830549 IP VPNGWIP.openvpn > MYIP.57800: UDP, length 69
and thats it. many packets go out, very few come back.
The vpn works fine via an openvpn client connection through NetworkManager
on a local lan computer. But so far not having luck setting it up on the
firewall.
This sounds like an OpenVPN routing problem. Have you compared the
configurations you are using via NetworkManager and the CLI client?
They were very close, I've now made them match and have the same results.
Post by Roberto C. Sánchez
Regards,
-Roberto
--
Thomas Fjellstrom
***@fjellstrom.ca
Tom Eastep
2017-01-25 18:17:47 UTC
Post by Thomas Fjellstrom
Post by Thomas Fjellstrom
lan# ping VPNINTHOST
fw# tcpdump -i eth0 host VPNGW
09:46:47.622220 IP MYIP.57800 > 149.56.251.50.openvpn: UDP, length 85
09:46:48.646222 IP MYIP.57800 > 149.56.251.50.openvpn: UDP, length 85
09:46:50.665662 IP MYIP.57800 > 149.56.251.50.openvpn: UDP, length 85
09:46:51.686162 IP MYIP.57800 > 149.56.251.50.openvpn: UDP, length 85
09:46:52.710196 IP MYIP.57800 > 149.56.251.50.openvpn: UDP, length 85
09:46:54.729324 IP MYIP.57800 > 149.56.251.50.openvpn: UDP, length 85
09:46:55.750166 IP MYIP.57800 > 149.56.251.50.openvpn: UDP, length 85
09:46:56.774188 IP MYIP.57800 > 149.56.251.50.openvpn: UDP, length 85
09:46:56.830549 IP VPNGWIP.openvpn > MYIP.57800: UDP, length 69
and thats it. many packets go out, very few come back.
The vpn works fine via an openvpn client connection through
NetworkManager on a local lan computer. But so far not having
luck setting it up on the firewall.
This sounds like an OpenVPN routing problem. Have you compared
the configurations you are using via NetworkManager and the CLI
client?
They were very close, I've now made them match and have the same results.
I suspect that in your OpenVPN config, you need to push a route to
your local LAN, so that the remote endpoint knows to route traffic to
that LAN through the VPN.

-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
Thomas Fjellstrom
2017-01-25 19:08:36 UTC
Post by Tom Eastep
Post by Thomas Fjellstrom
lan# ping VPNINTHOST
fw# tcpdump -i eth0 host VPNGW
09:46:47.622220 IP MYIP.57800 > 149.56.251.50.openvpn: UDP, length 85
09:46:48.646222 IP MYIP.57800 > 149.56.251.50.openvpn: UDP, length 85
09:46:50.665662 IP MYIP.57800 > 149.56.251.50.openvpn: UDP, length 85
09:46:51.686162 IP MYIP.57800 > 149.56.251.50.openvpn: UDP, length 85
09:46:52.710196 IP MYIP.57800 > 149.56.251.50.openvpn: UDP, length 85
09:46:54.729324 IP MYIP.57800 > 149.56.251.50.openvpn: UDP, length 85
09:46:55.750166 IP MYIP.57800 > 149.56.251.50.openvpn: UDP, length 85
09:46:56.774188 IP MYIP.57800 > 149.56.251.50.openvpn: UDP, length 85
09:46:56.830549 IP VPNGWIP.openvpn > MYIP.57800: UDP, length 69
and thats it. many packets go out, very few come back.
The vpn works fine via an openvpn client connection through
NetworkManager on a local lan computer. But so far not having
luck setting it up on the firewall.
This sounds like an OpenVPN routing problem. Have you compared
the configurations you are using via NetworkManager and the CLI
client?
They were very close, I've now made them match and have the same results.
I suspect that in your OpenVPN config, you need to push a route to
your local LAN, so that the remote endpoint knows to route traffic to
that LAN through the VPN.
Routes are getting pushed from the VPN server, and being set up on the firewall,
and pings from a LAN host get sent out over the VPN connection, which can be
seen from the tcpdump log as traveling over the OpenVPN port on the WAN
connection.

I've been looking at various OpenVPN guides and such, but so far there doesn't
seem to be a way for me to push up a route to the server if it isn't already
configured to allow it.
Post by Tom Eastep
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
--
Thomas Fjellstrom
***@fjellstrom.ca
Thomas Fjellstrom
2017-01-25 19:23:28 UTC
Post by Thomas Fjellstrom
Post by Tom Eastep
Post by Thomas Fjellstrom
lan# ping VPNINTHOST
fw# tcpdump -i eth0 host VPNGW
09:46:47.622220 IP MYIP.57800 > 149.56.251.50.openvpn: UDP, length 85
09:46:48.646222 IP MYIP.57800 > 149.56.251.50.openvpn: UDP, length 85
09:46:50.665662 IP MYIP.57800 > 149.56.251.50.openvpn: UDP, length 85
09:46:51.686162 IP MYIP.57800 > 149.56.251.50.openvpn: UDP, length 85
09:46:52.710196 IP MYIP.57800 > 149.56.251.50.openvpn: UDP, length 85
09:46:54.729324 IP MYIP.57800 > 149.56.251.50.openvpn: UDP, length 85
09:46:55.750166 IP MYIP.57800 > 149.56.251.50.openvpn: UDP, length 85
09:46:56.774188 IP MYIP.57800 > 149.56.251.50.openvpn: UDP, length 85
09:46:56.830549 IP VPNGWIP.openvpn > MYIP.57800: UDP, length 69
and thats it. many packets go out, very few come back.
The vpn works fine via an openvpn client connection through
NetworkManager on a local lan computer. But so far not having
luck setting it up on the firewall.
This sounds like an OpenVPN routing problem. Have you compared
the configurations you are using via NetworkManager and the CLI
client?
They were very close, I've now made them match and have the same results.
I suspect that in your OpenVPN config, you need to push a route to
your local LAN, so that the remote endpoint knows to route traffic to
that LAN through the VPN.
Routes are getting pushed from the vpn server, and being setup on the
firewall, and pings from a lan host get sent out over the vpn connection,
which can be seen from the tcpdump log as traveling over the openvpn port
on the wan connection.
I've been looking at various openvpn guides and such, but so far there
doesn't seem to be a way for me to push up a route to the server if it isnt
already configured to allow it.
OK, a quick check shows the firewall can ping and receives responses, but I
presume it's just coming back from tun0.

I presume I have the wrong masq settings? I haven't really figured out what
interface and source I should be using.

$NET_IF VPN_NET

or

tun0 VPN_NET

?
Post by Thomas Fjellstrom
Post by Tom Eastep
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
--
Thomas Fjellstrom
***@fjellstrom.ca
Robert K Coffman Jr. -Info From Data Corp.
2017-01-25 19:36:23 UTC
Post by Thomas Fjellstrom
tun0 VPN_NET
Your source would be your local LAN, and I believe you want to
masquerade the traffic through tun0 if that is the tunnel you are using:

tun0 eth1 (or some variation that defines your local LAN)


- Bob
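The zone/policy layout Roberto sketches above and the masq line Bob suggests here, written out as one Shorewall configuration. This is an added example, not from the thread or from the Shorewall project; eth0 as $NET_IF, eth1 as the LAN interface, tun0 as the OpenVPN client tunnel, and VPN_NET are assumed names, and the files are shown in the Shorewall 4.x/5.0 layout (newer releases replace masq with the snat file).

```text
# Added example (not from the thread). Assumed interfaces: eth0 = Internet
# ($NET_IF), eth1 = local LAN, tun0 = OpenVPN client tunnel on the firewall.

# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
vpn     ipv4            # the far side of the tunnel, treated much like net

# /etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        -           tcpflags,nosmurfs,routefilter,logmartians
loc     eth1        -           tcpflags,nosmurfs
vpn     tun0        -

# /etc/shorewall/policy   (first match wins, top to bottom)
#SOURCE DEST    POLICY  LOG LEVEL
loc     vpn     ACCEPT          # LAN hosts may open connections to the VPN subnet
loc     net     ACCEPT
$FW     net     ACCEPT          # the OpenVPN client on the firewall reaches VPNGW
$FW     vpn     ACCEPT
vpn     all     DROP    info    # no new connections from the VPN side; logged
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/masq
# Ineffective variant from the question: NAT applies to packets leaving eth0
# with a VPN_NET source. LAN -> VPN packets leave via tun0 with a LAN source,
# so this line never matches them and the remote side cannot route replies.
#INTERFACE  SOURCE
#$NET_IF    VPN_NET
#
# Working variant (Bob's suggestion): LAN sources are hidden behind tun0's
# address as they enter the tunnel, so the VPN server only ever sees the
# tunnel address it already has a route for.
#INTERFACE  SOURCE
eth0        eth1            # LAN -> Internet
tun0        eth1            # LAN -> VPN subnet
```

Run `shorewall check` before restarting; once the tun0 line is active, `tcpdump -ni tun0 icmp` on the firewall should show echo replies arriving on the tunnel for pings started from a LAN host.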
Thomas Fjellstrom
2017-01-25 19:43:24 UTC
Post by Robert K Coffman Jr. -Info From Data Corp.
Post by Thomas Fjellstrom
tun0 VPN_NET
Your source would be your local LAN, and I believe you want to
tun0 eth1 (or some variation that defines your local LAN)
Ahh, thank you! That seems to work.

I appreciate it!
Post by Robert K Coffman Jr. -Info From Data Corp.
- Bob
--
Thomas Fjellstrom
***@fjellstrom.ca
Robert K Coffman Jr. -Info From Data Corp.
2017-01-25 19:29:09 UTC
Post by Thomas Fjellstrom
seem to be a way for me to push up a route to the server
That doesn't seem to be desirable behavior - any client could
effectively DOS the box. The admin of the server needs to make that change.

- Bob
Thomas Fjellstrom
2017-01-25 19:34:37 UTC
Post by Robert K Coffman Jr. -Info From Data Corp.
Post by Thomas Fjellstrom
seem to be a way for me to push up a route to the server
That doesn't seem to be desirable behavior - any client could
effectively DOS the box. The admin of the server needs to make that change.
Yeah, it doesn't make a lot of sense if you care about security at all.
Post by Robert K Coffman Jr. -Info From Data Corp.
- Bob
--
Thomas Fjellstrom
***@fjellstrom.ca
Tom Eastep
2017-01-25 20:59:10 UTC
Post by Robert K Coffman Jr. -Info From Data Corp.
Post by Thomas Fjellstrom
seem to be a way for me to push up a route to the server
That doesn't seem to be desirable behavior - any client could
effectively DOS the box. The admin of the server needs to make that change.
Yes, that occurred to me as I was on my daily walk :-)

-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________