> -----Original Message-----
> From: openvpn-users-admin@xxxxxxxxxxxxxxxxxxxxx
> [mailto:openvpn-users-admin@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of diederik@xxxxxxxxxxx
> Sent: 12 July 2005 07:22
> To: openvpn-users@xxxxxxxxxxxxxxxxxxxxx
> Subject: [Openvpn-users] openvpn / shorewall problem: unable to ping
>
> Hi,
> I have been trying to get my OpenVPN setup to work. I have a Debian (unstable) server running a Shorewall firewall, and a Windows XP laptop, with which I want to connect safely to my server when I'm on the road.
> I have followed this howto: http://www.shorewall.net/OPENVPN.html
>
> I guess OpenVPN itself is working properly, since I can connect from my laptop to the server. My laptop is receiving an IP address from the server (10.0.16.6).
>
> I will now post some info from my server:
>
> # ifconfig
> eth0      Link encap:Ethernet  HWaddr 00:40:F4:6B:21:CF
>           inet addr:xxx  Bcast:xxx  Mask:255.255.255.0
>           inet6 addr: xxx Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:8158708 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:5684185 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:426469951 (406.7 MiB)  TX bytes:710574606 (677.6 MiB)
>           Interrupt:169 Base address:0xec00
>
> eth1      Link encap:Ethernet  HWaddr 00:0C:6E:26:F3:1B
>           inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
>           inet6 addr: fe80::20c:6eff:fe26:f31b/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:11979181 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:14446842 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:2289081185 (2.1 GiB)  TX bytes:2236465872 (2.0 GiB)
>           Interrupt:177 Base address:0xdc00
>
> lo        Link encap:Local Loopback
>           inet addr:127.0.0.1  Mask:255.0.0.0
>           inet6 addr: ::1/128 Scope:Host
>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>           RX packets:106572 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:106572 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:34849141 (33.2 MiB)  TX bytes:34849141 (33.2 MiB)
>
> tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
>           inet addr:10.0.16.1  P-t-P:10.0.16.2  Mask:255.255.255.255
>           UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
>           RX packets:25 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:100
>           RX bytes:1500 (1.4 KiB)  TX bytes:704 (704.0 b)
>
> # route
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 10.0.16.2       *               255.255.255.255 UH    0      0        0 tun0
> 10.0.16.0       10.0.16.2       255.255.255.0   UG    0      0        0 tun0
> localnet        *               255.255.255.0   U     0      0        0 eth1
> 83.160.231.0    *               255.255.255.0   U     0      0        0 eth0
> default         babyxl-colo-gn- 0.0.0.0         UG    0      0        0 eth0
>
> # ping 10.0.16.6
> PING 10.0.16.6 (10.0.16.6) 56(84) bytes of data.
> From 10.0.16.1 icmp_seq=1 Destination Host Unreachable
> From 10.0.16.1 icmp_seq=1 Destination Host Unreachable
> From 10.0.16.1 icmp_seq=1 Destination Host Unreachable
> From 10.0.16.1 icmp_seq=1 Destination Host Unreachable
> From 10.0.16.1 icmp_seq=1 Destination Host Unreachable
> From 10.0.16.1 icmp_seq=1 Destination Host Unreachable
> ping: sendmsg: Operation not permitted
> From 10.0.16.1 icmp_seq=2 Destination Host Unreachable
> ping: sendmsg: Operation not permitted
> From 10.0.16.1 icmp_seq=3 Destination Host Unreachable
> ping: sendmsg: Operation not permitted
> From 10.0.16.1 icmp_seq=4 Destination Host Unreachable
> ping: sendmsg: Operation not permitted
>
> --- 10.0.16.6 ping statistics ---
> 4 packets transmitted, 0 received, +9 errors, 100% packet loss, time 3060ms
> ---snip--
>
>
> Some info from my laptop:
>
> ipconfig /all
> Ethernet adapter VPN:
>
>         Connection-specific DNS Suffix  . :
>         Description . . . . . . . . . . . : TAP-Win32 Adapter V8
>         Physical Address. . . . . . . . . : 00-FF-0D-3A-A1-CE
>         Dhcp Enabled. . . . . . . . . . . : Yes
>         Autoconfiguration Enabled . . . . : Yes
>         IP Address. . . . . . . . . . . . : 10.0.16.6
>         Subnet Mask . . . . . . . . . . . : 255.255.255.252
>         Default Gateway . . . . . . . . . :
>         DHCP Server . . . . . . . . . . . : 10.0.16.5
>         Lease Obtained. . . . . . . . . . : maandag 11 juli 2005 19:54:55
>         Lease Expires . . . . . . . . . . : dinsdag 11 juli 2006 19:54:55
>
> C:\Documents and Settings\diederik>route PRINT
>
> ===========================================================================
> Active Routes:
> Network Destination        Netmask          Gateway       Interface  Metric
>           0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.11      30
>         10.0.16.0    255.255.255.0        10.0.16.5       10.0.16.6       1
>         10.0.16.4  255.255.255.252        10.0.16.6       10.0.16.6      30
>         10.0.16.6  255.255.255.255        127.0.0.1       127.0.0.1      30
>    10.255.255.255  255.255.255.255        10.0.16.6       10.0.16.6      30
>         127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
>       192.168.0.0    255.255.255.0     192.168.0.11    192.168.0.11      30
>      192.168.0.11  255.255.255.255        127.0.0.1       127.0.0.1      30
>     192.168.0.255  255.255.255.255     192.168.0.11    192.168.0.11      30
>         224.0.0.0        240.0.0.0        10.0.16.6       10.0.16.6      30
>         224.0.0.0        240.0.0.0     192.168.0.11    192.168.0.11      30
>   255.255.255.255  255.255.255.255        10.0.16.6               2       1
>   255.255.255.255  255.255.255.255        10.0.16.6       10.0.16.6       1
>   255.255.255.255  255.255.255.255     192.168.0.11    192.168.0.11       1
> Default Gateway:       192.168.0.1
> ===========================================================================
> Persistent Routes:
>   None
>
>
> To make my post complete I'll post my config files.
>
> /etc/openvpn/server.conf
> dev tun
> server 10.0.16.0 255.255.255.0
>
> dh dh1024.pem
> ca ca.crt
> cert server.crt
> key server.key  # This file should be kept secret
>
> port 1194
> ifconfig-pool-persist ipp.txt
> client-to-client
> comp-lzo
> max-clients 5
> user nobody
> group nogroup
> persist-key
> persist-tun
>
> ping 15
> ping-restart 45
> ping-timer-rem
>
> status openvpn-status.log
> log /var/log/openvpn/openvpn.log
> log-append /var/log/openvpn/openvpn.log
> verb
>
>
> /etc/shorewall/interfaces
> #ZONE   INTERFACE       BROADCAST       OPTIONS
> net     eth0            detect          dhcp
> road    tun0
> loc     eth1            192.168.0.255   tcpflags
>
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
>
> /etc/shorewall/masq
> ##############################################################################
> #INTERFACE      SUBNET          ADDRESS
> eth0            eth1
>
> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
>
>
> /etc/shorewall/policy
> #SOURCE DEST    POLICY  LOG LEVEL       LIMIT:BURST
> loc     net     ACCEPT
> loc     fw      ACCEPT
> fw      net     ACCEPT
> fw      loc     ACCEPT
>
> road    loc     ACCEPT
> loc     road    ACCEPT
>
> net     all     DROP    info
>
> # THE FOLLOWING POLICY MUST BE LAST
> all     all     REJECT  info
> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
>
>
> /etc/shorewall/tunnels
> #TYPE           ZONE    GATEWAY         GATEWAY ZONE
> openvpn:1194    net     0.0.0.0/0
>
> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
>
>
> /etc/shorewall/zones
> #ZONE   DISPLAY         COMMENTS
> net     Net             Internet
> loc     Local           Local Networks
> road    Roadwarrior     Remote clients
>
> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
>
>
> C:\Program Files\OpenVPN\config\client.ovpn
> ca ca.crt
> cert diederik.crt
> key diederik.key
>
> dev tun
> remote 192.168.0.1
>
> tls-client
> pull
>
> port 1194
> #user nobody
> #group nogroup
>
> comp-lzo
>
> ping 15
> ping-restart 45
> ping-timer-rem
> persist-tun
> persist-key
>
> verb 3

Hi Diederik,

Here are some of my Shorewall config files, which work for me. It might be of some help.

In the zones file I have:

#ZONE   DISPLAY         COMMENTS
net     Net             Internet
loc     Local           Local networks
dmz     DMZ             Demilitarized zone
ovpn    OpenVPN         Remote Users through OpenVPN

In the interfaces file:

net     eth0    detect  norfc1918,routefilter,blacklist
loc     eth1    detect  dhcp
dmz     eth2    detect
ovpn    tun0    -

In the policy file:

ovpn    net     ACCEPT
ovpn    loc     ACCEPT
ovpn    dmz     ACCEPT

And in masq:

eth0    eth1
eth0    eth2            xx.xx.xx.xx     tcp     smtp
eth0    eth2            xx.xx.xx.xx
eth0    eth3
eth0    10.xx.21.0/24
eth0    10.xx.22.0/24

Hope this helps,
Davis

____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
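The check a practitioner would run on a thread like this is to ask, for every pair of zones, which line of /etc/shorewall/policy actually governs the traffic, since Shorewall takes the first matching entry and `all` is a wildcard. The script below is an added example, not code from the thread or from the Shorewall project; it re-implements only that first-match lookup, feeds it the policy file and zones posted above (embedded as the sample input, with `fw` as the firewall zone), and lists the zone pairs that reach the final `all all REJECT` catch-all. For the posted file that includes `fw -> road`, the direction of the server-side ping to 10.0.16.6, which is consistent with the `ping: sendmsg: Operation not permitted` errors. The function and variable names are this example's own.

```python
"""Find which Shorewall policy entry governs traffic between two zones.

Added example (not from the mailing-list thread or the Shorewall project).
It implements only the first-match lookup over the SOURCE/DEST/POLICY
columns of /etc/shorewall/policy, treating "all" as a wildcard, which is
enough to spot zone pairs that fall through to the catch-all entry.
"""

# Sample input: the /etc/shorewall/policy file posted in the thread.
POLICY_FILE = """\
#SOURCE DEST    POLICY  LOG LEVEL       LIMIT:BURST
loc     net     ACCEPT
loc     fw      ACCEPT
fw      net     ACCEPT
fw      loc     ACCEPT

road    loc     ACCEPT
loc     road    ACCEPT

net     all     DROP    info

# THE FOLLOWING POLICY MUST BE LAST
all     all     REJECT  info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
"""

# Zones from the thread's zones file, plus the firewall zone itself ("fw").
ZONES = ["net", "loc", "road", "fw"]


def parse_policy(text):
    """Return (source, dest, policy, log_level) tuples in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed policy line: {raw!r}")
        source, dest, policy = fields[:3]
        log_level = fields[3] if len(fields) > 3 else None
        entries.append((source, dest, policy.upper(), log_level))
    return entries


def lookup(entries, source, dest):
    """First matching entry wins; "all" matches any zone in its column."""
    for entry in entries:
        src, dst = entry[0], entry[1]
        if src in ("all", source) and dst in ("all", dest):
            return entry
    return None


def catch_all_pairs(entries, zones):
    """Zone pairs with no explicit policy: only the 'all all' entry matches."""
    hits = []
    for source in zones:
        for dest in zones:
            if source == dest:
                continue
            entry = lookup(entries, source, dest)
            if entry is not None and entry[0] == "all" and entry[1] == "all":
                hits.append((source, dest, entry[2]))
    return hits


if __name__ == "__main__":
    policy = parse_policy(POLICY_FILE)
    for source, dest, action in catch_all_pairs(policy, ZONES):
        print(f"{source} -> {dest}: no explicit policy, falls to {action}")
```

Running it on the posted file reports `road -> net`, `road -> fw` and `fw -> road` as the pairs that fall to REJECT; adding explicit `fw road` and `road fw` entries (ACCEPT, or a tighter rule set) is the Shorewall-side change to review, and the same lookup can be pointed at any other policy file by replacing the embedded text.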