Skip to main content

Thread: Help with OpenVPN + Shorewall pretty please. Internal routing ok, external fails :(

-

i'm trying setup openvpn. i've got vpn work , routing internal network 192.168.30.0/24 seems ok. can't seem route vpn clients can access internet through routers external interface 77.66.55.44.

summary:
* openvpn ok
* internat routing ok
* external routing nok (need help)

i'm hoping can me this.

here's setup on server:

network/interfaces
php code:
# the loopback network interface
auto lo
iface lo inet loopback

# the primary network interface
auto eth1
iface eth1 inet static
        address 77.66.55.44
        netmask 255.255.255.0
        gateway 77.66.55.1

auto eth2
iface eth2 inet static
        address 192.168.30.200
        netmask 255.255.255.0 
openvpn/server.conf
php code:
local 77.66.55.44
proto tcp
port 1194
dev tun
server 192.168.31.0 255.255.255.0
push "route 192.168.30.0 255.255.255.0"
push "dhcp-option dns 192.168.30.200"
push "redirect-gateway def1"
ifconfig-pool-persist ipp.txt
client-to-client
comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key

#server keys
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
tls-auth ta.key 0
cipher bf-cbc 
shorewall/interfaces
php code:
net     eth1            detect          dhcp,routefilter,tcpflags,logmartians,nosmurfs
loc     eth2            detect
vpn     ppp+            detect
vpn2    tun0            detect          tcpflags,logmartians,nosmurfs 
shorewall/masq
php code:
#interface              source          address         proto   port(s) ipsec   mark
eth1                    eth2
#last line -- add your entries above this line -- do not remove 
shorewall/policy
php code:
#source         dest            policy          log level       limit:burst
$fw             all             accept  $log
vpn             all             accept  $log
vpn2            all             accept  $log
loc             all             accept  $log
net             all             drop    $log
# the following policy must be last
all             all             reject          -
#last line -- add your entries above this line -- do not remove 
shorewall/rules
php code:
#openvpn
accept:$log             net                             $fw             tcp     1194
accept:$log             net                             $fw             udp     1194
accept:$log             vpn2                            $fw
accept:$log             vpn2                            net

shorewall/tunnels
php code:
pptpserver              net     0.0.0.0/0
openvpnserver:1194      net     0.0.0.0/0
#last line -- add your entries before this one -- do not remove 
shorewall/zones
php code:
fw      firewall
net     ipv4
loc     ipv4
vpn     ipv4
vpn2    ipv4
#last line - add your entries above this one - do not remove 
shorewall/shorewall.conf
php code:
startup_enabled=yes
verbosity=1
shorewall_compiler=
logfile=/var/log/shorewall.log
startup_log=
log_verbosity=
logformat="shorewall:%s:%s:"
logtagonly=no
lograte=
logburst=
logallnew=
blacklist_loglevel=$log
maclist_log_level=$log
tcp_flags_log_level=$log
smurf_log_level=$log
log_martians=yes
iptables=
path=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
shorewall_shell=/bin/sh
subsyslock=""
modulesdir=
config_path=/etc/shorewall:/usr/share/shorewall
restorefile=
ipsecfile=zones
lockfile=
drop_default="drop"
reject_default="reject"
accept_default="none"
queue_default="none"
nfqueue_default="none"
rsh_command='ssh ${root}@${system} ${command}'
rcp_command='scp ${files} ${root}@${system}:${destination}'
ip_forwarding=on
add_ip_aliases=yes
add_snat_aliases=no
retain_aliases=no
tc_enabled=internal
tc_expert=no
clear_tc=yes
mark_in_forward_chain=no
clampmss=no
route_filter=yes
detect_dnat_ipaddrs=no
mutex_timeout=60
adminisabsentminded=yes
blacklistnewonly=yes
delayblacklistload=no
module_suffix=
disable_ipv6=yes
bridging=no
dynamic_zones=no
pkttype=yes
rfc1918_strict=no
maclist_table=filter
maclist_ttl=
save_ipsets=no
mapoldactions=no
fastaccept=no
implicit_continue=no
high_route_marks=no
use_actions=yes
optimize=0
exportparams=yes
expand_policies=yes
keep_rt_tables=no
delete_then_add=yes
multicast=no
dont_load=
auto_comment=yes
mangle_enabled=yes
use_default_rt=no
restore_default_route=yes
fast_stop=no
blacklist_disposition=drop
maclist_disposition=reject
tcp_flags_disposition=drop 
and client config (windows computers running openvpn 2.2.3)

php code:
client
dev tun
remote 77.66.55.44 1194
resolv-retry infinite
proto tcp
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
cipher bf-cbc
comp-lzo
verb 3 
as can see shorewall config i'm using pptpd server aswell. want switch openvpn because it's safer , faster.

solved throwing out shorewall , adding

iptables -t nat -i postrouting -o eth1 -j masquerade
iptables -a input -i tun+ -j accept
iptables -a forward -i tun+ -o eth1 -j accept
iptables -a forward -i eth1 -o tun+ -j accept
iptables -a input -p tcp --dport 1194 -j accept
iptables -a input -p udp --dport 1194 -j accept
iptables -a forward -i tun+ -o eth2 -j accept
iptables -a forward -i eth2 -o tun+ -j accept


Forum The Ubuntu Forum Community Ubuntu Specialised Support Ubuntu Servers, Cloud and Juju Server Platforms [ubuntu] Help with OpenVPN + Shorewall pretty please. Internal routing ok, external fails :(


Ubuntu

Comments

Post a Comment

Popular posts from this blog

How to set the order of FAQs instead of alphabetical

-
i have 19 faqs default showing them in alphabetical order.   i dislplay them in different order, weighting this, , how weighting work, is larger number higher priority, question id show first on list need numbered in weight field 19? hey vickituch,   as mentioned, default faq items sorted alphabetically. weighting, can modify order in faq items appear. way weighting works higher number specify, higher priority faq item have. example, if have 3 items each weight specified, priority follows:   99. faq item. 45. faq item. 7. yet faq item More discussions in Content Management and Modules adobe
Read more

Thread: Get UK Keyboard working

-
i using ubuntu desktop on lucid , keyboard changes british keys american keys, #/£, ~/| , "/@ around. in system->preferences->keyboard menu have set keyboard uk. when log via putty uk keys come out right. there other place more configuration required? /vfclistsguy actually settings should enough.. can try setxkbmap -query see current layout settings. Forum The Ubuntu Forum Community Ubuntu Official Flavours Support Desktop Environments [kubuntu] Get UK Keyboard working Ubuntu
Read more

how do I change the e-mail address for my merchant account

-
aloha   i have different primary address paypal account 1 listed merchant account in form   the different address same paypal account different e-mail address   i change responses   how do that?? hi,   you need register email address want paypal account form, current paypal email used form replaced. that, open form, go options -> collect payments. in paypal setup tab, enter new email address , click register.   please let me know if need more assistance.   thanks,   eman fu senior computer scientist adobe systems inc More discussions in Archived Spaces adobe
Read more