From: dmi on 14 Feb 2006 18:59

Hello All,

I am trying to make the following setup.

Machine "A" is a standalone host, running Shorewall and OpenVPN server. OpenVPN server is used over /dev/tun0. "A" is running MySQL, httpd, sshd.
Machine "B" is any host on the internet that knows the right set of keys to connect.

In the test setup, A (10.0.0.2) and B (10.0.0.127) are in the same subnetwork.

When connecting over OpenVPN, A is 10.1.0.1 and B is 10.1.0.6 (automatically).

I defined the following zones:
net eth0
vpn tun0
fw firewall

tunnels:
generic:udp:1194 net (to avoid the source port blocking issue http://www.shorewall.net/2.0/FAQ.htm#faq40 )

When Shorewall policy "net $FW ACCEPT" is set, VPN is working fine, all services accessible (ie firewall is not blocking anything).

When I am trying to disable that rule (ie actually closing eth0 opened ports on 10.0.0.2), it seems like the OpenVPN connection is working (connects fine), but SSHD/MYSQL etc. can not reach the other party from the client.

Simply speaking, with firewall off:
10.1.0.6 ---> 10.1.0.1 works fine
with firewall on:
10.1.0.6 -- waiting until timeout -- 10.1.0.1

What can be the reason?
Thank you for your answers in advance.
From: sami on 14 Feb 2006 22:54

dmi(a)novorado.com wrote:
> Hello All,
> I am trying to make the following setup.
> Machine "A" is a standalone host, running Shorewall and OpenVPN server.
> OpenVPN server is used over /dev/tun0. "A" is running MySQL, httpd,
> sshd.
> Machine "B" is a any host on the internet, that knows right set of keys
> to connect.
>
> In test setup, A (10.0.0.2) and B (10.0.0.127) in the same subnetwork.
>
> When connecting over OpenVPN, A is 10.1.0.1 and B is 10.1.0.6
> (automatically).
>
> I defined following zones:
> net eth0
> vpn tun0
> fw firewall
>
> tunnels:
> generic:udp:1194 net (to avoid source port blocking issue
> http://www.shorewall.net/2.0/FAQ.htm#faq40 )
>
> When Shorewall policy "net $FW ACCEPT" is set, VPN is working fine, all
> services accessible. (ie firewall is not blocking anything).
>
> When I am trying to disable that rule (ie actually closing eth0 opened
> ports, on 10.0.0.2),
> it seems like OpenVPN connection is working (connects fine), but
> SSHD/MYSQL etc.
> can not reach other party from client.
>
> Simply speaking, with firewall off:
> 10.1.0.6 ---> 10.1.0.1 works fine
> with firewall on:
> 10.1.0.6 -- waiting until timeout -- 10.1.0.1
>
> What can be the reason?
> Thank you for your answers in advance.

Check what your firewall blocks.

#tail -f /var/log/syslog
From: dmi on 15 Feb 2006 02:35

sami, thanks for your reply.

I tried that already; no drop messages are generated, just as if there is no routing. I set "drop info, reject info" in policy accordingly. So, no messages in the log (/var/log/messages or LG_LOGFILE in shorewall.conf).

There are two interfaces (zones): eth0 (net) and tun0 (vpn). With the tunnel set, OpenVPN always connects successfully (with net open and closed from outside).

I can not understand why it is interrelated - why does closing the net (eth0) zone block the connection inside the vpn (tun0) pipe? And why does unblocking the net zone ("net $FW ACCEPT") make it work? I do not see any relationship.
From: dmi on 15 Feb 2006 16:21

I want to report that the problem was solved. It was unrelated to Shorewall, actually. The OpenVPN key got misconfigured and used a different encryption algorithm than the server; however, VPN was still showing ok connect status.

thanks for your help
Dmitry
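As an added example (not code from the thread or from Shorewall), a small first-match resolver for a Shorewall policy table, illustrating the zone question raised above: removing "net $FW ACCEPT" says nothing about traffic from clients inside tun0, so the vpn zone needs its own row toward $FW or it falls through to the catch-all. Both policy texts are constructed; the poster's real policy file is not shown in the thread.

```python
"""First-match resolver for a Shorewall /etc/shorewall/policy table.

Added example, not code from the thread or from Shorewall. The two policy
texts below are constructed around the poster's zones (net=eth0, vpn=tun0,
$FW=the host itself); the poster's real policy file is not shown.
"""
from typing import List, Optional, Tuple

Row = Tuple[str, str, str, str]  # (SOURCE, DEST, POLICY, LOG LEVEL)

# Constructed: "net $FW ACCEPT" removed, nothing said about vpn -> $FW.
POLICY_NO_VPN_ROW = """\
#SOURCE  DEST   POLICY  LOG
$FW      all    ACCEPT
net      $FW    DROP    info
all      all    REJECT  info
"""

# Constructed: same table with an explicit row for clients inside tun0.
POLICY_WITH_VPN_ROW = "$FW all ACCEPT\nvpn $FW ACCEPT\nnet $FW DROP info\nall all REJECT info\n"


def parse_policy(text: str) -> List[Row]:
    """Split the table into rows, dropping comments and blank lines."""
    rows: List[Row] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        cols = line.split()
        if len(cols) < 3:
            raise ValueError(f"malformed policy row: {raw!r}")
        log = cols[3] if len(cols) > 3 else "-"
        rows.append((cols[0], cols[1], cols[2].upper(), log))
    return rows


def resolve(rows: List[Row], src_zone: str, dst_zone: str) -> Optional[Row]:
    """Shorewall applies the first row whose SOURCE and DEST match; 'all' matches any zone."""
    for row in rows:
        if row[0] in (src_zone, "all") and row[1] in (dst_zone, "all"):
            return row
    return None  # no catch-all row: the zone pair is left undefined


def vpn_clients_reach_fw(text: str) -> bool:
    """True if ssh/mysql from a tun0 client (vpn zone) to the host ($FW) is ACCEPTed."""
    row = resolve(parse_policy(text), "vpn", "$FW")
    return row is not None and row[2] == "ACCEPT"


if __name__ == "__main__":
    for name, text in (("without vpn row", POLICY_NO_VPN_ROW), ("with vpn row", POLICY_WITH_VPN_ROW)):
        print(name, "->", resolve(parse_policy(text), "vpn", "$FW"))
```

Note that the catch-all row here carries a log level, so a vpn client rejected by this table would show up in the log dmi was tailing; the absence of any such lines is consistent with the thread's conclusion that Shorewall was not what blocked the sessions.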