[Wylug-help] openvpn -> shorewall problem

Gary Stainburn gary.stainburn at ringways.co.uk
Fri Aug 20 15:50:18 BST 2004


Hi folks.

I'm setting up a VPN from home to work using OpenVPN from my laptop to a
machine already set up at work using shorewall to control access.

OpenVPN took minutes to download/build/install and minutes to configure.
Everything's tickety-boo there (I think).  From each end I can ping the remote
end of the VPN and the machine hosting it (VPN IP and host IP).

However, I can't get in past the machine at work into the work network.  I
assume that this is a shorewall problem but I can't see what else I need to
do.  I've included config file extracts below.

Anyone got a clue?

interfaces
~~~~~~~~
loc     eth0    detect
dmz     eth1    detect
vpn     tun0
net     eth2    detect          norfc1918,routefilter

Policy
~~~~~~
loc             net             ACCEPT
dmz             net             ACCEPT
loc             dmz             ACCEPT
fw              net             ACCEPT
vpn             loc             ACCEPT
loc             vpn             ACCEPT
vpn             fw              ACCEPT
fw              vpn             ACCEPT
net             all             DROP            info
all             all             REJECT          info

masq
~~~~
eth2                    eth0

tunnels
~~~~~~
openvpn                 net     80.229.164.202

zones
~~~~~
net     Net             Internet
loc     Local           Local networks
dmz     DMZ             Demilitarized zone
vpn     VPN             VPN

shorewall.conf
~~~~~~~~~~~~
LOGFILE=/var/log/messages
LOGFORMAT="Shorewall:%s:%s:"
LOGRATE=
LOGBURST=
BLACKLIST_LOGLEVEL=
LOGNEWNOTSYN=info
MACLIST_LOG_LEVEL=info
TCP_FLAGS_LOG_LEVEL=info
RFC1918_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
BOGON_LOG_LEVEL=info
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SHOREWALL_SHELL=/bin/sh
SUBSYSLOCK=/var/lock/subsys/shorewall
STATEDIR=/var/lib/shorewall
MODULESDIR=
FW=fw
IP_FORWARDING=On
ADD_IP_ALIASES=Yes
ADD_SNAT_ALIASES=No
TC_ENABLED=No
CLEAR_TC=Yes
MARK_IN_FORWARD_CHAIN=No
CLAMPMSS=No
ROUTE_FILTER=No
DETECT_DNAT_IPADDRS=No
MUTEX_TIMEOUT=60
NEWNOTSYN=Yes
ADMINISABSENTMINDED=Yes
BLACKLISTNEWONLY=Yes
MODULE_SUFFIX=
BRIDGING=No
BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=REJECT
TCP_FLAGS_DISPOSITION=DROP

--
Gary Stainburn

This email does not contain private or confidential material as it
may be snooped on by interested government parties for unknown
and undisclosed purposes - Regulation of Investigatory Powers Act, 2000
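Added illustration, not part of Gary's message and not Shorewall's own code: a small Python resolver that reads the policy table posted above and reports which zone-to-zone flows fall through to the logged catch-all rows. The zone names, policy rows and LOGFORMAT are copied from the post; the first-match-in-file-order rule and the SOURCE2DEST naming of policy chains in the log prefix are Shorewall behaviour; the function names and the enumeration over all zone pairs are my own. It shows that vpn to loc is ACCEPTed as posted, while vpn to dmz and vpn to net hit "all all REJECT info", so anything rejected at the firewall itself will appear in /var/log/messages with the prefix Shorewall:all2all:REJECT: and that is the first place to look before assuming the policy is at fault.

```python
"""Resolve which Shorewall policy row governs a zone-to-zone flow.

Constructed example built from the policy table in the post above.
Not part of the original message and not code from the Shorewall project.
"""

from typing import List, NamedTuple, Optional, Tuple


class Policy(NamedTuple):
    source: str
    dest: str
    action: str
    log_level: Optional[str]


# Policy table exactly as posted: SOURCE DEST POLICY [LOGLEVEL].
POLICY_TEXT = """
loc             net             ACCEPT
dmz             net             ACCEPT
loc             dmz             ACCEPT
fw              net             ACCEPT
vpn             loc             ACCEPT
loc             vpn             ACCEPT
vpn             fw              ACCEPT
fw              vpn             ACCEPT
net             all             DROP            info
all             all             REJECT          info
"""

# Zones from the posted zones file plus the firewall zone (FW=fw).
ZONES = ["net", "loc", "dmz", "vpn", "fw"]

# LOGFORMAT from the posted shorewall.conf; Shorewall fills the two %s
# with the chain name and the disposition.
LOG_FORMAT = "Shorewall:%s:%s:"


def parse_policy(text: str) -> List[Policy]:
    """Parse a Shorewall policy file, skipping blank lines and '#' comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed policy line: {raw!r}")
        src, dst, action = fields[:3]
        level = fields[3] if len(fields) > 3 and fields[3] != "-" else None
        entries.append(Policy(src, dst, action.upper(), level))
    return entries


def resolve(policies: List[Policy], src: str, dst: str) -> Optional[Policy]:
    """Return the first row matching src -> dst, or None.

    Shorewall applies the first matching row in file order; 'all' in
    either column matches any zone, so the position of the catch-all
    rows decides what happens to every pair not listed explicitly.
    """
    for p in policies:
        if p.source in (src, "all") and p.dest in (dst, "all"):
            return p
    return None


def log_prefix(policy: Policy) -> Optional[str]:
    """Log prefix a packet hitting this row would carry, or None if unlogged.

    Policy chains are named <SOURCE>2<DEST> from the matching row, so a
    flow caught by 'all all REJECT info' is logged from chain all2all.
    """
    if policy.log_level is None:
        return None
    return LOG_FORMAT % (f"{policy.source}2{policy.dest}", policy.action)


def blocked_pairs(policies: List[Policy], zones: List[str]) -> List[Tuple[str, str, str]]:
    """Every ordered zone pair whose effective policy is not ACCEPT."""
    blocked = []
    for src in zones:
        for dst in zones:
            if src == dst:
                continue
            p = resolve(policies, src, dst)
            blocked.append((src, dst, p.action if p else "NO POLICY")) if (
                p is None or p.action != "ACCEPT") else None
    return blocked


POLICIES = parse_policy(POLICY_TEXT)

if __name__ == "__main__":
    for src, dst, action in blocked_pairs(POLICIES, ZONES):
        row = resolve(POLICIES, src, dst)
        print(f"{src:>4} -> {dst:<4} {action:<7} log prefix: {log_prefix(row)}")
```

Run it as a script to see the twelve zone pairs that are not accepted; each line names the prefix to grep for in the log file named by LOGFILE. Note that this only models the policy file: traffic that never reaches the firewall's FORWARD chain (for instance because the laptop or the work hosts lack a route for the other end's subnet) produces no log line at all, and that absence is itself a useful clue.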