[Wylug-help] openvpn -> shorewall problem

Jim Jackson jj at comp.leeds.ac.uk
Mon Aug 23 12:14:50 BST 2004


Gary,

I'm not familiar with OpenVPN - does it use PPP over a tunnel to provide
the VPN? If so, what are your PPP settings?

If your home machine is provided with an IP address on your work LAN, the
VPN server must proxy ARP for that IP address; otherwise, things on the
network won't know where to send their reply packets.

Jim

On Fri, 20 Aug 2004, Gary Stainburn wrote:

> Hi folks.
>
> I'm setting up a VPN from home to work using OpenVPN from my laptop to a
> machine already set up at work using shorewall to control access.
>
> OpenVPN took minutes to download/build/install and minutes to configure.
> Everything's tickety-boo there (I think).  From each end I can ping the remote
> end of the VPN and the machine hosting it (VPN IP and host IP).
>
> However, I can't get in past the machine at work into the work network.  I
> assume that this is a shorewall problem but I can't see what else I need to
> do.  I've included config file extracts below.
>
> Anyone got a clue?
>
> interfaces
> ~~~~~~~~
> loc     eth0    detect
> dmz     eth1    detect
> vpn     tun0
> net     eth2    detect          norfc1918,routefilter
>
> Policy
> ~~~~~~
> loc             net             ACCEPT
> dmz             net             ACCEPT
> loc             dmz             ACCEPT
> fw              net             ACCEPT
> vpn             loc             ACCEPT
> loc             vpn             ACCEPT
> vpn             fw              ACCEPT
> fw              vpn             ACCEPT
> net             all             DROP            info
> all             all             REJECT          info
>
> masq
> ~~~~
> eth2                    eth0
>
> tunnels
> ~~~~~~
> openvpn                 net     80.229.164.202
>
> zones
> ~~~~~
> net     Net             Internet
> loc     Local           Local networks
> dmz     DMZ             Demilitarized zone
> vpn     VPN             VPN
>
> shorewall.conf
> ~~~~~~~~~~~~
> LOGFILE=/var/log/messages
> LOGFORMAT="Shorewall:%s:%s:"
> LOGRATE=
> LOGBURST=
> BLACKLIST_LOGLEVEL=
> LOGNEWNOTSYN=info
> MACLIST_LOG_LEVEL=info
> TCP_FLAGS_LOG_LEVEL=info
> RFC1918_LOG_LEVEL=info
> SMURF_LOG_LEVEL=info
> BOGON_LOG_LEVEL=info
> PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
> SHOREWALL_SHELL=/bin/sh
> SUBSYSLOCK=/var/lock/subsys/shorewall
> STATEDIR=/var/lib/shorewall
> MODULESDIR=
> FW=fw
> IP_FORWARDING=On
> ADD_IP_ALIASES=Yes
> ADD_SNAT_ALIASES=No
> TC_ENABLED=No
> CLEAR_TC=Yes
> MARK_IN_FORWARD_CHAIN=No
> CLAMPMSS=No
> ROUTE_FILTER=No
> DETECT_DNAT_IPADDRS=No
> MUTEX_TIMEOUT=60
> NEWNOTSYN=Yes
> ADMINISABSENTMINDED=Yes
> BLACKLISTNEWONLY=Yes
> MODULE_SUFFIX=
> BRIDGING=No
> BLACKLIST_DISPOSITION=DROP
> MACLIST_DISPOSITION=REJECT
> TCP_FLAGS_DISPOSITION=DROP
>
> --
> Gary Stainburn
>
> This email does not contain private or confidential material as it
> may be snooped on by interested government parties for unknown
> and undisclosed purposes - Regulation of Investigatory Powers Act, 2000
>
>
> _______________________________________________
> Wylug-help mailing list
> Wylug-help at wylug.org.uk
> http://list.wylug.org.uk/mailman/listinfo/wylug-help
>
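The extracts above can be checked mechanically. The script below is an added example and is not code from either poster: it evaluates Gary's posted `policy` and `masq` extracts the way Shorewall does (first matching policy line wins, `all` is a wildcard, the masq file's first column is the outgoing interface and the second the source), confirms that the firewall itself permits vpn<->loc, and then classifies the return path for the LAN's replies in the three ways the thread raises (masquerade the tunnel traffic onto eth0, give the LAN a route back to the tunnel addresses, or proxy ARP as Jim suggests). The function names, the `route`/`masq`/`blocked` labels and the assumption that the tunnel interface is `tun0` are mine; the classification is my reading of the posted config, not a conclusion the thread reached.

```shell
#!/bin/sh
# Added example, not from the thread: evaluate the Shorewall policy and
# masq extracts from the post. POLICY and MASQ are copied from the post;
# the function names and the tun0 assumption are mine.

POLICY='
loc     net     ACCEPT
dmz     net     ACCEPT
loc     dmz     ACCEPT
fw      net     ACCEPT
vpn     loc     ACCEPT
loc     vpn     ACCEPT
vpn     fw      ACCEPT
fw      vpn     ACCEPT
net     all     DROP    info
all     all     REJECT  info
'

MASQ='
eth2    eth0
'

# policy_for SRC DST: print the action of the first policy line whose
# SOURCE and DEST columns match SRC/DST. "all" matches any zone, and
# blank or commented lines are skipped, as Shorewall skips them.
policy_for() {
    src=$1
    dst=$2
    printf '%s\n' "$POLICY" | while read -r s d action _rest; do
        case $s in ''|\#*) continue ;; esac
        case $s in "$src"|all) ;; *) continue ;; esac
        case $d in "$dst"|all) ;; *) continue ;; esac
        printf '%s\n' "$action"
        break
    done
}

# masq_covers OUTIF SOURCE: succeed if the masq file has a line that
# masquerades traffic from SOURCE (an interface or a subnet) when it
# leaves through OUTIF.
masq_covers() {
    printf '%s\n' "$MASQ" | grep -Eq "^$1[[:space:]]+$2([[:space:]]|\$)"
}

# return_path: why LAN replies may not come back even though the policy
# says ACCEPT. Prints one of:
#   blocked - the policy itself refuses vpn->loc or loc->vpn
#   masq    - tun0 traffic is masqueraded onto eth0, so LAN hosts reply
#             to the firewall's own eth0 address and need nothing extra
#   route   - LAN hosts see the tunnel source address and need a route
#             back to it via the VPN host (or the VPN host must proxy
#             ARP for it, as Jim suggests)
return_path() {
    vpn_in=$(policy_for vpn loc)
    vpn_out=$(policy_for loc vpn)
    if [ "$vpn_in" != ACCEPT ] || [ "$vpn_out" != ACCEPT ]; then
        echo blocked
    elif masq_covers eth0 tun0; then
        echo masq
    else
        echo route
    fi
}

# Stand-alone run: show what the posted policy decides for a few zone
# pairs, then the return-path classification.
for pair in 'vpn loc' 'loc vpn' 'net loc' 'dmz loc'; do
    set -- $pair
    printf '%-4s -> %-4s : %s\n' "$1" "$2" "$(policy_for "$1" "$2")"
done
printf 'return path for tun0 replies : %s\n' "$(return_path)"
```

With the posted extracts this reports vpn->loc and loc->vpn as ACCEPT, net->loc as DROP, dmz->loc as REJECT (the final `all all REJECT` line), and `route` for the return path: the only masq entry is `eth2 eth0` (LAN traffic leaving for the Internet), so packets arriving from tun0 and forwarded onto eth0 keep their tunnel source address, and a LAN host that has no route for that address will send its replies to its default gateway rather than back to the VPN host.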