I think this is a FAQ-type configuration problem, but I can't get it
working in my installation (a very similar configuration works fine for
two other pairs of nets).
Situation:
             _________ NET _______
            / a.b.c.d            \ e.f.g.h
       RTR-FW1                    RTR-FW2
          /                          \
         / 192.168.189.1/24           \ 192.168.117.5/24
  LinuxGW1 (10.8.0.1/24)         LinuxGW2 (10.8.0.2/24)
       | 10.0.0.250/24                | 192.168.107.5/24
      / \                            / \
  Win11 Lin12                    Win21 Win22
Obviously I want the servers in the two LANs behind LinuxGW1 and LinuxGW2
to be able to communicate freely.
At the moment, from LinuxGW2 I can reach all the hosts in LAN1, but from
the hosts in LAN2 (which have LinuxGW2 as default GW) I can't reach LAN1,
and LAN1 can't reach LAN2.
If I install an OpenVPN client on Win21 or Win22 I can access LAN1
without problems.
LinuxGW1 and LinuxGW2 are Debian 9 + openvpn. I use 10.8.0.0/24 for the tunnel.
From LAN2 I can ping 10.8.0.2, but not 10.8.0.1.
From LAN1 I can ping both 10.8.0.1 and 10.8.0.2.
I am missing something but can't understand what.
Any hints appreciated.
Below configs.
Thanks, P.
In LinuxGW1 the shorewall config is:
- interfaces:
net vmbr1 detect dhcp,tcpflags,routefilter,routeback
loc vmbr0 detect dhcp,tcpflags,nosmurfs,routefilter,routeback
vpn tun0 detect dhcp,tcpflags,nosmurfs,routefilter,routeback
- policy:
loc net ACCEPT
loc $FW ACCEPT
loc vpn ACCEPT
fw all ACCEPT
vpn all ACCEPT
net all DROP info
# THE FOLLOWING POLICY MUST BE LAST
all all REJECT info
- snat:
MASQUERADE 10.0.0.0/24 vmbr1
MASQUERADE 10.8.0.0/24 tun0
- zones:
fw firewall
net ipv4
loc ipv4
vpn ipv4
In LinuxGW2 the shorewall config is:
- interfaces:
net ens18 detect dhcp,tcpflags,routefilter,routeback
loc ens19 detect dhcp,tcpflags,nosmurfs,routefilter,routeback
vpn tun0 detect dhcp,tcpflags,nosmurfs,routefilter,routeback
- policy:
loc net ACCEPT
net loc ACCEPT
loc $FW ACCEPT
loc vpn ACCEPT
fw all ACCEPT
vpn all ACCEPT
net all DROP info
#net all ACCEPT
# THE FOLLOWING POLICY MUST BE LAST
###
all all REJECT info
- snat:
MASQUERADE 192.168.107.0/24 ens18
MASQUERADE 10.8.0.0/24 tun0
- zones:
fw firewall
net ipv4
loc ipv4
vpn ipv4
In LinuxGW1:
# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.189.254 0.0.0.0 UG 0 0 0 vmbr1
10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 vmbr0
10.8.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
192.168.107.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
192.168.189.0 0.0.0.0 255.255.255.0 U 0 0 0 vmbr1
In LinuxGW2:
# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.117.1 0.0.0.0 UG 0 0 0 ens18
10.0.0.0 10.8.0.1 255.255.255.0 UG 0 0 0 tun0
10.8.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
192.168.107.0 0.0.0.0 255.255.255.0 U 0 0 0 ens19
192.168.117.0 0.0.0.0 255.255.255.0 U 0 0 0 ens18
OpenVPN config on LinuxGW1:
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 5
push "route 10.0.0.0 255.255.255.0"
log-append openvpn.log
client-config-dir client
route 192.168.107.0 255.255.255.0
client-to-client
and in ./client/wpclient01.conf:
iroute 192.168.107.0 255.255.255.0
push "route 10.0.0.0 255.255.255.0 vpn_gateway"
OpenVPN config on LinuxGW2 (wpclient01):
client
dev tun
proto udp
remote a.b.c.d 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/wpclient01.crt
key /etc/openvpn/wpclient01.key
comp-lzo
verb 5
push "route 10.0.0.0 255.255.255.0"
log-append openvpn.log
status openvpn-status.log
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
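A small consistency check for a site-to-site OpenVPN setup of the kind posted above, added here as an example and not part of the original message or of OpenVPN/Shorewall. It parses the server config, the client-config-dir (ccd) files and the remote site's client config as text, and reports the mismatches that usually break LAN-to-LAN routing (a server `route` with no `iroute` owner and vice versa, a ccd file whose name does not match the client's certificate CN, server-mode directives in a client config); the sample configs at the bottom are constructed to mirror the LinuxGW1 / wpclient01 files, and `client_cn` is an assumed input (the CN the server sees on the client certificate).

```python
SERVER_ONLY = {"push", "server", "client-config-dir", "client-to-client", "iroute"}

def parse_opts(text):
    """(directive, args) pairs from an OpenVPN config; '#' and ';' comments dropped."""
    opts = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            d, *rest = line.split(None, 1)
            opts.append((d, rest[0] if rest else ""))
    return opts

def check_site_to_site(server_cfg, ccd, client_cfg, client_cn=None):
    """server_cfg, client_cfg: config text; ccd: {file name: text} of the server's
    client-config-dir; client_cn: CN on the client certificate (assumed known).
    Returns a list of findings; an empty list means the routing pieces line up."""
    findings = []
    server = parse_opts(server_cfg)
    routes = {a for d, a in server if d == "route"}  # kernel routes the server adds
    iroutes = {a: name for name, text in ccd.items()  # which client owns each LAN
               for d, a in parse_opts(text) if d == "iroute"}
    for r in sorted(routes - set(iroutes)):
        findings.append(f"server 'route {r}' has no matching 'iroute' in any ccd file")
    for r in sorted(set(iroutes) - routes):
        findings.append(f"ccd {iroutes[r]}: 'iroute {r}' has no matching server 'route'")
    ccd_dir = next((a for d, a in server if d == "client-config-dir"), None)
    if ccd_dir and not ccd_dir.startswith("/"):
        findings.append(f"client-config-dir '{ccd_dir}' is relative; it resolves against "
                        "the daemon's working directory (set by --cd)")
    if client_cn is not None and client_cn not in ccd:
        findings.append(f"no ccd file named '{client_cn}': its iroute is never applied "
                        "(the file name must equal the certificate CN exactly)")
    client = parse_opts(client_cfg)
    if ("client", "") in client:  # only client-mode files get this check
        findings += [f"client config: '{d} {a}' is a server-mode directive and does "
                     "not belong in a client config" for d, a in client if d in SERVER_ONLY]
    return findings

# Constructed sample mirroring the post's LinuxGW1 server / wpclient01 configs.
SAMPLE_SERVER = ("server 10.8.0.0 255.255.255.0\ntopology subnet\nclient-config-dir client\n"
                 "route 192.168.107.0 255.255.255.0\nclient-to-client\n")
SAMPLE_CCD = {"wpclient01": "iroute 192.168.107.0 255.255.255.0\n"
                            'push "route 10.0.0.0 255.255.255.0 vpn_gateway"\n'}
SAMPLE_CLIENT = 'client\nremote a.b.c.d 1194\npush "route 10.0.0.0 255.255.255.0"\n'

if __name__ == "__main__":
    for f in check_site_to_site(SAMPLE_SERVER, SAMPLE_CCD, SAMPLE_CLIENT, "wpclient01"):
        print("-", f)
```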