Hi,
I'm trying to set up OpenVPN on the newest Ubuntu server 17.10 + Shorewall in the
RoadWarrior mode:
http://shorewall.net/OPENVPN.html#RoadWarrior
To set up OpenVPN I followed the guidance below (of course without the firewall part):
https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04

In the testing phase I use an Android phone and the 'OpenVPN Connect' app.
I've imported the keys and configuration (*.ovpn file) to my mobile device.
I can connect to the OpenVPN server and see on my mobile phone the status: connected.
However, from the phone I cannot connect to my LAN and WLAN subnetworks. I
suspect that my Shorewall or OpenVPN server configuration needs adjustment.
Please see my Shorewall and OpenVPN server configurations and advise what I could
change to connect to my LAN network.

>ela@akacja:~$ ip -o -4 addr
1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: enp1s0    inet 192.168.15.145/24 brd 192.168.15.255 scope global enp1s0\       valid_lft forever preferred_lft forever
4: enp3s0f1    inet 10.10.10.1/24 brd 10.10.10.255 scope global enp3s0f1\       valid_lft forever preferred_lft forever
5: wlp4s0    inet 10.10.11.1/24 brd 10.10.11.255 scope global wlp4s0\       valid_lft forever preferred_lft forever
6: tun0    inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0\       valid_lft forever preferred_lft forever

>ela@akacja:~$ ip -o -4 route
default via 192.168.15.1 dev enp1s0 proto static
10.8.0.0/24 via 10.8.0.2 dev tun0
10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1
10.10.10.0/24 dev enp3s0f1 proto kernel scope link src 10.10.10.1
10.10.11.0/24 dev wlp4s0 proto kernel scope link src 10.10.11.1
192.168.15.0/24 dev enp1s0 proto kernel scope link src 192.168.15.145

>/etc/openvpn/server.conf
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.10.10.0 255.255.255.0"
keepalive 10 120
tls-auth ta.key 0 # This file is secret
key-direction 0
cipher AES-128-CBC
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3

>/etc/shorewall/zones:
#ZONE    TYPE    OPTIONS            IN            OUT
fw    firewall
net    ipv4
loc    ipv4
road    ipv4

>/etc/shorewall/interfaces:
?FORMAT 1
###############################################################################
#ZONE    INTERFACE    BROADCAST    OPTIONS
net    enp1s0        detect    tcpflags,logmartians,nosmurfs
loc    enp3s0f1    detect    dhcp
loc    wlp4s0        detect    dhcp,maclist
road    tun0        detect

>/etc/shorewall/snat:
#ACTION			SOURCE				DEST		PROTO	PORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY
SNAT(192.168.15.145)	10.10.10.0/24,10.10.11.0/24	enp1s0

>/etc/shorewall/policy:
#SOURCE        DEST        POLICY        LOG LEVEL    LIMIT:BURST
loc        net        ACCEPT
loc        $FW        ACCEPT
$FW        net        ACCEPT
$FW        loc        ACCEPT
road        loc        ACCEPT
net        all        DROP        info
all        all        REJECT        info

>/etc/shorewall/tunnels:
#TYPE         ZONE           GATEWAY        GATEWAY_ZONE
openvpn:1194  net            0.0.0.0/0

>/etc/shorewall/rules:
#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS		SWITCH		HELPER
#							PORT	PORT(S)		DEST		LIMIT		GROUP

?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW

#       Don't allow connection pickup from the net
#
Invalid(DROP)    net        all        tcp
#
#    Accept DNS connections from the firewall to the network
#
#DNS(ACCEPT)    $FW        net
#
#    Accept SSH connections from the local network for administration
#
SSH(ACCEPT)    loc        $FW
#
#    Allow Ping from the local network
#
Ping(ACCEPT)    loc        $FW

#
# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
#

Ping(DROP)    net        $FW

ACCEPT        $FW        loc        icmp
ACCEPT        $FW        net        icmp
#
#
ACCEPT        net        $FW        tcp        6535
ACCEPT        net        $FW        udp        6534
ACCEPT        net        $FW        tcp        1007
ACCEPT        net        $FW        tcp        2225
ACCEPT        net        $FW        udp        1194

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
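The following script is an added example and is not part of the original post or of Shorewall's own tooling. It takes constructed copies of the poster's server.conf, /etc/shorewall/interfaces, /etc/shorewall/policy and "ip -o -4 route" output (embedded as strings so it runs offline) and checks two things a road-warrior setup depends on: whether every subnet behind the "loc" zone is actually pushed to clients with a push "route" line, and which policy Shorewall applies between two zones when no rule matches. The function names (mask_to_prefix, pushed_routes, loc_subnets, missing_pushes, policy_for) are this example's own.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post: cross-check the OpenVPN
# push "route" lines against the subnets behind Shorewall's "loc" zone, and
# look up the policy Shorewall applies between two zones.
# The inputs below are constructed copies of the configuration shown in the
# post; every function name here is this example's own.

# Relevant lines of /etc/openvpn/server.conf
SERVER_CONF='port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
push "route 10.10.10.0 255.255.255.0"
keepalive 10 120'

# /etc/shorewall/interfaces (ZONE INTERFACE BROADCAST OPTIONS)
INTERFACES='net enp1s0 detect tcpflags,logmartians,nosmurfs
loc enp3s0f1 detect dhcp
loc wlp4s0 detect dhcp,maclist
road tun0 detect'

# Output of "ip -o -4 route" on the server
ROUTES='default via 192.168.15.1 dev enp1s0 proto static
10.8.0.0/24 via 10.8.0.2 dev tun0
10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1
10.10.10.0/24 dev enp3s0f1 proto kernel scope link src 10.10.10.1
10.10.11.0/24 dev wlp4s0 proto kernel scope link src 10.10.11.1
192.168.15.0/24 dev enp1s0 proto kernel scope link src 192.168.15.145'

# /etc/shorewall/policy (SOURCE DEST POLICY ...); first matching line wins
POLICY='loc net ACCEPT
loc $FW ACCEPT
$FW net ACCEPT
$FW loc ACCEPT
road loc ACCEPT
net all DROP info
all all REJECT info'

# Convert a dotted netmask (255.255.255.0) to a prefix length (24).
mask_to_prefix() {
  local IFS=. n=0 o
  for o in $1; do
    while [ "$o" -gt 0 ]; do
      n=$((n + (o & 1)))
      o=$((o >> 1))
    done
  done
  echo "$n"
}

# Subnets pushed to clients by server.conf, one "net/prefix" per line.
pushed_routes() {
  printf '%s\n' "$SERVER_CONF" |
    sed -n 's/^push "route \([0-9.]*\) \([0-9.]*\)".*/\1 \2/p' |
    while read -r net mask; do
      echo "$net/$(mask_to_prefix "$mask")"
    done
}

# Directly connected subnets of every interface placed in the "loc" zone.
loc_subnets() {
  printf '%s\n' "$INTERFACES" | awk '$1 == "loc" { print $2 }' |
    while read -r dev; do
      printf '%s\n' "$ROUTES" |
        awk -v d="$dev" '/proto kernel/ && $2 == "dev" && $3 == d { print $1 }'
    done
}

# "loc" subnets that no push "route" line covers: clients get no route to them,
# so packets for those hosts never enter the tunnel no matter what the firewall allows.
missing_pushes() {
  local pushed
  pushed=$(pushed_routes)
  loc_subnets | while read -r subnet; do
    printf '%s\n' "$pushed" | grep -qxF "$subnet" || echo "$subnet"
  done
}

# Policy for SOURCE -> DEST: first line whose zones match, "all" being a wildcard.
policy_for() {
  printf '%s\n' "$POLICY" | awk -v s="$1" -v d="$2" '
    /^#/ || NF < 3 { next }
    ($1 == s || $1 == "all") && ($2 == d || $2 == "all") { print $3; exit }'
}

# Report when run directly.
for s in $(missing_pushes); do
  echo "loc subnet $s is not pushed to clients (no push \"route\" line for it)"
done
echo "road -> loc policy: $(policy_for road loc)"
echo "loc -> road policy: $(policy_for loc road)"
```

Against the configuration in the post this reports that 10.10.11.0/24 (the wlp4s0 WLAN) has no push "route" line, while 10.10.10.0/24 does, and that road -> loc is ACCEPT but loc -> road falls through to the final all/all REJECT, so only connections initiated from the VPN client side are permitted by policy. On the real server the same checks would be run against the live files and the live "ip -o -4 route" output rather than the embedded copies.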