Comments interspersed below.

On 02/07/2018 05:13 AM, Bernard Drozd wrote:
> Hi,
> I am trying to set up OpenVPN on the newest Ubuntu server 17.10 + Shorewall
> in the RoadWarrior mode:
> http://shorewall.net/OPENVPN.html#RoadWarrior
> To set up OpenVPN I followed the guidance below (of course without the firewall
> part):
> https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04
>
> In the testing phase I use an Android phone and the 'OpenVPN Connect' app.
> I've imported keys and configurations (*.ovpn file) to my mobile device.
> I can connect to the OpenVPN server and see on my mobile phone the status:
> connected.
> However from the phone I cannot connect to my LAN and WLAN subnetworks.
> I suspect that my Shorewall or server OpenVPN configuration needs
> adjustment.
> Please see my Shorewall and OpenVPN server configurations and advise what
> I could change to connect to my LAN network.
>
>>ela@akacja:~$ ip -o -4 addr
> 1: lo inet 127.0.0.1/8 scope host lo\ valid_lft forever preferred_lft forever
> 2: enp1s0 inet 192.168.15.145/24 brd 192.168.15.255 scope global enp1s0\ valid_lft forever preferred_lft forever
> 4: enp3s0f1 inet 10.10.10.1/24 brd 10.10.10.255 scope global enp3s0f1\ valid_lft forever preferred_lft forever
> 5: wlp4s0 inet 10.10.11.1/24 brd 10.10.11.255 scope global wlp4s0\ valid_lft forever preferred_lft forever
> 6: tun0 inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0\ valid_lft forever preferred_lft forever
>
>>ela@akacja:~$ ip -o -4 route
> default via 192.168.15.1 dev enp1s0 proto static
> 10.8.0.0/24 via 10.8.0.2 dev tun0
> 10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1
> 10.10.10.0/24 dev enp3s0f1 proto kernel scope link src 10.10.10.1
> 10.10.11.0/24 dev wlp4s0 proto kernel scope link src 10.10.11.1
> 192.168.15.0/24 dev enp1s0 proto kernel scope link src 192.168.15.145
>
>>/etc/openvpn/server.conf
> port 1194
> proto udp
> dev tun
> ca ca.crt
> cert server.crt
> key server.key 8
> dh dh2048.pem
> server 10.8.0.0 255.255.255.0
> ifconfig-pool-persist ipp.txt
> push "route 10.10.10.0 255.255.255.0"

If you want to access the wireless LAN from VPN clients, then you also need to
push a route to 10.10.11.0 255.255.255.0.

> keepalive 10 120
> tls-auth ta.key 0 # This file is secret
> key-direction 0
> cipher AES-128-CBC
> auth SHA256
> user nobody
> group nogroup
> persist-key
> persist-tun
> status openvpn-status.log
> verb 3
>
>>/etc/shorewall/zones:
> #ZONE   TYPE      OPTIONS   IN   OUT
> fw      firewall
> net     ipv4
> loc     ipv4
> road    ipv4
>
>>/etc/shorewall/interfaces:
> ?FORMAT 1
> ###############################################################################
> #ZONE   INTERFACE   BROADCAST   OPTIONS
> net     enp1s0      detect      tcpflags,logmartians,nosmurfs
> loc     enp3s0f1    detect      dhcp
> loc     wlp4s0      detect      dhcp,maclist
> road    tun0        detect
>
>>/etc/shorewall/snat:
> #ACTION                 SOURCE                      DEST     PROTO   PORT   IPSEC   MARK   USER   SWITCH   ORIGDEST   PROBABILITY
> SNAT(192.168.15.145)    10.10.10.0/24,\
>                         10.10.11.0/24               enp1s0
>
>>/etc/shorewall/policy:
> #SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
> loc       net    ACCEPT
> loc       $FW    ACCEPT
> $FW       net    ACCEPT
> $FW       loc    ACCEPT
> road      loc    ACCEPT

You might also want:

loc       road   ACCEPT

> net       all    DROP     info
> all       all    REJECT   info
>
>>/etc/shorewall/tunnels:
> #TYPE          ZONE   GATEWAY     GATEWAY_ZONE
> openvpn:1194   net    0.0.0.0/0
>
>>/etc/shorewall/rules:
> #ACTION   SOURCE   DEST   PROTO   DEST      SOURCE    ORIGINAL   RATE    USER/   MARK   CONNLIMIT   TIME   HEADERS   SWITCH   HELPER
> #                               PORT      PORT(S)   DEST       LIMIT   GROUP
>
> ?SECTION ALL
> ?SECTION ESTABLISHED
> ?SECTION RELATED
> ?SECTION INVALID
> ?SECTION UNTRACKED
> ?SECTION NEW
>
> # Don't allow connection pickup from the net
> #
> Invalid(DROP)   net   all   tcp
> #
> # Accept DNS connections from the firewall to the network
> #
> #DNS(ACCEPT)    $FW   net
> #
> # Accept SSH connections from the local network for administration
> #
> SSH(ACCEPT)     loc   $FW
> #
> # Allow Ping from the local network
> #
> Ping(ACCEPT)    loc   $FW
>
> #
> # Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
> #
>
> Ping(DROP)      net   $FW
>
> ACCEPT          $FW   loc   icmp
> ACCEPT          $FW   net   icmp
> #
> #
> ACCEPT          net   $FW   tcp   6535
> ACCEPT          net   $FW   udp   6534
> ACCEPT          net   $FW   tcp   1007
> ACCEPT          net   $FW   tcp   2225
> ACCEPT          net   $FW   udp   1194

That rule is redundant - the tunnels file entry does that.

It's been years since I used VPN, but I notice in my article at
http://www.shorewall.org/OpenVPN.html#RoadWarrior that my interfaces entry
for the vpn zone is:

road    tun+

rather than

road    tun0

I seem to recall that, when using tun interfaces, a separate interface is
created for each client.

Hope that helps,
-Tom
--
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
\_______________________________________________
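Added example, not part of the thread and not a Shorewall or OpenVPN tool: a small offline checker that reads the four files discussed above (the `ip -o -4 addr` output, the Shorewall `interfaces`, `policy`, `tunnels` and `rules` files, and `server.conf`) and flags the points raised in the reply: a `loc` subnet that is not pushed to clients, a VPN-zone interface named `tunN` rather than the `tun+` wildcard (the wildcard also matches `tun0`, so switching costs nothing), a zone pair accepted in one direction only, and an ACCEPT rule that only repeats what a `tunnels` entry already opens. The sample inputs are constructed, trimmed copies of the configs posted in the thread; the only assumption beyond the thread is Shorewall's documented default for an `openvpn` tunnel type, UDP port 1194.

```python
import ipaddress
import re

# Constructed sample inputs, trimmed from the configs posted in the thread.
IP_ADDR = """\
2: enp1s0 inet 192.168.15.145/24 brd 192.168.15.255 scope global enp1s0
4: enp3s0f1 inet 10.10.10.1/24 brd 10.10.10.255 scope global enp3s0f1
5: wlp4s0 inet 10.10.11.1/24 brd 10.10.11.255 scope global wlp4s0
6: tun0 inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
"""
INTERFACES = """\
?FORMAT 1
#ZONE INTERFACE BROADCAST OPTIONS
net enp1s0 detect tcpflags,logmartians,nosmurfs
loc enp3s0f1 detect dhcp
loc wlp4s0 detect dhcp,maclist
road tun0 detect
"""
POLICY = """\
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
loc net ACCEPT
loc $FW ACCEPT
$FW net ACCEPT
$FW loc ACCEPT
road loc ACCEPT
net all DROP info
all all REJECT info
"""
TUNNELS = """\
#TYPE ZONE GATEWAY GATEWAY_ZONE
openvpn:1194 net 0.0.0.0/0
"""
RULES = """\
SSH(ACCEPT) loc $FW
Ping(DROP) net $FW
ACCEPT net $FW tcp 6535
ACCEPT net $FW udp 1194
"""
SERVER_CONF = """\
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
push "route 10.10.10.0 255.255.255.0"
"""


def shorewall_rows(text):
    """Whitespace-split columns of each line that is not a comment or ?directive."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "?")):
            yield line.split()


def interface_networks(ip_addr_text):
    """Map interface -> IPv4 network, parsed from `ip -o -4 addr` output."""
    nets = {}
    for line in ip_addr_text.splitlines():
        m = re.match(r"\d+:\s+(\S+)\s+inet\s+(\S+)", line)
        if m:  # an address without a prefix length (tun0's peer form) becomes /32
            nets[m.group(1)] = ipaddress.ip_interface(m.group(2)).network
    return nets


def pushed_routes(server_conf):
    """Networks handed to clients by `push "route NET MASK"` lines."""
    return {ipaddress.ip_network(f"{net}/{mask}")
            for net, mask in re.findall(r'^push\s+"route\s+(\S+)\s+(\S+)"', server_conf, re.M)}


def missing_pushes(ip_addr_text, interfaces_text, server_conf):
    """Subnets behind `loc` interfaces that VPN clients get no route to."""
    nets, pushed = interface_networks(ip_addr_text), pushed_routes(server_conf)
    loc_ifaces = [row[1] for row in shorewall_rows(interfaces_text) if row[0] == "loc"]
    return sorted(str(nets[i]) for i in loc_ifaces if i in nets and nets[i] not in pushed)


def literal_tun_interfaces(interfaces_text, zone="road"):
    """VPN-zone interfaces spelled tunN; `tun+` would match them and any later tun device."""
    return [row[1] for row in shorewall_rows(interfaces_text)
            if row[0] == zone and re.fullmatch(r"tun\d+", row[1])]


def one_way_accepts(policy_text, zones=("loc", "road")):
    """(src, dst) pairs among `zones` whose reverse direction has an ACCEPT policy but which do not."""
    accepts = {(r[0], r[1]) for r in shorewall_rows(policy_text) if len(r) >= 3 and r[2] == "ACCEPT"}
    return sorted((b, a) for a, b in accepts
                  if a in zones and b in zones and (b, a) not in accepts)


def tunnel_endpoints(tunnels_text):
    """(zone, proto, port) for each openvpn tunnels entry; Shorewall defaults are udp/1194."""
    ends = []
    for row in shorewall_rows(tunnels_text):
        parts = row[0].split(":")
        if parts[0].startswith("openvpn"):
            proto, port = "udp", "1194"
            for p in parts[1:]:
                if p in ("tcp", "udp"):
                    proto = p
                else:
                    port = p
            ends.append((row[1], proto, port))
    return ends


def redundant_accepts(tunnels_text, rules_text):
    """ACCEPT-to-$FW rules that duplicate a tunnels entry for the same zone/proto/port."""
    ends = set(tunnel_endpoints(tunnels_text))
    return [" ".join(row) for row in shorewall_rows(rules_text)
            if len(row) >= 5 and row[0] == "ACCEPT" and row[2] == "$FW"
            and (row[1], row[3], row[4]) in ends]


if __name__ == "__main__":
    print("loc subnets not pushed to clients:", missing_pushes(IP_ADDR, INTERFACES, SERVER_CONF))
    print("VPN zone interfaces named tunN:", literal_tun_interfaces(INTERFACES))
    print("zone pairs accepted in one direction only:", one_way_accepts(POLICY))
    print("rules duplicating a tunnels entry:", redundant_accepts(TUNNELS, RULES))
```

On the posted configs the checker reports 10.10.11.0/24 as not pushed, `tun0` as a literal name, `loc -> road` as the missing reverse policy, and `ACCEPT net $FW udp 1194` as duplicating the `openvpn:1194` tunnels entry. To run it against a live box, replace the embedded strings with the contents of the real files and the output of `ip -o -4 addr`.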
_______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users