"However from the phone I cannot connect to my LAN and WLAN subnetworks."

How did you try to "connect"?  Ping? SSH?

What address did the Android device get?  Can you ping it from the Shorewall
machine?  Can you ping the Android device from a device on the LAN? WLAN?

Only one tun device is needed for all road clients.

In my tunnels, I have:
?COMMENT openvpn
openvpnserver           inet    0.0.0.0/0

Bill


On 2/7/2018 1:27 PM, Tom Eastep wrote:
Comments interspersed below.

On 02/07/2018 05:13 AM, Bernard Drozd wrote:
Hi,
I'm trying to set up OpenVPN on the newest Ubuntu server 17.10 + Shorewall
in the RoadWarrior mode:
http://shorewall.net/OPENVPN.html#RoadWarrior
To set up OpenVPN I followed the guidance below (of course without the firewall
part):
https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04
In the testing phase I use an Android phone and the 'OpenVPN Connect' app.
I've imported the keys and configuration (*.ovpn file) to my mobile device.
I can connect to the OpenVPN server and see the status on my mobile phone:
connected.
However from the phone I cannot connect to my LAN and WLAN subnetworks.
I suspect that my Shorewall or OpenVPN server configuration needs
adjustment.
Please see my Shorewall and OpenVPN server configurations and advise what
I could change to connect to my LAN network.
ela@akacja:~$ ip -o -4 addr
1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: enp1s0    inet 192.168.15.145/24 brd 192.168.15.255 scope global enp1s0\       valid_lft forever preferred_lft forever
4: enp3s0f1    inet 10.10.10.1/24 brd 10.10.10.255 scope global enp3s0f1\       valid_lft forever preferred_lft forever
5: wlp4s0    inet 10.10.11.1/24 brd 10.10.11.255 scope global wlp4s0\       valid_lft forever preferred_lft forever
6: tun0    inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0\       valid_lft forever preferred_lft forever
ela@akacja:~$ ip -o -4 route
default via 192.168.15.1 dev enp1s0 proto static
10.8.0.0/24 via 10.8.0.2 dev tun0
10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1
10.10.10.0/24 dev enp3s0f1 proto kernel scope link src 10.10.10.1
10.10.11.0/24 dev wlp4s0 proto kernel scope link src 10.10.11.1
192.168.15.0/24 dev enp1s0 proto kernel scope link src 192.168.15.145
/etc/openvpn/server.conf:
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.10.10.0 255.255.255.0"
If you want to access the wireless LAN from VPN clients, then you also
need to push a route to 10.10.11.0 255.255.255.0.

keepalive 10 120
tls-auth ta.key 0 # This file is secret
key-direction 0
cipher AES-128-CBC
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
/etc/shorewall/zones:
#ZONE    TYPE    OPTIONS            IN            OUT
fw    firewall
net    ipv4
loc    ipv4
road    ipv4
/etc/shorewall/interfaces:
?FORMAT 1
###############################################################################
#ZONE    INTERFACE    BROADCAST    OPTIONS
net    enp1s0        detect    tcpflags,logmartians,nosmurfs
loc    enp3s0f1    detect    dhcp
loc    wlp4s0        detect    dhcp,maclist
road    tun0        detect
/etc/shorewall/snat:
#ACTION            SOURCE            DEST            PROTO    PORT    IPSEC    MARK    USER    SWITCH    ORIGDEST    PROBABILITY
SNAT(192.168.15.145)    10.10.10.0/24,\
             10.10.11.0/24    enp1s0
/etc/shorewall/policy:
#SOURCE        DEST        POLICY        LOG LEVEL    LIMIT:BURST
loc        net        ACCEPT
loc        $FW        ACCEPT
$FW        net        ACCEPT
$FW        loc        ACCEPT
road        loc        ACCEPT
You might also want:

loc     road    ACCEPT

net        all        DROP        info
all        all        REJECT        info
/etc/shorewall/tunnels:
#TYPE         ZONE           GATEWAY        GATEWAY_ZONE
openvpn:1194  net            0.0.0.0/0


/etc/shorewall/rules:
#ACTION        SOURCE        DEST        PROTO    DEST    SOURCE        ORIGINAL    RATE        USER/    MARK    CONNLIMIT    TIME    HEADERS        SWITCH        HELPER
#                            PORT    PORT(S)        DEST        LIMIT        GROUP
?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW
#       Don't allow connection pickup from the net
#
Invalid(DROP)    net        all        tcp
#
#    Accept DNS connections from the firewall to the network
#
#DNS(ACCEPT)    $FW        net
#
#    Accept SSH connections from the local network for administration
#
SSH(ACCEPT)    loc        $FW
#
#    Allow Ping from the local network
#
Ping(ACCEPT)    loc        $FW
#
# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
#
Ping(DROP)    net        $FW
ACCEPT        $FW        loc        icmp
ACCEPT        $FW        net        icmp
#
#
ACCEPT        net        $FW        tcp        6535
ACCEPT        net        $FW        udp        6534
ACCEPT        net        $FW        tcp        1007
ACCEPT        net        $FW        tcp        2225
ACCEPT        net        $FW        udp        1194
That rule is redundant - the tunnels file entry does that.

It's been years since I used VPN, but I notice in my article at
http://www.shorewall.org/OpenVPN.html#RoadWarrior that my interfaces
entry for the vpn zone is:

road       tun+

rather than

road       tun0

I seem to recall that, when using tun interfaces, a separate interface
is created for each client.

Hope that helps,

-Tom
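
The two configuration gaps Tom points out above (no pushed route for the
wireless subnet, and no policy for connections initiated from loc towards
road) can be caught mechanically. The script below is an added example, not
part of this thread and not a Shorewall or OpenVPN tool. It embeds Bernard's
server.conf, interfaces and policy files as constructed sample input, the
interface-to-subnet map is copied from his `ip -o -4 addr` output, and the
policy matching (first match wins, `all` is a wildcard) is a simplified model
of Shorewall's behaviour.

```python
"""Cross-check an OpenVPN road-warrior server.conf against Shorewall zone
configuration: is every local subnet pushed to the clients, and does the
policy accept traffic between the road zone and each local zone?"""
import ipaddress
import shlex

# Constructed sample: subnets behind each local interface, from the thread's
# `ip -o -4 addr` output.  A real run would read these from the host.
INTERFACE_SUBNETS = {"enp3s0f1": "10.10.10.0/24", "wlp4s0": "10.10.11.0/24"}

# Trimmed copies of the configuration files posted in the thread.
SERVER_CONF = """\
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
push "route 10.10.10.0 255.255.255.0"
"""
INTERFACES = """\
?FORMAT 1
#ZONE    INTERFACE    BROADCAST    OPTIONS
net    enp1s0        detect    tcpflags,logmartians,nosmurfs
loc    enp3s0f1    detect    dhcp
loc    wlp4s0        detect    dhcp,maclist
road    tun0        detect
"""
POLICY = """\
#SOURCE        DEST        POLICY        LOG LEVEL    LIMIT:BURST
loc        net        ACCEPT
loc        $FW        ACCEPT
$FW        net        ACCEPT
$FW        loc        ACCEPT
road        loc        ACCEPT
net        all        DROP        info
all        all        REJECT        info
"""


def config_lines(text):
    """Yield the fields of each non-empty, non-comment, non-directive line.
    shlex keeps the quoted argument of `push "route ..."` as one field."""
    for raw in text.splitlines():
        fields = shlex.split(raw, comments=True)
        if fields and not fields[0].startswith("?"):
            yield fields


def pushed_routes(server_conf):
    """Networks the server pushes to clients, as ipaddress objects."""
    routes = []
    for fields in config_lines(server_conf):
        if fields[0] == "push":
            option = fields[1].split()  # e.g. ['route', '10.10.10.0', '255.255.255.0']
            if option[0] == "route" and len(option) >= 3:
                routes.append(ipaddress.ip_network(f"{option[1]}/{option[2]}", strict=False))
    return routes


def zone_interfaces(interfaces):
    """Map each Shorewall zone to the interfaces assigned to it."""
    zones = {}
    for fields in config_lines(interfaces):
        zones.setdefault(fields[0], []).append(fields[1])
    return zones


def policy_verdict(policy):
    """Return a function (src, dst) -> policy, using first-match semantics
    with `all` as a wildcard (simplified model of Shorewall's policy file)."""
    rules = [(f[0], f[1], f[2]) for f in config_lines(policy)]

    def verdict(src, dst):
        for s, d, pol in rules:
            if s in (src, "all") and d in (dst, "all"):
                return pol
        return None
    return verdict


def check_road_warrior(server_conf, interfaces, policy, subnets, road_zone="road"):
    """Return a list of findings; empty means every local subnet is pushed to
    the clients and the policy accepts both directions between the zones."""
    findings = []
    routes = pushed_routes(server_conf)
    verdict = policy_verdict(policy)
    for zone, ifaces in zone_interfaces(interfaces).items():
        if zone in (road_zone, "net"):
            continue
        for iface in ifaces:
            if iface in subnets:
                net = ipaddress.ip_network(subnets[iface])
                # Clients only send traffic for this subnet into the tunnel
                # if a covering route was pushed to them.
                if not any(net.subnet_of(r) for r in routes):
                    findings.append(f"no pushed route covers {net} ({iface}, zone {zone})")
        # road -> zone is needed for client-initiated connections; zone -> road
        # only for connections the LAN initiates towards VPN clients.
        for src, dst in ((road_zone, zone), (zone, road_zone)):
            pol = verdict(src, dst)
            if pol != "ACCEPT":
                findings.append(f"policy {src} -> {dst} is {pol or 'unset'}, not ACCEPT")
    return findings


if __name__ == "__main__":
    for line in check_road_warrior(SERVER_CONF, INTERFACES, POLICY, INTERFACE_SUBNETS):
        print(line)
```

Run against the thread's configuration it reports exactly the two items Tom
raised: 10.10.11.0/24 is not pushed, and loc -> road falls through to the
`all all REJECT` policy. Adding the second push line and a `loc road ACCEPT`
policy entry clears both findings.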


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users

