Thank you Tom and Bill.
>How did you try to "connect"?  Ping? SSH?
I tried to load a 'local' LAN website (on 10.10.10.1).
When I switch my phone to use WiFi I can load this website, but when I switch data transfer to LTE and switch on the 'Mobile OpenVPN Connect' app I cannot reach this website, despite the OpenVPN connection being established. I tried Tom's configuration suggestion but nothing has changed; I still cannot reach my subnets (LAN, WLAN) using the OpenVPN road warrior.
Regards,
B

On 2018-02-07 at 21:59, Bill Shirley wrote:
"However from the phone I cannot connect to my LAN and WLAN subnetworks."

What address did the Android device get?  Can you ping it from the Shorewall
machine?  Can you ping the Android device from a device on the LAN? WLAN?

Only one tun device is needed for all road clients.

In my tunnels, I have:
?COMMENT openvpn
openvpnserver           inet    0.0.0.0/0

Bill


On 2/7/2018 1:27 PM, Tom Eastep wrote:
Comments interspersed below.

On 02/07/2018 05:13 AM, Bernard Drozd wrote:
Hi,
I'm trying to set up OpenVPN on the newest Ubuntu server 17.10 + Shorewall
in the RoadWarrior mode:
http://shorewall.net/OPENVPN.html#RoadWarrior
To set up OpenVPN I followed the guidance below (of course without the firewall
part):
https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04
In the testing phase I use an Android phone and the 'OpenVPN Connect' app.
I've imported keys and configurations (*.ovpn file) to my mobile device.
I can connect to the OpenVPN server and see the status on my mobile phone:
connected.
However from the phone I cannot connect to my LAN and WLAN subnetworks.
I suspect that my Shorewall or server OpenVPN configuration needs
adjustment.
Please see my Shorewall and OpenVPN server configurations and advise what
I could change to connect to my LAN network.
ela@akacja:~$ ip -o -4 addr
1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: enp1s0    inet 192.168.15.145/24 brd 192.168.15.255 scope global enp1s0\       valid_lft forever preferred_lft forever
4: enp3s0f1    inet 10.10.10.1/24 brd 10.10.10.255 scope global enp3s0f1\       valid_lft forever preferred_lft forever
5: wlp4s0    inet 10.10.11.1/24 brd 10.10.11.255 scope global wlp4s0\       valid_lft forever preferred_lft forever
6: tun0    inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0\       valid_lft forever preferred_lft forever
ela@akacja:~$ ip -o -4 route
default via 192.168.15.1 dev enp1s0 proto static
10.8.0.0/24 via 10.8.0.2 dev tun0
10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1
10.10.10.0/24 dev enp3s0f1 proto kernel scope link src 10.10.10.1
10.10.11.0/24 dev wlp4s0 proto kernel scope link src 10.10.11.1
192.168.15.0/24 dev enp1s0 proto kernel scope link src 192.168.15.145
/etc/openvpn/server.conf
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.10.10.0 255.255.255.0"
If you want to access the wireless LAN from VPN clients, then you also
need to push a route to 10.10.11.0 255.255.255.0.

keepalive 10 120
tls-auth ta.key 0 # This file is secret
key-direction 0
cipher AES-128-CBC
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
/etc/shorewall/zones:
#ZONE    TYPE    OPTIONS            IN            OUT
fw    firewall
net    ipv4
loc    ipv4
road    ipv4
/etc/shorewall/interfaces:
?FORMAT 1
###############################################################################
#ZONE    INTERFACE    BROADCAST    OPTIONS
net    enp1s0        detect    tcpflags,logmartians,nosmurfs
loc    enp3s0f1    detect    dhcp
loc    wlp4s0        detect    dhcp,maclist
road    tun0        detect
/etc/shorewall/snat:
#ACTION            SOURCE            DEST            PROTO PORT    IPSEC    MARK    USER    SWITCH    ORIGDEST    PROBABILITY
SNAT(192.168.15.145)    10.10.10.0/24,\
             10.10.11.0/24    enp1s0
/etc/shorewall/policy:
#SOURCE        DEST        POLICY        LOG LEVEL LIMIT:BURST
loc        net        ACCEPT
loc        $FW        ACCEPT
$FW        net        ACCEPT
$FW        loc        ACCEPT
road        loc        ACCEPT
You might also want:

loc    road    ACCEPT

net        all        DROP        info
all        all        REJECT        info
/etc/shorewall/tunnels:
#TYPE         ZONE           GATEWAY        GATEWAY_ZONE
openvpn:1194  net            0.0.0.0/0


/etc/shorewall/rules:
#ACTION        SOURCE        DEST        PROTO    DEST PORT    SOURCE PORT(S)    ORIGINAL DEST    RATE LIMIT    USER/GROUP    MARK    CONNLIMIT    TIME    HEADERS        SWITCH        HELPER
?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW
#    Don't allow connection pickup from the net
#
Invalid(DROP)    net        all        tcp
#
#    Accept DNS connections from the firewall to the network
#
#DNS(ACCEPT)    $FW        net
#
#    Accept SSH connections from the local network for administration
#
SSH(ACCEPT)    loc        $FW
#
#    Allow Ping from the local network
#
Ping(ACCEPT)    loc        $FW
#
#    Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
#
Ping(DROP)    net        $FW
ACCEPT        $FW        loc        icmp
ACCEPT        $FW        net        icmp
#
#
ACCEPT        net        $FW        tcp        6535
ACCEPT        net        $FW        udp        6534
ACCEPT        net        $FW        tcp        1007
ACCEPT        net        $FW        tcp        2225
ACCEPT        net        $FW        udp        1194
That rule is redundant - the tunnels file entry does that.

It's been years since I used VPN, but I notice in my article at
http://www.shorewall.org/OpenVPN.html#RoadWarrior that my interfaces
entry for the vpn zone is:

road       tun+

rather than

road       tun0

I seem to recall that, when using tun interfaces, a separate interface
is created for each client.

Hope that helps,

-Tom


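A small added check script (not from the thread or from Shorewall) covering the two points Tom raised: whether server.conf pushes a route for every LAN subnet, and whether the road zone is bound to a single tun0 rather than tun+. File paths and contents are constructed samples modelled on the configuration quoted above.

```shell
#!/bin/sh
# Added example, not part of the original thread. Sample files are constructed.

# Print each LAN subnet (CIDR) that server.conf does not push to VPN clients.
# Args: path to server.conf, followed by one or more subnets such as 10.10.11.0/24.
missing_pushed_routes() {
    conf=$1; shift
    for cidr in "$@"; do
        # Escape the dots so they match literally in the regex.
        net=$(printf '%s' "${cidr%/*}" | sed 's/\./\\./g')
        # Matches: push "route 10.10.10.0 255.255.255.0"
        grep -Eq "^[[:space:]]*push[[:space:]]+\"route[[:space:]]+$net[[:space:]]" "$conf" \
            || printf '%s\n' "$cidr"
    done
}

# Exit 0 if the road zone's interfaces entry uses the tun+ wildcard, 1 otherwise.
road_uses_wildcard() {
    grep -Eq '^road[[:space:]]+tun\+' "$1"
}

# Constructed sample input mirroring the thread's server.conf and interfaces files.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/server.conf" <<'EOF'
server 10.8.0.0 255.255.255.0
push "route 10.10.10.0 255.255.255.0"
EOF
cat > "$tmp/interfaces" <<'EOF'
?FORMAT 1
net    enp1s0      detect    tcpflags,logmartians,nosmurfs
loc    enp3s0f1    detect    dhcp
road   tun0        detect
EOF
cat > "$tmp/interfaces_fixed" <<'EOF'
?FORMAT 1
road   tun+        detect
EOF

# Report: 10.10.11.0/24 is not pushed, and the road zone is tied to tun0 only.
missing_pushed_routes "$tmp/server.conf" 10.10.10.0/24 10.10.11.0/24
road_uses_wildcard "$tmp/interfaces" || echo "road zone bound to tun0 only; consider tun+"
```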
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
