
I have one root server and two clients. The root server has a static IP address and runs Debian Linux. My clients are Mac OS X and Debian Linux with dynamic IP addresses.

From my clients I can open a VPN connection, but the traffic is blocked by Shorewall. The Shorewall log told me that the traffic comes from the net zone to the fw zone (fw is the server zone; I don't have a local zone because it is only one machine), but shouldn't it be from the vpn zone to the fw zone?

This is one line from the log:

net-fw:DROP:IN=tun0 OUT= SRC=10.8.0.3 DST=10.8.0.1  PROTO=TCP SPT=37744 DPT=3000

And these are my config files:

openvpn server.conf:

port 1194
proto udp
dev tun
ca ca.crt
cert me.crt
key me.key
dh dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3

openvpn client.conf:

client
dev tun
proto udp
remote xx.xx.xx.xx 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca ca.crt
cert debian.crt
key debian.key
remote-cert-tls server
comp-lzo
verb 3

shorewall interfaces:

net all     physical=+
vpn tun+

shorewall zones:

fw  firewall
net ip
vpn ipv4

shorewall policy:

$FW    net   ACCEPT
vpn    $FW   ACCEPT   info
net    all   DROP     info
all    all   REJECT   info

shorewall rules:

Invalid(DROP)   net   $FW   tcp
ACCEPT:info     net   $FW   udp 1194
ACCEPT:info     vpn   $FW
ACCEPT:info     $FW   vpn

shorewall tunnels:

openvpnserver:1194  net 0.0.0.0/0

1 Answer


I've not encountered the physical option for an interface before, but based on reading the shorewall-interfaces manpage, I'm not sure this is doing what you might think it does:

net all     physical=+

Try changing it to

net eth+

Then see if the traffic coming in over the VPN is correctly classified as coming from VPN zone.

womble
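A quick way to confirm the diagnosis before and after changing the interfaces file is to look for exactly the symptom in the question: a packet whose input interface is a tun device but whose log prefix names the net zone. The script below is an added example, not part of the question or the answer. It reads Shorewall log lines in the format shown above (`zone-zone:ACTION:IN=... OUT=... SRC=... DST=...`; in a kernel log that prefix is normally preceded by a tag such as `Shorewall:`, which the pattern also accepts) and flags lines where a `net-` zone chain handled a packet that arrived on `tun`. The sample log lines are constructed for the demo; the first one is the line from the question, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): detect Shorewall log lines in
# which a packet that came in on a tun interface was handled by a "net-*" zone
# chain, i.e. the net zone absorbed the VPN interface instead of the vpn zone.

# Constructed sample lines for the demo. Line 1 is the question's own log line,
# line 2 is a normal Internet-side packet, line 3 is what a correctly classified
# VPN packet looks like after the interfaces fix.
SAMPLE_LOG='net-fw:DROP:IN=tun0 OUT= SRC=10.8.0.3 DST=10.8.0.1  PROTO=TCP SPT=37744 DPT=3000
net-fw:ACCEPT:IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=UDP SPT=51000 DPT=1194
vpn-fw:ACCEPT:IN=tun0 OUT= SRC=10.8.0.3 DST=10.8.0.1  PROTO=TCP SPT=37745 DPT=3000'

# misclassified_vpn_lines: read log lines on stdin and print those whose zone
# prefix is "net-<zone>:<ACTION>:" while the input interface is a tun device.
# "tun[0-9]+" mirrors the "tun+" wildcard from the shorewall interfaces file.
# The first pattern handles a bare prefix, the second one a prefix that follows
# a tag such as "Shorewall:" in the kernel log.
misclassified_vpn_lines() {
  awk '/^net-[A-Za-z0-9_]+:[A-Za-z]+:IN=tun[0-9]+( |$)/ ||
       /[^A-Za-z0-9_-]net-[A-Za-z0-9_]+:[A-Za-z]+:IN=tun[0-9]+( |$)/'
}

# count_misclassified: number of such lines on stdin.
count_misclassified() {
  misclassified_vpn_lines | wc -l | tr -d ' '
}

# check_vpn_zone: succeed (exit 0) when no tun packet was logged under a net-
# zone chain, fail (exit 1) otherwise. Intended use on the server after the
# change, e.g.: journalctl -k | check_vpn_zone
check_vpn_zone() {
  n=$(count_misclassified)
  [ "$n" -eq 0 ]
}

# Demo on the constructed sample: the question's own line gets flagged.
if printf '%s\n' "$SAMPLE_LOG" | check_vpn_zone; then
  echo "OK: no tun traffic was classified in the net zone"
else
  echo "PROBLEM: tun traffic logged under a net- zone chain:"
  printf '%s\n' "$SAMPLE_LOG" | misclassified_vpn_lines
fi
```

Once the interfaces file lists `net eth+` instead of the catch-all, tun0 traffic should show up with a `vpn-fw` prefix (and, given the policy file above, be accepted rather than logged as dropped). `shorewall show zones` prints which interfaces each zone currently covers, and `shorewall check` validates the configuration before you restart it.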