shorewall / openvpn combination problem


  • Haranaka
  • Registered: September 2000
  • Last online: 08-09-2025
I'm setting up a small VPN server (openvpn 2.0) on my Debian router so that I can set up a connection between my server and my laptop (WinXP) over the VPN when I'm 'on the road'.
I read and followed the following howto: http://www.shorewall.net/OPENVPN.html

My laptop can now connect to the VPN server and gets a nice IP assigned (10.0.16.6). However, from my laptop I cannot ping the server, and vice versa.

My server says:
code:
# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:40:F4:6B:21:CF
          inet addr:xxx  Bcast:xxx  Mask:255.255.255.0
          inet6 addr: xxx Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:8158708 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5684185 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:426469951 (406.7 MiB)  TX bytes:710574606 (677.6 MiB)
          Interrupt:169 Base address:0xec00

eth1      Link encap:Ethernet  HWaddr 00:0C:6E:26:F3:1B
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:6eff:fe26:f31b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:11979181 errors:0 dropped:0 overruns:0 frame:0
          TX packets:14446842 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2289081185 (2.1 GiB)  TX bytes:2236465872 (2.0 GiB)
          Interrupt:177 Base address:0xdc00

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:106572 errors:0 dropped:0 overruns:0 frame:0
          TX packets:106572 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:34849141 (33.2 MiB)  TX bytes:34849141 (33.2 MiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.0.16.1  P-t-P:10.0.16.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:25 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:1500 (1.4 KiB)  TX bytes:704 (704.0 b)

# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.16.2       *               255.255.255.255 UH    0      0        0 tun0
10.0.16.0       10.0.16.2       255.255.255.0   UG    0      0        0 tun0
localnet        *               255.255.255.0   U     0      0        0 eth1
83.160.231.0    *               255.255.255.0   U     0      0        0 eth0
default         babyxl-colo-gn- 0.0.0.0         UG    0      0        0 eth0

# ping 10.0.16.6
PING 10.0.16.6 (10.0.16.6) 56(84) bytes of data.
From 10.0.16.1 icmp_seq=1 Destination Host Unreachable
From 10.0.16.1 icmp_seq=1 Destination Host Unreachable
From 10.0.16.1 icmp_seq=1 Destination Host Unreachable
From 10.0.16.1 icmp_seq=1 Destination Host Unreachable
From 10.0.16.1 icmp_seq=1 Destination Host Unreachable
From 10.0.16.1 icmp_seq=1 Destination Host Unreachable
ping: sendmsg: Operation not permitted
From 10.0.16.1 icmp_seq=2 Destination Host Unreachable
ping: sendmsg: Operation not permitted
From 10.0.16.1 icmp_seq=3 Destination Host Unreachable
ping: sendmsg: Operation not permitted
From 10.0.16.1 icmp_seq=4 Destination Host Unreachable
ping: sendmsg: Operation not permitted

--- 10.0.16.6 ping statistics ---
4 packets transmitted, 0 received, +9 errors, 100% packet loss, time 3060ms

# tail  /var/log/messages
Jul 11 20:19:04 enterprise kernel: Shorewall:all2all:REJECT:IN= OUT=tun0 SRC=10.0.16.1 DST=10.0.16.6 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=ICMP TYPE=8 CODE=0 ID=46901 SEQ=1
Jul 11 20:19:04 enterprise kernel: Shorewall:all2all:REJECT:IN= OUT=tun0 SRC=10.0.16.1 DST=10.0.16.6 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=ICMP TYPE=8 CODE=0 ID=46901 SEQ=1
Jul 11 20:19:04 enterprise kernel: Shorewall:all2all:REJECT:IN= OUT=tun0 SRC=10.0.16.1 DST=10.0.16.6 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=6 DF PROTO=ICMP TYPE=8 CODE=0 ID=46901 SEQ=1
Jul 11 20:19:05 enterprise kernel: Shorewall:all2all:REJECT:IN= OUT=tun0 SRC=10.0.16.1 DST=10.0.16.6 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=ICMP TYPE=8 CODE=0 ID=46901 SEQ=2
Jul 11 20:19:05 enterprise kernel: Shorewall:all2all:REJECT:IN= OUT=tun0 SRC=10.0.16.1 DST=10.0.16.6 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=8 DF PROTO=ICMP TYPE=8 CODE=0 ID=46901 SEQ=2
Jul 11 20:19:06 enterprise kernel: Shorewall:all2all:REJECT:IN= OUT=tun0 SRC=10.0.16.1 DST=10.0.16.6 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=9 DF PROTO=ICMP TYPE=8 CODE=0 ID=46901 SEQ=3
Jul 11 20:19:06 enterprise kernel: Shorewall:all2all:REJECT:IN= OUT=tun0 SRC=10.0.16.1 DST=10.0.16.6 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=10 DF PROTO=ICMP TYPE=8 CODE=0 ID=46901 SEQ=3
Jul 11 20:19:07 enterprise kernel: Shorewall:all2all:REJECT:IN= OUT=tun0 SRC=10.0.16.1 DST=10.0.16.6 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=11 DF PROTO=ICMP TYPE=8 CODE=0 ID=46901 SEQ=4
Jul 11 20:19:07 enterprise kernel: Shorewall:all2all:REJECT:IN= OUT=tun0 SRC=10.0.16.1 DST=10.0.16.6 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=12 DF PROTO=ICMP TYPE=8 CODE=0 ID=46901 SEQ=4
Jul 11 20:20:57 enterprise kernel: Shorewall:all2all:REJECT:IN=tun0 OUT= MAC= SRC=10.0.16.6 DST=10.0.16.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=30600 PROTO=ICMP TYPE=8 CODE=0 ID=1024 SEQ=9472
Jul 11 20:20:58 enterprise kernel: Shorewall:all2all:REJECT:IN=tun0 OUT= MAC= SRC=10.0.16.6 DST=10.0.16.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=30602 PROTO=ICMP TYPE=8 CODE=0 ID=1024 SEQ=9728
Jul 11 20:20:59 enterprise kernel: Shorewall:all2all:REJECT:IN=tun0 OUT= MAC= SRC=10.0.16.6 DST=10.0.16.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=30604 PROTO=ICMP TYPE=8 CODE=0 ID=1024 SEQ=9984
Jul 11 20:21:00 enterprise kernel: Shorewall:all2all:REJECT:IN=tun0 OUT= MAC= SRC=10.0.16.6 DST=10.0.16.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=30606 PROTO=ICMP TYPE=8 CODE=0 ID=1024 SEQ=10240


My laptop says:
code:
ipconfig /all
Ethernet adapter VPN:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : TAP-Win32 Adapter V8
        Physical Address. . . . . . . . . : 00-FF-0D-3A-A1-CE
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 10.0.16.6
        Subnet Mask . . . . . . . . . . . : 255.255.255.252
        Default Gateway . . . . . . . . . :
        DHCP Server . . . . . . . . . . . : 10.0.16.5
        Lease Obtained. . . . . . . . . . : maandag 11 juli 2005 19:54:55
        Lease Expires . . . . . . . . . . : dinsdag 11 juli 2006 19:54:55

C:\Documents and Settings\diederik>route PRINT

========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.11       30
        10.0.16.0    255.255.255.0        10.0.16.5       10.0.16.6       1
        10.0.16.4  255.255.255.252        10.0.16.6       10.0.16.6       30
        10.0.16.6  255.255.255.255        127.0.0.1       127.0.0.1       30
   10.255.255.255  255.255.255.255        10.0.16.6       10.0.16.6       30
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.0.0    255.255.255.0     192.168.0.11    192.168.0.11       30
     192.168.0.11  255.255.255.255        127.0.0.1       127.0.0.1       30
    192.168.0.255  255.255.255.255     192.168.0.11    192.168.0.11       30
        224.0.0.0        240.0.0.0        10.0.16.6       10.0.16.6       30
        224.0.0.0        240.0.0.0     192.168.0.11    192.168.0.11       30
  255.255.255.255  255.255.255.255        10.0.16.6               2       1
  255.255.255.255  255.255.255.255        10.0.16.6       10.0.16.6       1
  255.255.255.255  255.255.255.255     192.168.0.11    192.168.0.11       1
Default Gateway:       192.168.0.1
===========================================================================
Persistent Routes:
  None


To make things complete, here are a number of config files:
/etc/openvpn/server.conf
code:
dev tun
server 10.0.16.0 255.255.255.0

dh dh1024.pem
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret

port 1194
ifconfig-pool-persist ipp.txt
client-to-client
comp-lzo
max-clients 5
user  nobody
group nogroup
persist-key
persist-tun

ping            15
ping-restart    45
ping-timer-rem

status openvpn-status.log
log         /var/log/openvpn/openvpn.log
log-append  /var/log/openvpn/openvpn.log
verb 3


/etc/shorewall/interfaces
code:
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth0            detect  dhcp
road    tun0
loc     eth1            192.168.0.255   tcpflags

#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


/etc/shorewall/masq
code:
##############################################################################
#INTERFACE              SUBNET          ADDRESS
eth0                    eth1

#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE



/etc/shorewall/policy
code:
#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
loc             net             ACCEPT
loc             fw              ACCEPT
fw              net             ACCEPT
fw              loc             ACCEPT

road            loc             ACCEPT
loc             road            ACCEPT

net             all             DROP            info

# THE FOLLOWING POLICY MUST BE LAST
all             all             REJECT          info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE


/etc/shorewall/tunnels
code:
#TYPE         ZONE           GATEWAY        GATEWAY ZONE
openvpn:1194  net            0.0.0.0/0

#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE


/etc/shorewall/zones
code:
#ZONE   DISPLAY         COMMENTS
net     Net             Internet
loc     Local           Local Networks
road    Roadwarrior     Remote clients

#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE


So, I think I have gathered pretty much all the relevant information. Now I just have to hope that someone here can figure out what exactly I'm doing wrong. A routing problem, or something in the shorewall config after all? I have already put quite a few hours into this and I'm really at my wits' end.

...


  • igmar
  • Registered: April 2000
  • Last online: 31-01 23:50


Haranaka wrote on Monday 11 July 2005 @ 21:36:
code:
# tail  /var/log/messages
Jul 11 20:19:04 enterprise kernel: Shorewall:all2all:REJECT:IN= OUT=tun0 SRC=10.0.16.1 DST=10.0.16.6 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=ICMP TYPE=8 CODE=0 ID=46901 SEQ=1
Jul 11 20:19:04 enterprise kernel: Shorewall:all2all:REJECT:IN= OUT=tun0 SRC=10.0.16.1 DST=10.0.16.6 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=ICMP TYPE=8 CODE=0 ID=46901 SEQ=1
Jul 11 20:19:04 enterprise kernel: Shorewall:all2all:REJECT:IN= OUT=tun0 SRC=10.0.16.1 DST=10.0.16.6 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=6 DF PROTO=ICMP TYPE=8 CODE=0 ID=46901 SEQ=1
Jul 11 20:19:05 enterprise kernel: Shorewall:all2all:REJECT:IN= OUT=tun0 SRC=10.0.16.1 DST=10.0.16.6 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=ICMP TYPE=8 CODE=0 ID=46901 SEQ=2
Jul 11 20:19:05 enterprise kernel: Shorewall:all2all:REJECT:IN= OUT=tun0 SRC=10.0.16.1 DST=10.0.16.6 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=8 DF PROTO=ICMP TYPE=8 CODE=0 ID=46901 SEQ=2
Jul 11 20:19:06 enterprise kernel: Shorewall:all2all:REJECT:IN= OUT=tun0 SRC=10.0.16.1 DST=10.0.16.6 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=9 DF PROTO=ICMP TYPE=8 CODE=0 ID=46901 SEQ=3
Jul 11 20:19:06 enterprise kernel: Shorewall:all2all:REJECT:IN= OUT=tun0 SRC=10.0.16.1 DST=10.0.16.6 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=10 DF PROTO=ICMP TYPE=8 CODE=0 ID=46901 SEQ=3
Jul 11 20:19:07 enterprise kernel: Shorewall:all2all:REJECT:IN= OUT=tun0 SRC=10.0.16.1 DST=10.0.16.6 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=11 DF PROTO=ICMP TYPE=8 CODE=0 ID=46901 SEQ=4
Jul 11 20:19:07 enterprise kernel: Shorewall:all2all:REJECT:IN= OUT=tun0 SRC=10.0.16.1 DST=10.0.16.6 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=12 DF PROTO=ICMP TYPE=8 CODE=0 ID=46901 SEQ=4
Jul 11 20:20:57 enterprise kernel: Shorewall:all2all:REJECT:IN=tun0 OUT= MAC= SRC=10.0.16.6 DST=10.0.16.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=30600 PROTO=ICMP TYPE=8 CODE=0 ID=1024 SEQ=9472
Jul 11 20:20:58 enterprise kernel: Shorewall:all2all:REJECT:IN=tun0 OUT= MAC= SRC=10.0.16.6 DST=10.0.16.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=30602 PROTO=ICMP TYPE=8 CODE=0 ID=1024 SEQ=9728
Jul 11 20:20:59 enterprise kernel: Shorewall:all2all:REJECT:IN=tun0 OUT= MAC= SRC=10.0.16.6 DST=10.0.16.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=30604 PROTO=ICMP TYPE=8 CODE=0 ID=1024 SEQ=9984
Jul 11 20:21:00 enterprise kernel: Shorewall:all2all:REJECT:IN=tun0 OUT= MAC= SRC=10.0.16.6 DST=10.0.16.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=30606 PROTO=ICMP TYPE=8 CODE=0 ID=1024 SEQ=10240
And what is unclear about the above? The messages in question clearly show that iptables is dropping your packets. In other words: fix your firewall config.

  • Haranaka
  • Registered: September 2000
  • Last online: 08-09-2025
/etc/shorewall/policy
code:
#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
loc             net             ACCEPT
loc             fw              ACCEPT
fw              net             ACCEPT
fw              loc             ACCEPT

road            loc             ACCEPT
loc             road            ACCEPT
road            fw              ACCEPT #*
fw              road            ACCEPT #* (posted as a second "fw net" line; fw -> road is the pair the OUT=tun0 rejects in the log need)

net             all             DROP            info

# THE FOLLOWING POLICY MUST BE LAST
all             all             REJECT          info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

That must have been it, of course: the pinging also went from the server to the VPN client, and that is traffic between the zones fw and road, not between road and loc |:(
Just goes to show, sometimes you stare yourself blind at such silly little things....
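The diagnosis above can be automated: map the IN=/OUT= interfaces of each Shorewall REJECT line to zones (an empty interface is the firewall host itself) and look up which policy line would handle that zone pair. This is an added example, not code from the thread; the interface-to-zone mapping, the policy text and the two log lines are constructed from what was posted.

```python
import re

# Constructed sample data modelled on the thread: interface -> zone (from
# /etc/shorewall/interfaces) and the policy file as posted before the fix.
INTERFACE_ZONES = {"eth0": "net", "eth1": "loc", "tun0": "road",
                   "": "fw"}  # empty IN= or OUT= means the firewall host itself
POLICY_BEFORE = """
loc   net   ACCEPT
loc   fw    ACCEPT
fw    net   ACCEPT
fw    loc   ACCEPT
road  loc   ACCEPT
loc   road  ACCEPT
net   all   DROP    info
all   all   REJECT  info
"""
# Two constructed log lines in Shorewall's kernel-log format (trailing fields trimmed).
LOG_SAMPLE = """
Jul 11 20:19:04 enterprise kernel: Shorewall:all2all:REJECT:IN= OUT=tun0 SRC=10.0.16.1 DST=10.0.16.6 PROTO=ICMP TYPE=8
Jul 11 20:20:57 enterprise kernel: Shorewall:all2all:REJECT:IN=tun0 OUT= MAC= SRC=10.0.16.6 DST=10.0.16.1 PROTO=ICMP TYPE=8
"""
REJECT_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):REJECT:IN=(?P<in>\S*) OUT=(?P<out>\S*)")

def parse_policy(text):
    """(source, dest, policy) triples in file order; comments and blank lines skipped."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields:
            rules.append(tuple(fields[:3]))
    return rules

def first_matching_policy(src, dst, rules):
    """Shorewall applies the first policy line whose zones match; 'all' matches any zone."""
    for rule in rules:
        if rule[0] in (src, "all") and rule[1] in (dst, "all"):
            return rule
    return None

def unaddressed_zone_pairs(log, policy_text):
    """Zone pairs whose rejected packets fell through to the catch-all 'all all' policy."""
    rules = parse_policy(policy_text)
    pairs = set()
    for m in REJECT_RE.finditer(log):
        src, dst = INTERFACE_ZONES.get(m.group("in"), "?"), INTERFACE_ZONES.get(m.group("out"), "?")
        hit = first_matching_policy(src, dst, rules)
        if hit is not None and hit[:2] == ("all", "all"):
            pairs.add((src, dst))
    return sorted(pairs)
```

On the posted policy it reports ('fw', 'road') and ('road', 'fw'); once explicit policies for those two pairs are added it reports nothing.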

...


  • McMiGHtY
  • Registered: December 1999
  • Last online: 18-02 10:48


The IP address you get on your VPN adapter has no default gateway