[Shorewall-users] Shorewall and OpenVPN woes

Files files at poetryunlimited.com
Thu Sep 23 07:38:49 PDT 2004


Ok. I'm knocking down one problem at a time.

I've managed to figure out how to bridge my tap0 and my eth1 with br0.

This is good stuff.

But if I have shorewall running, I can't ping the local network at all.

If I have shorewall not running, I can ping the local network.

Here is my setup.

Firewall/NAT box:
eth0 - DHCP from cable provider
eth1 - 192.168.2.0/255.255.255.0 local network
tap0 - OpenVPN endpoint
tap1 - OpenVPN endpoint

Laptop
Work client - coming from the internet via the cable box
Home wireless client - coming through the wireless router internally.

Zones:
fw
loc
net

I also have a wireless lan 192.168.1.0/255.255.255.0 that has a NAT at
192.168.2.198 - secured w/ WPA-PSK.

I want to be able to connect to the tap0 from outside the firewall.
I want to be able to connect to the tap1 from the wireless lan.
I would prefer to use security regardless, so that if I decide to use VPN from
the wireless router, I can shut off WPA-PSK and maybe only open the VPN port
for forwarding.

I want the laptop, when connected via OpenVPN to act like it sits on
192.168.2.0/255.255.255.0.

So obviously, to me, this means bridging tap0, tap1 and eth1. That's as far as
I understand it so far. As far as the firewalling goes.

Firstly, I need to understand what interfaces/rules/policies I have to set in
shorewall to make this happen.

I can try to do this by hand, but it defeats the purpose of having shorewall
at all, and I like the logical separation of concerns. I just don't always see
how to do the complicated stuff, especially, when I'm not quite understanding
the flow that has to occur.

I attempted to follow the details for the bridged ethernet networks that were
masqueraded, but couldn't understand how it would fit my architecture seeing
as I had a single laptop, not a second network at the other end. I was getting
confused.

So I need to understand how to set up the necessary configuration for the
setup I'm trying to get to.

With shorewall running now, after I bridge, I can't ping the local network even
from the firewall.

With shorewall off, I can ping the local network.

Any help would be greatly appreciated.

Or even a pointer to someone else's message thread that solves the same problem.

Thanks.

-- 
Shamim Islam
BA BS
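A Shorewall 2.x configuration that matches the bridged layout described above, added here as an example and not taken from the thread or from the Shorewall project. Once eth1, tap0 and tap1 are enslaved to br0, packets arrive on br0, so an interfaces file that still names eth1 leaves them in no zone and the default policy drops them; the zone/interface/subnet names come from the post, the OpenVPN port (1194/udp) and the policy choices are assumptions.

```text
# /etc/shorewall/zones   (constructed example, Shorewall 2.x 3-column format)
#ZONE   DISPLAY   COMMENTS
net     Net       Internet via the cable box on eth0
loc     Local     bridged LAN: eth1 + tap0 + tap1 on br0

# /etc/shorewall/interfaces
# Only the bridge is listed; eth1, tap0 and tap1 must not appear here any more.
# 'routeback' allows a packet that entered on br0 to leave on another bridge
# port (e.g. tap0 -> eth1), which is what a bridged VPN client needs.
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp,norfc1918,tcpflags
loc     br0         detect      routeback

# /etc/shorewall/policy
#SOURCE  DEST   POLICY   LOG LEVEL
loc      loc    ACCEPT            # bridge ports talking to each other (needs routeback)
loc      net    ACCEPT
loc      fw     ACCEPT
fw       loc    ACCEPT
fw       net    ACCEPT
net      all    DROP     info
all      all    REJECT   info

# /etc/shorewall/rules
# Port 1194/udp is an assumption; use the 'port' value from the OpenVPN config.
#ACTION  SOURCE  DEST  PROTO  DEST PORT(S)
ACCEPT   net     fw    udp    1194     # work client -> tap0 endpoint from the internet
ACCEPT   loc     fw    udp    1194     # wireless LAN (behind 192.168.2.198) -> tap1 endpoint

# /etc/shorewall/masq
# Masquerade the bridge rather than eth1, so that VPN clients that are bridged
# onto 192.168.2.0/24 get NATed to the internet like any other local host.
#INTERFACE  SUBNET
eth0        br0
```

Run `shorewall check` before `shorewall restart` to catch column or option typos, and confirm with `brctl show br0` that eth1, tap0 and tap1 are actually enslaved before blaming the firewall for a failed ping.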
