Shorewall block OpenVPN traffic out

Everything seems in order.
Can you show the output of traceroute/tracert to 8.8.8.8?

Did it. Results as expected. Sorry, it’s in german, but you will get the gist.

Would it be possible to let me connect to your server and test the vpn?

Definitely. I did PM you.

@JOduMonT What is your status on this?

The problem is that the system has only a green interface. OpenVPN needs a green+red two interfaces system to masquerade traffic going to the internet.

We could probably add masq for the openvpn network, but I’m not sure it could be automated.

1 Like

@Simplimus Do you agree? Could you solve that topic?

I added the necessary iptables config line. Checking again if it exists. Then restarting shorewall

[root@nessie ~]# tail -1 /etc/shorewall/started
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
[root@nessie ~]# shorewall restart

Then reconnecting to the VPN but no success. Still no route out of the server. :frowning:

I checked to see if the routes are added in /etc/openvpn/host-to-net.conf.

push "dhcp-option DOMAIN example.org"
push "dhcp-option DNS 10.0.0.1"
push "dhcp-option WINS 10.0.0.1"
push "dhcp-option NBDD 10.0.0.1"
push "dhcp-option NBT 2"
push "route 192.168.1.0 255.255.255.0"

It is there. Dead end, too.
(of course it does not say example.org :slight_smile: )

How do I tell which config is active?

I aggree that it must have something to do with the single NIC. However, that is the classic case with running an openvpn on a RasPi. It is possible.

I installed the available nethserver-openvpn update today. Still no luck. :frowning:

It isn’t an issue in openvpn.
It is a setup that has to be developed from scratch, involving at least shorewall.
I gave you instructions, I can try to help you, but I don’t have a system to make tests.
Can I use your NethServer?

Sure, go ahead. Just don’t break it, please.

Okay, so after correcting the name of the NIC in the shorewall config /etc/shorewall/started I have working network access. (see post 28 in this thread)

A ping of 8.8.8.8 comes back successful. \o/
However, a ping of www.google.com does not. DNS is not working yet.