General Net2Net OpenVPN Firewall question

Hello,

I wanted to see if I could get a better understanding regarding how the shorewall/firewall component of NethServer worked hand in hand with OpenVPN net2net VPN.

I have 2 NethServer new installs at separate sites each on their own 10.0.1.0/24 and 10.0.2.0/24 networks respectively, with NethA @ 10.0.1.10 and NethB @ 10.0.2.10. These VMs have 1 NIC and static routes pointing back at each machine and use the standard deployment with NethA being master and NethB being the slave, sharing a 10.22.0.0/24 VPN subnet topology. I can successfully get each side to ping/access hosts on the other side without any problems.

I am at a point now where I’d like to start locking down the network/understanding Shorewall. I’ve been tinkering around with creating firewall rules on my NethA server to block traffic to a specific client at the NethB site (see example).

After applying the firewall rule on NethA I can still access the external resource and nothing is logged in the firewall (more than likely because the rule wasn’t triggered). The only way I can get my firewall rules to trigger is if I include either an “Any” or “VPN” zone rather than a defined CIDR network that may be included within that zone. I’m starting to glimpse how important it is to understand the zones and how NICs are associated with them. If I wanted to continue using NethServer as a non-gateway single NIC appliance, would I be better off changing the Interface from Green to Blue or Orange? Am I using NethServer in a way it was never intended for?

A VPN zone is needed for VPN rules and “Any” also includes that zone. I think this is quite usual practice when configuring firewalls. Maybe we should explain it in the docs?

No, because you still need to add the zone to the rules.

No, it’s fully ok to use Nethserver with only one interface.

Here I am getting stuck with my understanding and my expectations from past firewall usage, and this might be a bit off topic (road warrior not net2net). I am right now standing up a road warrior fully updated OpenVPN appliance. Network 192.168.0.0/24; gateway is at 192.168.0.1 with NethServer at 192.168.0.66, and I can get my VPN clients joined onto the network just fine under bridged mode from 192.168.0.201-210.

I cannot create a firewall rule with a defined object within the bridged IP pool to restrict traffic. For example my first VPN has a reserved IP of 192.168.0.201. Within the firewall the Roadworrior Host Object is already created with a rule to drop everything to anything. This firewall rule isn’t being triggered, more than likely because they are both in the same Zone or some other rule is trumping the one I defined.

Are you suggesting that I would have to create a rule more like VPN (zone) to drop everything to anything as the first catch all and then after define a VPN (zone) allow to defined hosts & services?

edit - I am coming from a Zentyal OpenVPN subnet tap interface setup that utilized Netfilter to accomplish the same setup. The VPN server first has its advertised network and from there I can start restricting my VPN clients by reserved IP space in the OpenVPN subnet and firewall rules. I have to be misunderstanding some fundamental part of Shorewall on how to properly implement the firewall changes I’d like.

Sorry, I completely misunderstood.

You need a routed vpn like in the first post and use the VPN network instead of the LAN to make the rule work:

image
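A small model of the zone matching the replies above describe, added here as an illustration and not NethServer or Shorewall code: rules are selected by the zones of the interfaces a packet crosses before any CIDR is looked at, and traffic that stays inside one zone (the bridged tap case) is never filtered. The interface names, the zone names green/vpn and all addresses are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed interface -> zone maps: routed net2net puts the LAN on eth0 (green)
# and the tunnel on tun0 (vpn); bridged tap clients share the LAN bridge/zone.
ROUTED = {"eth0": "green", "tun0": "vpn"}
BRIDGED = {"br0": "green"}

@dataclass
class Rule:
    action: str
    src_zone: str                   # zone name or "any"
    dst_zone: str
    src_net: "str | None" = None    # optional CIDR/host qualifier in the zone
    dst_net: "str | None" = None

def evaluate(rules, zones, in_if, out_if, src, dst, policy="ACCEPT"):
    """First-match decision for a forwarded packet, organised the way a
    zone-based firewall such as Shorewall does it: the (source zone, dest
    zone) pair selects the chain; a CIDR is checked only after the zones."""
    sz, dz = zones[in_if], zones[out_if]
    if sz == dz:
        return "INTRA-ZONE"  # never filtered: no rule can trigger here
    for r in rules:
        if r.src_zone not in ("any", sz) or r.dst_zone not in ("any", dz):
            continue
        if r.src_net and ip_address(src) not in ip_network(r.src_net):
            continue
        if r.dst_net and ip_address(dst) not in ip_network(r.dst_net):
            continue
        return r.action
    return policy

# Constructed addresses: a LAN host behind NethA, two clients behind NethB.
LAN_HOST, REMOTE, OTHER_REMOTE = "10.0.1.20", "10.0.2.55", "10.0.2.60"

def drop_via_lan_zone():
    # Remote client named only by address, so the rule stays in the LAN zone.
    rules = [Rule("DROP", "green", "green", dst_net=REMOTE)]
    return evaluate(rules, ROUTED, "eth0", "tun0", LAN_HOST, REMOTE)

def drop_via_vpn_zone(dst):
    # Same host object, but the destination is now placed in the VPN zone.
    rules = [Rule("DROP", "green", "vpn", dst_net=REMOTE)]
    return evaluate(rules, ROUTED, "eth0", "tun0", LAN_HOST, dst)

def drop_bridged_client():
    # Road-warrior client 192.168.0.201 on the bridge with a drop-all rule.
    rules = [Rule("DROP", "any", "any", src_net="192.168.0.201")]
    return evaluate(rules, BRIDGED, "br0", "br0", "192.168.0.201", "192.168.0.50")
```

The LAN-zone rule never fires, the VPN-zone rule drops only the named client, and the bridged client is intra-zone and so untouched by any rule, which is why the routed VPN network has to be used instead.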