Problems with firewall between openvpn tunnel and roadwarrior


(Diego Marciano) #1

Hi dears,
I have been dealing with nethserver configuration these last few days, and I guess I found a bug in the shorewall automatic configuration (I could be wrong, so feel free to correct me).

For some reason, all traffic between my openvpn tunnel and a roadwarrior client is being dropped by shorewall.

With the standard configuration (through the interface) there is not much I can do.

This is the firewall log:

10.0.17.1 is the tunnel gateway (meaning the on-premise openvpn server that sends the traffic to the cloud-hosted nethserver on 10.0.17.3), 10.0.18.6 is the roadwarrior client. Before you ask me to do so, it cannot be "bridged" because we also use mobile devices (a.k.a. Android phones and tablets) and those only support tun.

relevant interfaces:


Just as a curiosity, the problem seems to be only with the roadwarrior clients, because if I ping the roadwarrior server from a terminal through the other side of the tunnel (network 192.168.25.0) there are no problems at all:
Shorewall show:

Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2 508 loc2fw all – br0 * 0.0.0.0/0 0.0.0.0/0
9962 929K net2fw all – eth0 * 0.0.0.0/0 0.0.0.0/0
340 30746 tun+_in all – tun+ * 0.0.0.0/0 0.0.0.0/0
0 0 tap+_in all – tap+ * 0.0.0.0/0 0.0.0.0/0
370 82638 ACCEPT all – lo * 0.0.0.0/0 0.0.0.0/0
0 0 Reject all – * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all – * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "Shorewall:INPUT:REJECT:"
0 0 reject all – * * 0.0.0.0/0 0.0.0.0/0 [goto]

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 TCPMSS tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
0 0 loc_frwd all – br0 * 0.0.0.0/0 0.0.0.0/0
0 0 net_frwd all – eth0 * 0.0.0.0/0 0.0.0.0/0
682 60772 tun+_fwd all – tun+ * 0.0.0.0/0 0.0.0.0/0
0 0 tap+_fwd all – tap+ * 0.0.0.0/0 0.0.0.0/0
0 0 ppp+_fwd all – ppp+ * 0.0.0.0/0 0.0.0.0/0
0 0 Reject all – * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all – * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "Shorewall:FORWARD:REJECT:"
0 0 reject all – * * 0.0.0.0/0 0.0.0.0/0 [goto]

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2 508 fw2loc all – * br0 0.0.0.0/0 0.0.0.0/0
1996 312K fw2net all – * eth0 0.0.0.0/0 0.0.0.0/0
484 34118 tun+_out all – * tun+ 0.0.0.0/0 0.0.0.0/0
0 0 tap+_out all – * tap+ 0.0.0.0/0 0.0.0.0/0
370 82638 ACCEPT all – * lo 0.0.0.0/0 0.0.0.0/0
0 0 Reject all – * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all – * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "Shorewall:OUTPUT:REJECT:"
0 0 reject all – * * 0.0.0.0/0 0.0.0.0/0 [goto]

Chain Broadcast (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP all – * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
0 0 DROP all – * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type MULTICAST
0 0 DROP all – * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type ANYCAST

Chain Drop (3 references)
pkts bytes target prot opt in out source destination
7739 611K all – * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp – * * 0.0.0.0/0 0.0.0.0/0 icmptype 3 code 4 /* Needed ICMP types */
0 0 ACCEPT icmp – * * 0.0.0.0/0 0.0.0.0/0 icmptype 11 /* Needed ICMP types */
7739 611K Broadcast all – * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all – * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 DROP udp – * * 0.0.0.0/0 0.0.0.0/0 multiport dports 135,445 /* SMB */
0 0 DROP udp – * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139 /* SMB */
0 0 DROP udp – * * 0.0.0.0/0 0.0.0.0/0 udp spt:137 dpts:1024:65535 /* SMB */
0 0 DROP tcp – * * 0.0.0.0/0 0.0.0.0/0 multiport dports 135,139,445 /* SMB */
0 0 DROP udp – * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1900 /* UPnP */
0 0 DROP tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02
0 0 DROP udp – * * 0.0.0.0/0 0.0.0.0/0 udp spt:53 /* Late DNS Replies */

Chain Reject (4 references)
pkts bytes target prot opt in out source destination
0 0 all – * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp – * * 0.0.0.0/0 0.0.0.0/0 icmptype 3 code 4 /* Needed ICMP types */
0 0 ACCEPT icmp – * * 0.0.0.0/0 0.0.0.0/0 icmptype 11 /* Needed ICMP types */
0 0 Broadcast all – * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all – * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 reject udp – * * 0.0.0.0/0 0.0.0.0/0 [goto] multiport dports 135,445 /* SMB */
0 0 reject udp – * * 0.0.0.0/0 0.0.0.0/0 [goto] udp dpts:137:139 /* SMB */
0 0 reject udp – * * 0.0.0.0/0 0.0.0.0/0 [goto] udp spt:137 dpts:1024:65535 /* SMB */
0 0 reject tcp – * * 0.0.0.0/0 0.0.0.0/0 [goto] multiport dports 135,139,445 /* SMB */
0 0 DROP udp – * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1900 /* UPnP */
0 0 DROP tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02
0 0 DROP udp – * * 0.0.0.0/0 0.0.0.0/0 udp spt:53 /* Late DNS Replies */

Chain dynamic (9 references)
pkts bytes target prot opt in out source destination

Chain fw2loc (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp – * * 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68
0 0 ACCEPT all – * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
2 508 ACCEPT all – * * 0.0.0.0/0 0.0.0.0/0

Chain fw2net (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp – * * 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68
1988 311K ACCEPT all – * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
5 372 ACCEPT udp – * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 /* DNS */
0 0 ACCEPT tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 /* DNS */
3 228 ACCEPT all – * * 0.0.0.0/0 0.0.0.0/0

Chain fw2ovpn (2 references)
pkts bytes target prot opt in out source destination
403 28712 ACCEPT all – * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
81 5406 ACCEPT all – * * 0.0.0.0/0 0.0.0.0/0 /* RULE#2 */

Chain loc2fw (1 references)
pkts bytes target prot opt in out source destination
2 508 dynamic all – * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW,ESTABLISHED,UNTRACKED
2 508 smurfs all – * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW,UNTRACKED
0 0 ACCEPT udp – * * 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68
0 0 tcpflags tcp – * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all – * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT icmp – * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 /* Ping */
0 0 ACCEPT udp – * * 0.0.0.0/0 0.0.0.0/0 udp dpt:123 /* chronyd */
0 0 ACCEPT tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 /* dnsmasq */
0 0 ACCEPT udp – * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 /* dnsmasq */
0 0 ACCEPT udp – * * 0.0.0.0/0 0.0.0.0/0 udp dpt:67 /* dnsmasq */
0 0 ACCEPT udp – * * 0.0.0.0/0 0.0.0.0/0 udp dpt:69 /* dnsmasq */
0 0 ACCEPT tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:110 /* dovecot */
0 0 ACCEPT tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:143 /* dovecot */
0 0 ACCEPT tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4190 /* dovecot */
0 0 ACCEPT tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:993 /* dovecot */
0 0 ACCEPT tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:995 /* dovecot */
0 0 ACCEPT tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5222 /* ejabberd */
0 0 ACCEPT tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5223 /* ejabberd */
0 0 ACCEPT tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5280 /* ejabberd */
0 0 ACCEPT tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 /* httpd */
0 0 ACCEPT tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 /* httpd */
0 0 ACCEPT tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:980 /* httpd-admin */
0 0 ACCEPT udp – * * 0.0.0.0/0 0.0.0.0/0 udp dpt:137 /* nmb */
2 508 ACCEPT udp – * * 0.0.0.0/0 0.0.0.0/0 udp dpt:138 /* nmb */
0 0 ACCEPT udp – * * 0.0.0.0/0 0.0.0.0/0 udp dpt:11194 /* openvpn@host-to-net */
0 0 ACCEPT tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 /* postfix */
0 0 ACCEPT tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:465 /* postfix */
0 0 ACCEPT tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:587 /* postfix */
0 0 ACCEPT tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139 /* smb */
0 0 ACCEPT tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445 /* smb */
0 0 ACCEPT tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2222 /* sshd */
0 0 Reject all – * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all – * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "Shorewall:loc2fw:REJECT:"
0 0 reject all – * * 0.0.0.0/0 0.0.0.0/0 [goto]

Chain loc2net (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all – * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ~log0 tcp – * * 0.0.0.0/0 0.0.0.0/0 [goto] tcp dpt:25 /* block port 25 from green */
0 0 ACCEPT all – * * 0.0.0.0/0 0.0.0.0/0

Chain loc2ovpn (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all – * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all – * * 0.0.0.0/0 0.0.0.0/0

Chain loc_frwd (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all – * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW,ESTABLISHED,UNTRACKED
0 0 smurfs all – * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW,UNTRACKED
0 0 ACCEPT udp – * br0 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68
0 0 tcpflags tcp – * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all – * br0 0.0.0.0/0 0.0.0.0/0
0 0 loc2net all – * eth0 0.0.0.0/0 0.0.0.0/0
0 0 loc2ovpn all – * tun+ 0.0.0.0/0 0.0.0.0/0
0 0 loc2ovpn all – * tap+ 0.0.0.0/0 0.0.0.0/0

Chain logdrop (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all – * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "Shorewall:logdrop:DROP:"
0 0 DROP all – * * 0.0.0.0/0 0.0.0.0/0

Chain logflags (7 references)
pkts bytes target prot opt in out source destination
0 0 LOG all – * * 0.0.0.0/0 0.0.0.0/0 LOG flags 4 level 6 prefix "Shorewall:logflags:DROP:"
0 0 DROP all – * * 0.0.0.0/0 0.0.0.0/0

Chain logreject (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all – * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "Shorewall:logreject:REJECT:"
0 0 reject all – * * 0.0.0.0/0 0.0.0.0/0

Chain net2fw (1 references)
pkts bytes target prot opt in out source destination
9962 929K dynamic all – * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW,ESTABLISHED,UNTRACKED
7885 617K smurfs all – * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW,UNTRACKED
0 0 ACCEPT udp – * * 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68
2049 296K tcpflags tcp – * * 0.0.0.0/0 0.0.0.0/0
2077 313K ACCEPT all – * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
107 3472 ACCEPT icmp – * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 /* Ping */
0 0 ACCEPT tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:110 /* dovecot */
0 0 ACCEPT tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:143 /* dovecot */
0 0 ACCEPT tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4190 /* dovecot */
0 0 ACCEPT tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:993 /* dovecot */
0 0 ACCEPT tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:995 /* dovecot */
0 0 ACCEPT tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5222 /* ejabberd */
0 0 ACCEPT tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5223 /* ejabberd */
0 0 ACCEPT tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5280 /* ejabberd */
1 40 ACCEPT tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 /* httpd */
37 1916 ACCEPT tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 /* httpd */
0 0 ACCEPT tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:980 /* httpd-admin */
0 0 ACCEPT udp – * * 0.0.0.0/0 0.0.0.0/0 udp dpt:11194 /* openvpn@host-to-net */
1 52 ACCEPT tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 /* postfix */
0 0 ACCEPT tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:465 /* postfix */
0 0 ACCEPT tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:587 /* postfix */
0 0 ACCEPT tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2222 /* sshd */
7739 611K Drop all – * * 0.0.0.0/0 0.0.0.0/0
7739 611K LOG all – * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "Shorewall:net2fw:DROP:"
7739 611K DROP all – * * 0.0.0.0/0 0.0.0.0/0

Chain net2loc (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all – * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 Drop all – * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all – * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "Shorewall:net2loc:DROP:"
0 0 DROP all – * * 0.0.0.0/0 0.0.0.0/0

Chain net2ovpn (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all – * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 Drop all – * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all – * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "Shorewall:net2ovpn:DROP:"
0 0 DROP all – * * 0.0.0.0/0 0.0.0.0/0

Chain net_frwd (1 references)
pkts bytes target prot opt in out source destination
0 0 sfilter all – * eth0 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 dynamic all – * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW,ESTABLISHED,UNTRACKED
0 0 smurfs all – * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW,UNTRACKED
0 0 tcpflags tcp – * * 0.0.0.0/0 0.0.0.0/0
0 0 net2loc all – * br0 0.0.0.0/0 0.0.0.0/0
0 0 net2ovpn all – * tun+ 0.0.0.0/0 0.0.0.0/0
0 0 net2ovpn all – * tap+ 0.0.0.0/0 0.0.0.0/0

Chain ovpn2fw (2 references)
pkts bytes target prot opt in out source destination
333 29840 ACCEPT all – * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
7 906 ACCEPT all – * * 0.0.0.0/0 0.0.0.0/0 /* RULE#3 */

Chain ovpn2loc (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all – * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all – * * 0.0.0.0/0 0.0.0.0/0

Chain ovpn2net (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all – * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all – * * 0.0.0.0/0 0.0.0.0/0

Chain ovpn2ovpn (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all – * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all – * * 0.0.0.0/0 0.0.0.0/0 /* RULE#1 */

Chain ovpn_frwd (2 references)
pkts bytes target prot opt in out source destination
0 0 ovpn2loc all – * br0 0.0.0.0/0 0.0.0.0/0
0 0 ovpn2net all – * eth0 0.0.0.0/0 0.0.0.0/0
0 0 ovpn2ovpn all – * tun+ 0.0.0.0/0 0.0.0.0/0
0 0 ovpn2ovpn all – * tap+ 0.0.0.0/0 0.0.0.0/0

Chain ppp+_fwd (1 references)
pkts bytes target prot opt in out source destination
0 0 sfilter all – * ppp+ 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 dynamic all – * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW,ESTABLISHED,UNTRACKED
0 0 tcpflags tcp – * * 0.0.0.0/0 0.0.0.0/0

Chain reject (10 references)
pkts bytes target prot opt in out source destination
0 0 DROP all – * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match src-type BROADCAST
0 0 DROP all – * * 224.0.0.0/4 0.0.0.0/0
0 0 DROP 2 – * * 0.0.0.0/0 0.0.0.0/0
0 0 REJECT tcp – * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
0 0 REJECT udp – * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT icmp – * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-unreachable
0 0 REJECT all – * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Chain sfilter (4 references)
pkts bytes target prot opt in out source destination
682 60772 LOG all – * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "Shorewall:sfilter:DROP:"
682 60772 DROP all – * * 0.0.0.0/0 0.0.0.0/0

Chain sha-lh-0a077a9fd574df34cfcc (0 references)
pkts bytes target prot opt in out source destination

Chain sha-rh-f870bec8ec011c34548b (0 references)
pkts bytes target prot opt in out source destination

Chain shorewall (0 references)
pkts bytes target prot opt in out source destination
0 0 all – * * 0.0.0.0/0 0.0.0.0/0 recent: SET name: %CURRENTTIME side: source mask: 255.255.255.255

Chain smurflog (2 references)
pkts bytes target prot opt in out source destination
0 0 LOG all – * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "Shorewall:smurfs:DROP:"
0 0 DROP all – * * 0.0.0.0/0 0.0.0.0/0

Chain smurfs (4 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all – * * 0.0.0.0 0.0.0.0/0
0 0 smurflog all – * * 0.0.0.0/0 0.0.0.0/0 [goto] ADDRTYPE match src-type BROADCAST
0 0 smurflog all – * * 224.0.0.0/4 0.0.0.0/0 [goto]

Chain tap+_fwd (1 references)
pkts bytes target prot opt in out source destination
0 0 sfilter all – * tap+ 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 dynamic all – * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW,ESTABLISHED,UNTRACKED
0 0 tcpflags tcp – * * 0.0.0.0/0 0.0.0.0/0
0 0 ovpn_frwd all – * * 0.0.0.0/0 0.0.0.0/0

Chain tap+_in (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all – * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW,ESTABLISHED,UNTRACKED
0 0 tcpflags tcp – * * 0.0.0.0/0 0.0.0.0/0
0 0 ovpn2fw all – * * 0.0.0.0/0 0.0.0.0/0

Chain tap+_out (1 references)
pkts bytes target prot opt in out source destination
0 0 fw2ovpn all – * * 0.0.0.0/0 0.0.0.0/0

Chain tcpflags (9 references)
pkts bytes target prot opt in out source destination
0 0 logflags tcp – * * 0.0.0.0/0 0.0.0.0/0 [goto] tcp flags:0x3F/0x29
0 0 logflags tcp – * * 0.0.0.0/0 0.0.0.0/0 [goto] tcp flags:0x3F/0x00
0 0 logflags tcp – * * 0.0.0.0/0 0.0.0.0/0 [goto] tcp flags:0x06/0x06
0 0 logflags tcp – * * 0.0.0.0/0 0.0.0.0/0 [goto] tcp flags:0x05/0x05
0 0 logflags tcp – * * 0.0.0.0/0 0.0.0.0/0 [goto] tcp flags:0x03/0x03
0 0 logflags tcp – * * 0.0.0.0/0 0.0.0.0/0 [goto] tcp flags:0x19/0x09
0 0 logflags tcp – * * 0.0.0.0/0 0.0.0.0/0 [goto] tcp spt:0 flags:0x17/0x02

Chain tun+_fwd (1 references)
pkts bytes target prot opt in out source destination
682 60772 sfilter all – * tun+ 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 dynamic all – * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW,ESTABLISHED,UNTRACKED
0 0 tcpflags tcp – * * 0.0.0.0/0 0.0.0.0/0
0 0 ovpn_frwd all – * * 0.0.0.0/0 0.0.0.0/0

Chain tun+_in (1 references)
pkts bytes target prot opt in out source destination
340 30746 dynamic all – * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW,ESTABLISHED,UNTRACKED
319 27960 tcpflags tcp – * * 0.0.0.0/0 0.0.0.0/0
340 30746 ovpn2fw all – * * 0.0.0.0/0 0.0.0.0/0

Chain tun+_out (1 references)
pkts bytes target prot opt in out source destination
484 34118 fw2ovpn all – * * 0.0.0.0/0 0.0.0.0/0

Chain ~log0 (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG all – * * 0.0.0.0/0 0.0.0.0/0 /* block port 25 from green */ LOG flags 0 level 6 prefix "Shorewall:loc2net:REJECT:"
0 0 reject all – * * 0.0.0.0/0 0.0.0.0/0 /* block port 25 from green */

I’m a bit lost right now about how to work around this issue, as the scenario is quite particular.
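As an added diagnostic for a dump like the one above (example code, not from the original post): a small Python script that parses `shorewall show` / `iptables -nvL` text, follows the chains whose packet counters actually moved, and reports which terminating rule consumed the packets together with the interface matches collected on the way. The DUMP string is a constructed excerpt with the counters as posted; run on it, the script attributes the 682 dropped packets to the tun+ to tun+ forwarding path that ends in sfilter.

```python
import re

SUFFIX = {"": 1, "K": 1000, "M": 1000000, "G": 1000000000}
PROTOCOLS = {"all", "tcp", "udp", "icmp"}

# Constructed excerpt of the dump in the post (same counters); opt column is iptables' real "--".
DUMP = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
682 60772 tun+_fwd all -- tun+ * 0.0.0.0/0 0.0.0.0/0

Chain sfilter (4 references)
pkts bytes target prot opt in out source destination
682 60772 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "Shorewall:sfilter:DROP:"
682 60772 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain tun+_fwd (1 references)
pkts bytes target prot opt in out source destination
682 60772 sfilter all -- * tun+ 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 ovpn_frwd all -- * * 0.0.0.0/0 0.0.0.0/0
"""


def count(token):
    """Turn an iptables counter such as '611K' into an int."""
    m = re.fullmatch(r"(\d+)([KMG]?)", token)
    if not m:
        raise ValueError("bad counter: %r" % token)
    return int(m.group(1)) * SUFFIX[m.group(2)]


def parse_dump(text):
    """Return {chain: [rule dicts]} from `iptables -nvL` / `shorewall show` text."""
    chains, cur = {}, None
    for line in text.splitlines():
        head = re.match(r"Chain (\S+) \(", line)
        if head:
            cur = head.group(1)
            chains[cur] = []
        elif cur and line.strip() and not line.startswith("pkts "):
            tok = line.split()
            # Shorewall emits target-less comment-holder rules; there the third
            # column is already the protocol, so insert an empty target.
            if tok[2] in PROTOCOLS or tok[2].isdigit():
                tok.insert(2, "")
            chains[cur].append({"pkts": count(tok[0]), "target": tok[2], "in": tok[5],
                                "out": tok[6], "goto": "[goto]" in tok[9:]})
    return chains


def trace_drops(chains, root="FORWARD"):
    """Follow jumps from `root` through chains that counted packets and report
    each DROP/REJECT that fired, e.g. 'FORWARD > tun+_fwd > sfilter: DROP 682
    pkts (in=tun+ out=tun+)'; in/out matches accumulate on the way down."""
    hits = []

    def walk(path, ifin, ifout):
        for r in chains.get(path[-1], []):
            if r["pkts"] == 0:
                continue  # rule never matched, nothing to attribute
            cin = r["in"] if r["in"] != "*" else ifin
            cout = r["out"] if r["out"] != "*" else ifout
            if r["target"] in ("DROP", "REJECT"):
                hits.append("%s: %s %d pkts (in=%s out=%s)" % (
                    " > ".join(path), r["target"], r["pkts"], cin, cout))
            elif r["target"] in chains and r["target"] not in path:
                walk(path + [r["target"]], cin, cout)

    walk([root], "*", "*")
    return hits
```

`print("\n".join(trace_drops(parse_dump(open("show.txt").read()))))` on a saved `shorewall show` output gives the same attribution for a live box.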


(Diego Marciano) #2

No one having the same problem?


(Diego Marciano) #3

Based on the information before I added two rules as a workaround to allow all traffic between both interfaces:

  1. iptables -I sfilter 1 -o tunopsoar_offic -i tunrw -j ACCEPT
  2. iptables -I sfilter 1 -o tunrw -i tunopsoar_offic -j ACCEPT

Is there any way I can make this permanent in the shorewall configuration?


(Markus Neuberger) #4

Hi @Diego_Marciano,

Here is something about sfilter in shorewall:

http://shorewall.net/manpages/shorewall-interfaces.html (search "sfilter=")

This is about e-smith templating to make config permanent:

http://docs.nethserver.org/projects/nethserver-devel/en/latest/templates.html

Sorry, can’t test openvpn atm…


(Jeroen Visser) #5

I am running OpenVPN on a pfSense box. That works out of the box. I did have to grant traffic from the openvpn network into my main network.

Main had a default allow all out. And thus back as well. This sounds like your situation but is hard to judge from just the logs.

Is there a rule in place on the openvpn interface to allow the traffic you want to pass?


(Diego Marciano) #6

Yep, in this case the architecture is a bit weird. We have one nethserver called sv001 on premise; this one is the primary DC for our office. AD runs on 192.168.25.1 and the server IP is 192.168.25.94 (it runs DC, DHCP, DNS, PBX). The gateway on that network is 192.168.25.254 (a MikroTik router used as a gateway), and it runs an openvpn server.
In the cloud we have a server, called sv002.domain.com.ar, that connects to that openvpn as a client, plus a few static routes to reach that server:

10.0.17.1 is the server, while the client (the sv002 nethserver in the cloud) is assigned 10.0.17.3.

This server is joined to the on-premise domain through the tunnel, because we run a couple of services there whose users should authenticate against the domain controller on premise.

Also, the users connect as openvpn roadwarrior clients to the server in the cloud, and some of the services they use go through the tunnel to the on-premise services; these clients run on network 10.0.18.0/24.

So, for example, we could have a user that has to access 192.168.25.89 through the cloud based nethserver and the whole route would be something like:
10.0.18.6 (the client) -> 10.0.18.1 (cloud nethserver openvpn server, interface tunrw) -> 10.0.17.3 (cloud nethserver openvpn client, interface tunopsoar_offic) -> 10.0.17.1 (on-premise mikrotik openvpn server) -> 192.168.25.89

All the routes are in place, and in fact the only problem is the firewall, which does not automatically create the following entries (there are lots of rules that could be added to solve the issue, I just tackled the sfilter directly):
iptables -I sfilter 1 -o tunopsoar_offic -i tunrw -j ACCEPT
iptables -I sfilter 1 -i tunopsoar_offic -o tunrw -j ACCEPT

With those routes in place everything works, but I’m still figuring out what to touch in shorewall to get this done automatically and not by me touching it each time something is saved.

EDIT:
I created a rule based on CIDR address ranges, and with the roles ovpn, but no luck with any of those.


(Diego Marciano) #7

Well, I tried this and it seems to work, I consider it a bit rude though:

I mean, I will be losing some control over the vpn-based rules with that, but that’s the best we have right now and it was a good workaround :slight_smile:


(Diego Marciano) #8

Adding sauce to this story, another thing was that the event that creates/updates the static routes when the server was being restarted was called before the VPN started, leaving us without the routes until they were manually updated, so we created a custom template file to add the following to the tunnel client files:

With these two things combined we are up & running with everything being done automatically.

Just asking now, would it be better to provide a little more space for customization through the interface? Even with it being just text, that is probably much more intuitive than going to the OS.


(Jeroen Visser) #9

I would say yes, as exactly these things are why I am running pfSense and not trying to figure it out myself. Then again, I doubt Nethserver should want to try and replace pfSense or OPNsense, and what it does out of the box works quite nicely for small setups.

You might want to move that template to /etc/e-smith/templates-custom/openvpn-tunnel-client/90custom
If the package gets updated, you lose your edits. If it is in /etc/e-smith/templates-custom/… it is untouched.


(Diego Marciano) #10

Yep, I do agree; still, the central domain controller does a lot, and in this case adding an extra cloud VPS just to bridge between nethserver and the on-premise landscape was not really justified. I moved the template to the custom folder, thanks for that advice :slight_smile:


(Filippo Carletti) #11

I reproduced the problem, please give me some time to find a solution.


(Giordano) #12

Is there any news?


(Filippo Carletti) #13

I’m sorry for not having given an update.
The fix is tricky and I have not found enough resources to work on it.
I’ll try to address it in the upcoming firewall release.