Shorewall block OpenVPN traffic out

NethServer Version: NethServer release 7.3.1611 (Final)
Module: OpenVPN vs Shorewall


When I connect over OpenVPN, my client loses the connection with the outside world.

On the NethServer I found this; it looks like Shorewall blocks my HTTP queries.
I also get a similar message if I try to ping from my client.

```
Mar 2 23:45:29 maat kernel: Shorewall:ovpn2net:REJECT:IN=tunrw OUT=eth0 MAC= SRC= DST= LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=29313 DF PROTO=TCP SPT=35298 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
```

Ironically, DNS is still able to resolve.

  • ping
    PING ( 56(84) bytes of data.
    From icmp_seq=1 Destination Host Unreachable
  • ping
    PING ( 56(84) bytes of data.
    64 bytes from icmp_seq=1 ttl=64 time=8.40 ms
    64 bytes from icmp_seq=2 ttl=64 time=8.55 ms
    64 bytes from icmp_seq=3 ttl=64 time=8.61 ms

#### Other points that might help to understand what I’m missing

  • the firewall rules were made by the installer
     green,red   firewall  openvpn@host-to-net

  • OpenVPN is Routed mode

  • NethServer has one and only one possible interface, and it is directly connected to the Internet

##### To be clear
laptop client ↔ the INTERNET ↔ Nethserver
I’m not on the same network and neither in the same physical place.
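The REJECT line quoted above already says where the traffic dies: the packet came in on the tun device (`IN=tunrw`), was headed out the only NIC (`OUT=eth0`), and was refused by the `ovpn2net` chain, i.e. by the policy for the VPN zone toward the Internet zone, not by anything on the client. The following script is an added example, not part of this thread or of NethServer, that parses Shorewall kernel log lines of this shape and summarises blocked traffic per zone pair and port, so that a few `grep Shorewall /var/log/messages` lines can be read at a glance. The sample log is constructed for the example (only the first line is the one from the post; the VPN pool `10.8.0.0/24`, the documentation addresses and the `ovpn2fw` DNS line are assumptions).

```python
import re
from collections import Counter

# A Shorewall kernel log line carries "Shorewall:<chain>:<verdict>:" followed by
# netfilter's KEY=VALUE fields. Shorewall names its zone-pair chains <src>2<dst>,
# so "ovpn2net" means from zone "ovpn" to zone "net".
SHOREWALL_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<verdict>[^:\s]+):(?P<rest>.*)")
KV_RE = re.compile(r"\b(?P<key>[A-Z]+)=(?P<value>\S*)")
CHAIN_RE = re.compile(r"^(?P<src>.+?)2(?P<dst>.+)$")  # splits on the first "2"

# Constructed sample log (assumption, not real traffic). Line 1 is the line quoted
# in the thread (SRC/DST were blank in the post); the others are made up and use
# RFC 5737 documentation addresses plus an assumed 10.8.0.0/24 VPN client pool.
SAMPLE_LOG = """\
Mar 2 23:45:29 maat kernel: Shorewall:ovpn2net:REJECT:IN=tunrw OUT=eth0 MAC= SRC= DST= LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=29313 DF PROTO=TCP SPT=35298 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 2 23:45:30 maat kernel: Shorewall:ovpn2fw:ACCEPT:IN=tunrw OUT= MAC= SRC=10.8.0.6 DST=10.8.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=UDP SPT=40000 DPT=53 LEN=40
Mar 2 23:45:31 maat kernel: Shorewall:ovpn2net:REJECT:IN=tunrw OUT=eth0 MAC= SRC=10.8.0.6 DST=198.51.100.20 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
Mar 2 23:45:32 maat kernel: Shorewall:ovpn2net:REJECT:IN=tunrw OUT=eth0 MAC= SRC=10.8.0.6 DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=29314 DF PROTO=TCP SPT=35300 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 2 23:45:40 maat kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.77 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54321 PROTO=TCP SPT=54321 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 2 23:45:41 maat sshd[1234]: Accepted publickey for root from 192.0.2.10 port 52000 ssh2
"""


def parse_line(line):
    """Return a dict for a Shorewall log line, or None for any other line."""
    m = SHOREWALL_RE.search(line)
    if not m:
        return None
    # dict() keeps the last duplicate key, e.g. the ICMP "ID=" after the IP "ID="
    fields = dict(KV_RE.findall(m.group("rest")))
    chain = m.group("chain")
    cm = CHAIN_RE.match(chain)
    src_zone, dst_zone = (cm.group("src"), cm.group("dst")) if cm else (chain, "")
    return {
        "chain": chain,
        "verdict": m.group("verdict"),
        "src_zone": src_zone,
        "dst_zone": dst_zone,
        "in": fields.get("IN", ""),
        "out": fields.get("OUT", ""),
        "src": fields.get("SRC", ""),
        "dst": fields.get("DST", ""),
        "proto": fields.get("PROTO", ""),
        "dport": fields.get("DPT", ""),
    }


def summarize(log_text):
    """Count blocked packets per (chain, verdict, proto, dport); ACCEPTs are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["verdict"] == "ACCEPT":
            continue
        counts[(rec["chain"], rec["verdict"], rec["proto"], rec["dport"])] += 1
    return counts


def blocked_from_interface(log_text, iface):
    """Blocked packets that ENTERED on iface. A high count for the tun device means
    the firewall is refusing what the VPN clients send, whatever the client does."""
    return sum(
        1 for line in log_text.splitlines()
        if (rec := parse_line(line)) and rec["verdict"] != "ACCEPT" and rec["in"] == iface
    )


def report(log_text):
    """One line per blocked (chain, verdict, proto, dport) combination."""
    lines = []
    for (chain, verdict, proto, dport), n in sorted(summarize(log_text).items()):
        port = f" dport {dport}" if dport else ""
        lines.append(f"{chain:<10} {verdict:<7} {proto:<5}{port}: {n} packet(s)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
    print("blocked packets arriving on tunrw:", blocked_from_interface(SAMPLE_LOG, "tunrw"))
```

Run it against real output of `grep Shorewall: /var/log/messages` by feeding the text to `report()`; if every blocked line is `ovpn2net` with `IN=` set to the tun device while `ovpn2fw` traffic (DNS to the firewall itself) is accepted, that matches the symptom in this thread: name resolution works, everything routed onward to the Internet does not.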

You’ll have to enable ‘route all traffic through vpn’ under the ‘advanced’ tab.


Sadly I just forgot to mention it, but this option is already active.

Anyone have any idea?

This VPN is critical and needs to be usable in 2 weeks.

make a firewall rule:
ALLOW vpn to red any (service)

This will allow VPN-to-internet traffic. Cheers.


@JOduMonT does the proposed solution work for you?

Sadly not.

Is it possible it’s because I just have one NIC (green) card
and the VPN needs a red card?

PS: I just have one NIC.

I just recently posted exactly the same issue here: VPN no route to internet. I will gladly join your search for a solution here.
1 green NIC, VPN works, can’t get out of the NS.

@filippo_carletti suggested to check “systemctl status shorewall”

Looks nominal. @JOduMonT could you check that on your end, too?

In the last few days I could not ping Google. Today, all of a sudden and without any changes, that seems to work. I still cannot load any websites. Maybe DNS is not working?

Try with:
$ ping
PING ( 56(84) bytes of data.
64 bytes from ( icmp_seq=1 ttl=53 time=46.3 ms

Then, if you are using the web proxy, check /var/log/squid/cache.log and /var/log/squid/access.log

Excuse me, I am obviously incompetent. When I am logged into the NS via ssh as root, of course I can ping everything. From my outside PC I still cannot. No router, no Google, only the NethServer at home.

I am not using squid and there are no such log files listed in the server manager.

Your gateway must be wrong in the client configurations. That is really awkward.

I use a Fritzbox, which should be a name to anyone in Germany.
Tell me what to look for, please.

I’m sorry, but I can’t figure out your problem.
I connect via openvpn in the evening when I’m at home, I never had problems.
Could you please send me the output of config show openvpn@host-to-net so that I can reproduce your setup?
Thank you.

There you go.

Hi, I think you should try this scenario for checking connectivity:
- check routes on the VPN client PC and on NethServer:

- check if DNS works:
ping what response?
ping what response?

- check where ping goes:

- check that sysctl net.ipv4.ip_forward gives you “1”

Maybe the solution is bridged instead of routed mode on NethServer if you have only one NIC, but I didn’t check that.

But it seems the problem is similar to my problem from my forgotten post:

Diagnosis: the GUI is not creating rules properly, or I am missing something; any help very appreciated.

Try to post the output from:
shorewall show (the ovpn2net chain and related)

Bug found, thank you for your help.
You can fix it now, I will release an update tomorrow.

```sh
cp -p /etc/e-smith/templates/etc/openvpn/host-to-net.conf/00template_vars /etc/e-smith/templates/etc/shorewall/policy/
expand-template /etc/shorewall/policy
shorewall restart
```
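Whatever the exact defect in the template was, the effect visible in the log is a Shorewall policy lookup for the `ovpn` to `net` zone pair that lands on the catch-all `all all REJECT info` line, which is precisely what produces a logged `Shorewall:ovpn2net:REJECT:` entry. The script below is an added example, not code from this thread or from NethServer: it parses a `/etc/shorewall/policy` file with Shorewall's first-match semantics and reports which policy line a given zone pair hits. Both policy fragments are constructed; the zone names `loc` (green), `net` (red), `ovpn` (VPN clients, as the `ovpn2net` chain name implies) and `$FW` are assumptions, and only the plain `all` wildcard is modelled.

```python
# Constructed /etc/shorewall/policy fragments (assumptions, not the poster's file).
# Columns are SOURCE DEST POLICY [LOG_LEVEL]; Shorewall uses the first line whose
# SOURCE and DEST both match, and "all" matches any zone.
POLICY_MISSING_VPN = """\
#SOURCE   DEST   POLICY   LOG_LEVEL
loc       net    ACCEPT
loc       $FW    ACCEPT
ovpn      $FW    ACCEPT
$FW       all    ACCEPT
net       all    DROP     info
# THE FOLLOWING POLICY MUST BE LAST
all       all    REJECT   info
"""

# Same file with the one line the VPN zone needs to reach the Internet zone.
POLICY_FIXED = POLICY_MISSING_VPN.replace(
    "ovpn      $FW    ACCEPT\n",
    "ovpn      $FW    ACCEPT\novpn      net    ACCEPT\n",
)


def parse_policy(text):
    """Parse policy lines into (source, dest, policy, log_level) tuples, in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed policy line: {raw!r}")
        log_level = parts[3] if len(parts) > 3 and parts[3] != "-" else None
        entries.append((parts[0], parts[1], parts[2].upper(), log_level))
    return entries


def _zone_matches(pattern, zone):
    # Only the plain "all" wildcard is modelled; Shorewall's "all+"/"all-" forms
    # and comma-separated zone lists are out of scope for this example.
    return pattern == "all" or pattern == zone


def effective_policy(entries, src_zone, dst_zone):
    """First matching line wins, as in Shorewall. Returns (policy, log_level) or None."""
    for src, dst, policy, log_level in entries:
        if _zone_matches(src, src_zone) and _zone_matches(dst, dst_zone):
            return policy, log_level
    return None  # no line covers the pair at all


def vpn_egress_ok(policy_text, vpn_zone="ovpn", net_zone="net"):
    """True when VPN clients are allowed to open connections toward the Internet zone."""
    hit = effective_policy(parse_policy(policy_text), vpn_zone, net_zone)
    return hit is not None and hit[0] == "ACCEPT"


if __name__ == "__main__":
    for name, text in (("missing", POLICY_MISSING_VPN), ("fixed", POLICY_FIXED)):
        hit = effective_policy(parse_policy(text), "ovpn", "net")
        print(f"{name}: ovpn->net hits {hit}, egress ok: {vpn_egress_ok(text)}")
```

To check a live box, read `/etc/shorewall/policy` into `vpn_egress_ok()` after running `expand-template /etc/shorewall/policy` and before `shorewall restart`; a `False` result means the generated file still routes VPN clients into the catch-all REJECT, and `shorewall show ovpn2net` will confirm that chain ends in the reject target.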

I don’t think I quite understood. But I will try anyway.

I did the following:

0% success. :frowning:

Steps 6-8 were not necessary; you should have had it working after shorewall restart, without disconnecting.
Now I’m completely lost. Could you please post /etc/shorewall/policy?

Here you go.

```
Chain ovpn2net (1 references)
pkts bytes target     prot opt in     out     source               destination
   0     0 ACCEPT     all  --  *      *              ctstate RELATED,ESTABLISHED
1580  101K ACCEPT     all  --  *      *              /* RULE#2 */
```