Shorewall block OpenVPN traffic out

NethServer Version: NethServer release 7.3.1611 (Final)
Module: OpenVPN vs Shorewall

Hi;

When I connect over OpenVPN
my client loses its connection with the outside world.

On the NethServer I found this; it looks like Shorewall blocks my HTTP queries.
I also get a similar message if I try to ping from my client.

Mar 2 23:45:29 maat kernel: Shorewall:ovpn2net:REJECT:IN=tunrw OUT=eth0 MAC= SRC=10.10.10.6 DST=95.100.49.183 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=29313 DF PROTO=TCP SPT=35298 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0

Ironically, DNS is still able to resolve.

  • ping 8.8.8.8
    PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
    From 10.10.10.1 icmp_seq=1 Destination Host Unreachable
  • ping 10.10.10.1
    PING 10.10.10.1 (10.10.10.1) 56(84) bytes of data.
    64 bytes from 10.10.10.1: icmp_seq=1 ttl=64 time=8.40 ms
    64 bytes from 10.10.10.1: icmp_seq=2 ttl=64 time=8.55 ms
    64 bytes from 10.10.10.1: icmp_seq=3 ttl=64 time=8.61 ms

#### Other points that might help to understand what I'm missing

  • the firewall rules were made by the installer
    green,red → firewall (openvpn@host-to-net)

  • OpenVPN is in routed mode

  • NethServer has a single interface (the only one possible) and it is directly connected to the Internet

##### To be clear
laptop client ↔ the INTERNET ↔ NethServer
I'm not on the same network and not in the same physical place either.
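The REJECT line quoted above is the key evidence in this thread: the zone pair in the Shorewall tag (`ovpn2net`) and the IN/OUT interfaces (`tunrw` to `eth0`) say that the packet came in from the VPN and was refused on its way out to the Internet, which points at the ovpn-to-net policy rather than at routing or DNS. The following is an added example, not NethServer or Shorewall code: a small parser that turns such kernel-log lines into structured records and isolates exactly that pattern. The sample lines are constructed (the first is the one from this post, the other two are made up for contrast), and the VPN interface name `tunrw` is taken from the log line.

```python
"""Parse Shorewall kernel-log lines and summarise what is being refused.
Added example, not NethServer code; the sample lines are constructed."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample: line 1 is the one quoted in the post, lines 2-3 are made up
# (an ICMP echo from the same VPN client, and an unrelated inbound probe on eth0).
SAMPLE_LOG = """\
Mar 2 23:45:29 maat kernel: Shorewall:ovpn2net:REJECT:IN=tunrw OUT=eth0 MAC= SRC=10.10.10.6 DST=95.100.49.183 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=29313 DF PROTO=TCP SPT=35298 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 2 23:45:31 maat kernel: Shorewall:ovpn2net:REJECT:IN=tunrw OUT=eth0 MAC= SRC=10.10.10.6 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=1234 DF PROTO=ICMP TYPE=8 CODE=0 ID=5678 SEQ=1
Mar 2 23:45:40 maat kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=0 PROTO=TCP SPT=54321 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
"""

# Syslog prefix, then Shorewall's "Shorewall:<chain>:<disposition>:" tag, then the
# netfilter key=value dump. The optional "[ 123.456]" is the kernel uptime stamp
# that some syslog setups leave in front of the tag.
_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+kernel:\s+"
    r"(?:\[\s*[\d.]+\]\s+)?Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<rest>.*)$"
)
_KV = re.compile(r"(\w+)=(\S*)")


@dataclass
class ShorewallEvent:
    ts: str
    host: str
    chain: str            # e.g. "ovpn2net": Shorewall names policy chains <src>2<dst>
    src_zone: str
    dst_zone: str
    action: str           # REJECT / DROP / ACCEPT, as logged
    in_if: str            # "" when the packet was generated by the firewall itself
    out_if: str           # "" when the packet was addressed to the firewall itself
    src: str
    dst: str
    proto: str
    dport: Optional[int]  # None for protocols without ports (ICMP)


def _split_zones(chain: str):
    # Assumption: neither zone name contains the digit 2 (true for the zones in
    # this thread: ovpn, net, loc, fw). Otherwise the split is ambiguous.
    if "2" in chain:
        src, dst = chain.split("2", 1)
        return src, dst
    return chain, ""


def parse_line(line: str) -> Optional[ShorewallEvent]:
    """Return a ShorewallEvent for a Shorewall log line, or None for anything else."""
    m = _LINE.match(line)
    if not m:
        return None
    fields = {}
    for key, val in _KV.findall(m.group("rest")):
        fields.setdefault(key, val)  # keep the first: ICMP lines carry a second ID= (echo id)
    src_zone, dst_zone = _split_zones(m.group("chain"))
    dport = fields.get("DPT")
    return ShorewallEvent(
        ts=m.group("ts"), host=m.group("host"), chain=m.group("chain"),
        src_zone=src_zone, dst_zone=dst_zone, action=m.group("action"),
        in_if=fields.get("IN", ""), out_if=fields.get("OUT", ""),
        src=fields.get("SRC", ""), dst=fields.get("DST", ""),
        proto=fields.get("PROTO", ""), dport=int(dport) if dport else None,
    )


def parse_log(lines: Iterable[str]) -> List[ShorewallEvent]:
    return [e for e in map(parse_line, lines) if e is not None]


def summarize(events: Iterable[ShorewallEvent]) -> Counter:
    """Count events per (chain, action, proto, dport)."""
    return Counter((e.chain, e.action, e.proto, e.dport) for e in events)


def vpn_egress_blocked(events: Iterable[ShorewallEvent], vpn_iface: str = "tunrw"):
    """Packets that entered on the VPN interface and were refused on the way out to
    another interface: the signature of a denying ovpn-to-net policy, as opposed to
    a routing or DNS problem (where no REJECT would be logged at all)."""
    return [e for e in events
            if e.action in ("REJECT", "DROP") and e.in_if == vpn_iface and e.out_if]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG.splitlines())
    for key, n in summarize(evs).items():
        print(n, *key)
    for e in vpn_egress_blocked(evs):
        print(f"{e.src_zone}->{e.dst_zone} {e.action} {e.src}->{e.dst} {e.proto}/{e.dport}")
```

Run it against `journalctl -k` or `/var/log/messages` output instead of the constructed sample: if `vpn_egress_blocked` returns anything, the fix belongs in the firewall policy for that zone pair, which is what the rest of this thread arrives at.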

You'll have to enable 'route all traffic through vpn' under the 'advanced' tab.

–
Tony

Sadly, I just forgot to mention it,
but this option is already active.

Anyone have any idea?

This VPN will be critical; it has to be usable in 2 weeks.

Hi,
make a firewall rule:
ALLOW vpn to red any (service)

this will allow vpn to internet traffic. Cheers.


@JOduMonT does the proposed solution work for you?

Sadly not;

Is it possible it's because I just have one NIC (green)
and the VPN needs a red card?

PS: I just have one nic.

I just recently posted exactly the same issue here: VPN no route to internet. I will gladly join your search for a solution here.
1 green NIC, VPN works, can't get out of the NS.

@filippo_carletti suggested to check "systemctl status shorewall"

Looks nominal. @JOduMonT could you check that on your end, too?

The last days I could not ping google. Today all of a sudden without any changes that seems to work. Still can not load any websites. Maybe DNS is not working?

Try with:
$ ping nethserver.org
PING nethserver.org (188.226.251.154) 56(84) bytes of data.
64 bytes from www.nethserver.org (188.226.251.154): icmp_seq=1 ttl=53 time=46.3 ms

Then if you are using the web proxy check /var/log/squid/cache.log and /var/log/squid/access.log

Excuse me, I am obviously incompetent. When I am logged into the NS via ssh as root, of course I can ping everything. From my outside PC I still can not. No router, no Google, only the nethserver at home.

I am not using squid and there are no such log files listed in the server manager.

Your gateway must be wrong in the client configurations. That is really awkward.

I use a Fritzbox, which should be a name to anyone in Germany.
Tell me what to look for, please.

I'm sorry, but I can't figure out your problem.
I connect via openvpn in the evening when I'm at home, I never had problems.
Could you please send me the output of config show openvpn@host-to-net so that I can reproduce your setup?
Thank you.

There you go.

Hi, I think you should try this scenario for checking connectivity:
- check routes on the VPN client PC and on the NethServer:
route

- check if DNS works:
ping 188.226.251.154 (what response?)
ping nethserver.org (what response?)

- check where ping goes:
mtr nethserver.org
mtr 188.226.251.154

- check that sysctl net.ipv4.ip_forward gives you "1"

Maybe the solution is bridged instead of routed mode on NethServer if you have only one NIC, but I didn't check that.

But it seems the problem is similar to my problem from my forgotten post:

diagnosis: the GUI is not creating rules properly, or I am missing something; any help very much appreciated.

Try to post output from:
shorewall show (the ovpn2net chain and related)

Bug found, thank you for your help.
You can fix it now, I will release an update tomorrow.
Run:

cp -p /etc/e-smith/templates/etc/openvpn/host-to-net.conf/00template_vars /etc/e-smith/templates/etc/shorewall/policy/
expand-template /etc/shorewall/policy
shorewall restart

I don't think I quite understood. But I will try anyway.

I did the following:

0% of success. :frowning:

Steps 6-8 were not necessary, you should have had it working after shorewall restart without disconnecting.
Now I'm completely lost. Could you please post /etc/shorewall/policy?

Here you go.

Chain ovpn2net (1 references)
pkts bytes target     prot opt in     out     source               destination
   0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
1580  101K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* RULE#2 */
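The chain dump above is what a working setup looks like: after the template fix, `ovpn2net` carries a blanket ACCEPT (RULE#2) with a non-zero packet counter, so VPN clients' new connections toward the Internet are no longer refused. As an added example (not Shorewall's or NethServer's code), the following reads the `shorewall show <chain>` (iptables `-L -v -n` style) output and answers two questions a practitioner checks after such a fix: does the chain let new connections through, and how much traffic has each rule actually matched. The "after" sample is the chain posted above; the "before" sample is constructed to show the denying case.

```python
"""Check a Shorewall chain dump for a rule that admits new connections.
Added example, not Shorewall code; SAMPLE_CHAIN_BEFORE is constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The chain as posted in this thread, after the policy template was fixed.
SAMPLE_CHAIN_AFTER = """\
Chain ovpn2net (1 references)
pkts bytes target     prot opt in     out     source               destination
   0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
1580  101K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* RULE#2 */
"""

# Constructed "before" state: replies are accepted, every new connection is refused.
SAMPLE_CHAIN_BEFORE = """\
Chain ovpn2net (1 references)
pkts bytes target     prot opt in     out     source               destination
   0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
  42  2520 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
"""

_HEADER = re.compile(r"^Chain\s+(\S+)\s+\((\d+)\s+references\)")
_SUFFIX = {"": 1, "K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}  # iptables -v uses decimal multipliers


@dataclass
class Rule:
    pkts: int
    nbytes: int
    target: str
    prot: str
    in_if: str
    out_if: str
    source: str
    destination: str
    match: str  # trailing match text: ctstate ..., reject-with ..., /* comment */, or ""


def _counter(text: str) -> int:
    m = re.fullmatch(r"(\d+)([KMG]?)", text)
    if not m:
        raise ValueError(f"bad counter: {text!r}")
    return int(m.group(1)) * _SUFFIX[m.group(2)]


def parse_chain(text: str) -> Tuple[str, List[Rule]]:
    """Return (chain name, rules) from `shorewall show <chain>` output."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    hdr = _HEADER.match(lines[0])
    if not hdr:
        raise ValueError("missing 'Chain NAME (N references)' header")
    rules = []
    for ln in lines[1:]:
        if ln.lstrip().startswith("pkts"):
            continue  # column header
        f = ln.split(None, 9)  # the 10th field (if any) is the free-form match text
        if len(f) < 9:
            raise ValueError(f"unparseable rule line: {ln!r}")
        rules.append(Rule(_counter(f[0]), _counter(f[1]), f[2], f[3], f[5], f[6], f[7], f[8],
                          f[9] if len(f) > 9 else ""))
    return hdr.group(1), rules


def accepts_new_connections(rules: List[Rule]) -> Optional[bool]:
    """True/False if a catch-all rule decides the fate of a new connection, None if
    nothing in the chain matches and the verdict comes from the parent policy.
    Assumption: only the terminal targets ACCEPT/REJECT/DROP are considered; jumps
    to other chains are not followed."""
    for r in rules:
        catch_all = (r.prot == "all" and r.in_if == "*" and r.out_if == "*"
                     and r.source == "0.0.0.0/0" and r.destination == "0.0.0.0/0"
                     and "ctstate" not in r.match and "state" not in r.match)
        if catch_all and r.target in ("ACCEPT", "REJECT", "DROP"):
            return r.target == "ACCEPT"
    return None


def traffic_summary(rules: List[Rule]) -> List[Tuple[str, int]]:
    """(target, packets) per rule, in chain order, to see which rule traffic hits."""
    return [(r.target, r.pkts) for r in rules]


if __name__ == "__main__":
    for label, dump in (("after", SAMPLE_CHAIN_AFTER), ("before", SAMPLE_CHAIN_BEFORE)):
        name, rules = parse_chain(dump)
        print(label, name, "accepts new:", accepts_new_connections(rules), traffic_summary(rules))
```

A `None` result is worth noticing: it means the chain contains no catch-all, so the behaviour comes from the zone policy in `/etc/shorewall/policy`, which is exactly the file that was being regenerated in this thread.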