Shorewall block OpenVPN traffic out

JOduMonT · March 2, 2017, 11:26pm

NethServer Version: NethServer release 7.3.1611 (Final)
Module: OpenVPN vs Shorewall

Hi;

When I connect over OpenVPN
my client loose the connection with the outside world

into the nethserver I found this; like Shorewall block my http queries
I also have similar message if I try to ping from my client.

Mar 2 23:45:29 maat kernel: Shorewall:ovpn2net:REJECT:IN=tunrw OUT=eth0 MAC= SRC=10.10.10.6 DST=95.100.49.183 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=29313 DF PROTO=TCP SPT=35298 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0

Ironically DNS still able to resolv.

ping www.com
PING www.com (69.172.201.208) 56(84) bytes of data.

ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
From 10.10.10.1 icmp_seq=1 Destination Host Unreachable

ping 10.10.10.1
PING 10.10.10.1 (10.10.10.1) 56(84) bytes of data.
64 bytes from 10.10.10.1: icmp_seq=1 ttl=64 time=8.40 ms
64 bytes from 10.10.10.1: icmp_seq=2 ttl=64 time=8.55 ms
64 bytes from 10.10.10.1: icmp_seq=3 ttl=64 time=8.61 ms

####Others points might help to understand what i’m missing

the firewall rules was made by the installer
 green,red   firewall  openvpn@host-to-net
OpenVPN is Routed mode
Nethserver have a unique and only possible interface and is directly connected to the Internet

#####to be clear
laptop client <–> the INTERNET <–> Nethserver
I’m not on the same network and neither in the same physical place.

tboston · March 3, 2017, 6:57am

You’ll have to enable ‘route all traffic through vpn’ under the ‘advanced’ tab.

–
Tony

JOduMonT · March 3, 2017, 10:46am

sadly I just forget to mention it
but this option is already active

JOduMonT · March 3, 2017, 2:33pm

Anyones have any idea ?

This VPN will be critical to be usable in 2weeks

dj_marian · March 3, 2017, 4:37pm

Hi,
make a firewall rule:
ALLOW vpn to red any (service)

this will allow vpn to internet traffic. Cheers.

giacomo · March 8, 2017, 3:38pm

@JOduMonT does the proposed solution work for you?

JOduMonT · March 8, 2017, 10:16pm

Sadly not;

it is possible it’s because I just have one nic (green) card
and the VPN needs a red card ?

PS: I just have one nic.

Simplimus · March 9, 2017, 11:39am

I just recently posted exactly the same issue here: VPN no route to internet I will gladly join your search for a solution here.
1 green nic, vpn works, cant get out of the NS.

@filippo_carletti suggested to check “systemctl status shorewall”

Looks nominal. @JOduMonT could you check that on your end, too?

The last days I could not ping google. Today all of a sudden without any changes that seems to work. Still can not load any websites. Maybe DNS is not working?

filippo_carletti · March 9, 2017, 11:58am

Try with:
$ ping nethserver.org
PING nethserver.org (188.226.251.154) 56(84) bytes of data.
64 bytes from www.nethserver.org (188.226.251.154): icmp_seq=1 ttl=53 time=46.3 ms

Then if you are using the web proxy check /var/log/squid/cache.log and /var/log/squid/access.log

Simplimus · March 9, 2017, 12:20pm

Excuse me, I am obviously incompetent. When I am logged into the NS via ssh as root, of cource I can ping everything. From my ouside PC I still can not. No router, no Google, only the nethserver at home.

I am not using squid and there are no such log files listed in the server manager.

ssabbath · March 9, 2017, 1:03pm

Your gateway must be wrong in the client configurations. That is really awkward.

Simplimus · March 9, 2017, 1:04pm

I use a Fritzbox, which should be a name to anyone in Germany.
Tell me what to look for, please.

filippo_carletti · March 9, 2017, 1:34pm

I’m sorry, but I can’t figure out your problem.
I connect via openvpn in the evening when I’m at home, I never had problems.
Could you please sen me the output of config show openvpn@host-to-net so that I can reproduce your setup?
Thank you.

Simplimus · March 9, 2017, 3:08pm

There you go.

dj_marian · March 9, 2017, 4:37pm

Hi, I think You should try this scenario for checking conectivity:
-check routes on vpn client pc and nethserver:
route

-check if dns works:
ping 188.226.251.154 what response?
ping nethserver.org what response?

-check where ping goes:
mtr nethserver.org
mtr188.226.251.154

-check sysctl net.ipv4.ip_forward gives You “1”

Maybe solution is bridged insteed of routed mode on nethserver if You have only one NIC but i didn’t check that.

But it seems the problem is similar to my problem from my forgotten post:

diagnose: GUI is not creating rules properly or I miss something, any help very appreciated.

Try to post output from:
shorewall show (the ovpn2net chain and related)

filippo_carletti · March 9, 2017, 10:37pm

Bug found, thank you for your help.
You can fix it now, I will release an update tomorrow.
Run:

cp -p /etc/e-smith/templates/etc/openvpn/host-to-net.conf/00template_vars /etc/e-smith/templates/etc/shorewall/policy/
expand-template /etc/shorewall/policy
shorewall restart

Simplimus · March 10, 2017, 7:12am

I don’t think I quit understood. But I will try anyway.

I did the following:

0% of success.

filippo_carletti · March 10, 2017, 7:21am

Steps 6-8 were not necessary, you should have had it working after shorewall restart without disconnecting.
Now I’m completely lost. Could you please post /etc/shorewall/policy?

Simplimus · March 10, 2017, 7:29am

Here you go.

cat /etc/shorewall/policy:

Manual changes will be lost when this file is regenerated.

Please read the developer’s guide, which is available

at https://dev.nethesis.it/projects/nethserver/wiki/NethServer

original work from http://www.contribs.org/development/

Copyright © 2013 Nethesis S.r.l.

http://www.nethesis.it - support@nethesis.it

Shorewall version 4 - Policy File

For information about entries in this file, type “man shorewall-policy”

The manpage is also online at

http://www.shorewall.net/manpages/shorewall-policy.html

###############################################################################
#SOURCE DEST POLICY LOG LIMIT: CONNLIMIT:

LEVEL BURST MASK

20policy

loc net ACCEPT

firewall can always connect outside

$FW net ACCEPT

Traffic from firewall to local network is always allowed

$FW loc ACCEPT

20policy_openvpn

loc ovpn ACCEPT
ovpn loc ACCEPT
ovpn $FW ACCEPT
$FW ovpn ACCEPT
ovpn net ACCEPT

30policy_extra_zones

40policy_static

loc $FW REJECT info

Drop traffic from external interface to firewall and local network

net $FW DROP info
net loc DROP info

Drop all other traffic from external interface

net all DROP info

90reject all

THE FOLLOWING POLICY MUST BE LAST

all all REJECT info

Simplimus · March 10, 2017, 7:35am

Chain ovpn2net (1 references)
pkts bytes target     prot opt in     out     source               destination
   0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
1580  101K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* RULE#2 */