Shorewall block OpenVPN traffic out

sadly I just forget to mention it
but this option is already active

Anyone have any idea?

This VPN will be critical to be usable in 2 weeks

make a firewall rule:
ALLOW vpn to red any (service)

this will allow vpn to internet traffic. Cheers.


@JOduMonT does the proposed solution work for you?

Sadly not;

it is possible it’s because I just have one nic (green) card
and the VPN needs a red card?

PS: I just have one nic.

I just recently posted exactly the same issue here: VPN no route to internet I will gladly join your search for a solution here.
1 green nic, vpn works, can't get out of the NS.

@filippo_carletti suggested to check “systemctl status shorewall”

Looks nominal. @JOduMonT could you check that on your end, too?

The last days I could not ping google. Today all of a sudden without any changes that seems to work. Still can not load any websites. Maybe DNS is not working?

Try with:
$ ping
PING ( 56(84) bytes of data.
64 bytes from ( icmp_seq=1 ttl=53 time=46.3 ms

Then if you are using the web proxy check /var/log/squid/cache.log and /var/log/squid/access.log

Excuse me, I am obviously incompetent. When I am logged into the NS via ssh as root, of course I can ping everything. From my outside PC I still can not. No router, no Google, only the nethserver at home.

I am not using squid and there are no such log files listed in the server manager.

Your gateway must be wrong in the client configurations. That is really awkward.

I use a Fritzbox, which should be a name to anyone in Germany.
Tell me what to look for, please.

I’m sorry, but I can’t figure out your problem.
I connect via openvpn in the evening when I’m at home, I never had problems.
Could you please send me the output of config show openvpn@host-to-net so that I can reproduce your setup?
Thank you.

There you go.

Hi, I think you should try this scenario for checking connectivity:
-check routes on vpn client pc and nethserver:

-check if dns works:
ping what response?
ping what response?

-check where ping goes:

-check sysctl net.ipv4.ip_forward gives you “1”

Maybe the solution is bridged instead of routed mode on nethserver if you have only one NIC, but I didn’t check that.

But it seems the problem is similar to my problem from my forgotten post:

diagnose: GUI is not creating rules properly or I miss something, any help very appreciated.

Try to post output from:
shorewall show (the ovpn2net chain and related)
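The checklist above rolled into a small script, as an added example that is not from this thread or from NethServer itself. It assumes the VPN-to-internet chain is named ovpn2net (as in the thread) and that sysctl, systemctl and iptables are on PATH when run with --live; the sample chain dump is constructed.

```shell
#!/bin/sh
# Added helper, not part of the thread or NethServer: rolls the checklist above
# into two testable functions plus an optional live run on the NethServer box.

# $1 = text of a chain dump as printed by `shorewall show` / `iptables -L -v -n`.
# Succeeds when the chain carries an ACCEPT rule other than the
# RELATED,ESTABLISHED one, i.e. new VPN-to-internet connections are allowed.
chain_has_forward_accept() {
    printf '%s\n' "$1" | awk '
        $3 == "ACCEPT" && $0 !~ /RELATED,ESTABLISHED/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# $1 = output of `sysctl net.ipv4.ip_forward`; succeeds only when it reads "= 1".
ip_forward_enabled() {
    case "$1" in
        *"= 1"*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Constructed sample dump, modelled on a healthy ovpn2net chain
# (addresses are placeholders, not taken from any real host).
SAMPLE_CHAIN='Chain ovpn2net (1 references)
 pkts bytes target prot opt in out source    destination
    0     0 ACCEPT all  --  *   *   0.0.0.0/0 0.0.0.0/0  ctstate RELATED,ESTABLISHED
 1580  101K ACCEPT all  --  *   *   0.0.0.0/0 0.0.0.0/0  /* RULE#2 */'

# Run the real checks on this host; report each failure, exit 1 if any failed.
live_checks() {
    rc=0
    ip_forward_enabled "$(sysctl net.ipv4.ip_forward 2>/dev/null)" \
        || { echo "FAIL: net.ipv4.ip_forward is not 1"; rc=1; }
    systemctl is-active --quiet shorewall \
        || { echo "FAIL: shorewall is not active"; rc=1; }
    chain_has_forward_accept "$(iptables -L ovpn2net -v -n 2>/dev/null)" \
        || { echo "FAIL: ovpn2net has no ACCEPT rule for new connections"; rc=1; }
    return $rc
}

if [ "$1" = "--live" ]; then
    live_checks
else
    chain_has_forward_accept "$SAMPLE_CHAIN" && echo "sample chain: ok"
fi
```

Without --live the script only exercises the constructed sample; on the NethServer box run it as root with --live to get a pass/fail per check.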

Bug found, thank you for your help.
You can fix it now, I will release an update tomorrow.

cp -p /etc/e-smith/templates/etc/openvpn/host-to-net.conf/00template_vars /etc/e-smith/templates/etc/shorewall/policy/
expand-template /etc/shorewall/policy
shorewall restart

I don’t think I quite understood. But I will try anyway.

I did the following:

0% of success. :frowning:

Steps 6-8 were not necessary, you should have had it working after shorewall restart without disconnecting.
Now I’m completely lost. Could you please post /etc/shorewall/policy?

Here you go.

Chain ovpn2net (1 references)
pkts bytes target     prot opt in     out     source               destination
   0     0 ACCEPT     all  --  *      *              ctstate RELATED,ESTABLISHED
1580  101K ACCEPT     all  --  *      *              /* RULE#2 */

Everything seems in order.
Can you show the output of traceroute/tracert to

Did it. Results as expected. Sorry, it’s in German, but you will get the gist.