[Shorewall-users] Simple OpenVPN setup, what am I missing?

tufkal tufkal at granola.mine.nu
Mon Jun 16 01:30:44 PDT 2003


I am a technician at a local computer repair shop.  We have 2 stores,
both with broadband Internet. Public IPs changed for obvious reasons.

Main Store :    10.10.10.x network
                1.2.3.4 public IP

Branch Store :  192.168.1.x network
                5.6.7.8 public IP

I just set up both stores with a Mandrake Linux router, replacing some
Linksys ones that had issues.  It's just a bigger, uglier router unless I
can get a VPN tunnel from one to the other done.  So here's what I did.




Main Store
----------
/etc/shorewall/zones -> added 'vpn      VPN     Remote Subnet'
/etc/shorewall/interfaces -> added 'vpn      tun0      192.168.1.255'
/etc/shorewall/tunnels -> added 'openvpn      net     5.6.7.8'
/etc/shorewall/policy -> added 'masq vpn ACCEPT' and 'vpn masq ACCEPT'
/etc/shorewall/policy -> added 'fw vpn ACCEPT' and 'vpn fw ACCEPT'

openvpn --remote 5.6.7.8 --dev tun --ifconfig 192.168.99.2 192.168.99.1 --verb 9
route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.99.1




Branch Store
------------
/etc/shorewall/zones -> added 'vpn      VPN     Remote Subnet'
/etc/shorewall/interfaces -> added 'vpn      tun0      10.10.10.255'
/etc/shorewall/tunnels -> added 'openvpn      net     1.2.3.4'
/etc/shorewall/policy -> added 'masq vpn ACCEPT' and 'vpn masq ACCEPT'
/etc/shorewall/policy -> added 'fw vpn ACCEPT' and 'vpn fw ACCEPT'

openvpn --remote 1.2.3.4 --dev tun --ifconfig 192.168.99.2 192.168.99.1 --verb 9
route add -net 10.10.10.0 netmask 255.255.255.0 gw 192.168.99.2

***********************************************************************

This setup kinda works.  Once turned on, the router at the main store
can ping all the stuff in the branch store.  And the router in the
branch store can ping all the stuff in the main store.  The tunnel is
working! YAY :)

But, none of the PCs behind the router can see through the tunnel.  The
router is the only one that can see through it.  Since the tunnel seems
to be working I think my shorewall configuration is to blame, anyone got
an idea to try?
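Editor's added example (not part of the original post, and not Shorewall's or OpenVPN's own tooling): a small POSIX sh checker for a point-to-point OpenVPN site-to-site setup like the one above. It parses the two openvpn command lines and the gateway of each static route and applies three rules that any two-router tunnel has to satisfy: the `--ifconfig LOCAL REMOTE` pairs must mirror each other, the route to the far LAN must use the peer's tunnel address (not the router's own) as gateway, and each side needs `--secret` or a TLS option, since OpenVPN without either tunnels the traffic as cleartext. Fed the command lines and routes exactly as posted, it reports four problems: both routers claim 192.168.99.2 as their local tunnel address, the branch route's gateway 192.168.99.2 is that router's own address, and neither side carries a key. The "fixed" command lines, the `static.key` filename and the helper names (`has_opt`, `opt_args`, `check_tunnel`) are assumptions of this example, not something from the post.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a pair of
# OpenVPN point-to-point command lines and their static routes before
# bringing a site-to-site tunnel up. Inputs are plain strings, so this
# runs offline with no OpenVPN or Shorewall installed.

# has_opt OPT WORD... -> exit 0 if OPT is one of the words
has_opt() {
  opt=$1; shift
  for w in "$@"; do [ "$w" = "$opt" ] && return 0; done
  return 1
}

# opt_args OPT N WORD... -> print the N words that follow OPT (exit 1 if absent)
opt_args() {
  opt=$1; n=$2; shift 2
  while [ $# -gt 0 ]; do
    if [ "$1" = "$opt" ]; then
      shift
      i=0; out=""
      while [ "$i" -lt "$n" ] && [ $# -gt 0 ]; do
        out="$out $1"; shift; i=$((i+1))
      done
      echo "${out# }"
      return 0
    fi
    shift
  done
  return 1
}

# check_tunnel "A openvpn cmdline" A_ROUTE_GW "B openvpn cmdline" B_ROUTE_GW
# Prints one line per problem and returns the number of problems (0 = consistent).
#   * --ifconfig LOCAL REMOTE on one end must mirror the other end
#   * the static route to the far LAN must use the REMOTE tunnel address as gateway
#   * each end needs --secret (static key) or a TLS option; without one OpenVPN
#     carries the tunnel traffic as cleartext
check_tunnel() {
  a_cmd=$1; a_gw=$2; b_cmd=$3; b_gw=$4
  errs=0

  # Unquoted on purpose: the command line string is split into words here.
  a_if=$(opt_args --ifconfig 2 $a_cmd) || a_if=""
  b_if=$(opt_args --ifconfig 2 $b_cmd) || b_if=""
  a_local=${a_if% *}; a_remote=${a_if#* }
  b_local=${b_if% *}; b_remote=${b_if#* }

  if [ -z "$a_if" ] || [ -z "$b_if" ]; then
    echo "missing --ifconfig on one end"
    errs=$((errs+1))
  elif [ "$a_local" != "$b_remote" ] || [ "$a_remote" != "$b_local" ]; then
    echo "ifconfig pair is not mirrored: A=$a_local/$a_remote B=$b_local/$b_remote"
    errs=$((errs+1))
  fi
  if [ "$a_gw" != "$a_remote" ]; then
    echo "A: route gateway $a_gw is not A's remote tunnel address ($a_remote)"
    errs=$((errs+1))
  fi
  if [ "$b_gw" != "$b_remote" ]; then
    echo "B: route gateway $b_gw is not B's remote tunnel address ($b_remote)"
    errs=$((errs+1))
  fi
  for side in A B; do
    if [ "$side" = A ]; then cmd=$a_cmd; else cmd=$b_cmd; fi
    if ! has_opt --secret $cmd && ! has_opt --tls-client $cmd && ! has_opt --tls-server $cmd; then
      echo "$side: no --secret or TLS option, tunnel would carry cleartext"
      errs=$((errs+1))
    fi
  done
  return $errs
}

# --- constructed input: the two command lines and route gateways as posted ---
MAIN_CMD="openvpn --remote 5.6.7.8 --dev tun --ifconfig 192.168.99.2 192.168.99.1 --verb 9"
MAIN_GW=192.168.99.1      # route add -net 192.168.1.0 ... gw 192.168.99.1
BRANCH_CMD="openvpn --remote 1.2.3.4 --dev tun --ifconfig 192.168.99.2 192.168.99.1 --verb 9"
BRANCH_GW=192.168.99.2    # route add -net 10.10.10.0 ... gw 192.168.99.2

# Assumed corrected pair (this example's, not the post's): mirrored ifconfig, routes
# via the peer's tunnel address, and one shared static key made with
# `openvpn --genkey --secret static.key` on one router and copied to the other.
FIXED_MAIN_CMD="openvpn --remote 5.6.7.8 --dev tun --ifconfig 192.168.99.2 192.168.99.1 --secret static.key"
FIXED_MAIN_GW=192.168.99.1
FIXED_BRANCH_CMD="openvpn --remote 1.2.3.4 --dev tun --ifconfig 192.168.99.1 192.168.99.2 --secret static.key"
FIXED_BRANCH_GW=192.168.99.2

# as_posted -> returns the number of problems in the posted configuration
as_posted() { check_tunnel "$MAIN_CMD" "$MAIN_GW" "$BRANCH_CMD" "$BRANCH_GW"; }
# corrected -> returns the number of problems in the assumed fixed configuration
corrected() { check_tunnel "$FIXED_MAIN_CMD" "$FIXED_MAIN_GW" "$FIXED_BRANCH_CMD" "$FIXED_BRANCH_GW"; }

echo "== as posted =="
if as_posted; then echo "problems: 0"; else echo "problems: $?"; fi
echo "== corrected =="
if corrected; then echo "problems: 0"; else echo "problems: $?"; fi
```

The check covers only the tunnel endpoints and the static routes; it says nothing about the Shorewall side (the `masq`/`vpn` and `fw`/`vpn` policies, the `tunnels` entry that lets the OpenVPN packets themselves through from `net`) or about IP forwarding on the routers, so a clean result here still leaves those to verify with `shorewall check` and `cat /proc/sys/net/ipv4/ip_forward`. Once the routers can ping each other's LANs, the next thing to confirm for the PCs is that each router is the default gateway of its own LAN, so the reply traffic from a branch PC actually reaches the tunnel on the way back.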



More information about the Shorewall-users mailing list