# [Solved] Configure Shorewall when using it with OpenVPN

## solamour

```
 Laptop
[192.168.1.203]
   |
   |
[eth1 192.168.1.254]
 MachineA
[tun0 10.8.0.6]
   |
   |
[tun0 10.8.0.1]
 MachineB
[eth0 24.x.x.x]
   |
   |
 Internet
```

Here is the current status.

* "Laptop" can ping "MachineA".

* "MachineA" is connected to "MachineB" via OpenVPN and can ping "MachineB".

* "MachineA" can also go outside to the Internet.

Now I'd like "Laptop" to access the Internet (going through MachineA and MachineB), and I'm not sure how to configure MachineA. A working example of a Shorewall setting would be great, but anything related would be helpful as well. Thank you.

__

sol

Last edited by solamour on Sun Feb 27, 2011 7:49 pm; edited 3 times in total

----------

## richard.scott

Does MachineA run OpenVPN?

If so, edit your /etc/shorewall/masq file and change it to this:

```
#INTERFACE              SUBNET          ADDRESS         PROTO   PORT(S) IPSEC
tun0                    192.168.1.0/24
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
```

This may help... I'm not sure about natting over the tun0 interface though.

Rich

----------

## solamour

MachineA runs OpenVPN as a client, and MachineB as a server. For the time being, I wanted to see whether it works or not instead of worrying too much about security, so I set MachineA's Shorewall as follows.

```
/etc/shorewall/interfaces
net   eth0   detect   dhcp,tcpflags,routefilter,nosmurfs,logmartians
loc   eth1   detect   tcpflags,detectnets,nosmurfs
vpn   tun0

/etc/shorewall/masq
tun0  192.168.1.0/24

/etc/shorewall/policy
all   all   ACCEPT

/etc/shorewall/rules
SECTION NEW

/etc/shorewall/zones
fw    firewall
net   ipv4
loc   ipv4
vpn   ipv4
```

One thing that I noticed is that when I ping MachineB from MachineA, I see packets going back and forth in MachineA's eth0 (the one that goes outside, not the one that is connected to "Laptop") and tun0. But when I ping MachineB from Laptop, I think the packets are not passed to tun0.

Here is the routing table in MachineA.

```
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.8.0.1        10.8.0.5        255.255.255.255 UGH   0      0        0 tun0
24.x.x.x        10.195.32.1     255.255.255.255 UGH   0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
10.195.32.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         10.8.0.5        128.0.0.0       UG    0      0        0 tun0
128.0.0.0       10.8.0.5        128.0.0.0       UG    0      0        0 tun0
0.0.0.0         10.195.32.1     0.0.0.0         UG    0      0        0 eth0
```

__

sol
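The `all all ACCEPT` policy in the post above accepts every zone pair, including unsolicited traffic arriving from `net` and forwarded into `loc`. As an added example (not code from the thread), here is a small first-match resolver for Shorewall `policy` lines that shows what that catch-all permits for the poster's four zones and contrasts it with a tighter policy. The tightened policy text and the `ZONES` list are my own constructions, not the poster's configuration.

```python
"""Added example, not from the thread: first-match resolution of Shorewall
/etc/shorewall/policy lines, used to audit what `all all ACCEPT` permits."""

# The policy the poster showed.
POSTED_POLICY = """\
#SOURCE  DEST  POLICY
all      all   ACCEPT
"""

# Constructed alternative (an assumption, not the poster's config): explicit
# pairs first, then restrictive catch-alls. Shorewall matches top to bottom.
# "fw" is the poster's firewall zone name; Shorewall also accepts $FW for it.
TIGHTENED_POLICY = """\
#SOURCE  DEST  POLICY  LOG
loc      vpn   ACCEPT
loc      fw    ACCEPT
fw       all   ACCEPT
net      all   DROP    info
all      all   REJECT  info
"""

ZONES = ["fw", "net", "loc", "vpn"]   # from the poster's /etc/shorewall/zones


def parse_policy(text):
    """Return (source, dest, policy, log_level) rows, ignoring comments.
    Only plain zone names and the `all` wildcard are handled here."""
    rows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed policy line: {raw!r}")
        src, dst, policy = fields[:3]
        log = fields[3] if len(fields) > 3 else None
        rows.append((src, dst, policy.upper(), log))
    return rows


def resolve(rows, src_zone, dst_zone):
    """First matching row wins; (None, None) means no policy covers the pair
    (Shorewall refuses to start in that case)."""
    for src, dst, policy, log in rows:
        if src in ("all", src_zone) and dst in ("all", dst_zone):
            return policy, log
    return None, None


def audit_net_accepts(rows, zones):
    """List every zone that accepts unsolicited traffic from `net`."""
    return [("net", dst) for dst in zones
            if dst != "net" and resolve(rows, "net", dst)[0] == "ACCEPT"]


if __name__ == "__main__":
    for name, text in (("posted", POSTED_POLICY), ("tightened", TIGHTENED_POLICY)):
        rows = parse_policy(text)
        print(name, "net->loc:", resolve(rows, "net", "loc"),
              "| accepted from net:", audit_net_accepts(rows, ZONES))
```

With the tightened policy, individual exceptions (for instance an inbound service on the firewall) belong in `/etc/shorewall/rules`, which in the post contains only `SECTION NEW`; the policy file then stays the restrictive default rather than the permissive one.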

----------

## richard.scott

Perhaps you need a route on MachineB routing 192.168.1.0/24 back to MachineA?
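Whether MachineB needs that return route depends on whether MachineA rewrites the source address before the packet enters the tunnel. The Python below is an added example (not code from the thread): it does a longest-prefix-match lookup over the routing table solamour posted for MachineA, then reports what source address MachineB sees with and without the `masq` entry on `tun0`. The two `/1` routes via 10.8.0.5 (`0.0.0.0/1` and `128.0.0.0/1`) are the pair OpenVPN installs for `redirect-gateway def1`; being more specific than the `eth0` default, they win for every Internet destination, while the server's own address keeps its host route out of `eth0`. Assumptions: 8.8.8.8 stands in for an Internet host, the redacted `24.x.x.x` server address is replaced by the placeholder 24.0.0.1, and the interface addresses come from the poster's diagram.

```python
"""Added example, not part of the thread: route lookup and source-address
reasoning over the MachineA routing table solamour posted."""
import ipaddress

# Data rows copied from the posted table; 24.x.x.x (redacted in the post)
# is replaced by the placeholder 24.0.0.1.
MACHINE_A_ROUTES = """\
10.8.0.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.8.0.1        10.8.0.5        255.255.255.255 UGH   0      0        0 tun0
24.0.0.1        10.195.32.1     255.255.255.255 UGH   0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
10.195.32.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         10.8.0.5        128.0.0.0       UG    0      0        0 tun0
128.0.0.0       10.8.0.5        128.0.0.0       UG    0      0        0 tun0
0.0.0.0         10.195.32.1     0.0.0.0         UG    0      0        0 eth0
"""

# Interface addresses from the poster's diagram (eth0's address was not given).
IFACE_ADDR = {"tun0": "10.8.0.6", "eth1": "192.168.1.254"}
LAN = ipaddress.ip_network("192.168.1.0/24")


def parse_routes(text):
    """Parse `route -n` style rows into (network, gateway-or-None, iface)."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8:
            continue                      # blank line or title line
        try:
            net = ipaddress.ip_network(f"{f[0]}/{f[2]}", strict=False)
        except ValueError:
            continue                      # column header row
        gw = None if f[1] == "0.0.0.0" else f[1]
        routes.append((net, gw, f[7]))
    return routes


def lookup(routes, dst):
    """Longest-prefix match, as the kernel does (all metrics are 0 here)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best


def forward_from_lan(routes, src, dst, masq_ifaces):
    """Forward a LAN packet through MachineA and report the egress interface,
    the source address the next hop sees, and whether that next hop (MachineB)
    must hold a return route for 192.168.1.0/24 in order to answer."""
    _net, _gw, iface = lookup(routes, dst)
    masqueraded = iface in masq_ifaces and iface in IFACE_ADDR
    seen_src = IFACE_ADDR[iface] if masqueraded else src
    needs_return_route = ipaddress.ip_address(seen_src) in LAN
    return iface, seen_src, needs_return_route


if __name__ == "__main__":
    routes = parse_routes(MACHINE_A_ROUTES)
    for dst in ("8.8.8.8", "200.1.2.3", "24.0.0.1", "10.8.0.1", "192.168.1.203"):
        net, gw, iface = lookup(routes, dst)
        print(f"{dst:15} -> {iface:5} via {gw or 'link'} (matched {net})")
    for masq in ({"tun0"}, set()):
        label = "masq on tun0" if masq else "no masq     "
        print(label, forward_from_lan(routes, "192.168.1.203", "8.8.8.8", masq))
```

With the `tun0 192.168.1.0/24` masq entry, MachineB only ever sees 10.8.0.6 as the source, so it needs no knowledge of 192.168.1.0/24; without it, the suggested return route on MachineB is required. Either way MachineA must actually forward: Shorewall's `IP_FORWARDING` setting in `shorewall.conf` is the place to confirm that.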

----------

## solamour

It turned out that MachineA wasn't on its own; it was housed as a virtual machine sharing the network interface with its host machine. I'm not sure that has anything to do with the problem I was having, but at least when MachineA was put into an "actual" machine, everything worked as expected (i.e., Laptop can go outside to the Internet through MachineA and MachineB, which are connected via OpenVPN).

Thanks, everyone, for the suggestions.

__

sol

----------

