# OpenVPN with Shorewall can't ping

## LauPro

I have the following setup:

[Private subnet 10.1.0.0/24] - Server A with OpenVPN (public IP) - Internet - (public IP) Server B with Shorewall AND OpenVPN - [Internal private subnet 10.2.0.0/24]

When I activate Shorewall on server B I can't ping between Server A/B (the OpenVPN tun0). Without Shorewall everything works fine.

I use the following config:

/etc/shorewall/masq

```
tun+    eth2
```

/etc/shorewall/policy

```
fw      firewall
net     ipv4
loc     ipv4
vpn     ipv4
```

/etc/shorewall/zones

```
vpn     $FW     ACCEPT
vpn     loc     ACCEPT
vpn     net     ACCEPT
net     all     ACCEPT  info
all     all     ACCEPT  info
```

/etc/shorewall/interfaces

```
net     eth0            detect
loc     eth1            detect          dhcp
vpn     tun+
```

The log messages aren't helping me (I can't see any OpenVPN traffic).

OpenVPN conf (client)

```
# or your VPN server's external IP if you have a fixed one
remote remoteserver.domain 5001
dev tun
# IP of the local tun device and its peer
ifconfig 10.3.10.2 10.3.10.1
secret /etc/openvpn/key.txt
comp-lzo
resolv-retry infinite
user nobody
group nobody
persist-key
persist-tun
ping 15
ping-restart 45
ping-timer-rem
route 10.1.0.0 255.255.0.0
```

And finally the tunnels file:

/etc/shorewall/tunnels

```
openvpn:5001    vpn     remoteserver.domain
```

Someone?

----------

## LauPro

Anyone? Also IPv6 tunnels over IPv4 have the same problem. When I activate Shorewall one time (and then it blocks the tunnel) I need to reboot to fix the tunnel.

----------

## Hu

Please post the output of iptables-save -c so that we can see the firewall rules that shorewall loaded.

----------

## LauPro

```
# Completed on Wed Dec 19 16:57:08 2007
# Generated by iptables-save v1.3.5 on Wed Dec 19 16:57:08 2007
*filter
:INPUT DROP [1:52]
:FORWARD DROP [1:48]
:OUTPUT DROP [0:0]
:Drop - [0:0]
:Reject - [0:0]
:all2all - [0:0]
:dropBcast - [0:0]
:dropInvalid - [0:0]
:dropNotSyn - [0:0]
:dynamic - [0:0]
:eth0_fwd - [0:0]
:eth0_in - [0:0]
:eth1_fwd - [0:0]
:eth1_in - [0:0]
:eth2_fwd - [0:0]
:eth2_in - [0:0]
:eth3_fwd - [0:0]
:eth3_in - [0:0]
:fw2loc - [0:0]
:fw2net - [0:0]
:fw2vpn - [0:0]
:loc2fw - [0:0]
:loc2net - [0:0]
:loc2vpn - [0:0]
:net2fw - [0:0]
:net2loc - [0:0]
:net2vpn - [0:0]
:reject - [0:0]
:shorewall - [0:0]
:smurfs - [0:0]
:tun0_fwd - [0:0]
:tun0_in - [0:0]
:vpn2fw - [0:0]
:vpn2loc - [0:0]
:vpn2net - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j eth0_in
-A INPUT -i eth1 -j eth1_in
-A INPUT -i eth2 -j eth2_in
-A INPUT -i eth3 -j eth3_in
-A INPUT -i tun0 -j tun0_in
-A INPUT -j LOG --log-prefix "Shorewall:INPUT:ACCEPT:" --log-level 6
-A INPUT -j ACCEPT
-A FORWARD -i eth0 -j eth0_fwd
-A FORWARD -i eth1 -j eth1_fwd
-A FORWARD -i eth2 -j eth2_fwd
-A FORWARD -i eth3 -j eth3_fwd
-A FORWARD -i tun0 -j tun0_fwd
-A FORWARD -j LOG --log-prefix "Shorewall:FORWARD:ACCEPT:" --log-level 6
-A FORWARD -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth2 -p udp -m udp --dport 67:68 -j ACCEPT
-A OUTPUT -o eth0 -m policy --dir out --pol none -j fw2net
-A OUTPUT -o eth1 -m policy --dir out --pol none -j fw2net
-A OUTPUT -o eth3 -m policy --dir out --pol none -j fw2net
-A OUTPUT -o eth2 -m policy --dir out --pol none -j fw2loc
-A OUTPUT -o tun0 -m policy --dir out --pol none -j fw2vpn
-A OUTPUT -j LOG --log-prefix "Shorewall:OUTPUT:ACCEPT:" --log-level 6
-A OUTPUT -j ACCEPT
-A Drop -p tcp -m tcp --dport 113 -j reject
-A Drop -j dropBcast
-A Drop -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A Drop -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A Drop -j dropInvalid
-A Drop -p udp -m multiport --dports 135,445 -j DROP
-A Drop -p udp -m udp --dport 137:139 -j DROP
-A Drop -p udp -m udp --sport 137 --dport 1024:65535 -j DROP
-A Drop -p tcp -m multiport --dports 135,139,445 -j DROP
-A Drop -p udp -m udp --dport 1900 -j DROP
-A Drop -p tcp -j dropNotSyn
-A Drop -p udp -m udp --sport 53 -j DROP
-A Reject -p tcp -m tcp --dport 113 -j reject
-A Reject -j dropBcast
-A Reject -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A Reject -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A Reject -j dropInvalid
-A Reject -p udp -m multiport --dports 135,445 -j reject
-A Reject -p udp -m udp --dport 137:139 -j reject
-A Reject -p udp -m udp --sport 137 --dport 1024:65535 -j reject
-A Reject -p tcp -m multiport --dports 135,139,445 -j reject
-A Reject -p udp -m udp --dport 1900 -j DROP
-A Reject -p tcp -j dropNotSyn
-A Reject -p udp -m udp --sport 53 -j DROP
-A all2all -m state --state RELATED,ESTABLISHED -j ACCEPT
-A all2all -j LOG --log-prefix "Shorewall:all2all:ACCEPT:" --log-level 6
-A all2all -j ACCEPT
-A dropBcast -m pkttype --pkt-type broadcast -j DROP
-A dropBcast -m pkttype --pkt-type multicast -j DROP
-A dropInvalid -m state --state INVALID -j DROP
-A dropNotSyn -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A eth0_fwd -m state --state INVALID,NEW -j dynamic
-A eth0_fwd -o eth1 -m policy --dir out --pol none -j ACCEPT
-A eth0_fwd -o eth3 -m policy --dir out --pol none -j ACCEPT
-A eth0_fwd -o eth2 -m policy --dir out --pol none -j net2loc
-A eth0_fwd -o tun0 -m policy --dir out --pol none -j net2vpn
-A eth0_in -m state --state INVALID,NEW -j dynamic
-A eth0_in -m policy --dir in --pol none -j net2fw
-A eth1_fwd -m state --state INVALID,NEW -j dynamic
-A eth1_fwd -o eth0 -m policy --dir out --pol none -j ACCEPT
-A eth1_fwd -o eth3 -m policy --dir out --pol none -j ACCEPT
-A eth1_fwd -o eth2 -m policy --dir out --pol none -j net2loc
-A eth1_fwd -o tun0 -m policy --dir out --pol none -j net2vpn
-A eth1_in -m state --state INVALID,NEW -j dynamic
-A eth1_in -m policy --dir in --pol none -j net2fw
-A eth2_fwd -m state --state INVALID,NEW -j dynamic
-A eth2_fwd -o eth0 -m policy --dir out --pol none -j loc2net
-A eth2_fwd -o eth1 -m policy --dir out --pol none -j loc2net
-A eth2_fwd -o eth3 -m policy --dir out --pol none -j loc2net
-A eth2_fwd -o tun0 -m policy --dir out --pol none -j loc2vpn
-A eth2_in -m state --state INVALID,NEW -j dynamic
-A eth2_in -p udp -m udp --dport 67:68 -j ACCEPT
-A eth2_in -m policy --dir in --pol none -j loc2fw
-A eth3_fwd -m state --state INVALID,NEW -j dynamic
-A eth3_fwd -o eth0 -m policy --dir out --pol none -j ACCEPT
-A eth3_fwd -o eth1 -m policy --dir out --pol none -j ACCEPT
-A eth3_fwd -o eth2 -m policy --dir out --pol none -j net2loc
-A eth3_fwd -o tun0 -m policy --dir out --pol none -j net2vpn
-A eth3_in -m state --state INVALID,NEW -j dynamic
-A eth3_in -m policy --dir in --pol none -j net2fw
-A fw2loc -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fw2loc -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A fw2loc -p tcp -m tcp --dport 22 -j ACCEPT
-A fw2loc -p udp -m udp --dport 53 -j ACCEPT
-A fw2loc -p tcp -m tcp --dport 53 -j ACCEPT
-A fw2loc -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A fw2loc -p udp -m udp --dport 5001 -j ACCEPT
-A fw2loc -p udp -m udp --sport 5001 -j ACCEPT
-A fw2loc -j all2all
-A fw2net -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fw2net -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A fw2net -p tcp -m tcp --dport 22 -j ACCEPT
-A fw2net -p udp -m udp --dport 53 -j ACCEPT
-A fw2net -p tcp -m tcp --dport 53 -j ACCEPT
-A fw2net -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A fw2net -p udp -m udp --dport 5001 -j ACCEPT
-A fw2net -p udp -m udp --sport 5001 -j ACCEPT
-A fw2net -d 213.239.183.75 -p udp -m udp --dport 5001 -j ACCEPT
-A fw2net -d 213.239.183.75 -p tcp -m tcp --dport 5001 -j ACCEPT
-A fw2net -j all2all
-A fw2vpn -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fw2vpn -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A fw2vpn -p tcp -m tcp --dport 22 -j ACCEPT
-A fw2vpn -p udp -m udp --dport 53 -j ACCEPT
-A fw2vpn -p tcp -m tcp --dport 53 -j ACCEPT
-A fw2vpn -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A fw2vpn -p udp -m udp --dport 5001 -j ACCEPT
-A fw2vpn -p udp -m udp --sport 5001 -j ACCEPT
-A fw2vpn -j all2all
-A loc2fw -m state --state RELATED,ESTABLISHED -j ACCEPT
-A loc2fw -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A loc2fw -p tcp -m tcp --dport 22 -j ACCEPT
-A loc2fw -p udp -m udp --dport 53 -j ACCEPT
-A loc2fw -p tcp -m tcp --dport 53 -j ACCEPT
-A loc2fw -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A loc2fw -p udp -m udp --dport 5001 -j ACCEPT
-A loc2fw -p udp -m udp --sport 5001 -j ACCEPT
-A loc2fw -j all2all
-A loc2net -m state --state RELATED,ESTABLISHED -j ACCEPT
-A loc2net -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A loc2net -p tcp -m tcp --dport 22 -j ACCEPT
-A loc2net -p udp -m udp --dport 53 -j ACCEPT
-A loc2net -p tcp -m tcp --dport 53 -j ACCEPT
-A loc2net -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A loc2net -p udp -m udp --dport 5001 -j ACCEPT
-A loc2net -p udp -m udp --sport 5001 -j ACCEPT
-A loc2net -j all2all
-A loc2vpn -m state --state RELATED,ESTABLISHED -j ACCEPT
-A loc2vpn -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A loc2vpn -p tcp -m tcp --dport 22 -j ACCEPT
-A loc2vpn -p udp -m udp --dport 53 -j ACCEPT
-A loc2vpn -p tcp -m tcp --dport 53 -j ACCEPT
-A loc2vpn -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A loc2vpn -p udp -m udp --dport 5001 -j ACCEPT
-A loc2vpn -p udp -m udp --sport 5001 -j ACCEPT
-A loc2vpn -j all2all
-A net2fw -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2fw -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A net2fw -p tcp -m tcp --dport 22 -j ACCEPT
-A net2fw -p udp -m udp --dport 53 -j ACCEPT
-A net2fw -p tcp -m tcp --dport 53 -j ACCEPT
-A net2fw -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A net2fw -p udp -m udp --dport 5001 -j ACCEPT
-A net2fw -p udp -m udp --sport 5001 -j ACCEPT
-A net2fw -s 213.239.183.75 -p udp -m udp --dport 5001 -j ACCEPT
-A net2fw -s 213.239.183.75 -p tcp -m tcp --dport 5001 -j ACCEPT
-A net2fw -j all2all
-A net2loc -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2loc -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A net2loc -p tcp -m tcp --dport 22 -j ACCEPT
-A net2loc -p udp -m udp --dport 53 -j ACCEPT
-A net2loc -p tcp -m tcp --dport 53 -j ACCEPT
-A net2loc -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A net2loc -p udp -m udp --dport 5001 -j ACCEPT
-A net2loc -p udp -m udp --sport 5001 -j ACCEPT
-A net2loc -j all2all
-A net2vpn -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2vpn -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A net2vpn -p tcp -m tcp --dport 22 -j ACCEPT
-A net2vpn -p udp -m udp --dport 53 -j ACCEPT
-A net2vpn -p tcp -m tcp --dport 53 -j ACCEPT
-A net2vpn -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A net2vpn -p udp -m udp --dport 5001 -j ACCEPT
-A net2vpn -p udp -m udp --sport 5001 -j ACCEPT
-A net2vpn -j all2all
-A reject -m pkttype --pkt-type broadcast -j DROP
-A reject -m pkttype --pkt-type multicast -j DROP
-A reject -s 192.168.1.255 -j DROP
-A reject -s 192.168.2.255 -j DROP
-A reject -s 10.3.11.255 -j DROP
-A reject -s 255.255.255.255 -j DROP
-A reject -s 224.0.0.0/240.0.0.0 -j DROP
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A reject -j REJECT --reject-with icmp-host-prohibited
-A smurfs -s 192.168.1.255 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 192.168.1.255 -j DROP
-A smurfs -s 192.168.2.255 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 192.168.2.255 -j DROP
-A smurfs -s 10.3.11.255 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 10.3.11.255 -j DROP
-A smurfs -s 255.255.255.255 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 255.255.255.255 -j DROP
-A smurfs -s 224.0.0.0/240.0.0.0 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 224.0.0.0/240.0.0.0 -j DROP
-A tun0_fwd -m state --state INVALID,NEW -j dynamic
-A tun0_fwd -o eth0 -m policy --dir out --pol none -j vpn2net
-A tun0_fwd -o eth1 -m policy --dir out --pol none -j vpn2net
-A tun0_fwd -o eth3 -m policy --dir out --pol none -j vpn2net
-A tun0_fwd -o eth2 -m policy --dir out --pol none -j vpn2loc
-A tun0_in -m state --state INVALID,NEW -j dynamic
-A tun0_in -m policy --dir in --pol none -j vpn2fw
-A vpn2fw -m state --state RELATED,ESTABLISHED -j ACCEPT
-A vpn2fw -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A vpn2fw -p tcp -m tcp --dport 22 -j ACCEPT
-A vpn2fw -p udp -m udp --dport 53 -j ACCEPT
-A vpn2fw -p tcp -m tcp --dport 53 -j ACCEPT
-A vpn2fw -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A vpn2fw -p udp -m udp --dport 5001 -j ACCEPT
-A vpn2fw -p udp -m udp --sport 5001 -j ACCEPT
-A vpn2fw -j all2all
-A vpn2loc -m state --state RELATED,ESTABLISHED -j ACCEPT
-A vpn2loc -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A vpn2loc -p tcp -m tcp --dport 22 -j ACCEPT
-A vpn2loc -p udp -m udp --dport 53 -j ACCEPT
-A vpn2loc -p tcp -m tcp --dport 53 -j ACCEPT
-A vpn2loc -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A vpn2loc -p udp -m udp --dport 5001 -j ACCEPT
-A vpn2loc -p udp -m udp --sport 5001 -j ACCEPT
-A vpn2loc -j ACCEPT
-A vpn2net -m state --state RELATED,ESTABLISHED -j ACCEPT
-A vpn2net -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A vpn2net -p tcp -m tcp --dport 22 -j ACCEPT
-A vpn2net -p udp -m udp --dport 53 -j ACCEPT
-A vpn2net -p tcp -m tcp --dport 53 -j ACCEPT
-A vpn2net -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A vpn2net -p udp -m udp --dport 5001 -j ACCEPT
-A vpn2net -p udp -m udp --sport 5001 -j ACCEPT
-A vpn2net -j ACCEPT
COMMIT
# Completed on Wed Dec 19 16:57:08 2007
```

Hmm, but the problem still exists even when I shut down Shorewall. The VPN works at first, but once I start Shorewall (!), I need to reboot the server to fix the connection. Even iptables -F doesn't work.

The config is a bit different here:

eth0, eth1,(eth3): internet connections

eth2: local network

tun0: vpn

----------

## LauPro

I've also tried this one from http://openvpn.net/faq.html

```
# Allow TUN interface connections to OpenVPN server
iptables -A INPUT -i tun+ -j ACCEPT

# Allow TUN interface connections to be forwarded through other interfaces
iptables -A FORWARD -i tun+ -j ACCEPT

# Allow TAP interface connections to OpenVPN server
iptables -A INPUT -i tap+ -j ACCEPT

# Allow TAP interface connections to be forwarded through other interfaces
iptables -A FORWARD -i tap+ -j ACCEPT
```

Still no ping.

edit:

```
# nc -u server.service.net 5001
```

This works, so it is not a block of VPN traffic.

----------

## Hu

*LauPro wrote:*

> Hmm, but the problem still exists even when I shut down Shorewall. The VPN works at first, but once I start Shorewall (!), I need to reboot the server to fix the connection. Even iptables -F doesn't work.

That sounds very bad.  Could you collect the output of iptables-save -c at three points and post the three samples?  First, run it when OpenVPN is running and Shorewall has not been started at all during this boot.  Then start Shorewall and run iptables-save -c again.  Finally, stop Shorewall and run iptables -F, but do not reboot.  Then run iptables-save -c a third time.  If I understand correctly, the output you posted above is from the second sample.  There is no need to repost that if what you posted matches one of these three samples.  I want to compare the state of the rules to see why stopping Shorewall and flushing the table does not restore connectivity.

Also, if possible, please collect a packet capture of the ICMP message which is being blocked by the Shorewall configuration.  Packet captures are done before netfilter processes packets, so you can see blocked traffic in the capture.  I would like to see the IP headers of the message to identify which rules should be matching it.  Also, since net-analyzer/tcpdump defaults to capturing on only one interface at a time, this will verify that the ICMP message is arriving over the tun0 interface.  Run tcpdump as tcpdump -p -n -v -i tun0 icmp.
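
As an added example (not code from the thread or from Shorewall), the following Python script reads an iptables-save -c dump in the format posted above and walks a packet through the filter chains the way netfilter would, so you can confirm whether the ruleset really is what blocks the echo request from tun0, and it keeps the chain policy counters, since a non-zero count such as [1:52] on INPUT DROP records packets that fell through every rule. The ruleset it reads is a constructed excerpt modelled on the dump, and only the -i, -p, --icmp-type and --state matches are modelled; other matches such as -m policy are assumed to match.

```python
import re
RULESET = """\
# Constructed excerpt modelled on the iptables-save -c dump posted above (not real output)
*filter
:INPUT DROP [1:52]
:dynamic - [0:0]
:tun0_in - [0:0]
:vpn2fw - [0:0]
-A INPUT -i tun0 -j tun0_in
-A INPUT -j LOG --log-prefix "Shorewall:INPUT:ACCEPT:" --log-level 6
-A INPUT -j ACCEPT
-A tun0_in -m state --state INVALID,NEW -j dynamic
-A tun0_in -m policy --dir in --pol none -j vpn2fw
-A vpn2fw -p icmp -m icmp --icmp-type 8 -j ACCEPT
COMMIT
"""

def parse(text):
    """Return {chain: (policy or None, policy packet counter)} and {chain: [rule tokens]}."""
    policies, chains = {}, {}
    for line in text.splitlines():
        m = re.match(r":(\S+) (\S+) \[(\d+):\d+\]", line)
        if m:
            policies[m[1]], chains[m[1]] = (None if m[2] == "-" else m[2], int(m[3])), []
        elif line.startswith("-A "):
            chains[line.split()[1]].append(line.split()[2:])
    return policies, chains

def matches(tokens, pkt):
    """Evaluate -i, -p, --icmp-type and --state; other options are assumed to match."""
    want = {"-i": pkt.get("iif"), "-p": pkt.get("proto"), "--icmp-type": str(pkt.get("icmp_type"))}
    it = iter(tokens)
    for tok in it:
        if tok == "-j":
            return True, next(it)
        arg = next(it)  # every option in this excerpt takes exactly one operand
        if arg != want.get(tok, arg) or (tok == "--state" and pkt["state"] not in arg.split(",")):
            return False, None
    return True, None

def trace(policies, chains, chain, pkt, path=()):
    """Walk a chain as netfilter would, recursing into user chains; return (verdict, path)."""
    for tokens in chains[chain]:
        hit, target = matches(tokens, pkt)
        if hit and target in ("ACCEPT", "DROP", "REJECT"):
            return target, path + (f"{chain}->{target}",)
        if hit and target in chains:  # jump; LOG and other non-terminating targets are passed over
            verdict, path = trace(policies, chains, target, pkt, path + (f"{chain}->{target}",))
            if verdict:
                return verdict, path
    return policies[chain][0], path  # None for a user chain: fall back to the caller
```

Run trace(*parse(RULESET), "INPUT", {"iif": "tun0", "proto": "icmp", "icmp_type": 8, "state": "NEW"}) to see the echo request accepted in vpn2fw; a verdict that comes from the chain policy rather than a rule is what the policy counters are counting.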

----------

## LauPro

OK, I've found the problem.

When I add entries in /etc/shorewall/providers file the VPN doesn't work, when these are uncommented it works (even with Shorewall on or restarted (version 3.0.8 btw)).

So the problem lies in the load balanced provider thing.
