Configuring Shorewall for routed OpenVPN

I have an Ubuntu Server 14.04 machine that serves as a NAT router. The routing is achieved using Shorewall, mostly in line with this tutorial. The LAN has the subnet 10.0.0.0/24.

On this machine I also want to run an OpenVPN server, which listens on port 1194 (udp). Clients connecting to this VPN (from the internet) should find themselves in the 10.34.56.0/24 subnet. Hosts in the VPN subnet should be able to reach hosts in the LAN subnet, with both udp and tcp connections. Also, hosts in the VPN subnet should be able to access the internet through my server (masqueraded).

My question is: How do I configure Shorewall to make this happen?
a) Connecting VPN clients should get an answer from the OpenVPN server
b) Hosts in the VPN subnet should be able to access the internet

My /etc/shorewall/rules contains a line that opens the OpenVPN server's port for incoming VPN connections

#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE 
#                                               PORT    PORT(S)
# listen for VPN on net
ACCEPT          net             $FW             udp     1194

I have tried using a /etc/shorewall/tunnels file, like this page suggests, but to no avail. I also tried translating the /etc/shorewall/tunnels file into /etc/shorewall/rules, as per this page, but this was also unsuccessful. All I ever get is a timeout while setting up the connection.

Some more shorewall config files of mine:

My /etc/shorewall/interfaces

#ZONE   INTERFACE       BROADCAST       OPTIONS
net     p10p1           detect          #...
loc     eth1            detect          #...
vpn     tun+

My /etc/shorewall/zones

#ZONE   TYPE    OPTIONS                 IN                      OUT
#                                       OPTIONS                 OPTIONS
fw      firewall
net     ipv4
loc     ipv4
vpn     ipv4

My /etc/shorewall/masq

#INTERFACE:DEST         SOURCE          ADDRESS         PROTO   PORT(S) IPSEC   MARK    USER/   SWITCH  ORIGINAL
#                                                                                       GROUP           DEST
p10p1                   10.0.0.0/24
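An added check, not part of the question above, that parses a Shorewall masq file with Python's ipaddress module and reports whether a given subnet is covered by a masquerade entry on an interface. It uses a constructed copy of the masq file quoted above, in which only 10.0.0.0/24 is listed for p10p1, and a second, assumed variant that adds a line for 10.34.56.0/24; exclusions (`!`) and interface names in the SOURCE column are not handled.

```python
import ipaddress

# Constructed copy of the /etc/shorewall/masq file quoted in the question.
MASQ_FROM_QUESTION = """\
#INTERFACE:DEST         SOURCE          ADDRESS         PROTO   PORT(S)
p10p1                   10.0.0.0/24
"""

# Assumed variant: the VPN subnet is masqueraded on the same interface.
MASQ_WITH_VPN = MASQ_FROM_QUESTION + "p10p1                   10.34.56.0/24\n"


def parse_masq(text):
    """Return {interface: [source networks]} from Shorewall masq text.

    Only the first two columns (INTERFACE[:DEST] and SOURCE) are read.
    Comment and blank lines are skipped; SOURCE may hold several
    comma-separated networks. A SOURCE that is not an address or
    network (e.g. an interface name) is ignored by this check.
    """
    entries = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        cols = line.split()
        if len(cols) < 2:
            continue
        iface = cols[0].split(":", 1)[0]
        for src in cols[1].split(","):
            try:
                net = ipaddress.ip_network(src, strict=False)
            except ValueError:
                continue
            entries.setdefault(iface, []).append(net)
    return entries


def is_masqueraded(text, iface, subnet):
    """True if every host in `subnet` falls inside a masq entry on `iface`."""
    net = ipaddress.ip_network(subnet)
    return any(net.subnet_of(n) for n in parse_masq(text).get(iface, []))


if __name__ == "__main__":
    for name, cfg in (("question", MASQ_FROM_QUESTION), ("with vpn", MASQ_WITH_VPN)):
        for subnet in ("10.0.0.0/24", "10.34.56.0/24"):
            print(name, subnet, "masqueraded on p10p1:", is_masqueraded(cfg, "p10p1", subnet))
```

Run against the file as quoted, the LAN subnet is covered but the VPN subnet is not, so replies for VPN clients' internet traffic would leave p10p1 with a 10.34.56.x source address.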

Solution 1:

Try changing the rule:

ACCEPT          net             $FW             udp     1194

to be:

ACCEPT:info          net             $FW             udp     1194

Then tail the /var/log/syslog file to see if the connection is started.

Make sure your /etc/shorewall/policy file has a section to allow VPN to LOC and LOC to VPN:

loc       vpn         ACCEPT
vpn       loc         ACCEPT

... or rules in the /etc/shorewall/rules file to allow loc to vpn and vpn to loc.

ACCEPT         loc       vpn
ACCEPT         vpn       loc

And your /etc/shorewall/tunnels file should have this in it:

openvpnserver:1194      net     0.0.0.0/0

If all that is set up and working, you may have a problem with the OpenVPN configuration. Here is an example of my configuration, with changes to match your configuration.

# General Options
local your.public.ip
dev tun0
proto udp
port 1194
topology subnet
client-config-dir /etc/openvpn/ccd

# Certificate locations
ca /etc/openvpn/easyrsa/keys/ca.crt
cert /etc/openvpn/easyrsa/keys/gateway.crt
key /etc/openvpn/easyrsa/keys/gateway.key
dh /etc/openvpn/easyrsa/keys/dh2048.pem

# Who the openvpn process runs as
user nobody
group nogroup

# Use this range for IPs
server 10.34.56.0 255.255.255.0
persist-key
persist-tun

# Allow client-to-client traffic
client-to-client

# Set VPN as default GW (disabled; the pushed route below is used instead)
#push "redirect-gateway def1"

# Push routes to client (preferred over default route)
push "route 10.0.0.0 255.255.255.0"

# Set the DNS servers
push "dhcp-option DNS 10.0.0.1"

status /var/log/openvpn-status.log
verb 5
log-append /var/log/openvpn
comp-lzo
keepalive 20 120