How to set up SuSEfirewall to work with openVPN?

Hi all,

I'm running an openVPN server on an openSUSE 10.3 box. It works fine when the firewall is off. However, I have problems setting up the SuSE firewall to work with openVPN. The setup is as follows:

Road warrior openVPN IP: 172.16.142.10
openSUSE 10.3 openVPN IP: 172.16.142.1
openSUSE 10.3 eth0 IP: 192.168.1.2

Road warrior openVPN client connects properly to openVPN server on openSUSE 10.3 box. I have problems when trying to ssh from road warrior to openSUSE box (over openVPN channel):

warrior>ssh user@172.16.142.1
server>SFW2-INext-DROP-DEFLT IN=tun7 OUT= MAC= SRC=172.16.142.10 DST=172.16.142.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=56812 DF PROTO=TCP SPT=53120 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405580402080A00E918B30000000001030304)

As you can see, the firewall is blocking the packets >:( Can anybody please help me? Below are more details:

server>route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.16.142.2    *               255.255.255.255 UH    0      0        0 tun7
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
172.16.142.0    172.16.142.2    255.255.255.0   UG    0      0        0 tun7
loopback        *               255.0.0.0       U     0      0        0 lo
default         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
server> ifconfig
eth0      Link encap:Ethernet  HWaddr 
         inet addr:192.168.1.2  Bcast:255.255.255.255  Mask:255.255.255.0
tun7      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
         inet addr:172.16.142.1  P-t-P:172.16.142.2  Mask:255.255.255.255

server>grep -v ^# /etc/sysconfig/SuSEfirewall2 | grep -v '"]"]' | grep -v ^$
FW_DEV_EXT='eth0'
FW_DEV_INT='tun7' (openVPN interface tun7 is marked as internal net)
FW_ROUTE="yes" (to enable INT -> EXT routing)
FW_MASQUERADE="no"
FW_MASQ_DEV="zone:ext"
FW_MASQ_NETS="0/0"
FW_PROTECT_FROM_INT="no"
FW_SERVICES_REJECT_EXT="0/0,tcp,113"
FW_SERVICES_ACCEPT_EXT="88.212.17.42,udp,1194" (to enable road warrior openVPN client to connect to server)
FW_FORWARD="172.16.142.10,172.16.142.1" (my trial to enable SRC=172.16.142.10 DST=172.16.142.1 packet passing)
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
FW_ALLOW_FW_BROADCAST_EXT="no"
FW_ALLOW_FW_BROADCAST_INT="no"
FW_ALLOW_FW_BROADCAST_DMZ="no"
FW_IGNORE_FW_BROADCAST_EXT="yes"
FW_IGNORE_FW_BROADCAST_INT="no"
FW_IGNORE_FW_BROADCAST_DMZ="no"
FW_ALLOW_CLASS_ROUTING="int" (routing inside the INTERNAL zone is enabled)
FW_REJECT_INT="yes"
FW_IPSEC_TRUST="no"

How can I enable 172.16.142.10 -> 172.16.142.1 -> 192.168.1.2 packet forwarding?

I would really appreciate any help on this. I have spent hours trying to get it working but without success.

Thanks a lot!
Jiri

Have you opened the ssh port in the firewall?

Check the how-to page: HOWTOs - openSUSE

Set up a public key for ssh access; you can also include IP identification.

Don’t you need to add ssh over tcp to FW_SERVICES_ACCEPT_INT? (Seems to be FW_SERVICES_INT_TCP in 11.0.)

Hi caf4926 and ken_yap,

You were both right! :slight_smile: FW_SERVICES_ACCEPT_INT was missing. On the other hand, the following options were not needed:

FW_ROUTE="yes"
FW_ALLOW_CLASS_ROUTING="int"
FW_FORWARD="172.16.142.0/24,192.168.1.0/24"

Summary: to get openVPN working with SuSEfirewall I had to set the following options:

FW_DEV_INT='tun7' (openVPN interface tun7 is marked as internal net)
FW_SERVICES_ACCEPT_EXT="88.212.17.42,udp,2194" (to enable road warrior openVPN client to connect to server)
FW_SERVICES_ACCEPT_INT="172.16.142.10,tcp,22" (to enable ssh from road warrior to server)

I just believed that, because FW_PROTECT_FROM_INT="no" was used, no FW_SERVICES_ACCEPT_INT was needed.

FW_PROTECT_FROM_INT="no"
# Do you want to protect the firewall from the internal network?
# Requires: FW_DEV_INT
#
# If you set this to "yes", internal machines may only access
# services on the firewall you explicitly allow. If you set this to
# "no", any internal user can connect (and attack) any service on
# the firewall.

So I don't really understand what FW_PROTECT_FROM_INT does in this scenario. I have now set it to "yes", since ssh from the road warrior was working fine regardless of the FW_PROTECT_FROM_INT setting. So can anybody clarify whether 172.16.142.10 is an internal machine or not (I just assume it IS an INTERNAL MACHINE since it's connected through tun7), and why even with FW_PROTECT_FROM_INT="no" I need FW_SERVICES_ACCEPT_INT to let the firewall pass ssh requests from the road warrior? :question:

Thanks a lot!
Jiri

OK, some years after the first posting I have the same problem with openSUSE 13.1, with a slightly different setup.

I have an openSUSE openVPN gateway with IP address 10.92.nn.mm on interface ens34. The internal interface is ens32 with IP 192.168.10.5. The openVPN interface is tun7 on the network 192.168.11.0. Behind this interface are some internal hosts in the network 192.168.10.0/24. The connection to the openVPN server works fine from the clients, but I cannot use any service in the internal network 192.168.10.0/24.

If I try to connect to an RDP service via openVPN I get the following firewall trace (without the FW it works fine):

SFW2-FWDint-DROP-DEFLT IN=tun7 OUT=ens32 MAC= SRC=192.168.11.6 DST=192.168.10.43 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=245 DF PROTO=TCP SPT=27933 DPT=3389 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (0204055801010402)

My firewall settings are:

server> grep -v ^# /etc/sysconfig/SuSEfirewall2 | grep -v '"]"]' | grep -v ^$
FW_DEV_EXT="ens34"
FW_DEV_INT="ens32 tun7"
FW_ROUTE="yes"
FW_MASQUERADE="no"
FW_PROTECT_FROM_INT="no"
FW_SERVICES_EXT_UDP="1194"
FW_CONFIGURATIONS_EXT="sshd"
FW_SERVICES_ACCEPT_EXT="10.92.0.0/16,udp,1194"
FW_SERVICES_ACCEPT_INT="192.168.11.0/24,tcp
192.168.11.0/24,udp"
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="yes"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_ALLOW_FW_BROADCAST_EXT="no"
FW_ALLOW_FW_BROADCAST_INT="no"
FW_ALLOW_FW_BROADCAST_DMZ="no"
FW_IGNORE_FW_BROADCAST_EXT="yes"
FW_IGNORE_FW_BROADCAST_INT="no"
FW_IGNORE_FW_BROADCAST_DMZ="no"
FW_IPSEC_TRUST="no"
FW_ZONE_DEFAULT=''
FW_LOAD_MODULES="nf_conntrack_netbios_ns"

openVPN server configuration:

port 1194
proto udp
dev tun7
ca pki/ca.crt
cert pki/vpnserver.dlb.atos.net.crt
key pki/key/vpnserver.dlb.atos.net.key  # This file should be kept secret
dh dh.pem
server 192.168.11.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.10.0 255.255.255.0"
keepalive 10 120
comp-lzo
max-clients 10
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log-append /var/log/openvpn.log
verb 3

server> route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.92.nn.mm     0.0.0.0         UG    0      0        0 ens34
10.92.nn.mm     *               255.255.255.224 U     0      0        0 ens34
loopback        *               255.0.0.0       U     0      0        0 lo
192.168.10.0    *               255.255.255.0   U     0      0        0 ens32
192.168.11.0    192.168.11.2    255.255.255.0   UG    0      0        0 tun7
192.168.11.2    *               255.255.255.255 UH    0      0        0 tun7
Any ideas?
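Both drops quoted in this thread (the ssh attempt in the first post and the RDP attempt above) carry an SFW2 log prefix of the form SFW2-<chain><zone>-<action>-<reason>, which already says which netfilter chain and which zone the packet was judged in. The following parser is an added example, not code from either poster or from SuSEfirewall2 itself; it splits such lines into their parts and maps chain/zone to the /etc/sysconfig/SuSEfirewall2 variable that governs that path. The mapping table and the zone-mismatch check are my assumptions drawn from the fixes reported in this thread (FW_SERVICES_ACCEPT_INT for the INPUT chain, FW_FORWARD for the FORWARD chain), and the two sample log lines are constructed from the ones quoted here.

```python
import re

# Constructed sample log lines, modelled on the two drops quoted in this thread
# (the ssh attempt over tun7 in the 2008 post, the RDP attempt in the 2013 post).
SAMPLE_LOG = [
    "SFW2-INext-DROP-DEFLT IN=tun7 OUT= MAC= SRC=172.16.142.10 DST=172.16.142.1 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=56812 DF PROTO=TCP SPT=53120 DPT=22 "
    "WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405580402080A00E918B30000000001030304)",
    "SFW2-FWDint-DROP-DEFLT IN=tun7 OUT=ens32 MAC= SRC=192.168.11.6 DST=192.168.10.43 "
    "LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=245 DF PROTO=TCP SPT=27933 DPT=3389 "
    "WINDOW=8192 RES=0x00 SYN URGP=0 OPT (0204055801010402)",
]

# SuSEfirewall2 log prefix: SFW2-<chain><zone>-<action>-<reason>, e.g. SFW2-FWDint-DROP-DEFLT.
# IN/FWD/OUT are the netfilter chains, ext/int/dmz is the zone the firewall put the
# incoming interface in, DEFLT means no rule matched and the zone's default policy applied.
PREFIX_RE = re.compile(
    r"SFW2-(?P<chain>IN|OUT|FWD)(?P<zone>ext|int|dmz)?"
    r"-(?P<action>ACC|DROP|REJ)(?:-(?P<reason>[A-Z]+))?"
)
# KEY=VALUE pairs of the netfilter log line; OUT= and MAC= may legitimately be empty.
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")

# Which /etc/sysconfig/SuSEfirewall2 variable decides a packet on that chain/zone.
# Assumption drawn from the fixes reported in this thread, not an exhaustive table.
SETTING_FOR = {
    ("IN", "ext"): "FW_SERVICES_ACCEPT_EXT or FW_SERVICES_EXT_TCP/UDP",
    ("IN", "int"): "FW_SERVICES_ACCEPT_INT or FW_SERVICES_INT_TCP/UDP",
    ("IN", "dmz"): "FW_SERVICES_ACCEPT_DMZ or FW_SERVICES_DMZ_TCP/UDP",
    ("FWD", "int"): 'FW_FORWARD="src-net,dst-net" (needs FW_ROUTE="yes")',
    ("FWD", "ext"): 'FW_FORWARD / FW_FORWARD_MASQ (needs FW_ROUTE="yes")',
    ("FWD", "dmz"): 'FW_FORWARD (needs FW_ROUTE="yes")',
}


def parse_sfw2_line(line):
    """Split one SFW2 log line into prefix parts and packet fields; None if no prefix."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    entry = {k: (v or "") for k, v in m.groupdict().items()}
    entry["fields"] = dict(FIELD_RE.findall(line[m.end():]))
    return entry


def zone_mismatch(entry, zones):
    """True if the zone logged for the IN interface differs from the configured one.

    `zones` maps zone name -> list of interfaces (FW_DEV_EXT/INT/DMZ split on spaces).
    A mismatch usually means the running ruleset was not built from the config file
    being read (assumption: e.g. the file was edited but SuSEfirewall2 not restarted)."""
    iface = entry["fields"].get("IN", "")
    configured = next((z for z, ifaces in zones.items() if iface in ifaces), None)
    return configured is not None and entry["zone"] != "" and configured != entry["zone"]


def explain(entry):
    """One-line diagnosis: what was dropped where, and which setting governs it."""
    f = entry["fields"]
    dest_if = f.get("OUT") or "the firewall host itself"
    flow = (f"{f.get('PROTO', '?')} {f.get('SRC')}:{f.get('SPT', '-')} -> "
            f"{f.get('DST')}:{f.get('DPT', '-')}")
    setting = SETTING_FOR.get((entry["chain"], entry["zone"]), "an unmodelled chain/zone")
    return (f"{entry['action']} on chain {entry['chain']} zone {entry['zone'] or '?'} "
            f"({f.get('IN')} -> {dest_if}): {flow}; look at {setting}")


def analyze(lines, zones=None):
    """Explain every SFW2 line; flag zone mismatches when the configured zones are given."""
    out = []
    for line in lines:
        entry = parse_sfw2_line(line)
        if entry is None:
            continue
        text = explain(entry)
        if zones and zone_mismatch(entry, zones):
            text += f" [zone mismatch: {entry['fields'].get('IN')} is configured in another zone]"
        out.append(text)
    return out


if __name__ == "__main__":
    # Zones as listed in the 2008 post: tun7 declared internal, yet its packet hit the ext chain.
    for msg in analyze(SAMPLE_LOG, {"ext": ["eth0"], "int": ["tun7"]}):
        print(msg)
```

Run against the first post's line it reports an INPUT drop on the ext zone for tun7 and flags the mismatch with FW_DEV_INT='tun7'; against the RDP line it reports a FORWARD drop from tun7 to ens32 in the int zone and points at FW_FORWARD, which is the line the last post adds. Lines without an SFW2 prefix are skipped.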

I doubt it is very clever to hang a new question at the end of such an old thread. It will of course not show in the list of new threads. I only arrived here by accident.

Better start a new thread. You can of course place a link to this one there when you think that is useful.

Thanks Henk for the advice, but now I have a solution for my problem.

I have added

FW_FORWARD="192.168.11.0/24,192.168.10.0/24"

to the firewall configuration and it works now. It seems to me that it's not possible to add this by using YaST. You have to modify the FW configuration file manually.
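Because the fix had to go into the file by hand, it helps to be able to check, offline, what a given /etc/sysconfig/SuSEfirewall2 says about a specific packet before reloading the firewall. The checker below is an added example, not the poster's code and not SuSEfirewall2's own logic: it reads the file the way the shell does (quotes, comments, the multi-line FW_SERVICES_ACCEPT_INT value shown above), then evaluates FW_FORWARD for a routed packet and FW_SERVICES_ACCEPT_<ZONE> / FW_SERVICES_<ZONE>_<PROTO> for a packet addressed to the firewall host. The entry formats it assumes are "net,proto[,dport]" for FW_SERVICES_ACCEPT_* and "srcnet,dstnet[,proto[,dport]]" for FW_FORWARD; FW_CONFIGURATIONS_* service files and FW_PROTECT_FROM_INT, whose effect this thread leaves unresolved, are deliberately not modelled, and it judges new connections only (replies are handled by connection tracking, not by these lists). The sample configuration is constructed from the 2013 post plus the FW_FORWARD line just added.

```python
import ipaddress
import shlex

# Constructed sample in /etc/sysconfig/SuSEfirewall2 syntax, modelled on the 2013 post
# plus the FW_FORWARD line its author finally added by hand.
SAMPLE_CONFIG = '''
## comments and blank lines are skipped; quoted values may span lines
FW_DEV_EXT="ens34"
FW_DEV_INT="ens32 tun7"
FW_ROUTE="yes"
FW_MASQUERADE="no"
FW_PROTECT_FROM_INT="no"
FW_SERVICES_EXT_UDP="1194"
FW_SERVICES_ACCEPT_EXT="10.92.0.0/16,udp,1194"
FW_SERVICES_ACCEPT_INT="192.168.11.0/24,tcp
192.168.11.0/24,udp"
FW_FORWARD="192.168.11.0/24,192.168.10.0/24"
'''


def parse_config(text):
    """Read KEY=VALUE assignments as the shell would (quotes, comments, multi-line values)."""
    cfg = {}
    for token in shlex.split(text, comments=True):
        key, sep, value = token.partition("=")
        if sep and key.startswith("FW_"):
            cfg[key] = value
    return cfg


def to_network(spec):
    """Accept SuSEfirewall2 network shorthands such as 0/0, 10.92.0.0/16 or a bare host."""
    addr, _, plen = spec.partition("/")
    octets = addr.split(".")
    addr = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{addr}/{plen or 32}", strict=False)


def port_matches(spec, port):
    """spec is a single port or a from:to range, as used in FW_SERVICES_*."""
    lo, _, hi = spec.partition(":")
    return int(lo) <= port <= int(hi or lo)


def zone_of(cfg, iface):
    """Zone an interface belongs to according to FW_DEV_EXT/INT/DMZ, or None."""
    for zone in ("ext", "int", "dmz"):
        if iface in cfg.get(f"FW_DEV_{zone.upper()}", "").split():
            return zone
    return None


def input_allowed(cfg, zone, src, proto, dport):
    """Would a new connection to the firewall host itself be accepted on this zone?

    Models FW_SERVICES_<ZONE>_<PROTO> (port list, any source) and
    FW_SERVICES_ACCEPT_<ZONE> (net,proto[,dport] entries). Assumption: FW_CONFIGURATIONS_*
    service files and FW_PROTECT_FROM_INT are left out of the model."""
    z = zone.upper()
    for spec in cfg.get(f"FW_SERVICES_{z}_{proto.upper()}", "").split():
        if port_matches(spec, dport):
            return True
    for entry in cfg.get(f"FW_SERVICES_ACCEPT_{z}", "").split():
        parts = entry.split(",")
        if len(parts) < 2 or parts[1] != proto:
            continue
        if ipaddress.ip_address(src) not in to_network(parts[0]):
            continue
        if len(parts) > 2 and parts[2] and not port_matches(parts[2], dport):
            continue
        return True
    return False


def forward_allowed(cfg, src, dst, proto, dport):
    """Would a new routed connection pass the FORWARD chain?

    FW_FORWARD entries are srcnet,dstnet[,proto[,dport]] and are direction-specific;
    they only take effect with FW_ROUTE="yes"."""
    if cfg.get("FW_ROUTE") != "yes":
        return False
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for entry in cfg.get("FW_FORWARD", "").split():
        parts = entry.split(",")
        if len(parts) < 2:
            continue
        if s not in to_network(parts[0]) or d not in to_network(parts[1]):
            continue
        if len(parts) > 2 and parts[2] != proto:
            continue
        if len(parts) > 3 and not port_matches(parts[3], dport):
            continue
        return True
    return False


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    # The RDP packet from the 2013 post's trace: tun7 (int) -> ens32 (int), tcp/3389.
    print("tun7 zone:", zone_of(cfg, "tun7"))
    print("forward 192.168.11.6 -> 192.168.10.43 tcp/3389:",
          forward_allowed(cfg, "192.168.11.6", "192.168.10.43", "tcp", 3389))
    print("ssh to firewall from VPN client:",
          input_allowed(cfg, "int", "192.168.11.6", "tcp", 22))
```

With the FW_FORWARD line present the RDP packet is forwarded; remove it and the same call returns False, which matches the SFW2-FWDint-DROP-DEFLT trace above. The function is a model of what the file says, not of the rules actually loaded, so after editing the file the firewall still has to be reloaded for the kernel to agree with it.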