Shorewall: allow communication between VPN clients

If you set up Linux as a PPTP or L2TP/IPsec VPN server, every client connection gets its own pppN interface on the server. You may have a Shorewall interfaces config like this:

#zone interface broadcast options
l2tp    ppp+    -

Assume that client A connects and is assigned ppp0, and client B is assigned ppp1. When client A tries to ping client B, you may see the following Shorewall log entry:

Jul  8 00:19:20 vpngateway kernel: Shorewall:FORWARD:REJECT:IN=ppp0 OUT=ppp1 SRC= DST= LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=311

In this case, if you really do want the connected VPN clients to be able to talk to each other, add the routeback option to the interface entry in the shorewall-interfaces config file, like this:

#zone interface broadcast options
l2tp    ppp+    -       routeback
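As an added example (not from the original post), here is a small shell script that scans Shorewall log lines for FORWARD rejects where both IN and OUT are ppp interfaces, which is the signature of client-to-client VPN traffic being blocked by a ppp+ entry without routeback. The log lines and the 10.8.0.x addresses are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the original post. Detect Shorewall FORWARD
# rejects between two ppp interfaces (VPN client to VPN client), which is
# what you see when the ppp+ interface entry lacks the routeback option.
# SAMPLE_LOG holds constructed log lines; the 10.8.0.x addresses are made up.

SAMPLE_LOG='Jul  8 00:19:20 vpngateway kernel: Shorewall:FORWARD:REJECT:IN=ppp0 OUT=ppp1 SRC=10.8.0.2 DST=10.8.0.3 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=311
Jul  8 00:19:21 vpngateway kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.1 LEN=40
Jul  8 00:19:22 vpngateway kernel: Shorewall:FORWARD:REJECT:IN=ppp1 OUT=eth0 SRC=10.8.0.3 DST=198.51.100.9 LEN=52
Jul  8 00:19:23 vpngateway kernel: Shorewall:FORWARD:REJECT:IN=ppp2 OUT=ppp0 SRC=10.8.0.4 DST=10.8.0.2 LEN=60'

# Read log lines on stdin; print "IN OUT SRC DST" for each reject where both
# interfaces are pppN, i.e. both sides matched the same wildcard ppp+ entry.
ppp_routeback_rejects() {
    awk '
        /Shorewall:FORWARD:REJECT:/ {
            # The chain/target prefix is glued to IN= with colons; split it off.
            gsub(/:/, " ")
            in_if = ""; out_if = ""; src = ""; dst = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^IN=/)  in_if  = substr($i, 4)
                if ($i ~ /^OUT=/) out_if = substr($i, 5)
                if ($i ~ /^SRC=/) src    = substr($i, 5)
                if ($i ~ /^DST=/) dst    = substr($i, 5)
            }
            if (in_if ~ /^ppp[0-9]+$/ && out_if ~ /^ppp[0-9]+$/)
                print in_if, out_if, src, dst
        }'
}

# Number of client-to-client rejects in the sample; non-zero means the
# routeback option is the likely fix.
count_ppp_rejects() {
    printf '%s\n' "$SAMPLE_LOG" | ppp_routeback_rejects | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_LOG" | ppp_routeback_rejects
```

On a live gateway, feed the script the real log instead, for example `journalctl -k | ppp_routeback_rejects`.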

Reference: shorewall-interfaces man page
