Shorewall: allow communication between VPN clients

If you set up Linux as a PPTP or L2TP/IPsec VPN server, every client connection gets its own pppX interface on the server (ppp0, ppp1, and so on). Your Shorewall interface configuration may look like this:

/etc/shorewall/interfaces

#zone interface broadcast options
l2tp    ppp+    -

Assume client A connects and gets IP 192.168.1.100 on ppp0, and client B gets IP 192.168.1.101 on ppp1. When client A tries to ping client B, you may see the following Shorewall log entry:

Jul  8 00:19:20 vpngateway kernel: Shorewall:FORWARD:REJECT:IN=ppp0 OUT=ppp1 SRC=192.168.1.100 DST=192.168.1.101 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=311 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=52

The packet is rejected because ppp0 and ppp1 both match the single wildcard entry ppp+, so Shorewall treats the traffic as leaving through the same interface it arrived on, which it does not allow unless told to. If you really intend the connected VPN clients to be able to communicate with each other, add the routeback option to that entry in the Shorewall interfaces file, like this:

#zone interface broadcast options
l2tp    ppp+    -       routeback
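To check a Shorewall reject line against the interfaces file and spot exactly this case before editing anything, here is an added Python example (written for this post, not code from the post or from Shorewall). The interfaces file and the log line are constructed samples in the format shown above, and the trailing "+" wildcard matching follows the shorewall-interfaces man page.

```python
import re

# Constructed sample of /etc/shorewall/interfaces (same layout as the post's snippet)
INTERFACES = """\
#zone   interface   broadcast   options
net     eth0        detect      tcpflags,nosmurfs
l2tp    ppp+        -
"""

# Constructed Shorewall kernel log line in the format shown in the post
LOG_LINE = ("Jul  8 00:19:20 vpngateway kernel: Shorewall:FORWARD:REJECT:IN=ppp0 OUT=ppp1 "
            "SRC=192.168.1.100 DST=192.168.1.101 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=311 "
            "PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=52")


def parse_interfaces(text):
    """Return (zone, interface, set-of-options) tuples from a Shorewall interfaces file."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        options = set(fields[3].split(",")) if len(fields) > 3 else set()
        entries.append((fields[0], fields[1], options))
    return entries


def iface_matches(pattern, name):
    """Shorewall wildcard: a trailing '+' matches any suffix, so ppp+ matches ppp0 and ppp12."""
    if pattern.endswith("+"):
        return name.startswith(pattern[:-1])
    return name == pattern


def parse_log(line):
    """Pull chain, action, IN/OUT interfaces and SRC/DST out of a Shorewall log line."""
    m = re.search(r"Shorewall:(\w+):(\w+):IN=(\S*) OUT=(\S*) .*?SRC=(\S+) DST=(\S+)", line)
    if not m:
        return None
    chain, action, in_if, out_if, src, dst = m.groups()
    return {"chain": chain, "action": action, "in": in_if, "out": out_if, "src": src, "dst": dst}


def diagnose(log_line, interfaces_text):
    """Explain a FORWARD reject whose IN and OUT both fall under one entry lacking routeback."""
    ev = parse_log(log_line)
    if ev is None or ev["chain"] != "FORWARD":
        return None
    for zone, iface, options in parse_interfaces(interfaces_text):
        if iface_matches(iface, ev["in"]) and iface_matches(iface, ev["out"]):
            if "routeback" in options:
                return None       # routeback already set; the cause lies in policies or rules
            return (f"{ev['src']} -> {ev['dst']} rejected: {ev['in']} and {ev['out']} both match "
                    f"'{iface}' (zone {zone}), which lacks the routeback option")
    return None
```

Running diagnose(LOG_LINE, INTERFACES) names ppp+ as the entry missing routeback; once the option is added, the same log line yields no diagnosis.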

Reference: shorewall-interfaces man page
