Posted by danielmeyer on October 10, 2009
I wanted to configure my home Linux box with vpnc. I had done this before, but I’ve lost track of the documentation I made at the time.
First, I ran pcf2vpnc on the .pcf configuration file — what an easy way to get the .conf file needed by vpnc!
Then I tried running vpnc. From the messages it gave, it looked like I was successfully connected… but I couldn’t ping any servers… hmm.
After a few minutes, it began to dawn on me that I had experienced a very similar issue before, and that time it wasn’t the vpnc configuration. It was the firewall that was rejecting all traffic from the vpn.
I stopped shorewall and sure enough, I was able to get into the network and ping things.
- Added this line to /etc/shorewall/zones:
- Added this line to /etc/shorewall/interfaces:
vpnc tun0 detect
- Added this line to /etc/shorewall/tunnels, replacing xx.xx.xx.xx with the IP address of my router:
generic:udp:500 net xx.xx.xx.xx
- Finally, I believe I added this fw vpnc ACCEPT line to /etc/shorewall/policy:
fw vpnc ACCEPT
net all DROP info
all all REJECT info
(I believe this line needs to be above the more general net-all-DROP and all-all-REJECT lines, as shown.)
I then restarted shorewall and I was off and running.
Basically, I guess we’re telling shorewall to allow all traffic from the firewall to the vpn interface, which it would otherwise deny by default. I need to get a deeper understanding of what’s going on here, though.
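As an added check (example code written for this post, not something from the original or from shorewall itself; it assumes a policy file in the three-column SOURCE DEST POLICY layout shown above), this POSIX shell function reports whether the fw vpnc ACCEPT policy sits above the catch-all DROP/REJECT lines, since shorewall applies the first matching policy:

```shell
# check_policy_order FILE
# Walks a shorewall policy file and confirms that the specific
# "fw vpnc ACCEPT" entry appears before any "<zone> all DROP|REJECT"
# catch-all, which would otherwise shadow it.
# Returns 0 if the order is fine, 1 if no ACCEPT entry exists,
# 2 if the ACCEPT entry is below a catch-all.
check_policy_order() {
    policy_file="$1"
    accept_line=0
    first_catchall=0
    n=0
    # read splits each line on whitespace: SOURCE DEST POLICY [extra columns]
    while read -r src dst pol rest; do
        n=$((n + 1))
        # skip blank lines and comments
        case "$src" in ''|\#*) continue ;; esac
        if [ "$src" = "fw" ] && [ "$dst" = "vpnc" ] && [ "$pol" = "ACCEPT" ] \
           && [ "$accept_line" -eq 0 ]; then
            accept_line=$n
        elif [ "$dst" = "all" ] && { [ "$pol" = "DROP" ] || [ "$pol" = "REJECT" ]; } \
             && [ "$first_catchall" -eq 0 ]; then
            first_catchall=$n
        fi
    done < "$policy_file"

    if [ "$accept_line" -eq 0 ]; then
        echo "no 'fw vpnc ACCEPT' policy found in $policy_file" >&2
        return 1
    fi
    if [ "$first_catchall" -ne 0 ] && [ "$accept_line" -gt "$first_catchall" ]; then
        echo "'fw vpnc ACCEPT' (line $accept_line) is shadowed by the catch-all on line $first_catchall" >&2
        return 2
    fi
    echo "policy order OK: 'fw vpnc ACCEPT' on line $accept_line precedes any catch-all"
    return 0
}
```

Run it as `check_policy_order /etc/shorewall/policy` after editing the file and before restarting shorewall.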
Thanks to Gary Court and Tobias Weisserth, whose posts were helpful!
Posted in Technical Stuff | Tagged: firewall, security, shorewall, vpnc
Posted by danielmeyer on September 17, 2008
(It was just a sudo problem…)
Maybe a few weeks ago, I logged in to one of my Linux boxen and tried to use sudo to start the VPN client. It said that my user was not authorized to use sudo. “Huh,” I thought. So instead I just su’d to start the client, and that worked. I checked /etc/sudoers, but didn’t see anything that looked amiss.
Then, I think last week, I couldn’t connect to the VPN even using this strategy. I thought I had uninstalled one too many kernel modules (when the auto-updater lists the packages that are going to be updated, I’ve several times noticed packages I don’t need and uninstalled them before updating, to save time and disk space; I don’t really need ALL the localization packages for Firefox, for instance)…
Solving the Connection Problem
It turns out the second issue had an easy solution: the VPN access point had changed, and I just needed to edit /etc/vpnc/name-of-vpnc-configuration.conf and update the IP address on the IPSec gateway line.
Solving the Sudo Problem
Now that the VPN connection was working, I was motivated to see if I could also get sudo working again.
The part of my /etc/sudoers file that looked like it had anything to do with anything was this:
%vpnusers localhost=NOPASSWD: /usr/sbin/vpnc-disconnect
I verified that my user is a member of the vpnusers group (besides, this had been working, and I didn’t remember removing my user from any groups). I looked over the EXAMPLES section of the Sudoers Manual, and after some cogitation, it hit me: I had recently changed the hostname of my Linux box from simply localhost to something else. Using visudo, I changed these lines so that vpnusers have permissions on the somethingelse host instead of on localhost:
%vpnusers somethingelse=NOPASSWD: /usr/sbin/vpnc-disconnect
And now sudo works again.
Posted in Technical Stuff | Tagged: Linux, sudo, vpnc