vpnc and shorewall

I wanted to configure my home Linux box with vpnc.  I had done this before, but I’ve lost track of the documentation I made at the time.

First, I ran pcf2vpnc on the .pcf configuration file — what an easy way to get the .conf file needed by vpnc!

Then I tried running vpnc.  From the messages it gave, it looked like I was successfully connected… but I couldn’t ping any servers… hmm.

Diagnosing

After a few minutes, it began to dawn on me that I had experienced a very similar issue before, and that time it wasn’t the vpnc configuration.  It was the firewall that was rejecting all traffic from the vpn.

I stopped shorewall and sure enough, I was able to get into the network and ping things.

Solving

I:

  1. Added this line to /etc/shorewall/zones:
    vpnc  ipv4
    
  2. Added this line to /etc/shorewall/interfaces:
    vpnc  tun0  detect
    
  3. Added this line to /etc/shorewall/tunnels, replacing xx.xx.xx.xx with the IP address of my router:
    generic:udp:500    net  xx.xx.xx.xx
    
  4. Finally, I believe I added this fw vpnc ACCEPT line to /etc/shorewall/policy:
    fw      vpnc    ACCEPT
    net     all     DROP    info
    all     all     REJECT  info

    (I believe this line needs to be above the more general net-all-DROP and all-all-REJECT lines, as shown.)

I then restarted shorewall and I was off and running.

Basically I guess we’re telling shorewall to allow all traffic from the firewall to the vpn interface, which by default it would otherwise deny.  I need to get a deeper understanding of what’s going on here, though.
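The four fragments from the steps above, collected into one scratch example that is not part of the original post: it writes copies of the zones, interfaces, tunnels and policy files into a temporary directory (never into /etc/shorewall) and runs a small first-match lookup over two orderings of the policy file. That lookup is the property the parenthetical in step 4 relies on: Shorewall applies the first policy line whose SOURCE and DEST match, with "all" matching any zone, so an "fw vpnc ACCEPT" placed after "all all REJECT" is never reached. The interface name eth0, the net zone, the "fw net ACCEPT" policy and the gateway address 203.0.113.10 are assumptions; the gateway is the address on the "IPSec gateway" line of the vpnc .conf. One caveat: generic:udp:500 only covers IKE. vpnc's default NAT Traversal Mode (natt) carries the encrypted traffic over UDP 4500, which still works here because the firewall host initiates the connection, so the fw-to-net policy plus connection tracking lets the replies back in.

```shell
#!/bin/sh
# Added example: scratch copies of the Shorewall fragments from the post, plus a
# first-match lookup showing why "fw vpnc ACCEPT" must sit above the catch-alls.
# Nothing here touches /etc/shorewall.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
GATEWAY="203.0.113.10"   # constructed placeholder for xx.xx.xx.xx (the IPsec gateway)

# zones: "fw" is the firewall itself (listed explicitly in recent Shorewall
# versions); "net" is assumed to exist already; "vpnc" is the new tunnel zone.
cat >"$WORK/zones" <<'EOF'
#ZONE   TYPE
fw      firewall
net     ipv4
vpnc    ipv4
EOF

# interfaces: eth0 is an assumed name; tun0 is the interface vpnc brings up.
cat >"$WORK/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST
net     eth0        detect
vpnc    tun0        detect
EOF

# tunnels: allow IKE (UDP 500) between the firewall and the IPsec gateway in net.
cat >"$WORK/tunnels" <<EOF
#TYPE            ZONE   GATEWAY
generic:udp:500  net    $GATEWAY
EOF

# policy in the order the post recommends: specific entries before the catch-alls
cat >"$WORK/policy.good" <<'EOF'
#SOURCE  DEST   POLICY   LOG
fw       net    ACCEPT
fw       vpnc   ACCEPT
net      all    DROP     info
all      all    REJECT   info
EOF

# the same lines with the vpnc policy after the catch-alls, for comparison
cat >"$WORK/policy.bad" <<'EOF'
#SOURCE  DEST   POLICY   LOG
fw       net    ACCEPT
net      all    DROP     info
all      all    REJECT   info
fw       vpnc   ACCEPT
EOF

# first_policy FILE SRC DST: print the POLICY column of the first non-comment
# line whose SOURCE and DEST match; "all" matches any zone. Prints NONE if no
# line matches at all.
first_policy() {
    file=$1; src=$2; dst=$3
    while read -r s d p rest; do
        case "$s" in ''|'#'*) continue ;; esac
        [ "$s" = "$src" ] || [ "$s" = all ] || continue
        [ "$d" = "$dst" ] || [ "$d" = all ] || continue
        printf '%s\n' "$p"
        return 0
    done <"$file"
    echo NONE
}

echo "fw -> vpnc, ACCEPT above the catch-alls: $(first_policy "$WORK/policy.good" fw vpnc)"
echo "fw -> vpnc, ACCEPT below the catch-alls: $(first_policy "$WORK/policy.bad" fw vpnc)"
echo "net -> vpnc, unsolicited traffic from the internet: $(first_policy "$WORK/policy.good" net vpnc)"
echo "vpnc -> fw, traffic arriving over the tunnel: $(first_policy "$WORK/policy.good" vpnc fw)"
```

The last two lines are the part worth keeping in mind: with these policies the firewall host may talk into the tunnel, but nothing on the far side of the VPN can open connections back to it, which is the sensible default for a client box.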

Thanks to Gary Court and Tobias Weisserth, whose posts were helpful!

My “problem”

(It was just a sudo-problem…)

Sudo Problem

Maybe a few weeks ago, I logged in to one of my Linux boxen and tried to use sudo to start the VPN client.  It said that my user was not authorized to use sudo.  “Huh,” I thought.  So instead I just su’d to start the client, and that worked. I checked /etc/sudoers, but didn’t see anything that looked amiss.

Connection Problem

Then, I think last week, I couldn’t connect to the VPN even using this strategy.  I thought I had uninstalled one too many kernel modules (when the auto-updater shows the packages that are going to be updated, several times I’ve noticed packages I don’t need, and uninstalled them before updating, to save time and disk space — I don’t really need ALL the localization packages for Firefox, for instance)…

Solving the Connection Problem

It turns out the second issue had an easy solution: the VPN access point had changed, and I just needed to edit /etc/vpnc/name-of-vpnc-configuration.conf and update the IP address on the IPSec gateway line.

Solving the Sudo Problem

Now that the VPN connection was working, I was motivated to see if I could also get sudo working again.

The part of my /etc/sudoers file that looked like it had anything to do with anything was this:

%vpnusers    localhost=/usr/sbin/vpnc
%vpnusers    localhost=NOPASSWD: /usr/sbin/vpnc-disconnect

I verified that my user is a member of the vpnusers group (besides, this had been working, and I didn’t remember removing my user from any groups)… I looked over the EXAMPLES section of the Sudoers Manual, and after some cogitation, it hit me: I had recently changed the hostname of my Linux box from simply localhost to something else.  Using visudo, I changed these lines so that vpnusers have permissions on the somethingelse host instead of on localhost:

%vpnusers    somethingelse=/usr/sbin/vpnc
%vpnusers    somethingelse=NOPASSWD: /usr/sbin/vpnc-disconnect

And now sudo works again.
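As a check for this failure mode, here is an added example that is not part of the original post: a small lint that reads a sudoers fragment and reports every user specification whose Host_List does not cover the hostname you pass in, which is exactly how the two vpnusers rules went dead after the rename from localhost. The fragment is constructed (the post's two rules plus an assumed %admin rule), and the parser only understands the simple one-line form shown above, with no spaces inside a comma-separated Host_List.

```shell
#!/bin/sh
# Added example (not from the post): report sudoers rules whose Host_List will
# never match the given hostname. Reads a scratch copy, never /etc/sudoers.
set -eu

SUDOERS=$(mktemp)
trap 'rm -f "$SUDOERS"' EXIT

# constructed fragment: the post's two rules plus an assumed host-independent one
cat >"$SUDOERS" <<'EOF'
# members of vpnusers may bring the tunnel up and down
%vpnusers    localhost=/usr/sbin/vpnc
%vpnusers    localhost=NOPASSWD: /usr/sbin/vpnc-disconnect
%admin       ALL=(ALL) ALL
EOF

# host_matches HOST_LIST HOSTNAME: succeed if HOSTNAME, or the keyword ALL,
# appears in the comma-separated Host_List.
host_matches() {
    list=$1; host=$2
    old_ifs=$IFS; IFS=,
    set -- $list
    IFS=$old_ifs
    for h in "$@"; do
        if [ "$h" = ALL ] || [ "$h" = "$host" ]; then
            return 0
        fi
    done
    return 1
}

# stale_rules FILE HOSTNAME: print each user specification in FILE whose
# Host_List does not cover HOSTNAME; prints nothing when every rule applies.
stale_rules() {
    file=$1; host=$2
    while read -r line; do
        # skip blanks, comments, Defaults and alias definitions
        case "$line" in ''|'#'*|Defaults*|*_Alias*) continue ;; esac
        # a user specification is  USER  HOST_LIST=(RUNAS) COMMANDS;
        # the second whitespace-separated token carries HOST_LIST up to '='
        set -- $line
        [ $# -ge 2 ] || continue
        hosts=${2%%=*}
        host_matches "$hosts" "$host" || printf '%s\n' "$line"
    done <"$file"
}

echo "rules that never match when the hostname is localhost:"
stale_rules "$SUDOERS" localhost
echo "rules that never match when the hostname is somethingelse:"
stale_rules "$SUDOERS" somethingelse
```

On a real box the equivalent quick checks are "hostname" next to the Host_List column, and "sudo -l", which lists what the invoking user may run on the current host; an empty list for a rule you expect to see is the symptom. For a single machine, writing the rule with ALL in the host column avoids the dependency on the hostname entirely.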