De acordo com os registros do firewall, você se esqueceu de permitir as consultas do DNS.
Permitir a porta 53 udp e sua configuração funcionará melhor!
Eu tenho uma instalação do Debian com shorewall, openvpn e google authenticator. Eu posso obter uma conexão vpn - mas eu não posso obter qualquer tráfego através de LAN local ou à internet - o que estou faltando aqui:
Minha configuração do tipo shorewall
shorewall.conf
IP_FORWARDING On
/ etc / shorewall / interfaces
net eth0 tcpflags,dhcp,nosmurfs,routefilter,logmartians,sourceroute=0
loc eth1 tcpflags,dhcp,nosmurfs,routefilter,logmartians
dmz eth2 tcpflags,dhcp,nosmurfs,routefilter,logmartians
road tun tcpflags,logmartians,nosmurfs
/ etc / shorewall / zones
fw firewall
net ipv4
loc ipv4
dmz ipv4
road ipv4
/ etc / shorewall / rules
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW
VNC/ACCEPT loc all
Invalid(DROP) net all tcp
DNS(ACCEPT) $FW net
DNS(ACCEPT) loc net
SSH(ACCEPT) loc $FW
SSH(ACCEPT) loc dmz
Webmin/ACCEPT loc fw
DNS(ACCEPT) dmz net
Ping(DROP) net $FW
Ping(ACCEPT) loc $FW
Ping(ACCEPT) dmz $FW
Ping(ACCEPT) loc dmz
Ping(ACCEPT) dmz loc
Ping(ACCEPT) dmz net
ACCEPT $FW loc icmp
ACCEPT $FW net icmp
ACCEPT $FW dmz icmp
ACCEPT net road all
ACCEPT road net all
/ etc / shorewall / policy
loc net ACCEPT
net all DROP info
$FW net ACCEPT
dmz net ACCEPT
road net ACCEPT
all all REJECT info
/ etc / shorewall / masq
eth0 192.168.0.0/16
Configuração do Openvpn
client.ovpn
client
dev tun
proto udp
remote xxx.yyy.zzz.2 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca ca.crt
cert huawiphone.crt
key huaweiphone.key
ns-cert-type server
comp-lzo
verb 3
auth-user-pass
server.conf
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh2048.pem
server 192.168.3.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 80.71.82.82"
push "dhcp-option DNS 80.71.82.83"
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 9
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn
Interfaces
eth0 Link encap:Ethernet HWaddr 00:ec:ac:ce:e0:34
inet addr:xxx.yyy.zzz.2 Bcast:xxx.yyy.zzz.127 Mask:255.255.255.128
inet6 addr: fe80::2ec:acff:fece:e034/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:20128722 errors:0 dropped:0 overruns:0 frame:0
TX packets:9698662 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:29269888673 (27.2 GiB) TX bytes:879126006 (838.3 MiB)
Interrupt:16 Memory:d0900000-d0920000
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:192.168.3.1 P-t-P:192.168.3.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:4185 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:261836 (255.6 KiB) TX bytes:0 (0.0 B)
Registre mensagens do shorewall ao tentar acessar a Internet através da vpn
Apr 23 17:44:05 firewall kernel: [430997.653171] Shorewall:FORWARD:REJECT:IN=tun0 OUT=eth0 MAC= SRC=192.168.3.6 DST=8.8.8.8 LEN=65 TOS=0x00 PREC=0x00 TTL=63 ID=205 DF PROTO=UDP SPT=10225 DPT=53 LEN=45
Apr 23 17:44:05 firewall kernel: [430997.653228] Shorewall:OUTPUT:REJECT:IN= OUT=tun0 SRC=192.168.3.1 DST=192.168.3.6 LEN=93 TOS=0x00 PREC=0xC0 TTL=64 ID=19793 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.3.6 DST=8.8.8.8 LEN=65 TOS=0x00 PREC=0x00 TTL=63 ID=205 DF PROTO=UDP SPT=10225 DPT=53 LEN=45 ]
Apr 23 17:44:07 firewall kernel: [430999.075572] Shorewall:FORWARD:REJECT:IN=tun0 OUT=eth0 MAC= SRC=192.168.3.6 DST=8.8.8.8 LEN=77 TOS=0x00 PREC=0x00 TTL=63 ID=220 DF PROTO=UDP SPT=18202 DPT=53 LEN=57
Apr 23 17:44:07 firewall kernel: [430999.075610] Shorewall:OUTPUT:REJECT:IN= OUT=tun0 SRC=192.168.3.1 DST=192.168.3.6 LEN=105 TOS=0x00 PREC=0xC0 TTL=64 ID=20021 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.3.6 DST=8.8.8.8 LEN=77 TOS=0x00 PREC=0x00 TTL=63 ID=220 DF PROTO=UDP SPT=18202 DPT=53 LEN=57 ]
Apr 23 17:44:07 firewall kernel: [430999.178094] Shorewall:FORWARD:REJECT:IN=tun0 OUT=eth0 MAC= SRC=192.168.3.6 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=231 DF PROTO=UDP SPT=12211 DPT=53 LEN=40
Apr 23 17:44:07 firewall kernel: [430999.178132] Shorewall:OUTPUT:REJECT:IN= OUT=tun0 SRC=192.168.3.1 DST=192.168.3.6 LEN=88 TOS=0x00 PREC=0xC0 TTL=64 ID=20044 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.3.6 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=231 DF PROTO=UDP SPT=12211 DPT=53 LEN=40 ]
Apr 23 17:44:07 firewall kernel: [430999.186969] Shorewall:FORWARD:REJECT:IN=tun0 OUT=eth0 MAC= SRC=192.168.3.6 DST=8.8.8.8 LEN=70 TOS=0x00 PREC=0x00 TTL=63 ID=232 DF PROTO=UDP SPT=31313 DPT=53 LEN=50
De acordo com os registros do firewall, você se esqueceu de permitir as consultas do DNS.
Permitir a porta 53 udp e sua configuração funcionará melhor!