From 59686cabbf92f3b4114ae21c99064131382eb976 Mon Sep 17 00:00:00 2001 From: teastep Date: Wed, 22 Mar 2006 22:38:38 +0000 Subject: [PATCH] Update OPENVPN to use 'route' command rather than 'up' command git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3712 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall/compiler | 2 +- docs/OPENVPN.xml | 6 ++-- docs/XenMyWay.xml | 69 ++++++++++++++++++++++++++++++---------------- 3 files changed, 50 insertions(+), 27 deletions(-) diff --git a/Shorewall/compiler b/Shorewall/compiler index 72d090ff6..8a44126e7 100755 --- a/Shorewall/compiler +++ b/Shorewall/compiler @@ -9220,7 +9220,7 @@ case "$COMMAND" in compile_firewall $2 ;; - call) + call) # # Undocumented way to call functions in /usr/share/shorewall/compiler directly # diff --git a/docs/OPENVPN.xml b/docs/OPENVPN.xml index f1d965abf..7ea4f173c 100644 --- a/docs/OPENVPN.xml +++ b/docs/OPENVPN.xml @@ -21,7 +21,7 @@ - 2006-03-19 + 2006-03-21 2003 @@ -181,7 +181,7 @@ openvpn:tcp:7777 net 134.28.54.2 local 206.162.148.9 remote 134.28.54.2 ifconfig 192.168.99.1 192.168.99.2 -up ./route-a.up +route 10.0.0.0 255.0.0.0 192.168.99.2 tls-server dh dh1024.pem ca ca.crt @@ -217,7 +217,7 @@ openvpn net 206.191.148.9 local 134.28.54.2 remote 206.162.148.9 ifconfig 192.168.99.2 192.168.99.1 -up ./route-b.up +route 192.168.1.0 255.255.255.0 192.168.99.1 tls-client ca ca.crt cert my-b.crt diff --git a/docs/XenMyWay.xml b/docs/XenMyWay.xml index 48c1bf0f4..0160e1e0d 100644 --- a/docs/XenMyWay.xml +++ b/docs/XenMyWay.xml @@ -15,7 +15,7 @@ - 2006-03-20 + 2006-03-21 2006 @@ -110,7 +110,8 @@ eth0 -- conntected to the switch in my office. That switch is cabled to a second switch in my wife's office where there is my wife's desktop and her networked - printer. + printer (sure which there had been wireless back when I strung that + CAT-5 cable halfway across the house). @@ -279,7 +280,7 @@ done
- Dom0 Shorewall Configuration + Dom0 Configuration The goals for the Shorewall configuration in Dom0 are as follows: @@ -349,7 +350,7 @@ SECTION NEW
- Firewall DomU Shorewall Configuration + Firewall DomU Configuration In the firewall DomU, I run a conventional three-interface firewall with Proxy ARP DMZ -- it is very similar to the firewall @@ -493,7 +494,10 @@ vpn tun+ - 206.124.146.180 $EXT_IF 192.168.1.6 No No #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE - /etc/shorewall/masq: + /etc/shorewall/masq (Note the cute drick here and in + the proxyarp file that follows that allows me to + access the DSL "Modem" using it's default IP address + (192.168.1.1)): #INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC +$EXT_IF:192.168.1.1 0.0.0.0/0 192.168.1.254 @@ -697,18 +701,20 @@ DROP net:82.96.96.3 all
Wireless Gateway DomU Configuration - The Shorewall configuration in the 'wireless' DomU is very - simple-minded. It's sole purpose is to protect the local network from - the Wireless net by restricting wireless access to clients that have - established an OpenVPN Bridged - connection. This configuration illustrates that you can use any Linux - system on your internal LAN as a wireless gateway -- it doesn't have to - be your main firewall (and it doesn't have to run in a Xen domain - either). The wireless gateway runs a DHCP server that assigns wireless - hosts an IP address in 192.168.3.0/24 -- The OpenVPN server running on - the gateway assigns its clients an IP address in 192.168.1.0/24 so, - thanks to bridging, these clients appear to be physically attached to - the LAN). + The Shorewall configuration in the 'wireless' DomU is very simple. + It's sole purpose is to protect the local network from the Wireless net + by restricting wireless access to clients that have established an + OpenVPN Bridged connection. This + configuration illustrates that you can use any system on your internal + LAN as a wireless gateway -- it doesn't have to be your main firewall + (and it doesn't have to run in a Xen domain either and it doesn't even + have to run Linux). Our wireless gateway runs a DHCP server that assigns + wireless hosts an IP address in 192.168.3.0/24 -- The OpenVPN server + running on the gateway assigns its clients an IP address in + 192.168.1.0/24 so, thanks to bridging, these clients appear to be + physically attached to the LAN). That allows our two laptops to have the + same IP address in 192.168.1.0/24 regardless of whether they are + connected to the LAN directory or are connected wirelessly. @@ -926,7 +932,8 @@ loc br0 192.168.1.255 dhcp,routeback #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE - /etc/shorewall/policy: + /etc/shorewall/policy (again, note the use + of an ACCEPT all->all policy): #SOURCE DEST POLICY LOG LIMIT:BURST # LEVEL @@ -953,8 +960,24 @@ ACCEPT eth4 00:0f:66:ef:b6:f6 192.168.3.8 ACCEPT eth4 00:12:79:3d:fe:2e 192.168.3.6 #Work Laptop ACCEPT eth4 - 192.168.3.254 #Broadcast/Multicast from us DROP:info eth4 - 192.168.3.0/24 +DROP:info eth4 - 169.254.0.0/16 #Stop autoconfigured hosts. #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE + The routing table on the wireless gateway is as follows: + +
+ 192.168.3.0/24 dev eth4 proto kernel scope link src 192.168.3.254 +192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.7 +169.254.0.0/16 dev eth4 scope link +127.0.0.0/8 dev lo scope link +default via 192.168.1.254 dev br0 +
+ + The route to 169.254.0.0/16 is automatically generated by the + SuSE network scripts so I include that network in the + /etc/shorewall/maclist file for + completeness. + /etc/shorewall/rules: #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ @@ -962,6 +985,7 @@ DROP:info eth4 - 192.168.3.0/24 #SECTION ESTABLISHED #SECTION RELATED SECTION NEW +ACCEPT Wifi loc:192.168.1.5 udp 123 #Allow NTP before OpenVPN is up. #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE @@ -970,10 +994,9 @@ SECTION NEW
/etc/openvpn/server-bridge (Note that I prefer to push two /1 routes rather than to use the redirect-gateway directive on the client - systems; I find that the latter occasionally leaves the remote system - with no default gateway while my - approach always works): + role="bold">redirect-gateway directive; I find that the + latter occasionally leaves the remote system with no default gateway): dev tap0 @@ -1012,7 +1035,7 @@ verb 3 push "route 0.0.0.0 128.0.0.0 192.168.1.254" push "route 128.0.0.0 128.0.0.0 192.168.1.254" - /etc/openvpn/bridge-clients/tipper.shorewall.net + /etc/bridge-clients/tipper.shorewall.net (used to assign a fixed IP address to clients -- there are other similar files in this directory):