Add openvpn tunnel support

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@426 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2003-01-31 19:10:22 +00:00
parent 4cf3600e5c
commit 5aeecee8ab
4 changed files with 63 additions and 10 deletions


@ -13,3 +13,9 @@ Changes since 1.3.13
/etc/shorewall/masq.
6. Restore $dev.$vid naming of VLAN interfaces.
7. Updated copyrights for 2003.
8. Added support for openvpn tunnels on arbitrary ports
9. Added support for openvpn with NAT on the other end.


@ -1424,6 +1424,29 @@ setup_tunnels() # $1 = name of tunnels file
echo " PPTP server defined."
}
setup_one_openvpn() # $1 = gateway, $2 = kind
{
case $2 in
*:*)
p=${2#*:}
;;
*)
p=5000
;;
esac
if [ $3 = openvpn ]; then
sport="--sport $p"
else
sport=
fi
addrule $inchain -p udp -s $1 $sport --dport $p -j ACCEPT
addrule $outchain -p udp -d $1 $sport --dport $p -j ACCEPT
echo " OPENVPN tunnel to $1:$p defined."
}
strip_file tunnels $1
while read kind z gateway z1; do
@ -1451,6 +1474,12 @@ setup_tunnels() # $1 = name of tunnels file
pptpserver|PPTPSERVER)
setup_pptp_server
;;
openvpn*|OPENVPN*)
setup_one_openvpn $gateway $kind openvpn
;;
openvpnnat*|OPENVPNNAT*)
setup_one_openvpn $gateway $kind openvpnnat
;;
*)
error_message "Tunnels of type $kind are not supported:" \
"Tunnel \"$tunnel\" Ignored"
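Review bot: In the second hunk the `openvpn*|OPENVPN*)` arm comes before `openvpnnat*|OPENVPNNAT*)`, and because case arms are tried in order a TYPE of `openvpnnat` (or `openvpnnat:7777`) also matches `openvpn*`, so the NAT arm is unreachable and such tunnels still get the `--sport $p` restriction that the NAT variant exists to drop. Put the `openvpnnat*|OPENVPNNAT*)` arm first, or make the first pattern exact: `openvpn|openvpn:*|OPENVPN|OPENVPN:*)`. In setup_one_openvpn (first hunk) the port taken from `${2#*:}` is never checked, so an entry such as `openvpn:` leaves `$p` empty and produces a malformed `--dport` rule; a guard before the addrule calls, `case $p in ''|*[!0-9]*) error_message "Invalid port in tunnel \"$tunnel\""; return ;; esac`, would reject it. The enclosing setup_tunnels function starts before both hunks and continues past the second.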


@ -24,7 +24,10 @@ New features include:
convention (e.g., "eth0.0") has been restored. This capability was
inadvertently broken in version 1.3.12.
4) When an interface name is entered in the SUBNET column of the
4) Support has been added for defining OpenVPN tunnels in the
/etc/shorewall/tunnels file.
5) When an interface name is entered in the SUBNET column of the
/etc/shorewall/masq file, Shorewall previously masqueraded traffic
from only the first subnet defined on that interface. It did not
masquerade traffic from:


@ -1,16 +1,22 @@
#
# Shorewall 1.3 - /etc/shorewall/tunnels
#
# This file defines IPSEC, GRE and IPIP tunnels.
# This file defines IPSEC, GRE, IPIP and OPENVPN tunnels.
#
# IPIP and GRE tunnels must be configured on the firewall/gateway itself.
# IPSEC endpoints may be defined on the firewall/gateway or on an
# internal system.
# IPIP, GRE and OPENVPN tunnels must be configured on the
# firewall/gateway itself. IPSEC endpoints may be defined
# on the firewall/gateway or on an internal system.
#
# The columns are:
#
# TYPE -- must start in column 1 and be "ipsec", "ipsecnat","ip"
# "gre","pptpclient" or "pptpserver"
# "gre", "pptpclient", "pptpserver", "openvpn" or
# "openvpnnat"
#
# If type is "openvpn" or "openvpnnam", it may optionally
# be followed by ":" and the port number used by the
# tunnel. If no ":" and port number are included, then
# the default port of 5000 will be used
#
# ZONE -- The zone of the physical interface through which
# tunnel traffic passes. This is normally your internet
@ -20,10 +26,12 @@
# remote getway has no fixed address (Road Warrior)
# then specify the gateway as 0.0.0.0/0.
#
# GATEWAY ZONES -- Optional. If the gateway system specified in the third
# GATEWAY
# ZONES -- Optional. If the gateway system specified in the third
# column is a standalone host then this column should
# contain a comma-separated list of the names of the zones that
# the host might be in. This column only applies to IPSEC tunnels.
# contain a comma-separated list of the names of the
# zones that the host might be in. This column only
# applies to IPSEC tunnels.
#
# Example 1:
#
@ -71,5 +79,12 @@
#
# pptpserver net
#
# TYPE ZONE GATEWAY GATEWAY ZONE
# Example 7:
#
# OPENVPN tunnel. The remote gateway is 4.33.99.124 and
# openvpn uses port 7777.
#
# openvpn:7777 net 4.33.99.124
#
# TYPE ZONE GATEWAY GATEWAY ZONE PORT
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
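Review bot: The new comment line `# If type is "openvpn" or "openvpnnam", it may optionally` misspells the type name; the TYPE description above and the firewall code both use `openvpnnat`, so it should read `# If type is "openvpn" or "openvpnnat", it may optionally`. The replacement header in the third hunk, `# TYPE ZONE GATEWAY GATEWAY ZONE PORT`, suggests a separate PORT column, but Example 7 and the TYPE description carry the port inside the TYPE field as `openvpn:7777`; the original four-column header `# TYPE ZONE GATEWAY GATEWAY ZONE` is the accurate one and should be kept.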