diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index abde5309e..aa1d92cfb 100755 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -13,3 +13,9 @@ Changes since 1.3.13 /etc/shorewall/masq. 6. Restore $dev.$vid naming of VLAN interfaces. + +7. Updated copyrights for 2003. + +8. Added support for openvpn tunnels on arbitrary ports + +9. Added support for openvpn with NAT on the other end. diff --git a/Shorewall/firewall b/Shorewall/firewall index 8f9aa8ebd..d1a676b77 100755 --- a/Shorewall/firewall +++ b/Shorewall/firewall @@ -1424,6 +1424,29 @@ setup_tunnels() # $1 = name of tunnels file echo " PPTP server defined." } + setup_one_openvpn() # $1 = gateway, $2 = kind + { + case $2 in + *:*) + p=${2#*:} + ;; + *) + p=5000 + ;; + esac + + if [ $3 = openvpn ]; then + sport="--sport $p" + else + sport= + fi + + addrule $inchain -p udp -s $1 $sport --dport $p -j ACCEPT + addrule $outchain -p udp -d $1 $sport --dport $p -j ACCEPT + + echo " OPENVPN tunnel to $1:$p defined." + } + strip_file tunnels $1 while read kind z gateway z1; do @@ -1451,6 +1474,12 @@ setup_tunnels() # $1 = name of tunnels file pptpserver|PPTPSERVER) setup_pptp_server ;; + openvpn*|OPENVPN*) + setup_one_openvpn $gateway $kind openvpn + ;; + openvpnnat*|OPENVPNNAT*) + setup_one_openvpn $gateway $kind openvpnnat + ;; *) error_message "Tunnels of type $kind are not supported:" \ "Tunnel \"$tunnel\" Ignored" diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index 43397e6b8..1770be3ea 100755 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt 
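Review bot: setup_one_openvpn tests a third argument in `if [ $3 = openvpn ]; then`, but its header comment documents only `$1 = gateway, $2 = kind`, so nothing at the definition tells a reader that the caller must pass `openvpn` or `openvpnnat` to decide whether the `--sport $p` match is added. I would extend the header to `setup_one_openvpn() # $1 = gateway, $2 = kind[:port], $3 = openvpn|openvpnnat` and quote the operand, `if [ "$3" = openvpn ]; then`, so a missing argument fails the comparison instead of producing a `[: =: unary operator expected` error from test. The port `p` is taken from the TYPE column of a user-edited file with `p=${2#*:}` and passed straight into the `addrule` calls without a numeric check, so a typo such as `openvpn:77x7` is only caught, if at all, when iptables rejects the rule — presumably acceptable at load time, but worth a one-line `case $p in *[!0-9]*) error_message ...` given that `error_message` is already used in this function's caller. `$inchain` and `$outchain` are set outside this hunk.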
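Review bot: The `openvpnnat*|OPENVPNNAT*)` arm is unreachable, because the arm placed before it, `openvpn*|OPENVPN*)`, also matches every type that begins with `openvpnnat`, and a shell `case` takes the first matching pattern. Every `openvpnnat` entry is therefore handled as plain `openvpn` with `$3` set to `openvpn`, so it gets the `--sport $p` restriction that the NAT variant exists to drop, and a peer whose source port is rewritten by NAT is silently blocked. Either swap the two arms so `openvpnnat*|OPENVPNNAT*)` is tested first, or tighten the first pattern to `openvpn|openvpn:*|OPENVPN|OPENVPN:*)` so it can no longer swallow the NAT spelling. The enclosing `while read kind z gateway z1` loop in setup_tunnels begins before this hunk.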
@@ -24,7 +24,10 @@ New features include: convention (e.g., "eth0.0") has been restored. This capability was inadvertently broken in version 1.3.12. -4) When an interface name is entered in the SUBNET column of the +4) Support has been added for defining OpenVPN tunnels in the + /etc/shorewall/tunnels file. + +5) When an interface name is entered in the SUBNET column of the /etc/shorewall/masq file, Shorewall previously masqueraded traffic from only the first subnet defined on that interface. It did not masquerade traffic from: diff --git a/Shorewall/tunnels b/Shorewall/tunnels index 5e961d6fd..cfb0a54fe 100644 --- a/Shorewall/tunnels +++ b/Shorewall/tunnels @@ -1,16 +1,22 @@ # # Shorewall 1.3 - /etc/shorewall/tunnels # -# This file defines IPSEC, GRE and IPIP tunnels. +# This file defines IPSEC, GRE, IPIP and OPENVPN tunnels. # -# IPIP and GRE tunnels must be configured on the firewall/gateway itself. -# IPSEC endpoints may be defined on the firewall/gateway or on an -# internal system. +# IPIP, GRE and OPENVPN tunnels must be configured on the +# firewall/gateway itself. IPSEC endpoints may be defined +# on the firewall/gateway or on an internal system. # # The columns are: # # TYPE -- must start in column 1 and be "ipsec", "ipsecnat","ip" -# "gre","pptpclient" or "pptpserver" +# "gre", "pptpclient", "pptpserver", "openvpn" or +# "openvpnnat" +# +# If type is "openvpn" or "openvpnnam", it may optionally +# be followed by ":" and the port number used by the +# tunnel. If no ":" and port number are included, then +# the default port of 5000 will be used # # ZONE -- The zone of the physical interface through which # tunnel traffic passes. This is normally your internet 
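Review bot: The new paragraph spells the type `"openvpnnam"`, while the TYPE list two lines above and the firewall's `case` arms spell it `openvpnnat`; a user who copies the documented spelling will hit the "Tunnels of type ... are not supported" path. Change the line to `# If type is "openvpn" or "openvpnnat", it may optionally`. It would also help to state here what distinguishes the two types — from the firewall hunk, `openvpnnat` omits the `--sport` match on the tunnel port so a NAT-rewritten source port is accepted — since this file otherwise gives no reason to choose one over the other.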
@@ -20,10 +26,12 @@ # remote getway has no fixed address (Road Warrior) # then specify the gateway as 0.0.0.0/0. # -# GATEWAY ZONES -- Optional. If the gateway system specified in the third +# GATEWAY +# ZONES -- Optional. If the gateway system specified in the third # column is a standalone host then this column should -# contain a comma-separated list of the names of the zones that -# the host might be in. This column only applies to IPSEC tunnels. +# contain a comma-separated list of the names of the +# zones that the host might be in. This column only +# applies to IPSEC tunnels. # # Example 1: # @@ -71,5 +79,12 @@ # # pptpserver net # -# TYPE ZONE GATEWAY GATEWAY ZONE +# Example 7: +# +# OPENVPN tunnel. The remote gateway is 4.33.99.124 and +# openvpn uses port 7777. +# +# openvpn:7777 net 4.33.99.124 +# +# TYPE ZONE GATEWAY GATEWAY ZONE PORT #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
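Review bot: The rewritten column header `# TYPE ZONE GATEWAY GATEWAY ZONE PORT` introduces a fifth PORT column, but Example 7 in the same hunk (`openvpn:7777 net 4.33.99.124`) and the firewall code (`p=${2#*:}`) take the port from the TYPE column, and the loop reads only `kind z gateway z1`, so no code consumes a fifth field. A user who aligns a port under PORT would appear to get the default 5000 silently, with the stray word folded into the gateway-zones column. Drop PORT from the header, `# TYPE ZONE GATEWAY GATEWAY ZONE`, and keep the port in the `openvpn:port` form the example shows.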