From 639b383c4c7b7b8fc3c48fc37cf0b07f525ffcfe Mon Sep 17 00:00:00 2001
From: teastep <teastep@fbd18981-670d-0410-9b5c-8dc0c1a9a2bb>
Date: Wed, 12 Oct 2005 00:13:11 +0000
Subject: [PATCH] Add bridge example to OpenVPN doc

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2855 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall-docs2/OPENVPN.xml | 165 ++++++++++++++++++++++++++++++++++++
 1 file changed, 165 insertions(+)

diff --git a/Shorewall-docs2/OPENVPN.xml b/Shorewall-docs2/OPENVPN.xml
index 95ee8ae6b..1df902c38 100644
--- a/Shorewall-docs2/OPENVPN.xml
+++ b/Shorewall-docs2/OPENVPN.xml
@@ -417,4 +417,169 @@ verb 3</programlisting>
     url="http://www.iut-lannion.fr/ZONZON/memos_index.php?part=Network&amp;section=WRTMemo&amp;subsec=vpnwithshorewall">this
     article</ulink> by Marc Zonzon</para>
   </section>
+
+  <section>
+    <title>Securing a Home Wireless Network with OpenVPN</title>
+
+    <para>This section will discuss how I secured my home wireless network
+    using OpenVPN. Our network is as shown in the following diagram.</para>
+
+    <graphic fileref="images/network3.png" />
+
+    <para>The Wireless zone is in the lower right of the diagram and consists
+    of two laptops: Eastepnc6000 (Windows XP - SP1) and Tipper (SuSE 10.0). We
+    use OpenVPN to bridge those two laptops with the Local Zone shown in the
+    lower left hand corner.</para>
+
+    <section>
+      <title>Configuring the Bridge</title>
+
+      <para>The firewall runs Debian Sarge so the bridge is defined in
+      <filename>/etc/network/interfaces</filename>.</para>
+
+      <programlisting># LAN interface
+auto br0
+iface br0 inet static
+        address 192.168.1.254
+        netmask 255.255.255.0
+        pre-up /usr/sbin/openvpn --mktun --dev tap0
+        pre-up /sbin/ip link set tun0 up
+        pre-up /sbin/ip link set eth3 up
+        pre-up /usr/sbin/brctl addbr br0
+        pre-up /usr/sbin/brctl addif br0 eth3
+        pre-up /usr/sbin/brctl addif br0 tap0
+        up ip route add 224.0.0.0/4 dev br0
+        post-down /usr/sbin/brctl delif br0 eth3
+        post-down /usr/sbin/brctl delif br0 tap0
+        post-down /usr/sbin/brctl delbr br0
+        post-down /usr/sbin/openvpn --rmtun --dev tap0</programlisting>
+
+      <para>Note that the IP address assigned to the bridge is 192.168.1.254
+      -- that is the default gateway address for hosts in the local
+      zone.</para>
+    </section>
+
+    <section>
+      <title>Configuring OpenVPN</title>
+
+      <para>We use X.509 certificates for authentication.</para>
+
+      <section>
+        <title>Firewall (Server) configuration.</title>
+
+        <para>/etc/openvpn/server-bridge.conf defines a bridge and reserves IP
+        addresses 192.168.1.64-192.168.1.71 for VPN clients.</para>
+
+        <programlisting>dev tap0
+
+local 192.168.3.254
+
+server-bridge 192.168.1.254 255.255.255.0 192.168.1.64 192.168.1.71
+
+dh dh1024.pem
+
+ca /etc/certs/cacert.pem
+
+crl-verify /etc/certs/crl.pem
+
+cert /etc/certs/gateway.pem
+key /etc/certs/gateway_key.pem
+
+port 1194
+
+comp-lzo
+
+user nobody
+group nogroup
+
+ping 15
+ping-restart 45
+ping-timer-rem
+persist-tun
+persist-key
+
+verb 3</programlisting>
+      </section>
+
+      <section>
+        <title>Tipper Configuration</title>
+
+        <para>/etc/openvpn/wireless.conf:</para>
+
+        <programlisting>dev tap
+
+remote 192.168.3.254
+tls-remote gateway.shorewall.net
+
+client
+
+route-gateway 192.168.1.254
+
+up /etc/openvpn/wireless.up
+down /etc/openvpn/wireless.down
+
+ca /etc/certs/cacert.pem
+
+cert /etc/certs/tipper.pem
+key /etc/certs/tipper_key.pem
+
+port 1194
+
+comp-lzo
+
+ping 15
+ping-restart 45
+ping-timer-rem
+persist-tun
+persist-key
+
+mute-replay-warnings
+
+verb 3</programlisting>
+
+        <para>/etc/openvpn/wireless.up changes the default gateway to
+        192.168.1.254</para>
+
+        <programlisting>ip route replace default via 192.168.1.254 dev tap0</programlisting>
+
+        <para>/etc/openvpn/wireless.down restores the default gateway to
+        192.168.3.254</para>
+
+        <programlisting>ip route replace default via 192.168.3.254 dev eth0</programlisting>
+      </section>
+    </section>
+
+    <section>
+      <title>Configuring Shorewall</title>
+
+      <para>In this configuration, we don't need any firewalling between the
+      laptops and the local LAN so we set BRIDGING=No in shorewall.conf. The
+      configuration of the bridge then becomes as described in the <ulink
+      url="SimpleBridge.xml">Simple Bridge documentation</ulink>.</para>
+
+      <section>
+        <title>/etc/shorewall/interfaces</title>
+
+        <para>Note that the bridge (br0) is defined as the interface to the
+        local zone and has the <emphasis role="bold">routeback</emphasis>
+        option.</para>
+
+        <programlisting>#ZONE   INTERFACE       BROADCAST               OPTIONS
+net     eth2            206.124.146.255         dhcp,norfc1918,logmartians,blacklist,tcpflags,nosmurfs
+loc     br0             192.168.1.255           dhcp,<emphasis role="bold">routeback</emphasis>
+dmz     eth1            -                       logmartians
+Wifi    eth0            192.168.3.255           dhcp,maclist
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
+      </section>
+
+      <section>
+        <title>/etc/shorewall/tunnels</title>
+
+        <programlisting>#TYPE                   ZONE    GATEWAY         GATEWAY
+#                                               ZONE
+openvpn-server:1194     Wifi    192.168.3.0/24
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
+      </section>
+    </section>
+  </section>
 </article>
\ No newline at end of file