Add bridge example to OpenVPN doc

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2855 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2005-10-12 00:13:11 +00:00
parent 34f8ff258e
commit 639b383c4c

View File

@ -417,4 +417,169 @@ verb 3</programlisting>
url="http://www.iut-lannion.fr/ZONZON/memos_index.php?part=Network&amp;section=WRTMemo&amp;subsec=vpnwithshorewall">this url="http://www.iut-lannion.fr/ZONZON/memos_index.php?part=Network&amp;section=WRTMemo&amp;subsec=vpnwithshorewall">this
article</ulink> by Marc Zonzon</para> article</ulink> by Marc Zonzon</para>
</section> </section>
<section>
<title>Securing a Home Wireless Network with OpenVPN</title>
<para>This section will discuss how I secured my home wireless network
using OpenVPN. Our network is as shown in the following diagram.</para>
<graphic fileref="images/network3.png" />
<para>The Wireless zone is in the lower right of the diagram and consists
of two laptops: Eastepnc6000 (Windows XP - SP1) and Tipper (SuSE 10.0). We
use OpenVPN to bridge those two laptops with the Local Zone shown in the
lower left hand corner.</para>
<section>
<title>Configuring the Bridge</title>
<para>The firewall runs Debian Sarge so the bridge is defined in
<filename>/etc/network/interfaces</filename>.</para>
<programlisting># LAN interface
auto br0
iface br0 inet static
address 192.168.1.254
netmask 255.255.255.0
pre-up /usr/sbin/openvpn --mktun --dev tap0
pre-up /sbin/ip link set tun0 up
pre-up /sbin/ip link set eth3 up
pre-up /usr/sbin/brctl addbr br0
pre-up /usr/sbin/brctl addif br0 eth3
pre-up /usr/sbin/brctl addif br0 tap0
up ip route add 224.0.0.0/4 dev br0
post-down /usr/sbin/brctl delif br0 eth3
post-down /usr/sbin/brctl delif br0 tap0
post-down /usr/sbin/brctl delbr br0
post-down /usr/sbin/openvpn --rmtun --dev tap0</programlisting>
<para>Note that the IP address assigned to the bridge is 192.168.1.254
-- that is the default gateway address for hosts in the local
zone.</para>
</section>
<section>
<title>Configuring OpenVPN</title>
<para>We use X.509 certificates for authentication.</para>
<section>
<title>Firewall (Server) configuration.</title>
<para>/etc/openvpn/server-bridge.conf defines a bridge and reserves IP
addresses 192.168.1.64-192.168.1.71 for VPN clients.</para>
<programlisting>dev tap0
local 192.168.3.254
server-bridge 192.168.1.254 255.255.255.0 192.168.1.64 192.168.1.71
dh dh1024.pem
ca /etc/certs/cacert.pem
crl-verify /etc/certs/crl.pem
cert /etc/certs/gateway.pem
key /etc/certs/gateway_key.pem
port 1194
comp-lzo
user nobody
group nogroup
ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key
verb 3</programlisting>
</section>
<section>
<title>Tipper Configuration</title>
<para>/etc/openvpn/wireless.conf:</para>
<programlisting>dev tap
remote 192.168.3.254
tls-remote gateway.shorewall.net
client
route-gateway 192.168.1.254
up /etc/openvpn/wireless.up
down /etc/openvpn/wireless.down
ca /etc/certs/cacert.pem
cert /etc/certs/tipper.pem
key /etc/certs/tipper_key.pem
port 1194
comp-lzo
ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key
mute-replay-warnings
verb 3</programlisting>
<para>/etc/openvpn/wireless.up changes the default gateway to
192.168.1.254</para>
<programlisting>ip route replace default via 192.168.1.254 dev tap0</programlisting>
<para>/etc/openvpn/wireless.down restores the default gateway to
192.168.3.254</para>
<programlisting>ip route replace default via 192.168.3.254 dev eth0</programlisting>
</section>
</section>
<section>
<title>Configuring Shorewall</title>
<para>In this configuration, we don't need any firewalling between the
laptops and the local LAN so we set BRIDGING=No in shorewall.conf. The
configuration of the bridge then becomes as described in the <ulink
url="SimpleBridge.xml">Simple Bridge documentation</ulink>.</para>
<section>
<title>/etc/shorewall/interfaces</title>
<para>Note that the bridge (br0) is defined as the interface to the
local zone and has the <emphasis role="bold">routeback</emphasis>
option.</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net eth2 206.124.146.255 dhcp,norfc1918,logmartians,blacklist,tcpflags,nosmurfs
loc br0 192.168.1.255 dhcp,<emphasis role="bold">routeback</emphasis>
dmz eth1 - logmartians
Wifi eth0 192.168.3.255 dhcp,maclist
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
</section>
<section>
<title>/etc/shorewall/tunnels</title>
<programlisting>#TYPE ZONE GATEWAY GATEWAY
# ZONE
openvpn-server:1194 Wifi 192.168.3.0/24
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
</section>
</section>
</section>
</article> </article>