extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-01-20 12:39:06 +01:00
Code Issues Packages Projects Releases Wiki Activity

Change tense of part of the OPENVPN article that talks about wireless bridging

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3713 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2006-03-22 22:49:12 +00:00
parent 59686cabbf
commit ada3ed7e06
1 changed files with 24 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

47
docs/OPENVPN.xml
View File

@ -450,26 +450,26 @@ verb 3</programlisting>
<para>The Wireless network is in the lower right of the diagram and <para>The Wireless network is in the lower right of the diagram and
consists of two laptops: Eastepnc6000 (Dual Boot Windows XP - SP1, SUSE consists of two laptops: Eastepnc6000 (Dual Boot Windows XP - SP1, SUSE
10.0) and Tipper (SUSE 10.0). We use OpenVPN to bridge those two laptops 10.0) and Tipper (SUSE 10.0). We used OpenVPN to bridge those two laptops
with the local LAN shown in the lower left hand corner. The laptops are with the local LAN shown in the lower left hand corner. The laptops were
configured with addresses in the 192.168.3.0/24 network connected to the configured with addresses in the 192.168.3.0/24 network connected to the
firewall's <filename class="devicefile">eth0</filename> interface which firewall's <filename class="devicefile">eth0</filename> interface which
places them in the firewall's <emphasis role="bold">Wifi</emphasis> zone. places them in the firewall's <emphasis role="bold">Wifi</emphasis> zone.
OpenVPN bridging allows them to be assigned an additional IP address from OpenVPN bridging allowed them to be assigned an additional IP address from
the 192.168.1.0/24 network and to be securely bridged to the LAN on the the 192.168.1.0/24 network and to be securely bridged to the LAN on the
lower left.</para> lower left.</para>
<note> <note>
<para>Eastepnc6000 is shown in both the local LAN and in the Wifi zone <para>Eastepnc6000 is shown in both the local LAN and in the Wifi zone
with IP address 192.168.1.6 -- clearly, the computer can only be in one with IP address 192.168.1.6 -- clearly, the computer could only be in
place or the other. Tipper can also be in either place and will have the one place or the other. Tipper could also be in either place and would
IP address 192.168.1.8 regardless.</para> have the IP address 192.168.1.8 regardless.</para>
</note> </note>
<section> <section>
<title>Configuring the Bridge</title> <title>Configuring the Bridge</title>
<para>The firewall runs Debian Sarge so the bridge is defined in <para>The firewall ran Debian Sarge so the bridge was defined in
<filename>/etc/network/interfaces</filename>.</para> <filename>/etc/network/interfaces</filename>.</para>
<programlisting># LAN interface <programlisting># LAN interface
@ -489,21 +489,21 @@ iface br0 inet static
post-down /usr/sbin/openvpn --rmtun --dev tap0</programlisting> post-down /usr/sbin/openvpn --rmtun --dev tap0</programlisting>
<para>Note that the IP address assigned to the bridge is 192.168.1.254 <para>Note that the IP address assigned to the bridge is 192.168.1.254
-- that is the default gateway address for hosts in the local -- that was the default gateway address for hosts in the local
zone.</para> zone.</para>
</section> </section>
<section> <section>
<title>Configuring OpenVPN</title> <title>Configuring OpenVPN</title>
<para>We use X.509 certificates for authentication.</para> <para>We used X.509 certificates for authentication.</para>
<section> <section>
<title>Firewall (Server) configuration.</title> <title>Firewall (Server) configuration.</title>
<para>/etc/openvpn/server-bridge.conf defines a bridge and reserves IP <para>/etc/openvpn/server-bridge.conf defined a bridge and reserved IP
addresses 192.168.1.64-192.168.1.71 for VPN clients. Note that the addresses 192.168.1.64-192.168.1.71 for VPN clients. Note that the
bridge server only uses local IP address 192.168.3.254. We run two bridge server only used local IP address 192.168.3.254. We ran two
instances of OpenVPN; this one and a second tunnel-mode instance for instances of OpenVPN; this one and a second tunnel-mode instance for
remote access (see <ulink url="myfiles.htm">this remote access (see <ulink url="myfiles.htm">this
article</ulink>).</para> article</ulink>).</para>
@ -545,7 +545,7 @@ ccd-exclusive
verb 3</programlisting> verb 3</programlisting>
<para>The files in <filename>/etc/openvpn/bridge-clients</filename> <para>The files in <filename>/etc/openvpn/bridge-clients</filename>
are used to assign a fixed IP address to each laptop. For example, were used to assign a fixed IP address to each laptop. For example,
tipper.shorewall.net:</para> tipper.shorewall.net:</para>
<programlisting>ifconfig-push 192.168.1.8 255.255.255.0</programlisting> <programlisting>ifconfig-push 192.168.1.8 255.255.255.0</programlisting>
@ -620,17 +620,18 @@ verb 3</programlisting>
<section> <section>
<title>Eastepnc6000 (SUSE10.0) Configuration</title> <title>Eastepnc6000 (SUSE10.0) Configuration</title>
<para>The configuration is the same as shown above only with "/Program <para>The configuration was the same as shown above only with
Files/OpenVPN" replaced with "/etc/openvpn" (I love OpenVPN).</para> "/Program Files/OpenVPN" replaced with "/etc/openvpn" (I love
OpenVPN).</para>
</section> </section>
</section> </section>
<section> <section>
<title>Configuring Shorewall</title> <title>Configuring Shorewall</title>
<para>In this configuration, we don't need any firewalling between the <para>In this configuration, we didn't need any firewalling between the
laptops and the local LAN so we set BRIDGING=No in shorewall.conf. The laptops and the local LAN so we set BRIDGING=No in shorewall.conf. The
configuration of the bridge then becomes as described in the <ulink configuration of the bridge then became as described in the <ulink
url="SimpleBridge.html">Simple Bridge documentation</ulink>. If you need url="SimpleBridge.html">Simple Bridge documentation</ulink>. If you need
to control the traffic allowed through the VPN bridge then you will want to control the traffic allowed through the VPN bridge then you will want
to configure Shorewall as shown in the <ulink to configure Shorewall as shown in the <ulink
@ -668,9 +669,9 @@ openvpnserver:1194 Wifi 192.168.3.0/24
<title>Tipper</title> <title>Tipper</title>
<para>Wireless networks pose a threat to all systems that are <para>Wireless networks pose a threat to all systems that are
connected to them and we therefore run Firewalls on the two Laptops. connected to them and we therefore ran Firewalls on the two Laptops.
Eastepnc6000 runs <trademark>Sygate</trademark> Security Agent and Eastepnc6000 ran <trademark>Sygate</trademark> Security Agent and
Tipper runs a Shorewall-based Netfilter firewall.</para> Tipper ran a Shorewall-based Netfilter firewall.</para>
<section> <section>
<title>/etc/shorewall/zones</title> <title>/etc/shorewall/zones</title>
@ -697,11 +698,11 @@ net eth0 detect routefilter,dhcp,tcpflags
<section> <section>
<title>/etc/shorewall/policy</title> <title>/etc/shorewall/policy</title>
<para>Since we don't expect any traffic between the <emphasis <para>Since we didn't expect any traffic between the <emphasis
role="bold">net</emphasis> zone and the <emphasis role="bold">net</emphasis> zone and the <emphasis
role="bold">lan</emphasis> zone, we use NONE policies for that role="bold">lan</emphasis> zone, we used NONE policies for that
traffic. If any such traffic should occur, it will be handled traffic. If any such traffic would have occurred, it would have been
according to the all-&gt;all policy.</para> handled according to the all-&gt;all policy.</para>
<programlisting>#SOURCE DEST POLICY LOG LIMIT:BURST <programlisting>#SOURCE DEST POLICY LOG LIMIT:BURST
# LEVEL # LEVEL