extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2024-11-22 07:33:43 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add solution for handling duplicate networks in an OpenVPN environment

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2010-04-27 07:04:06 -07:00
parent 40bc2cc4a2
commit eab6387817
3 changed files with 67 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

67
docs/OPENVPN.xml
View File

@ -332,6 +332,8 @@ ping-timer-rem
persist-tun persist-tun
persist-key persist-key
push "route 192.168.1.0 255.255.255.0"
verb 3</programlisting> verb 3</programlisting>
</blockquote> </blockquote>
@ -431,6 +433,71 @@ verb 3</programlisting>
</orderedlist> </orderedlist>
</section> </section>
<section id="Dupnet">
<title>Roadwarrior with Duplicate Network Issue</title>
<para>The information in this section was contributed by Nicola
Moretti.</para>
<para>If your local lan uses a popular RFC 1918 network like
192.168.1.0/24, there will be times when your roadwarriors need to access
your lan from a remote location that uses that same network.</para>
<graphic align="center" fileref="images/Mobile1.png" />
<para>This may be accomplished by configuring a second server on your
firewall that uses a different port and by using <ulink
url="netmap.html">NETMAP</ulink> in your Shorewall configuration. The
server configuration in the above diagram is modified as shown
here:</para>
<blockquote>
<programlisting>dev tun
<emphasis role="bold">server 192.168.3.0 255.255.255.0</emphasis>
dh dh1024.pem
ca /etc/certs/cacert.pem
crl-verify /etc/certs/crl.pem
cert /etc/certs/SystemA.pem
key /etc/certs/SystemA_key.pem
<emphasis role="bold">port 1195</emphasis>
comp-lzo
user nobody
group nogroup
ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key
<emphasis role="bold">push "route 172.20.1.0 255.255.255.0"</emphasis>
verb 3</programlisting>
</blockquote>
<para>In <filename>/etc/shorewall/netmap</filename>, put these
entries:</para>
<blockquote>
<programlisting>#TYPE NET1 INTERFACE NET2
SNAT 192.168.1.0/24 tun1 172.20.1.0/24
DNAT 172.20.1.0/24 tun1 192.168.1.0/24
</programlisting>
</blockquote>
<para>The roadwarrior can now connect to port 1195 and access the lan on
the right as 172.20.1.0/24.</para>
</section>
<section> <section>
<title>Bridged Roadwarrior</title> <title>Bridged Roadwarrior</title>

BIN
docs/images/Mobile1.dia Normal file
View File

Binary file not shown.

BIN
docs/images/Mobile1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 25 KiB