<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"> <article id="OPENVPN"> <!--$Id$--> <articleinfo> <title>OpenVPN Tunnels</title> <authorgroup> <author> <firstname>Tom</firstname> <surname>Eastep</surname> </author> <author> <firstname>Simon</firstname> <surname>Mater</surname> </author> </authorgroup> <pubdate>2003-02-04</pubdate> <copyright> <year>2003</year> <holder>Thomas M. Eastep</holder> <holder>Simon Mater</holder> </copyright> <legalnotice> <para>Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled <quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para> </legalnotice> </articleinfo> <para>OpenVPN is a robust and highly configurable VPN (Virtual Private Network) daemon which can be used to securely link two or more private networks using an encrypted tunnel over the internet. OpenVPN is an Open Source project and is <ulink url="http://openvpn.sourceforge.net/license.html">licensed under the GPL</ulink>. OpenVPN can be downloaded from <ulink url="http://openvpn.sourceforge.net/">http://openvpn.sourceforge.net/</ulink>.</para> <para>OpenVPN support was added to Shorewall in version 1.3.14.</para> <section> <title>Bridging two Masqueraded Networks</title> <para>Suppose that we have the following situation:</para> <graphic fileref="images/TwoNets1.png" /> <para>We want systems in the 192.168.1.0/24 subnetwork to be able to communicate with the systems in the 10.0.0.0/8 network. This is accomplished through use of the /etc/shorewall/tunnels file and the /etc/shorewall/policy file and OpenVPN.</para> <para>While it was possible to use the Shorewall start and stop script to start and stop OpenVPN, I decided to use the init script of OpenVPN to start and stop it.</para> <para>On each firewall, you will need to declare a zone to represent the remote subnet. We'll assume that this zone is called <quote>vpn</quote> and declare it in /etc/shorewall/zones on both systems as follows.</para> <table> <title>/etc/shorewall/zones system A & B</title> <tgroup cols="3"> <thead> <row> <entry align="center">ZONE</entry> <entry align="center">DISPLAY</entry> <entry align="center">COMMENTS</entry> </row> </thead> <tbody> <row> <entry>vpn</entry> <entry>VPN</entry> <entry>Remote Subnet</entry> </row> </tbody> </tgroup> </table> <para>On system A, the 10.0.0.0/8 will comprise the <emphasis role="bold">vpn</emphasis> zone. In /etc/shorewall/interfaces:</para> <table> <title>etc/shorewall/interfaces system A</title> <tgroup cols="4"> <thead> <row> <entry align="center">ZONE</entry> <entry align="center">INTERFACE</entry> <entry align="center">BROADCAST</entry> <entry align="center">OPTIONS</entry> </row> </thead> <tbody> <row> <entry>vpn</entry> <entry>tun0</entry> <entry></entry> <entry></entry> </row> </tbody> </tgroup> </table> <para>In /etc/shorewall/tunnels on system A, we need the following:</para> <table> <title>/etc/shorewall/tunnels system A</title> <tgroup cols="4"> <thead> <row> <entry align="center">TYPE</entry> <entry align="center">ZONE</entry> <entry align="center">GATEWAY</entry> <entry align="center">GATEWAY ZONE</entry> </row> </thead> <tbody> <row> <entry>openvpn</entry> <entry>net</entry> <entry>134.28.54.2</entry> <entry></entry> </row> </tbody> </tgroup> </table> <para>This entry in /etc/shorewall/tunnels opens the firewall so that OpenVPN traffic on the default port 5000/udp will be accepted to/from the remote gateway. If you change the port used by OpenVPN to 7777, you can define /etc/shorewall/tunnels like this:</para> <table> <title>/etc/shorewall/tunnels port 7777</title> <tgroup cols="4"> <thead> <row> <entry align="center">TYPE</entry> <entry align="center">ZONE</entry> <entry align="center">GATEWAY</entry> <entry align="center">GATEWAY ZONE</entry> </row> </thead> <tbody> <row> <entry>openvpn:7777</entry> <entry>net</entry> <entry>134.28.54.2</entry> <entry></entry> </row> </tbody> </tgroup> </table> <para>This is the OpenVPN config on system A:</para> <programlisting>dev tun local 206.162.148.9 remote 134.28.54.2 ifconfig 192.168.99.1 192.168.99.2 up ./route-a.up tls-server dh dh1024.pem ca ca.crt cert my-a.crt key my-a.key comp-lzo verb 5</programlisting> <para>Similarly, On system B the 192.168.1.0/24 subnet will comprise the <emphasis role="bold">vpn</emphasis> zone. In /etc/shorewall/interfaces:</para> <table> <title>/etc/shorewall/interfaces system B</title> <tgroup cols="4"> <thead> <row> <entry align="center">ZONE</entry> <entry align="center">INTERFACE</entry> <entry align="center">BROADCAST</entry> <entry align="center">OPTIONS</entry> </row> </thead> <tbody> <row> <entry>vpn</entry> <entry>tun0</entry> <entry>192.168.1.255</entry> <entry></entry> </row> </tbody> </tgroup> </table> <para>In /etc/shorewall/tunnels on system B, we have:</para> <table> <title>/etc/shorewall/tunnels system B</title> <tgroup cols="4"> <thead> <row> <entry align="center">TYPE</entry> <entry align="center">ZONE</entry> <entry align="center">GATEWAY</entry> <entry align="center">GATEWAY ZONE</entry> </row> </thead> <tbody> <row> <entry>openvpn</entry> <entry>net</entry> <entry>206.191.148.9</entry> <entry></entry> </row> </tbody> </tgroup> </table> <para>And in the OpenVPN config on system B:</para> <programlisting>dev tun local 134.28.54.2 remote 206.162.148.9 ifconfig 192.168.99.2 192.168.99.1 up ./route-b.up tls-client ca ca.crt cert my-b.crt key my-b.key comp-lzo verb 5</programlisting> <para>You will need to allow traffic between the <quote>vpn</quote> zone and the <quote>loc</quote> zone on both systems -- if you simply want to admit all traffic in both directions, you can use the policy file:</para> <table> <title>/etc/shorewall/policy system A & B</title> <tgroup cols="4"> <thead> <row> <entry align="center">SOURCE</entry> <entry align="center">DEST</entry> <entry align="center">POLICY</entry> <entry align="center">LOG LEVEL</entry> </row> </thead> <tbody> <row> <entry>loc</entry> <entry>vpn</entry> <entry>ACCEPT</entry> <entry></entry> </row> <row> <entry>vpn</entry> <entry>loc</entry> <entry>ACCEPT</entry> <entry></entry> </row> </tbody> </tgroup> </table> <para>On both systems, restart Shorewall and start OpenVPN. The systems in the two masqueraded subnetworks can now talk to each other.</para> </section> </article>