2004-02-14 19:06:39 +01:00
|
|
|
<?xml version="1.0" encoding="UTF-8"?>
|
|
|
|
|
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
|
|
|
|
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
|
|
|
|
|
<article id="OPENVPN">
|
|
|
|
|
<!--$Id$-->
|
|
|
|
|
|
|
|
|
|
<articleinfo>
|
|
|
|
|
<title>OpenVPN Tunnels</title>
|
|
|
|
|
|
|
|
|
|
<authorgroup>
|
|
|
|
|
<author>
|
|
|
|
|
<firstname>Tom</firstname>
|
|
|
|
|
|
|
|
|
|
<surname>Eastep</surname>
|
|
|
|
|
</author>
|
|
|
|
|
|
|
|
|
|
<author>
|
|
|
|
|
<firstname>Simon</firstname>
|
|
|
|
|
|
|
|
|
|
<surname>Mater</surname>
|
|
|
|
|
</author>
|
|
|
|
|
</authorgroup>
|
|
|
|
|
|
2004-10-14 21:20:17 +02:00
|
|
|
<pubdate>2004-10-12</pubdate>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
|
|
|
|
<copyright>
|
|
|
|
|
<year>2003</year>
|
|
|
|
|
|
|
|
|
|
<holder>Thomas M. Eastep</holder>
|
|
|
|
|
|
|
|
|
|
<holder>Simon Mater</holder>
|
|
|
|
|
</copyright>
|
|
|
|
|
|
|
|
|
|
<legalnotice>
|
|
|
|
|
<para>Permission is granted to copy, distribute and/or modify this
|
|
|
|
|
document under the terms of the GNU Free Documentation License, Version
|
|
|
|
|
1.2 or any later version published by the Free Software Foundation; with
|
|
|
|
|
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
|
|
|
|
Texts. A copy of the license is included in the section entitled
|
2004-09-24 00:50:12 +02:00
|
|
|
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
|
|
|
|
License</ulink></quote>.</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
</legalnotice>
|
|
|
|
|
</articleinfo>
|
|
|
|
|
|
|
|
|
|
<para>OpenVPN is a robust and highly configurable VPN (Virtual Private
|
|
|
|
|
Network) daemon which can be used to securely link two or more private
|
|
|
|
|
networks using an encrypted tunnel over the internet. OpenVPN is an Open
|
|
|
|
|
Source project and is <ulink
|
2004-09-24 00:50:12 +02:00
|
|
|
url="http://openvpn.sourceforge.net/license.html">licensed under the
|
|
|
|
|
GPL</ulink>. OpenVPN can be downloaded from <ulink
|
|
|
|
|
url="http://openvpn.sourceforge.net/">http://openvpn.sourceforge.net/</ulink>.</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
|
|
|
|
<para>OpenVPN support was added to Shorewall in version 1.3.14.</para>
|
|
|
|
|
|
|
|
|
|
<section>
|
|
|
|
|
<title>Bridging two Masqueraded Networks</title>
|
|
|
|
|
|
|
|
|
|
<para>Suppose that we have the following situation:</para>
|
|
|
|
|
|
|
|
|
|
<graphic fileref="images/TwoNets1.png" />
|
|
|
|
|
|
|
|
|
|
<para>We want systems in the 192.168.1.0/24 subnetwork to be able to
|
|
|
|
|
communicate with the systems in the 10.0.0.0/8 network. This is
|
2004-09-24 00:50:12 +02:00
|
|
|
accomplished through use of the
|
|
|
|
|
<filename>/etc/shorewall/tunnels</filename> file and the
|
|
|
|
|
<filename>/etc/shorewall/policy file</filename> and OpenVPN.</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
|
|
|
|
<para>While it was possible to use the Shorewall start and stop script to
|
|
|
|
|
start and stop OpenVPN, I decided to use the init script of OpenVPN to
|
|
|
|
|
start and stop it.</para>
|
|
|
|
|
|
|
|
|
|
<para>On each firewall, you will need to declare a zone to represent the
|
2004-09-24 00:50:12 +02:00
|
|
|
remote subnet. We'll assume that this zone is called <quote>vpn</quote>
|
|
|
|
|
and declare it in <filename>/etc/shorewall/zones</filename> on both
|
|
|
|
|
systems as follows.</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2004-09-24 00:50:12 +02:00
|
|
|
<blockquote>
|
|
|
|
|
<para><filename>/etc/shorewall/zones</filename> — Systems A &
|
|
|
|
|
B</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2004-09-24 00:50:12 +02:00
|
|
|
<programlisting>#ZONE DISPLAY COMMENTS
|
|
|
|
|
vpn VPN Remote subnet</programlisting>
|
|
|
|
|
</blockquote>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2004-09-24 00:50:12 +02:00
|
|
|
<para>On system A, the 10.0.0.0/8 will comprise the <emphasis
|
|
|
|
|
role="bold">vpn</emphasis> zone.</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2004-09-24 00:50:12 +02:00
|
|
|
<blockquote>
|
|
|
|
|
<para>In <filename>/etc/shorewall/interfaces</filename> on system
|
|
|
|
|
A:</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2004-09-24 00:50:12 +02:00
|
|
|
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
|
|
|
|
vpn tun0</programlisting>
|
|
|
|
|
</blockquote>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2004-09-24 00:50:12 +02:00
|
|
|
<para>In <filename>/etc/shorewall/tunnels</filename> on system A, we need
|
|
|
|
|
the following:</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2004-09-24 00:50:12 +02:00
|
|
|
<blockquote>
|
|
|
|
|
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
|
|
|
|
|
openvpn net 134.28.54.2</programlisting>
|
|
|
|
|
</blockquote>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2004-09-24 00:50:12 +02:00
|
|
|
<note>
|
|
|
|
|
<para>Some OpenVPN clients (notabley on <trademark>Windows</trademark>)
|
|
|
|
|
do not use the same source and destination ports which can cause
|
2004-10-14 21:20:17 +02:00
|
|
|
problems. If system B is a Windows system or if you find that Shorewall
|
|
|
|
|
is blocking the UDP port 5000 traffic from the remote gateway, then you
|
|
|
|
|
will want the following entry in
|
|
|
|
|
<filename>/etc/shorewall/tunnels</filename> instead of the one
|
2004-09-24 00:50:12 +02:00
|
|
|
above:</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2004-09-24 00:50:12 +02:00
|
|
|
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
|
|
|
|
|
generic:udp:5000 net 134.28.54.2</programlisting>
|
|
|
|
|
</note>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2004-09-24 00:50:12 +02:00
|
|
|
<para>This entry in <filename>/etc/shorewall/tunnels</filename> opens the
|
|
|
|
|
firewall so that OpenVPN traffic on the default port 5000/udp will be
|
|
|
|
|
accepted to/from the remote gateway. If you change the port used by
|
|
|
|
|
OpenVPN to 7777, you can define /etc/shorewall/tunnels like this:</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2004-09-24 00:50:12 +02:00
|
|
|
<blockquote>
|
2004-09-30 17:30:35 +02:00
|
|
|
<para>/etc/shorewall/tunnels with port 7777:</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2004-09-24 00:50:12 +02:00
|
|
|
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
|
2004-09-30 17:30:35 +02:00
|
|
|
openvpn:7777 net 134.28.54.2</programlisting>
|
2004-09-24 00:50:12 +02:00
|
|
|
</blockquote>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
|
|
|
|
<para>This is the OpenVPN config on system A:</para>
|
|
|
|
|
|
2004-09-24 00:50:12 +02:00
|
|
|
<blockquote>
|
|
|
|
|
<programlisting>dev tun
|
2004-02-14 19:06:39 +01:00
|
|
|
local 206.162.148.9
|
|
|
|
|
remote 134.28.54.2
|
|
|
|
|
ifconfig 192.168.99.1 192.168.99.2
|
|
|
|
|
up ./route-a.up
|
|
|
|
|
tls-server
|
|
|
|
|
dh dh1024.pem
|
|
|
|
|
ca ca.crt
|
|
|
|
|
cert my-a.crt
|
|
|
|
|
key my-a.key
|
|
|
|
|
comp-lzo
|
|
|
|
|
verb 5</programlisting>
|
2004-09-24 00:50:12 +02:00
|
|
|
</blockquote>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
|
|
|
|
<para>Similarly, On system B the 192.168.1.0/24 subnet will comprise the
|
2004-09-24 00:50:12 +02:00
|
|
|
<emphasis role="bold">vpn</emphasis> zone</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2004-09-24 00:50:12 +02:00
|
|
|
<blockquote>
|
|
|
|
|
<para>In <filename>/etc/shorewall/interfaces</filename> on system
|
|
|
|
|
B:</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2004-09-24 00:50:12 +02:00
|
|
|
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
|
|
|
|
vpn tun0 192.168.1.255</programlisting>
|
|
|
|
|
</blockquote>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2004-09-24 00:50:12 +02:00
|
|
|
<para>In <filename>/etc/shorewall/tunnels</filename> on system B, we
|
|
|
|
|
have:</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2004-09-24 00:50:12 +02:00
|
|
|
<blockquote>
|
|
|
|
|
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
|
|
|
|
|
openvpn net 206.191.148.9</programlisting>
|
|
|
|
|
</blockquote>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
|
|
|
|
<para>And in the OpenVPN config on system B:</para>
|
|
|
|
|
|
2004-09-24 00:50:12 +02:00
|
|
|
<blockquote>
|
|
|
|
|
<programlisting>dev tun
|
2004-02-14 19:06:39 +01:00
|
|
|
local 134.28.54.2
|
|
|
|
|
remote 206.162.148.9
|
|
|
|
|
ifconfig 192.168.99.2 192.168.99.1
|
|
|
|
|
up ./route-b.up
|
|
|
|
|
tls-client
|
|
|
|
|
ca ca.crt
|
|
|
|
|
cert my-b.crt
|
|
|
|
|
key my-b.key
|
|
|
|
|
comp-lzo
|
|
|
|
|
verb 5</programlisting>
|
2004-09-24 00:50:12 +02:00
|
|
|
</blockquote>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
|
|
|
|
<para>You will need to allow traffic between the <quote>vpn</quote> zone
|
|
|
|
|
and the <quote>loc</quote> zone on both systems -- if you simply want to
|
|
|
|
|
admit all traffic in both directions, you can use the policy file:</para>
|
|
|
|
|
|
2004-09-24 00:50:12 +02:00
|
|
|
<blockquote>
|
|
|
|
|
<para><filename>/etc/shorewall/policy </filename>on systems A &
|
|
|
|
|
B</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2004-09-24 00:50:12 +02:00
|
|
|
<programlisting>#SOURCE DEST POLICY LOG LEVEL
|
|
|
|
|
loc vpn ACCEPT
|
|
|
|
|
vpn loc ACCEPT</programlisting>
|
|
|
|
|
</blockquote>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
|
|
|
|
<para>On both systems, restart Shorewall and start OpenVPN. The systems in
|
|
|
|
|
the two masqueraded subnetworks can now talk to each other.</para>
|
|
|
|
|
</section>
|
|
|
|
|
</article>
|
