Update OPENVPN to use 'route' command rather than 'up' command

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3712 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2006-03-22 22:38:38 +00:00
parent cd6664d4dd
commit 59686cabbf
3 changed files with 50 additions and 27 deletions


@ -21,7 +21,7 @@
</author>
</authorgroup>
<pubdate>2006-03-19</pubdate>
<pubdate>2006-03-21</pubdate>
<copyright>
<year>2003</year>
@ -181,7 +181,7 @@ openvpn:tcp:7777 net 134.28.54.2</programlisting>
local 206.162.148.9
remote 134.28.54.2
ifconfig 192.168.99.1 192.168.99.2
up ./route-a.up
route 10.0.0.0 255.0.0.0 192.168.99.2
tls-server
dh dh1024.pem
ca ca.crt
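Review bot: the `route 10.0.0.0 255.0.0.0 192.168.99.2` line replaces `up ./route-a.up`, so any remaining prose or listing in this document that shows or refers to route-a.up should go in the same change, otherwise readers will look for a script the example no longer uses. The gateway 192.168.99.2 matches the peer address from the `ifconfig 192.168.99.1 192.168.99.2` line above, which is the right next hop for a point-to-point tun link; a route installed through the `route` directive is also withdrawn by OpenVPN when the tunnel closes, which an up script alone does not do without a matching down script.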
@ -217,7 +217,7 @@ openvpn net 206.191.148.9</programlisting>
local 134.28.54.2
remote 206.162.148.9
ifconfig 192.168.99.2 192.168.99.1
up ./route-b.up
route 192.168.1.0 255.255.255.0 192.168.99.1
tls-client
ca ca.crt
cert my-b.crt
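Review bot: the client-side `route 192.168.1.0 255.255.255.0 192.168.99.1` mirrors the server hunk (the gateway is the peer address from `ifconfig 192.168.99.2 192.168.99.1`), and the same stale-reference check applies to route-b.up. A sentence in the text would help readers: because the route now exists only while the tunnel is established, traffic for 192.168.1.0/24 follows the default route whenever the VPN is down unless a firewall rule stops it.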


@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2006-03-20</pubdate>
<pubdate>2006-03-21</pubdate>
<copyright>
<year>2006</year>
@ -110,7 +110,8 @@
<para><filename class="devicefile">eth0</filename> -- conntected to
the switch in my office. That switch is cabled to a second switch in
my wife's office where there is my wife's desktop and her networked
printer.</para>
printer (sure which there had been wireless back when I strung that
CAT-5 cable halfway across the house).</para>
</listitem>
<listitem>
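Review bot: the added text reads "sure which there had been wireless" where "sure wish there had been wireless" is meant, and the unchanged context line above still has "conntected" for "connected"; both are worth fixing while this paragraph is being touched.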
@ -279,7 +280,7 @@ done</programlisting>
</section>
<section id="Dom0">
<title>Dom0 Shorewall Configuration</title>
<title>Dom0 Configuration</title>
<para>The goals for the Shorewall configuration in Dom0 are as
follows:</para>
@ -349,7 +350,7 @@ SECTION NEW
</section>
<section id="Firewall">
<title>Firewall DomU Shorewall Configuration</title>
<title>Firewall DomU Configuration</title>
<para>In the firewall DomU, I run a conventional three-interface
firewall with Proxy ARP DMZ -- it is very similar to the firewall
@ -493,7 +494,10 @@ vpn tun+ -
206.124.146.180 $EXT_IF 192.168.1.6 No No
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
<para><filename>/etc/shorewall/masq</filename>:</para>
<para><filename>/etc/shorewall/masq (Note the cute drick here and in
the <filename>proxyarp</filename> file that follows that allows me to
access the DSL "Modem" using it's default IP address
(192.168.1.1))</filename>:</para>
<programlisting>#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
+$EXT_IF:192.168.1.1 0.0.0.0/0 192.168.1.254
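Review bot: markup problem in the replacement `<para>`: `</filename>` now closes after the whole parenthetical, so the sentence "Note the cute drick ..." is marked up as part of the file name and will render in the filename style; the nested `<filename>proxyarp</filename>` inside it is a second symptom of the element being opened too wide. Close the element directly after `/etc/shorewall/masq` and keep the note outside it, and while here change "drick" to "trick" and "it's default IP address" to "its default IP address".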
@ -697,18 +701,20 @@ DROP net:82.96.96.3 all
<section id="Wireless">
<title>Wireless Gateway DomU Configuration</title>
<para>The Shorewall configuration in the 'wireless' DomU is very
simple-minded. It's sole purpose is to protect the local network from
the Wireless net by restricting wireless access to clients that have
established an <ulink url="OPENVPN.html">OpenVPN</ulink> Bridged
connection. This configuration illustrates that you can use any Linux
system on your internal LAN as a wireless gateway -- it doesn't have to
be your main firewall (and it doesn't have to run in a Xen domain
either). The wireless gateway runs a DHCP server that assigns wireless
hosts an IP address in 192.168.3.0/24 -- The OpenVPN server running on
the gateway assigns its clients an IP address in 192.168.1.0/24 so,
thanks to bridging, these clients appear to be physically attached to
the LAN).</para>
<para>The Shorewall configuration in the 'wireless' DomU is very simple.
It's sole purpose is to protect the local network from the Wireless net
by restricting wireless access to clients that have established an
<ulink url="OPENVPN.html">OpenVPN</ulink> Bridged connection. This
configuration illustrates that you can use any system on your internal
LAN as a wireless gateway -- it doesn't have to be your main firewall
(and it doesn't have to run in a Xen domain either and it doesn't even
have to run Linux). Our wireless gateway runs a DHCP server that assigns
wireless hosts an IP address in 192.168.3.0/24 -- The OpenVPN server
running on the gateway assigns its clients an IP address in
192.168.1.0/24 so, thanks to bridging, these clients appear to be
physically attached to the LAN). That allows our two laptops to have the
same IP address in 192.168.1.0/24 regardless of whether they are
connected to the LAN directory or are connected wirelessly.</para>
<graphic align="center" fileref="images/Xen6.png" />
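Review bot: two errors survive the rewrite of this paragraph: "It's sole purpose" should be "Its sole purpose", and "connected to the LAN directory" should be "connected to the LAN directly". The closing parenthesis in "attached to the LAN)." has no opening one in either the old or the new text; the parenthetical presumably starts at "The OpenVPN server running on the gateway", so either open it there or drop the stray ")".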
@ -926,7 +932,8 @@ loc br0 192.168.1.255 dhcp,routeback
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
</programlisting>
<para><filename>/etc/shorewall/policy</filename>:</para>
<para><filename>/etc/shorewall/policy</filename> (again, note the use
of an ACCEPT all-&gt;all policy):</para>
<programlisting>#SOURCE DEST POLICY LOG LIMIT:BURST
# LEVEL
@ -953,8 +960,24 @@ ACCEPT eth4 00:0f:66:ef:b6:f6 192.168.3.8
ACCEPT eth4 00:12:79:3d:fe:2e 192.168.3.6 #Work Laptop
ACCEPT eth4 - 192.168.3.254 #Broadcast/Multicast from us
DROP:info eth4 - 192.168.3.0/24
DROP:info eth4 - 169.254.0.0/16 #Stop autoconfigured hosts.
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
<para>The routing table on the wireless gateway is as follows:</para>
<blockquote>
<programlisting>192.168.3.0/24 dev eth4 proto kernel scope link src 192.168.3.254
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.7
169.254.0.0/16 dev eth4 scope link
127.0.0.0/8 dev lo scope link
default via 192.168.1.254 dev br0</programlisting>
</blockquote>
<para>The route to 169.254.0.0/16 is automatically generated by the
SuSE network scripts so I include that network in the
<filename>/etc/shorewall/maclist</filename> file for
completeness.</para>
<para><filename>/etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
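Review bot: the explanation for the new `DROP:info eth4 - 169.254.0.0/16` entry says it is included "for completeness", but it has a concrete effect worth stating: a wireless host that fails to obtain a DHCP lease self-assigns a 169.254.x.x address, and this line makes such senders on eth4 get logged at info level and dropped, the same treatment the `192.168.3.0/24` catch-all line gives unknown hosts, rather than leaving them to the default disposition for unmatched addresses.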
@ -962,6 +985,7 @@ DROP:info eth4 - 192.168.3.0/24
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
ACCEPT Wifi loc:192.168.1.5 udp 123 #Allow NTP before OpenVPN is up.
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
</blockquote>
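Review bot: the new `ACCEPT Wifi loc:192.168.1.5 udp 123` rule is properly narrowed to one server and one port, but its comment "Allow NTP before OpenVPN is up" describes a condition the rule does not enforce: it permits NTP from any Wifi host at any time, not only before the tunnel exists. The comment should say so, so readers do not assume the exception closes once the VPN is connected.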
@ -970,10 +994,9 @@ SECTION NEW
<blockquote>
<para><filename>/etc/openvpn/server-bridge</filename> (Note that I
prefer to push two /1 routes rather than to use the <emphasis
role="bold">redirect-gateway</emphasis> directive on the client
systems; I find that the latter occasionally leaves the remote system
with <emphasis role="bold">no</emphasis> default gateway while my
approach always works):</para>
role="bold">redirect-gateway</emphasis> directive; I find that the
latter occasionally leaves the remote system with <emphasis
role="bold">no</emphasis> default gateway):</para>
<programlisting>dev tap0
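Review bot: the shortened note drops "on the client systems", so it no longer says where `redirect-gateway` would have been configured; consider keeping that phrase so readers understand that the two pushed /1 routes in the server file are the server-side replacement for a client-side directive.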
@ -1012,7 +1035,7 @@ verb 3
push "route 0.0.0.0 128.0.0.0 192.168.1.254"
push "route 128.0.0.0 128.0.0.0 192.168.1.254"</programlisting>
<para><filename>/etc/openvpn/bridge-clients/tipper.shorewall.net</filename>
<para><filename>/etc/bridge-clients/tipper.shorewall.net</filename>
(used to assign a fixed IP address to clients -- there are other
similar files in this directory):</para>
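Review bot: the path moves from /etc/openvpn/bridge-clients/tipper.shorewall.net to /etc/bridge-clients/tipper.shorewall.net, taking the per-client directory out of /etc/openvpn while the server file in the previous hunk stays at /etc/openvpn/server-bridge. Confirm the change is deliberate and that the directory the server configuration names for per-client files uses the same path; if the two disagree, the fixed address assignment this paragraph describes silently stops applying.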