Add openvpn tunnel support

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@426 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall/changelog.txt

@@ -13,3 +13,9 @@ Changes since 1.3.13
    /etc/shorewall/masq.
 
 6. Restore $dev.$vid naming of VLAN interfaces.
+
+7. Updated copyrights for 2003.
+
+8. Added support for openvpn tunnels on arbitrary ports
+
+9. Added support for openvpn with NAT on the other end.

Shorewall/firewall

@@ -1424,6 +1424,29 @@ setup_tunnels() # $1 = name of tunnels file
 	echo "   PPTP server defined."
     }
 
+    setup_one_openvpn() # $1 = gateway, $2 = kind
+    {
+	case $2 in
+	    *:*)
+		p=${2#*:}
+		;;
+	    *)
+		p=5000
+		;;
+	esac
+
+	if [ $3 = openvpn ]; then
+	    sport="--sport $p"
+	else
+	    sport=
+	fi
+
+	addrule $inchain  -p udp -s $1 $sport --dport $p -j ACCEPT
+	addrule $outchain -p udp -d $1 $sport --dport $p -j ACCEPT
+
+	echo "   OPENVPN tunnel to $1:$p defined."
+    }
+
     strip_file tunnels $1
 
     while read kind z gateway z1; do
@@ -1451,6 +1474,12 @@ setup_tunnels() # $1 = name of tunnels file
 		pptpserver|PPTPSERVER)
 		    setup_pptp_server
 		    ;;
+		openvpn*|OPENVPN*)
+		    setup_one_openvpn $gateway $kind openvpn
+		    ;;
+		openvpnnat*|OPENVPNNAT*)
+		    setup_one_openvpn $gateway $kind openvpnnat
+		    ;;
 		*)
 		    error_message "Tunnels of type $kind are not supported:" \
 			"Tunnel \"$tunnel\" Ignored"

Shorewall/releasenotes.txt

@@ -24,7 +24,10 @@ New features include:
    convention (e.g., "eth0.0") has been restored. This capability was
    inadvertently broken in version 1.3.12.
 
-4) When an interface name is entered in the SUBNET column of the
+4) Support has been added for defining OpenVPN tunnels in the
+   /etc/shorewall/tunnels file.
+
+5) When an interface name is entered in the SUBNET column of the
    /etc/shorewall/masq file, Shorewall previously masqueraded traffic
    from only the first subnet defined on that interface. It did not
    masquerade traffic from:

Shorewall/tunnels

@@ -1,16 +1,22 @@
 #
 # Shorewall 1.3 - /etc/shorewall/tunnels
 #
-#	This file defines IPSEC, GRE and IPIP tunnels.
+#	This file defines IPSEC, GRE, IPIP and OPENVPN tunnels.
 #
-#	IPIP and GRE tunnels must be configured on the firewall/gateway itself.
+#	IPIP, GRE and OPENVPN tunnels must be configured on the
-#	IPSEC endpoints may be defined on the firewall/gateway or on an
+#	firewall/gateway itself. IPSEC endpoints may be defined
-#	internal system.
+#	on the firewall/gateway or on an internal system.
 #
 #	The columns are:
 #
 #	TYPE	    --	must start in column 1 and be "ipsec", "ipsecnat","ip"
-#			"gre","pptpclient" or "pptpserver"
+#			"gre", "pptpclient", "pptpserver", "openvpn" or
+#			"openvpnnat"
+#
+#			If type is "openvpn" or "openvpnnam", it may optionally
+#			be followed by ":" and the port number used by the
+#			tunnel. If no ":" and port number are included, then
+#			the default port of 5000 will be used
 #
 #	ZONE	    --	The zone of the physical interface through which
 #			tunnel traffic passes. This is normally your internet
@@ -20,10 +26,12 @@
 #			remote getway has no fixed address (Road Warrior)
 #			then specify the gateway as 0.0.0.0/0.
 #
-#	GATEWAY ZONES --	Optional. If the gateway system specified in the third
+#	GATEWAY 
+#	ZONES --	Optional. If the gateway system specified in the third
 #			column is a standalone host then this column should
-#			contain a comma-separated list of the names of the zones that
+#			contain a comma-separated list of the names of the
-#			the host might be in. This column only applies to IPSEC tunnels.
+#			zones that the host might be in. This column only
+#			applies to IPSEC tunnels.
 #
 #		Example 1:
 #
@@ -71,5 +79,12 @@
 #
 #			pptpserver	net
 #
-# TYPE			ZONE	GATEWAY		GATEWAY ZONE
+#		Example 7:
+#
+#			OPENVPN tunnel. The remote gateway is 4.33.99.124 and
+#			openvpn uses port 7777.
+#
+#			openvpn:7777	net	4.33.99.124
+#
+# TYPE			ZONE	GATEWAY		GATEWAY ZONE	PORT
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE