Shorewall users - Jul 2008 - Routing through an openvpn tunnel.

Folk,

A tunnel as described in openvpn.man, Example  2 
works between my home 10.4.0.1 and work 10.4.0.2 
machines.
"ping 10.4.0.1" from 10.4.0.2
and 
"ping 10.4.0.2" from 10.4.0.1
succeed as expected.

10.4.0.1 and peasthope.yi.org both refer to the 
machine at home where mail is accumulated by fetchmail.
A machine on the LAN connected to 10.4.0.2 can 
retrieve mail from peasthope.yi.org via the Internet.
But, of course, I prefer to retrieve through the tunnel.

As I understand, the section of openvpn.man entitled 
"Routing" addresses this, but here, routing should be 
specified using shorewall rather than the iptables 
command in openvpn.man.  I''ve read 
http://www.shorewall.net/OPENVPN.html
and remain uncertain about routing.
Are the policies
#SOURCE        DEST          POLICY          LOG LEVEL
loc            vpn           ACCEPT
vpn            loc           ACCEPT
sufficient to get the routing?
Is routing a separate matter?

Thanks,                 ... Peter E.

-- 
http://members.shaw.ca/peasthope/
http://carnot.yi.org/ = http://carnot.pathology.ubc.ca/



-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer''s
challenge
Build the coolest Linux based applications with Moblin SDK & win great
prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/

PETER EASTHOPE wrote:
> Folk,
> 
> A tunnel as described in openvpn.man, Example  2 
> works between my home 10.4.0.1 and work 10.4.0.2 
> machines.
> "ping 10.4.0.1" from 10.4.0.2
> and 
> "ping 10.4.0.2" from 10.4.0.1
> succeed as expected.
> 
> 10.4.0.1 and peasthope.yi.org both refer to the 
> machine at home where mail is accumulated by fetchmail.
> A machine on the LAN connected to 10.4.0.2 can 
> retrieve mail from peasthope.yi.org via the Internet.
> But, of course, I prefer to retrieve through the tunnel.
> 
> As I understand, the section of openvpn.man entitled 
> "Routing" addresses this, but here, routing should be 
> specified using shorewall rather than the iptables 
> command in openvpn.man.
No and no. You don''t specify routing in Shorewall or using iptables.
You
specify routing via OpenVPN.
> I''ve read 
> http://www.shorewall.net/OPENVPN.html
> and remain uncertain about routing.
> Are the policies
> #SOURCE        DEST          POLICY          LOG LEVEL
> loc            vpn           ACCEPT
> vpn            loc           ACCEPT
> sufficient to get the routing?
No.
> Is routing a separate matter?
Yes

There are only two cases where Shorewall gets involved in routing:

a) Entry in /etc/shorewall/proxy_arp with the NOROUTE column set to
''Yes''.
Shorewall will create a host route to the internal system.
b) Entry in /etc/shorewall/providers. Shorewall creates an additional 
routing table and some rules and may replace the default route in the main 
table.

Again, those are the only instances where Shorewall is involved in route 
configuration. Please see http://www.shorewall.net/Shorewall_and_Routing.html.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer''s
challenge
Build the coolest Linux based applications with Moblin SDK & win great
prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/