Hello,

hope someone can help me with the following problem. I want to create an OpenVPN tunnel between 192.168.1.248 and 192.168.20.248. The problem: the OpenVPN tunnel has only one interface and should route the internal network.

Network1
||192.168.1.248||----||192.168.1.247-10.1.1.1||----||10.1.1.254-WAN-IP||---->INTERNET

Network2
||192.168.20.248||----||192.168.20.247-10.1.1.1||----||10.1.1.254-WAN-IP||---->INTERNET

If I create a host route on both sides so that one VPN server can reach the other one directly, everything works fine, except I can't reach the VPN server 192.168.1.248 from 192.168.20.0/24 and the VPN server 192.168.20.248 from 192.168.1.0/24, because of the host route.

So I thought I would only route port 1194 (OpenVPN) directly to the other side (via the default gateway); everything else should go over the OpenVPN tunnel.

Now to the question :-): is it possible with Shorewall, and if yes, how can it be done?

I already found the following with help from LARTC:
- Create another routing table in /etc/iproute2/rt_table
  1 vpngw1
- Add a routing entry to the new table:
  ip route add default via 192.168.20.247 dev eth0 table vpngw1
- Create an iptables rule:
  iptables -A PREROUTING -t mangle -i eth0 -p tcp --dport 1194 -j MARK --set-mark 1
- Create an ip rule:
  ip rule add from all fwmark 1 table vpngw1

So I thought packets from the VPN server to the other side would get marked and use the routing table vpngw1, and everything else should go over the OpenVPN tunnel.

But it doesn't work as expected.

Hope someone can help me.

Thanks
Stefan D.

------------------------------------------------------------------------------
Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA
-OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise
-Strategies to boost innovation and cut costs with open source participation
-Receive a $600 discount off the registration fee with the source code: SFAD
http://p.sf.net/sfu/XcvMzF8H
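The policy-routing idea in the post above (mark the OpenVPN packets, send marked packets through a second table whose default route is the LAN gateway, leave everything else to the tunnel) can be set up by hand with ip and iptables. The script below is an added example for this thread, not Stefan's configuration and not Shorewall's own code. It assumes the site-2 server from the diagram: eth0 is the LAN interface, 192.168.20.247 the local LAN gateway, 192.168.1.248 the remote OpenVPN endpoint, OpenVPN running over UDP (its default; set VPN_PROTO=tcp if the config says `proto tcp`), and routing table id 1 and fwmark 1 unused. The two points it illustrates that the posted rule set does not: packets the server itself originates never traverse the PREROUTING chain, so the mark has to be set in mangle OUTPUT; and the peer's replies arrive on eth0 from an address the main table says lives behind tun0, so they need handling for the reverse-path check.

```shell
#!/bin/sh
# Added example for the thread above (not Stefan's or Shorewall's own code).
# Route only this host's OpenVPN packets to the peer via the LAN gateway,
# using a second routing table selected by a firewall mark.
#
# Assumptions (override via environment variables): eth0 = LAN interface,
# 192.168.20.247 = local LAN gateway, 192.168.1.248 = remote OpenVPN endpoint,
# UDP 1194, table id 1 and mark 1 unused.  A name for the table may be added to
# /etc/iproute2/rt_tables (note the trailing "s"), but the numeric id works as is.

LAN_IF=${LAN_IF:-eth0}
LAN_GW=${LAN_GW:-192.168.20.247}
PEER=${PEER:-192.168.1.248}
VPN_PORT=${VPN_PORT:-1194}
VPN_PROTO=${VPN_PROTO:-udp}
TABLE_ID=${TABLE_ID:-1}
MARK=${MARK:-1}

# Execute a command, or with DRY_RUN=1 print it instead (review mode; also the
# only mode that works without root).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

setup_vpn_bypass() {
    # 1. Second table whose only job is "send everything to the LAN gateway".
    run ip route replace default via "$LAN_GW" dev "$LAN_IF" table "$TABLE_ID"

    # 2. Marked packets consult that table before the main one.  Delete a stale
    #    copy first so re-running the script does not stack identical rules.
    run ip rule del fwmark "$MARK" table "$TABLE_ID" priority 1000 2>/dev/null || true
    run ip rule add fwmark "$MARK" table "$TABLE_ID" priority 1000

    # 3. Mark the OpenVPN packets this host ORIGINATES.  Locally generated
    #    packets do not pass PREROUTING (that chain only sees packets arriving
    #    on an interface), so the mark goes into mangle OUTPUT; when the mark
    #    changed there, the kernel repeats the route lookup, which is what
    #    moves the packet into the bypass table.  Matching the peer address
    #    keeps other port-1194 traffic (e.g. clients reached over the tunnel)
    #    unaffected.
    run iptables -t mangle -A OUTPUT -d "$PEER" -p "$VPN_PROTO" \
        --dport "$VPN_PORT" -j MARK --set-mark "$MARK"

    # 4. Replies: the main table says $PEER lives behind tun0, so with strict
    #    rp_filter on eth0 its packets would be dropped as spoofed.  Give them
    #    the same mark in PREROUTING (which runs before the reverse-path check)
    #    and let the check honour the mark; src_valid_mark exists since Linux
    #    2.6.34, older kernels always used the mark.  Setting
    #    net.ipv4.conf.$LAN_IF.rp_filter=2 (loose mode) is the alternative.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$PEER" -p "$VPN_PROTO" \
        --sport "$VPN_PORT" -j MARK --set-mark "$MARK"
    run sysctl -q -w "net.ipv4.conf.$LAN_IF.src_valid_mark=1"

    # 5. Older kernels cache routing decisions; flush so the rule takes effect.
    run ip route flush cache
}

# Usage:  DRY_RUN=1 sh vpn-bypass.sh apply   (print only)
#         sh vpn-bypass.sh apply             (as root)
case "${1:-}" in
    apply) setup_vpn_bypass ;;
esac
```

The route for the remote LAN (192.168.1.0/24 via tun0) is not touched here; OpenVPN's own `route` directive installs it in the main table, and since the bypass table only ever sees packets carrying the mark, all other traffic still follows that route into the tunnel. In Shorewall the same two pieces are normally declared rather than scripted: a provider entry (a table with a mark and the LAN gateway) in /etc/shorewall/providers, and a mark rule with SOURCE `$FW` in /etc/shorewall/tcrules so that it lands in the OUTPUT chain; check the exact column layout against the shorewall-providers(5) and shorewall-tcrules(5) man pages for the version in use.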
No idea/hint?

Stefan Drees wrote:
> Hello,
>
> hope someone can help me with the following problem. I want to create an
> OpenVPN tunnel between 192.168.1.248 and 192.168.20.248. The problem: the
> OpenVPN tunnel has only one interface and should route the internal network.
>
> Network1
> ||192.168.1.248||----||192.168.1.247-10.1.1.1||----||10.1.1.254-WAN-IP||---->INTERNET
>
> Network2
> ||192.168.20.248||----||192.168.20.247-10.1.1.1||----||10.1.1.254-WAN-IP||---->INTERNET
>
> If I create a host route on both sides so that one VPN server can reach the
> other one directly, everything works fine, except I can't reach the VPN
> server 192.168.1.248 from 192.168.20.0/24 and the VPN server 192.168.20.248
> from 192.168.1.0/24, because of the host route.
>
> So I thought I would only route port 1194 (OpenVPN) directly to the other
> side (via the default gateway); everything else should go over the OpenVPN
> tunnel.
>
> Now to the question :-): is it possible with Shorewall, and if yes, how can
> it be done?
>
> I already found the following with help from LARTC:
> - Create another routing table in /etc/iproute2/rt_table
>   1 vpngw1
> - Add a routing entry to the new table:
>   ip route add default via 192.168.20.247 dev eth0 table vpngw1
> - Create an iptables rule:
>   iptables -A PREROUTING -t mangle -i eth0 -p tcp --dport 1194 -j MARK --set-mark 1
> - Create an ip rule:
>   ip rule add from all fwmark 1 table vpngw1
>
> So I thought packets from the VPN server to the other side would get marked
> and use the routing table vpngw1, and everything else should go over the
> OpenVPN tunnel.
>
> But it doesn't work as expected.
>
> Hope someone can help me.
>
> Thanks
> Stefan D.
Stefan Drees wrote:
> No idea/hint?

I didn't understand the problem so I was unable to offer any solution.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,            \ died peacefully in his sleep. Not screaming like
Washington, USA       \ all of the passengers in his car
http://shorewall.net  \________________________________________________