Hi,

I'm experimenting with openvpn bridging, I would like to use it for roadwarriors. I'm using a test machine and I have the following situation:

    net
     |
     |
     |
     fw
     |
     |
    loc

fw has two ethernet cards:

eth0 192.168.31.128
eth1 10.5.0.1 (this is the address in non-bridged conditions, it is unconfigured when I set up the bridge)

following the openvpn readme I set up a bridge with the following script:

#!/bin/bash
modprobe tun
modprobe bridge
openvpn --mktun --dev tap0
openvpn --mktun --dev tap1
brctl addbr br0
brctl addif br0 eth1
brctl addif br0 tap0
ifconfig tap0 0.0.0.0 promisc up
ifconfig eth1 0.0.0.0 promisc up
ifconfig br0 10.5.0.1 netmask 255.255.255.0 broadcast 10.5.0.255

In this example I'm able to bridge a vpn client identified by tap0. I configure openvpn with the following main script:

local 192.168.31.128
port 8888
dev tap0
# crypto config
secret key.txt
# restart control
persist-key
persist-tun
ping-timer-rem
ping-restart 60
ping 10
# compression
comp-lzo
# UID
user nobody
group nobody
# verbosity
verb 3

and I use a similar script for the windows client.

If I work in a non-firewalled environment bridging works fine, now I want to use this setup with shorewall. The openvpn readme suggests the following iptables rules:

iptables -A INPUT -i tap+ -j ACCEPT
iptables -A INPUT -i br0 -j ACCEPT
iptables -A FORWARD -i br0 -j ACCEPT

can you help me to do a complete shorewall setup? If it is possible I would like also to set up the br0 interface using shorewall and not the script I posted,

thanks
Nicola
On Wed, 2004-12-22 at 18:42 +0100, Nicola Murino wrote:

> can you help me to do a complete shorewall setup?

If you are asking us to design and write your Shorewall configuration for you, then the answer is no.

> If it is possible I
> would like also setup br0 interface using shorewall and not the script I
> posted,

You set it up just like any other bridge -- see http://shorewall.net/bride.html. Please at least try to do it yourself then if you have specific questions, we will attempt to help you.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
On Wed, 2004-12-22 at 09:48 -0800, Tom Eastep wrote:

> On Wed, 2004-12-22 at 18:42 +0100, Nicola Murino wrote:
>
> > can you help me to do a complete shorewall setup?
>
> If you are asking us to design and write your Shorewall configuration
> for you, then the answer is no.
>
> > If it is possible I
> > would like also setup br0 interface using shorewall and not the script I
> > posted,
>
> You set it up just like any other bridge -- see
> http://shorewall.net/bride.html. Please at least try to do it yourself
> then if you have specific questions, we will attempt to help you.

Note that you can probably get by with just the simple bridge configuration (http://shorewall.net/SimpleBridge.html).

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
>> can you help me to do a complete shorewall setup?
>
> If you are asking us to design and write your Shorewall configuration
> for you, then the answer is no.
>
>> If it is possible I
>> would like also setup br0 interface using shorewall and not the script I
>> posted,
>
> You set it up just like any other bridge -- see
> http://shorewall.net/bride.html. Please at least try to do it yourself
> then if you have specific questions, we will attempt to help you.
>
> -Tom
> -- 
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net
> PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
>

This is a working openvpn/shorewall bridging setup:

two scripts in /etc/bridge:

bridgeon

#!/bin/bash
ifconfig eth1 down
openvpn --mktun --dev tap0
openvpn --mktun --dev tap1
brctl addbr br0
brctl addif br0 eth1
brctl addif br0 tap0
brctl addif br0 tap1
ifconfig tap0 0.0.0.0 promisc up
ifconfig tap1 0.0.0.0 promisc up
ifconfig eth1 0.0.0.0 promisc up
ifconfig br0 10.88.22.253 netmask 255.255.255.0 broadcast 10.88.22.255

bridgeoff

#!/bin/bash
brctl delif br0 eth1
brctl delif br0 tap0
brctl delif br0 tap1
ifconfig br0 down
brctl delbr br0
ifconfig eth1 down
ifconfig tap0 down
openvpn --rmtun --dev tap0
openvpn --rmtun --dev tap1
ifconfig eth1 10.88.22.253 netmask 255.255.255.0 broadcast 10.88.22.255

shorewall side configuration:

tunnels:

openvpn:8888 net 0.0.0.0/0
openvpn:8889 net 0.0.0.0/0

zones:

net Net Internet
loc Local Local networks

no need for a vpn zone, vpn clients are bridged in loc

interfaces:

net eth0 10.88.44.255
loc br0 detect

init:

/etc/bridge/bridgeon
/etc/init.d/openvpn start

stop:

/etc/init.d/openvpn stop
/etc/bridge/bridgeoff

shorewall restart gives an error:

Processing /etc/shorewall/init ...
Thu Dec 23 14:54:41 2004 0: Note: Cannot ioctl TUNSETIFF tap0: Device or resource busy (errno=16)
Thu Dec 23 14:54:41 2004 1: Note: Attempting fallback to kernel 2.2 TUN/TAP interface
Thu Dec 23 14:54:41 2004 2: Cannot open TUN/TAP dev /dev/tap0: No such file or directory (errno=2)
Thu Dec 23 14:54:41 2004 3: Exiting
Thu Dec 23 14:54:41 2004 0: Note: Cannot ioctl TUNSETIFF tap1: Device or resource busy (errno=16)
Thu Dec 23 14:54:41 2004 1: Note: Attempting fallback to kernel 2.2 TUN/TAP interface
Thu Dec 23 14:54:41 2004 2: Cannot open TUN/TAP dev /dev/tap1: No such file or directory (errno=2)
Thu Dec 23 14:54:41 2004 3: Exiting
device br0 already exists; can't create bridge with the same name
device eth1 is already a member of a bridge; can't enslave it to bridge br0.
device tap0 is already a member of a bridge; can't enslave it to bridge br0.
device tap1 is already a member of a bridge; can't enslave it to bridge br0.
 * WARNING: "openvpn" has already been started.

This error is because openvpn is still up when shorewall tries to process the init file; when I issue a shorewall stop, openvpn goes down and so the tap devices are not busy.

I must use shorewall stop && shorewall start if I want to reload my firewall configuration, is there a workaround?

Nicola
On Thu, 23 Dec 2004, Nicola Murino wrote:

>
> I must use shorewall stop && shorewall start if I want reload my firewall
> configuration, there is a workaround?
>

Yes -- abandon the silly idea of configuring your bridge and starting OpenVPN as part of "shorewall start" (and stopping OpenVPN and removing the bridge in "shorewall stop").

a) The bridge should be configured along with your other network devices.
b) OpenVPN should be started after Shorewall has started during bootup.
c) OpenVPN should be stopped before Shorewall is stopped during system shutdown.
d) The bridge should be taken down along with the rest of your network devices during system shutdown.

If you persist in your current path, you need to realize that your 'init' script is invoked at the beginning of the 'start' command and also at the beginning of the 'restart' command! In the latter case, the bridge and OpenVPN are usually already running and you have to make allowances in your script for that. One way is to check $COMMAND -- if it isn't 'start' then don't do anything.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
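An added example of the $COMMAND workaround Tom describes (this is not code from the thread or from Shorewall itself): an /etc/shorewall/init extension script that builds the OpenVPN bridge only on a genuine "start", and skips it when the bridge is already present, so a "restart" never hits the busy tap devices or the existing br0. It assumes Shorewall exports $COMMAND to extension scripts, as Tom states, and reuses the device names and address from Nicola's bridgeon script.

```shell
#!/bin/sh
# /etc/shorewall/init extension (added example, not from the thread or from Shorewall).
# Shorewall runs this file at the start of both "start" and "restart"; $COMMAND says which
# (per Tom's reply). The bridge is built only on a real "start", and only if it does not
# already exist, so a restart leaves the running bridge and OpenVPN untouched.
BRIDGE=br0
LAN_IF=eth1
TAPS="tap0 tap1"
BRIDGE_IP=10.88.22.253          # address, mask and broadcast taken from Nicola's bridgeon
BRIDGE_MASK=255.255.255.0
BRIDGE_BCAST=10.88.22.255

# decide_action CMD BRIDGE_UP -> prints "create" or "skip".
# Pure decision logic, kept apart from the commands that touch the network.
decide_action() {
    case "$1" in
        start)
            if [ "$2" = yes ]; then echo skip; else echo create; fi ;;
        *)
            echo skip ;;        # restart, refresh, stop, ...: bridge and OpenVPN already run
    esac
}

# bridge_exists NAME -> true if the kernel already has a bridge of that name.
bridge_exists() {
    [ -d "/sys/class/net/$1/bridge" ]
}

# create_bridge: same steps as the bridgeon script, run once on a clean start.
create_bridge() {
    modprobe tun
    modprobe bridge
    brctl addbr "$BRIDGE"
    for tap in $TAPS; do
        openvpn --mktun --dev "$tap"
        brctl addif "$BRIDGE" "$tap"
        ifconfig "$tap" 0.0.0.0 promisc up
    done
    ifconfig "$LAN_IF" 0.0.0.0 promisc up
    brctl addif "$BRIDGE" "$LAN_IF"
    ifconfig "$BRIDGE" "$BRIDGE_IP" netmask "$BRIDGE_MASK" broadcast "$BRIDGE_BCAST"
}

if bridge_exists "$BRIDGE"; then up=yes; else up=no; fi
case "$(decide_action "${COMMAND:-}" "$up")" in
    create) create_bridge ;;
    *)      : ;;                # nothing to do on restart or when br0 already exists
esac
```

Starting and stopping OpenVPN itself stays out of this file, in line with points b) and c) above.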