Hi,

We're using openvpn on our firewall box to contact several networks.
The idea is to use it for approx 10-15 VPNs..

But.. Do we have to define a tunX device and an interface + zone for
'each' VPN connection? It seems to me yes, but .. Doesn't that make the
interfaces/zones file a little bit complex or overpopulated?

Just wondering because in my previous experiences I've never had to use
more than 4 zones..

Greetings,
Kristof

--On Tuesday, February 25, 2003 10:08:40 PM +0100 Kristof Hardy <kristof.hardy@catsanddogs.com> wrote:

> Hi,
>
> We're using openvpn on our firewall box to contact several networks.
> The idea is to use it for approx 10-15 VPNs..
>
> But.. Do we have to define a tunX device and an interface + zone for
> 'each' VPN connection? It seems to me yes, but .. Doesn't that make the
> interfaces/zones file a little bit complex or overpopulated?
>
> Just wondering because in my previous experiences I've never had to use
> more than 4 zones..

I have no idea what question you are asking here.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net

--On Tuesday, February 25, 2003 10:08:40 PM +0100 Kristof Hardy <kristof.hardy@catsanddogs.com> wrote:

> Hi,
>
> We're using openvpn on our firewall box to contact several networks.
> The idea is to use it for approx 10-15 VPNs..
>
> But.. Do we have to define a tunX device and an interface + zone for
> 'each' VPN connection? It seems to me yes, but .. Doesn't that make the
> interfaces/zones file a little bit complex or overpopulated?
>
> Just wondering because in my previous experiences I've never had to use
> more than 4 zones..

Ok -- I've read this post 4 or 5 more times and I think you are asking how
to lump several tunnels into one zone?

a) Define zone Z in /etc/shorewall/zones

b) Add an entry to the interfaces file as:

    -    tun+    -    <options>

c) In /etc/shorewall/hosts:

    Z    tun+:<subnet 1>,<subnet 2>,...    <options>

Does that answer your question?

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
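
The steps in the reply above, as an added example that is not part of the original thread or of Shorewall: a small Python helper that turns a per-site list of remote subnets into the single interfaces and hosts entries, rejecting mistyped or catch-all subnets before they reach the firewall configuration. The zone name "vpn", the site labels and the subnets are constructed for illustration; the options column is left empty, and the zone still has to be defined in /etc/shorewall/zones.

```python
import ipaddress

def vpn_zone_entries(zone, tunnels, options=""):
    """Build the interfaces and hosts lines for one zone shared by all tunN devices.

    tunnels maps a site label (hypothetical) to the remote subnets reached
    through that site's tunnel, in IPv4 CIDR notation.
    """
    nets = []
    for site, cidrs in tunnels.items():
        for cidr in cidrs:
            try:
                # strict=True rejects host bits, e.g. 10.1.1.1/24 typed for 10.1.1.0/24
                net = ipaddress.IPv4Network(cidr, strict=True)
            except ValueError as exc:
                raise ValueError(f"{site}: bad subnet {cidr!r}: {exc}") from None
            if net.prefixlen == 0:
                # 0.0.0.0/0 would place every address seen on any tun device in the zone
                raise ValueError(f"{site}: {cidr} matches every address")
            nets.append(net)
    if not nets:
        raise ValueError("no subnets given")
    # Drop duplicates and subnets covered by a larger one; adjacent halves are merged
    merged = sorted(ipaddress.collapse_addresses(nets))
    interfaces_line = " ".join(filter(None, ["-", "tun+", "-", options]))
    hosts_line = " ".join(
        filter(None, [zone, "tun+:" + ",".join(map(str, merged)), options])
    )
    return interfaces_line, hosts_line

# Constructed sample inventory: site names and subnets are made up.
SAMPLE_TUNNELS = {
    "site-a": ["10.1.0.0/24", "10.1.1.0/24"],
    "site-b": ["192.168.50.0/24"],
    "site-c": ["10.1.0.0/24"],  # duplicate of a site-a subnet, collapsed away
}

if __name__ == "__main__":
    interfaces_line, hosts_line = vpn_zone_entries("vpn", SAMPLE_TUNNELS)
    print("/etc/shorewall/interfaces:", interfaces_line)
    print("/etc/shorewall/hosts:     ", hosts_line)
```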