Dear Tom,

as you suggested to me in a previous post, I have used openvpn to create an encrypted vpn tunnel between two networks in two different places. I have followed your instructions in the shorewall documentation and this system has worked great for a month!

Now I want to provide remote access to the lan for my windows clients. I would like to use openvpn again; I want to create an ethernet bridge so that when they use the vpn they can browse the lan as if they were locally connected. I'm following the instructions provided by the following link:

http://openvpn.sourceforge.net/INSTALL-win32.html

I have created the following bridging script:

#!/bin/bash
# load the tun/tap and bridge kernel modules
modprobe tun
modprobe bridge
# create two persistent tap devices, one per OpenVPN instance
openvpn --mktun --dev tap0
openvpn --mktun --dev tap1
# create the bridge and add the lan interface and both tap devices to it
brctl addbr br0
brctl addif br0 eth1
brctl addif br0 tap0
brctl addif br0 tap1
# bridge ports carry no address of their own; the address goes on br0
ifconfig tap0 0.0.0.0 promisc up
ifconfig tap1 0.0.0.0 promisc up
ifconfig eth1 0.0.0.0 promisc up
ifconfig br0 10.10.11.1 netmask 255.255.255.0 broadcast 10.10.11.255

I have a three-interface firewall in which eth0 is the default gateway for my lan and has ip address 10.10.11.1. Now I must insert the following firewalling rules:

iptables -A INPUT -i tap+ -j ACCEPT
iptables -A INPUT -i br0 -j ACCEPT
iptables -A FORWARD -i br0 -j ACCEPT

From shorewall's point of view this is:

add in interfaces the lines

vpn1 tap0
vpn2 tap1
- br0 10.10.11.255

add in zones:

vpn1 VPN1
vpn2 VPN2

add in tunnels:

openvpn:5003 net 0.0.0.0/0 vpn1 (road warriors must connect)
openvpn:5004 net 0.0.0.0/0 vpn2

in policy:

loc vpn1 ACCEPT
loc vpn2 ACCEPT
vpn1 loc ACCEPT
vpn2 loc ACCEPT

in shorewall.conf:

BRIDGING=Yes

in hosts (perhaps this is unnecessary):

vpn1 br0:tap1
vpn2 br0:tap2

Is my configuration right?

Thanks,
Nicola
Nicola Murino wrote:
>
> I have created the following bridging script:

<script snipped>

I can't comment on the above since I have not used OpenVPN -- I haven't a clue whether it works as a bridge.

>
> I have a three-interface firewall in which eth0 is the default gateway
> for my lan and has ip address 10.10.11.1.
>
> Now I must insert the following firewalling rules:
>
> iptables -A INPUT -i tap+ -j ACCEPT
> iptables -A INPUT -i br0 -j ACCEPT
> iptables -A FORWARD -i br0 -j ACCEPT
>
> From shorewall's point of view this is:
> add in interfaces the lines
>
> vpn1 tap0
> vpn2 tap1
> - br0 10.10.11.255

No. You must not define bridged devices in the /etc/shorewall/interfaces file. Rather, place the entries in /etc/shorewall/hosts as you have later on.

>
> add in zones:
>
> vpn1 VPN1
> vpn2 VPN2
>
> add in tunnels:
>
> openvpn:5003 net 0.0.0.0/0 vpn1 (road warriors must connect)
> openvpn:5004 net 0.0.0.0/0 vpn2
>
> in policy:
>
> loc vpn1 ACCEPT
> loc vpn2 ACCEPT
> vpn1 loc ACCEPT
> vpn2 loc ACCEPT
>
> in shorewall.conf:
>
> BRIDGING=Yes
>
> in hosts (perhaps this is unnecessary):

No -- it is mandatory!!

>
> vpn1 br0:tap1
> vpn2 br0:tap2
>
>
> Is my configuration right?

Your configuration is much more complex than it needs to be:

/etc/shorewall/zones:

loc Local

/etc/shorewall/interfaces:

loc br0 10.10.11.255 routeback

/etc/shorewall/tunnels:

openvpn:5003 net 0.0.0.0/0
openvpn:5004 net 0.0.0.0/0

The above works without the Shorewall bridging code. This of course assumes that the bridging works in the first place. I wouldn't have thought that ethernet headers would have been transferred across an OpenVPN tunnel but again, I haven't used one.

-Tom
-- 
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
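As an added example that is not part of this thread (a hypothetical helper, not a Shorewall tool), a Python check that reads the brctl lines of the bridging script posted above and compares them against the proposed /etc/shorewall/interfaces and /etc/shorewall/hosts entries: it flags bridge ports listed in interfaces instead of hosts (Tom's objection) and any hosts entry naming a port the script never adds to the bridge. The script and config fragments are constructed inline from the thread.

```python
import re
# Constructed from this thread: the brctl lines of Nicola's bridging script and
# his proposed /etc/shorewall/interfaces and /etc/shorewall/hosts entries.
BRIDGE_SCRIPT = """
brctl addbr br0
brctl addif br0 eth1
brctl addif br0 tap0
brctl addif br0 tap1
"""
INTERFACES = "vpn1 tap0\nvpn2 tap1\n- br0 10.10.11.255\n"
HOSTS = "vpn1 br0:tap1\nvpn2 br0:tap2\n"

def bridge_ports(script):
    """Map each bridge created with brctl addbr to the ports added with addif."""
    bridges = {}
    for line in script.splitlines():
        m = re.match(r"\s*brctl\s+addbr\s+(\S+)", line)
        if m:
            bridges.setdefault(m.group(1), set())
        m = re.match(r"\s*brctl\s+addif\s+(\S+)\s+(\S+)", line)
        if m:
            bridges.setdefault(m.group(1), set()).add(m.group(2))
    return bridges

def check_shorewall(bridges, interfaces, hosts):
    """Return the problems found; an empty list means the files agree with the bridge."""
    problems = []
    port_of = {p: br for br, ports in bridges.items() for p in ports}
    for line in interfaces.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[1] in port_of:
            br = port_of[fields[1]]
            problems.append("interfaces: %s is a port of %s; define it in hosts as %s:%s"
                            % (fields[1], br, br, fields[1]))
    for line in hosts.splitlines():
        fields = line.split()
        if len(fields) < 2 or ":" not in fields[1]:
            continue
        br, port = fields[1].split(":", 1)
        if br not in bridges:
            problems.append("hosts: %s is not a bridge the script creates" % br)
        elif port not in bridges[br]:
            problems.append("hosts: %s is not a port of %s (ports: %s)"
                            % (port, br, ", ".join(sorted(bridges[br]))))
    return problems

if __name__ == "__main__":
    for problem in check_shorewall(bridge_ports(BRIDGE_SCRIPT), INTERFACES, HOSTS):
        print(problem)
```

Run against Tom's simplified configuration (only "loc br0 10.10.11.255 routeback" in interfaces and nothing in hosts) the check returns no problems.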