Hi all,

I'm trying to use OpenVPN as a VPN solution on a firewall running Shorewall. The IPSEC VPN I tried first has proven a little bit unstable under several conditions, especially with Windows clients.

As OpenVPN is best run in 'bridged' mode (see http://fedoranews.org/contributors/florin_andrei/openvpn/), I became interested in the bridge capabilities of Shorewall 2.x.

My first question goes to Thomas: I don't know anything about the magic you have performed to get bridging and iptables working, but I'm wondering why you aren't using ebtables (see http://ebtables.sourceforge.net/).

My second question is directed to the community: Has anybody tried to use OpenVPN in bridged mode on a Shorewall firewall? I'm not sure whether I need Shorewall bridge capabilities at all, because the OpenVPN setup just bridges a real interface to several virtual TUN interfaces.

On the other hand, one would want filtering capabilities on these interfaces as the external VPN clients are less trusted than the internal local clients.

Any hints greatly appreciated.

Michael
Andrew Niemantsverdriet
2004-Nov-24 15:56 UTC
Re: Bridges, ebtables and OpenVPN [non member]
Hi,

On Wed, 2004-11-24 at 06:25, Michael Kunze wrote:
> Hi all,
>
> I'm trying to use OpenVPN as a VPN solution on a firewall running
> Shorewall. The IPSEC VPN I tried first has proven a little bit unstable
> under several conditions, especially with Windows clients.
>
> As OpenVPN is best run in 'bridged' mode (see
> http://fedoranews.org/contributors/florin_andrei/openvpn/), I became
> interested in the bridge capabilities of Shorewall 2.x.
>
> My first question goes to Thomas: I don't know anything about the magic
> you have performed to get bridging and iptables working, but I'm
> wondering why you aren't using ebtables (see
> http://ebtables.sourceforge.net/).
>
> My second question is directed to the community: Has anybody tried to
> use OpenVPN in bridged mode on a Shorewall firewall? I'm not sure
> whether I need Shorewall bridge capabilities at all, because the OpenVPN
> setup just bridges a real interface to several virtual TUN interfaces.

I run OpenVPN in tun mode. It is a server/client setup so multiple clients can connect to the server and I don't have to open a port and session for each one of them. Also a WINS server will fix what running in routed mode takes away (browsing network neighborhood). I used http://www.shorewall.net/OPENVPN.html as a guide. The routed mode is better in terms of efficiency and can be made a little more secure than bridged.

> On the other hand, one would want filtering capabilities on these
> interfaces as the external VPN clients are less trusted than the
> internal local clients.

Look at routed mode, it will do everything you need. The OpenVPN mailing list is really helpful for OpenVPN specific issues. And if you follow the Shorewall OpenVPN instructions you will get things working quickly.

> Any hints greatly appreciated.
>
> Michael
On Wed, 2004-11-24 at 14:25 +0100, Michael Kunze wrote:
>
> My first question goes to Thomas: I don't know anything about the magic
> you have performed to get bridging and iptables working, but I'm
> wondering why you aren't using ebtables (see
> http://ebtables.sourceforge.net/).

a) Shorewall is based on iptables, not ebtables -- trying to use ebtables for bridge traffic and iptables for everything else would have been an order of magnitude more complicated.

b) With the Netfilter bridge patches and the 'physdev' match capability of iptables, I am able to provide the same level of function in a bridge configuration as I do in a router configuration; the extra functionality available in ebtables (such as MAC-level NAT) would have been overkill.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Hi Michael,

I think you are confused about two things which have nothing to do with each other except that they both contain the word "bridge". Building a bridge with Shorewall is a nice thing and btw it is easy and straightforward ... ;-) been there ...

But using OpenVPN in "bridged" mode is a different thing altogether and you have nothing special to do inside Shorewall to make the tunnel work either in "bridged"=tap or "routing"=tun mode. Especially it is not necessary to have Shorewall doing anything like a bridge. This is done by OpenVPN itself; in fact, the difference is only in broadcast packets being transported over the VPN, and non-IP protocols work as well. But this is transparent to Shorewall, although you *could* filter based on MAC addresses for non-IP protocols *and* on an IP (port) basis if you wanted to.

HTH,
Philipp

Michael Kunze wrote:
> Hi all,
>
> I'm trying to use OpenVPN as a VPN solution on a firewall running
> Shorewall. The IPSEC VPN I tried first has proven a little bit unstable
> under several conditions, especially with Windows clients.
>
> As OpenVPN is best run in 'bridged' mode (see
> http://fedoranews.org/contributors/florin_andrei/openvpn/), I became
> interested in the bridge capabilities of Shorewall 2.x.
>
> My first question goes to Thomas: I don't know anything about the
> magic you have performed to get bridging and iptables working, but I'm
> wondering why you aren't using ebtables (see
> http://ebtables.sourceforge.net/).
>
> My second question is directed to the community: Has anybody tried to
> use OpenVPN in bridged mode on a Shorewall firewall? I'm not sure
> whether I need Shorewall bridge capabilities at all, because the
> OpenVPN setup just bridges a real interface to several virtual TUN
> interfaces.
>
> On the other hand, one would want filtering capabilities on these
> interfaces as the external VPN clients are less trusted than the
> internal local clients.
>
> Any hints greatly appreciated.
>
> Michael
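Andrew's advice (run OpenVPN in routed/tun mode and follow the Shorewall OpenVPN instructions) and Philipp's point (the tunnel is transparent to Shorewall, so filter the remote clients on an IP/port basis) come down to the same configuration step: give the tun interface its own Shorewall zone with a policy narrower than the one the trusted LAN gets. The script below is an added example, not code from this thread or from the Shorewall project. It writes Shorewall 2.x style configuration fragments into a staging directory for review rather than into /etc/shorewall; the interface names (eth0, eth1, tun0), the addresses (192.168.1.0/24, a file/WINS server at 192.168.1.10), the OpenVPN port (udp/1194) and the `openvpn:udp:1194` tunnel-type syntax are constructed assumptions to be checked against the Shorewall version actually installed. The weak setting (treating VPN clients like the LAN) is shown commented out next to the default-deny policy that replaces it.

```shell
#!/bin/sh
# Added example (not from the thread or the Shorewall project): stage Shorewall
# 2.x configuration fragments that put OpenVPN's tun0 into its own zone, so
# remote VPN clients get an explicit, narrower policy than the trusted LAN.
# Assumptions (constructed, not from the thread): eth0 = Internet, eth1 = LAN
# 192.168.1.0/24, a file/WINS server at 192.168.1.10, OpenVPN on udp/1194.
# Files are written to a staging directory for review, not to /etc/shorewall.

stage_shorewall_vpn_config() {
    dir="$1"
    mkdir -p "$dir" || return 1

    # zones: a third zone for the VPN, distinct from the local network.
    cat > "$dir/zones" <<'EOF'
#ZONE   DISPLAY   COMMENTS
net     Net       Internet
loc     Local     Local network
vpn     VPN       OpenVPN clients arriving on tun0 (routed/tun mode)
EOF

    # interfaces: bind tun0 to the vpn zone; a tun device has no broadcast address.
    cat > "$dir/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      routefilter,tcpflags
loc     eth1        detect
vpn     tun0        -
EOF

    # tunnels: admit the encrypted OpenVPN transport itself from the Internet
    # (tunnel-type syntax assumed; verify against the installed Shorewall).
    cat > "$dir/tunnels" <<'EOF'
#TYPE               ZONE   GATEWAY
openvpn:udp:1194    net    0.0.0.0/0
EOF

    # policy: default-deny from the vpn zone, logged. The weak alternative,
    # treating remote clients exactly like the LAN, is the commented-out line.
    cat > "$dir/policy" <<'EOF'
#SOURCE   DEST   POLICY   LOG LEVEL
loc       net    ACCEPT
#vpn      loc    ACCEPT            <- weak: VPN clients get full LAN access
vpn       loc    REJECT   info
vpn       net    REJECT   info
vpn       fw     REJECT   info
net       all    DROP     info
all       all    REJECT   info
EOF

    # rules: the only holes in that policy, one per service. The NetBIOS/SMB
    # ports are what a WINS server needs to restore network browsing in tun mode.
    cat > "$dir/rules" <<'EOF'
#ACTION   SOURCE   DEST                PROTO   DEST PORT(S)
ACCEPT    vpn      loc:192.168.1.10    tcp     139,445
ACCEPT    vpn      loc:192.168.1.10    udp     137,138
ACCEPT    vpn      fw                  udp     53
ACCEPT    vpn      fw                  tcp     53
EOF
}

# Returns 0 when no active policy line grants vpn->loc ACCEPT (comments ignored).
vpn_zone_is_default_deny() {
    ! grep -Eq '^vpn[[:space:]]+loc[[:space:]]+ACCEPT' "$1/policy"
}

# Stand-alone run: ./stage.sh --demo stages into a temp dir and prints the policy.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    stage_shorewall_vpn_config "$d" && vpn_zone_is_default_deny "$d" \
        && echo "staged in $d (vpn zone is default-deny)" && cat "$d/policy"
fi
```

Review the staged files, then copy them into /etc/shorewall and run `shorewall check` before `shorewall restart`; the `vpn_zone_is_default_deny` check is the kind of guard worth keeping in a deployment script so a later "temporary" vpn->loc ACCEPT policy does not slip in unnoticed.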