I am looking at terminating an OpenVPN tunnel on my shorewall box, but selectively forwarding incoming traffic from the VPN tunnel to various hosts on my LOC zone. Is this doable? Or need I set up OpenVPN tunnels that terminate on the LOC hosts in question directly? (Or rather: which page on the web site have I neglected to read _this_ time?)

Happy new year to one and all!
> (Or rather: Which page on the web site have I neglected to read _this_
> time?)

Ooohkay. Now I have found which file I have missed. So, I'll be quiet-ish now.

But (and I know this isn't really the right list), what I can't seem to figure out is how to deploy my scenario.

I have a home network on a dynamic IP (192.168.0.0/24). I have a public system which does mail transport for me, since my ISP does not allow anything in/out on 25/tcp; so far I have handled that by having the Shorewall on my home network forward 2525/TCP to my mail server on my LOC zone.

Now I figured that OpenVPN is prolly a better bet. But, if I deploy OpenVPN, it looks like I would only be able to communicate with hosts _behind_ the gateway? What if I want to talk to the gateway itself, is that doable?

Any hints appreciated.
On Thursday 30 December 2004 12:25 am, Jan Johansson wrote:

> I am looking at terminating an OpenVPN tunnel on my shorewall box, but
> selectively forwarding incoming traffic from the VPN tunnel to various hosts
> on my LOC zone. Is this doable? Or need I set up OpenVPN tunnels that
> terminate on the LOC hosts in question directly?

An OpenVPN tunnel is a zone like other zones and, in my experience so far, the same rules apply. You have to have a policy and, if necessary, a set of rules describing the exceptions to that policy. What you describe sounds like DNAT, which I have never used on a tunnel interface but should be trivial for you to test.

> (Or rather: Which page on the web site have I neglected to read _this_
> time?)

--
Stephen Carville
Systems and Network Administrator
310-342-3602
stephen@totalflood.com
On Thursday 30 December 2004 12:57 am, Jan Johansson wrote:

> > (Or rather: Which page on the web site have I neglected to read _this_
> > time?)
>
> Ooohkay. Now I have found which file I have missed. So, I'll be
> quiet-ish now.
>
> But (and I know this isn't really the right list), what I can't seem to
> figure out is how to deploy my scenario.
>
> I have a home network on a dynamic IP (192.168.0.0/24). I have a public
> system which does mail transport for me, since my ISP does not allow
> anything in/out on 25/tcp; so far I have handled that by having the
> Shorewall on my home network forward 2525/TCP to my mail server on my
> LOC zone.
>
> Now I figured that OpenVPN is prolly a better bet. But, if I deploy
> OpenVPN, it looks like I would only be able to communicate with hosts
> _behind_ the gateway? What if I want to talk to the gateway itself, is
> that doable?

I use OpenVPN to connect three networks. OpenVPN runs on the firewall in each case and I control access with the policy and rules files. For example:

Policy:
  loc    any    ACCEPT   -
  vpn0   loc    ACCEPT   -
  all    all    DROP     -
vpn0 traffic has unrestricted access to loc.

Rules:
  ACCEPT   vpn0   FW   ssh,http
and can access the FW via ssh and http.

--
Stephen Carville
Systems and Network Administrator
310-342-3602
stephen@totalflood.com
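Putting the two replies together for Jan's scenario (tunnel terminating on the Shorewall box, selected LOC hosts reachable from the tunnel, and the firewall itself reachable from the tunnel), here is a complete set of Shorewall configuration fragments. This is an added example written for this page; it is not code posted by anyone in the thread and not taken from the Shorewall project's documentation. It assumes the Shorewall 2.x column layouts of the thread's era (Shorewall 3 and later use a ZONE TYPE OPTIONS layout in the zones file and `$FW` for the firewall zone), a firewall zone named `fw` (the FW= setting in shorewall.conf), `eth0` as the dynamic-address Internet interface, `eth1` as the LAN, `tun0` as the OpenVPN interface with the home firewall at 10.8.0.1 and the public mail relay at 10.8.0.2 on the tunnel, the relay's public address 203.0.113.5, the internal mail server 192.168.0.10, and OpenVPN on UDP 1194. All of those names and addresses are assumptions chosen for illustration.

```text
# /etc/shorewall/zones   (Shorewall 2.x layout, assumed)
#ZONE   DISPLAY   COMMENTS
net     Net       Internet, dynamic address on eth0
loc     Local     Home LAN 192.168.0.0/24
vpn     VPN       OpenVPN tunnel (tun0) to the public mail relay

# /etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp
loc     eth1        detect
vpn     tun0        -

# /etc/shorewall/tunnels
# Lets the OpenVPN transport itself (UDP 1194, assumed) pass between the
# firewall and the relay.  The home box has a dynamic address, so it is the
# OpenVPN client and dials out to 203.0.113.5 (assumed); nothing has to be
# opened inbound at the ISP side.  OpenVPN 1.x defaulted to port 5000, so
# the port is given explicitly.
#TYPE          ZONE   GATEWAY         GATEWAY ZONE
openvpn:1194   net    203.0.113.5

# /etc/shorewall/policy
# The tunnel is a zone like any other: it gets nothing by default and the
# rules file punches the holes.  First match wins, so vpn comes before all.
#SOURCE   DEST   POLICY   LOG LEVEL
loc       net    ACCEPT
loc       fw     ACCEPT
fw        all    ACCEPT
vpn       all    DROP     info
net       all    DROP     info
all       all    REJECT   info

# /etc/shorewall/rules
#ACTION   SOURCE   DEST                   PROTO   DEST PORT(S)   SOURCE PORT(S)   ORIGINAL DEST
#
# Case 1: the relay routes 192.168.0.0/24 over the tunnel (an OpenVPN
# "route" directive on its side), so it addresses the mail server directly
# and a plain ACCEPT restricted to that one host and port is enough.
ACCEPT    vpn      loc:192.168.0.10       tcp     25
#
# Case 2: the relay only knows the firewall's tunnel address and keeps
# delivering to 10.8.0.1:2525 as it did before the tunnel existed; DNAT on
# the tunnel zone rewrites that to the mail server, exactly as the old
# net->loc port forward did.  ORIGINAL DEST is given explicitly so only
# traffic sent to the firewall's own tunnel address is redirected.
DNAT      vpn      loc:192.168.0.10:25    tcp     2525           -                10.8.0.1
#
# Talking to the gateway itself from the tunnel: ssh only, nothing else.
ACCEPT    vpn      fw                     tcp     22
```

Only one of the two rules-file cases is needed; pick the one matching how the relay addresses the home side. Keeping the `vpn all DROP` policy with per-host, per-port rules is the point of terminating the tunnel on the firewall rather than on the LOC hosts: the relay's compromise would expose one port on one host, not the whole LAN. After `shorewall restart`, `shorewall show nat` and `shorewall show vpn` (the chain names follow the zone names) are the quickest way to confirm the DNAT and ACCEPT rules landed on tun0.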