Hi all,

I have set up a working OpenVPN2 connection between my server and my gateway at home. Now I want all traffic to be routed through this VPN connection.

Currently everything is going through eth1 to the internet (to the gateway of the university, which forwards it to the internet :-). We must use a proxy server and because of this I am not able to watch the RealMedia streams on http://www.heute.de because the ports are blocked.

So now it came to my mind, why not tunnel everything through the VPN with my server, which is located outside the university. The tunnel is established over TCP port 443.

What do I have to add/change in my shorewall files to tunnel everything through the VPN tunnel?

Thanks a lot
Bjoern

My current shorewall config looks like this:

#####Zones#####
#ZONE   DISPLAY   COMMENTS
net     Net       Internet
loc     Local     Local networks
vpn0    VPN0      OpenVPN TCP 443
dmz     DMZ       Demilitarized zone

#####Interfaces#####
#ZONE   INTERFACE   BROADCAST        OPTIONS
#
net     eth1        172.16.135.255   dhcp,blacklist,tcpflags,maclist
loc     eth0        10.0.123.255     dhcp
vpn0    tun0

#####masq#####
#INTERFACE   SUBNET   ADDRESS   PROTO   PORT(S)
#
eth1         eth0

#
#route
#
Kernel IP Routentabelle
Ziel            Router            Genmask           Flags  Metric  Ref  Use  Iface
192.168.254.5   *                 255.255.255.255   UH     0       0    0    tun0
192.168.254.1   192.168.254.5     255.255.255.255   UGH    0       0    0    tun0
10.0.123.0      *                 255.255.255.0     U      0       0    0    eth0
172.16.128.0    *                 255.255.248.0     U      0       0    0    eth1
loopback        localhost         255.0.0.0         UG     0       0    0    lo
default         gremlin.swh.uni   0.0.0.0           UG     0       0    0    eth1

#
#ifconfig
#
eth0      Protokoll:Ethernet  Hardware Adresse 00:0A:5E:1E:85:41
          inet Adresse:10.0.123.1  Bcast:10.0.123.255  Maske:255.255.255.0
          inet6 Adresse: fe80::20a:5eff:fe1e:8541/64 Gültigkeitsbereich:Verbindung
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:26560945 errors:0 dropped:0 overruns:21 frame:0
          TX packets:49188581 errors:0 dropped:0 overruns:0 carrier:0
          Kollisionen:0 Sendewarteschlangenlänge:1000
          RX bytes:3049355523 (2908.0 Mb)  TX bytes:1648527396 (1572.1 Mb)
          Interrupt:10 Basisadresse:0x8400

eth1      Protokoll:Ethernet  Hardware Adresse 00:02:3F:73:F5:B9
          inet Adresse:172.16.129.106  Bcast:172.16.135.255  Maske:255.255.248.0
          inet6 Adresse: fe80::202:3fff:fe73:f5b9/64 Gültigkeitsbereich:Verbindung
          UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:90305867 errors:0 dropped:0 overruns:0 frame:275673
          TX packets:21730687 errors:0 dropped:0 overruns:13 carrier:0
          Kollisionen:523010 Sendewarteschlangenlänge:1000
          RX bytes:2932437674 (2796.5 Mb)  TX bytes:2929637781 (2793.9 Mb)
          Interrupt:10

tun0      Protokoll:UNSPEC  Hardware Adresse 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet Adresse:192.168.254.6  P-z-P:192.168.254.5  Maske:255.255.255.255
          UP PUNKTZUPUNKT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:4 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
          Kollisionen:0 Sendewarteschlangenlänge:100
          RX bytes:336 (336.0 b)  TX bytes:336 (336.0 b)

--
Using Opera's revolutionary e-mail client: http://www.opera.com/mail/
In answer to your question

> What do I have to add/change in my shorewall files to tunnel everything
> through the VPN tunnel?

Nothing.

Shorewall isn't a router 'per se' but a cleverly crafted bash script (or two) that configures Netfilter's iptables.

As the subject suggests you should probably try looking on the openvpn list, or better yet, a routing how-to.

Jeff

----- Original Message -----
From: <spamsuxx@gmail.com>
To: <shorewall-users@lists.shorewall.net>
Sent: Wednesday, February 02, 2005 10:40 AM
Subject: [Shorewall-users] Routing all connections through a OpenVPN tunnel

> Hi all,
>
> I have set up a working OpenVPN2 connection between my Server and my
> gateway at home.
> Now I want all traffic to be routed through this VPN connection.
>
> Currently everything is going through eth1 to the internet (to the gateway
> of the University which forwards it to the internet :-).
> We must use a proxy server and because of this I am not able to watch the
> RealMedia streams on http://www.heute.de because the ports are blocked.
>
> So now it came to my mind, why not tunnel everything through the VPN with
> my server which is located outside the university.
> The Tunnel is established over TCP-Port 443.
>
> What do I have to add/change in my shorewall files to tunnel everything
> through the VPN tunnel?
>
> Thanks a lot
> Bjoern
On Wed, 2005-02-02 at 16:40 +0100, spamsuxx@gmail.com wrote:

> What do I have to add/change in my shorewall files to tunnel everything
> through the VPN tunnel?

Look into the redirect-gateway server config option for OpenVPN. It may have been introduced in a more recent release candidate (rc8 is most current I believe).

--
David Hollis <dhollis@davehollis.com>
spamsuxx@gmail.com
2005-Feb-02 16:28 UTC
Re: Routing all connections through a OpenVPN tunnel
On Wed, 2 Feb 2005 10:51:20 -0500, Jeff <jsoehner@the-techy.com> wrote:

> In answer to your question
>
>> What do I have to add/change in my shorewall files to tunnel everything
>> through the VPN tunnel?
>
> nothing.
> Shorewall isn't a router 'per se' but a cleverly crafted bash script (or
> two) that configures Netfilter's iptables.
> As the subject suggests you should probably try looking on the openvpn
> list or better yet, a routing how-to.
>
> Jeff

Mmmh, I thought it would somehow be possible to tell shorewall to "route", "masq" or do anything else with the incoming traffic on an interface to the VPN connection.

But is it possible to forward all traffic from "loc" directed to the IP 192.168.254.1 to the "tun0" device?

Thx
Bjoern

--
Using Opera's revolutionary e-mail client: http://www.opera.com/mail/
David Hollis wrote:

> On Wed, 2005-02-02 at 16:40 +0100, spamsuxx@gmail.com wrote:
>
>> What do I have to add/change in my shorewall files to tunnel everything
>> through the VPN tunnel?
>
> Look into the redirect-gateway server config option for OpenVPN. It may
> have been introduced in a more recent release candidate (rc8 is most
> current I believe).

It's in since openvpn-1.5 :-)

--
Levente
"Si vis pacem para bellum!"
spamsuxx@gmail.com wrote:

> But is it possible to forward all traffic from "loc" directed to the IP
> 192.168.254.1 to the "tun0" device?

According to the routing table, that is already the case:

Kernel IP Routentabelle
Ziel            Router            Genmask           Flags  Metric  Ref  Use  Iface
192.168.254.5   *                 255.255.255.255   UH     0       0    0    tun0
192.168.254.1   192.168.254.5     255.255.255.255   UGH    0       0    0    tun0
10.0.123.0      *                 255.255.255.0     U      0       0    0    eth0
172.16.128.0    *                 255.255.248.0     U      0       0    0    eth1
loopback        localhost         255.0.0.0         UG     0       0    0    lo
default         gremlin.swh.uni   0.0.0.0           UG     0       0    0    eth1

The second route says that traffic to 192.168.254.1 should be routed via 192.168.254.5 on interface tun0. What is NOT said is that traffic to 192.168.254.0/24 should be routed similarly. But that is a simple OpenVPN configuration change ("route 192.168.254.0 255.255.255.0" in your Open VPN config file).

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
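To make Tom's point concrete, here is an added example (not code from the thread or from Shorewall/OpenVPN) that replays the posted routing table as a longest-prefix lookup: 192.168.254.1 already matches the host route on tun0, any other 192.168.254.x address falls through to the default route on eth1, and only after the "route 192.168.254.0 255.255.255.0" change does the whole /24 go via the tunnel. The route table is a constructed copy of the `route` output above; the assumption that OpenVPN installs the added subnet via the tunnel peer 192.168.254.5 is mine.

```python
import ipaddress

# Routing table from the `route` output posted above (constructed copy of that
# table; "loopback"/"localhost" are the /etc/networks names for 127.0.0.0/8).
# Columns: destination, gateway ("*" = directly connected), genmask, interface.
ROUTES = [
    ("192.168.254.5", "*",               "255.255.255.255", "tun0"),
    ("192.168.254.1", "192.168.254.5",   "255.255.255.255", "tun0"),
    ("10.0.123.0",    "*",               "255.255.255.0",   "eth0"),
    ("172.16.128.0",  "*",               "255.255.248.0",   "eth1"),
    ("127.0.0.0",     "*",               "255.0.0.0",       "lo"),
    ("0.0.0.0",       "gremlin.swh.uni", "0.0.0.0",         "eth1"),  # default
]


def lookup(dst, routes):
    """Longest-prefix match, the way the kernel picks a route.

    Returns (gateway, interface) of the most specific matching entry,
    or None if nothing matches (cannot happen while a default route exists).
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for dest, gw, mask, iface in routes:
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, gw, iface)
    return None if best is None else (best[1], best[2])


def with_subnet_route(routes):
    """Table after adding `route 192.168.254.0 255.255.255.0` to the OpenVPN config.

    Assumption (mine, not stated in the thread): on this point-to-point tun0,
    OpenVPN installs the subnet via the tunnel peer 192.168.254.5, exactly like
    the existing host route for 192.168.254.1.
    """
    return routes + [("192.168.254.0", "192.168.254.5", "255.255.255.0", "tun0")]


if __name__ == "__main__":
    for dst in ("192.168.254.1", "192.168.254.7", "10.0.123.42"):
        print(dst, "before:", lookup(dst, ROUTES),
              "after:", lookup(dst, with_subnet_route(ROUTES)))
```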
Farkas Levente wrote:

>> Look into the redirect-gateway server config option for OpenVPN. It may
>> have been introduced in a more recent release candidate (rc8 is most
>> current I believe).
>
> is in since openvpn-1.5:-)

And it's still marked Experimental???? (and still doesn't work correctly on Windows XP, SP1???).

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
On Wed, 2005-02-02 at 10:53 -0800, Tom Eastep wrote:

> And it's still marked Experimental???? (and still doesn't work correctly
> on Windows XP, SP1???).

Interesting, glad I haven't had to use it just yet. What I have done in some cases is just push a route to the remote site thru the vpn so that things like POP3 work where the local network doesn't permit it. That way, most traffic goes thru the local network, but the specific things I want/need go through the VPN. If it's a lot of networks that need to be passed thru the VPN, it may be a PITA and redirect-gateway may be a better option, but if it's just a subnet or two, no big deal.

--
David Hollis <dhollis@davehollis.com>
David Hollis wrote:

> On Wed, 2005-02-02 at 10:53 -0800, Tom Eastep wrote:
>
>> And it's still marked Experimental???? (and still doesn't work correctly
>> on Windows XP, SP1???).
>
> Interesting, glad I haven't had to use it just yet.

The problem is that when the VPN is disconnected, the default route is not restored. Although not shown at http://shorewall.net/myfiles.htm, I use OpenVPN from my work laptop when I'm roaming around the house with it.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key