(Apologies if you receive this twice, GMANE seems to have lost my original posting.)

I currently have a setup where 20 remote networks are routed through IPsec tunnels and I am using Shorewall's terrific support for the kernel policy match module. I also have mobile clients using OpenVPN to connect into our head office network in a bridged setup. All is good. (Thanks Tom for your extensive help in getting this to work.)

Now, I need to use OpenVPN to have some edge devices we will be shipping out connect back into our network and route for their own local networks. Since I need fine-grained control over the rules for each remote network, having them use the existing, bridged, setup would be too much trouble, AFAIK.

What is the best approach, then?

- one tap interface for each remote network?
- a single tap interface with a virtual subnet on it, with each remote network having an IP on this subnet?
- a single tun interface with a virtual subnet, as above?

I'm really not clear on what the pros and cons of each possibility are. And, of course, there may be other possibilities I have not considered.

Any advice would be appreciated.

Thank you,

A.
Adam Sherman wrote:
> What is the best approach, then?
>
> - one tap interface for each remote network?
> - a single tap interface with a virtual subnet on it, with each remote
> network having an IP on this subnet?
> - a single tun interface with a virtual subnet, as above?

My main concern is managing the firewall policy for all these links as I believe there will be many of them in the future. Thus, I'm really asking which of the above, or other, architectures will be best suited to Shorewall.

Thank you,

A.
On Thu, 2005-02-03 at 21:11 -0500, Adam Sherman wrote:
> Adam Sherman wrote:
> > What is the best approach, then?
> >
> > - one tap interface for each remote network?
> > - a single tap interface with a virtual subnet on it, with each remote
> > network having an IP on this subnet?
> > - a single tun interface with a virtual subnet, as above?
>
> My main concern is managing the firewall policy for all these links as I
> believe there will be many of them in the future. Thus, I'm really
> asking which of the above, or other, architectures will be best suited
> to shorewall.
>

I think you'll have better luck using routing instead of bridging, unless you need IPX or the like (ick!). I think you might be able to get what you want using OpenVPN 2's client-config capabilities (to add the right route information for each of the remote sites) as well as the learn-address script to handle generating the firewall rules for each site (if you need that to be dynamic). One word of warning, the learn-address stuff runs under dropped privileges if you are using that so you may need to handle that case.

-- 
David Hollis <dhollis@davehollis.com>
David Hollis wrote:
>>> What is the best approach, then?
>>>
>>> - one tap interface for each remote network?
>>> - a single tap interface with a virtual subnet on it, with each remote
>>> network having an IP on this subnet?
>>> - a single tun interface with a virtual subnet, as above?
>>
>> My main concern is managing the firewall policy for all these links as I
>> believe there will be many of them in the future. Thus, I'm really
>> asking which of the above, or other, architectures will be best suited
>> to shorewall.
>
> I think you'll have better luck using routing instead of bridging,
> unless you need IPX or the like (ick!). I think you might be able to
> get what you want using OpenVPN 2's client-config capabilities (to add
> the right route information for each of the remote sites) as well as the
> learn-address script to handle generating the firewall rules for each
> site (if you need that to be dynamic). One word of warning, the learn-
> address stuff runs under dropped privileges if you are using that so you
> may need to handle that case.

Thanks for the response. I am leaning towards a routed setup, for sure. I don't believe that I will need dynamic rules, so that removes some complexity.

I'm now going to figure out the Shorewall configuration when a zone is behind a local router and then do some sample configs against my setup.

Cheers,

A.
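Following David's suggestion of a routed tun setup driven by OpenVPN 2's client-config-dir, and Adam's plan to put each remote network in its own Shorewall zone behind the tunnel, here is an added example that is not part of the thread and not code from the OpenVPN or Shorewall projects. It is a small POSIX shell generator that turns a table of "client CN, remote subnet" into one ccd file per client (carrying the `iroute` OpenVPN needs to know which client owns the subnet), the matching `route` lines for the server config (so the kernel sends the subnet into tun0), and Shorewall 2.x `zones`, `hosts` and `policy` entries that make each remote network its own zone on tun0. The site table is constructed sample data; using the client CN as the Shorewall zone name (five characters or fewer in Shorewall 2.x) and `tun0` as the tunnel device are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): generate per-site OpenVPN ccd files and
# Shorewall zone/hosts/policy fragments from a table of "CN network/prefix".
# Assumptions: CN doubles as the Shorewall zone name (<=5 chars in Shorewall 2.x),
# the tunnel device is tun0, and the SITES table below is constructed sample data.

# Convert a prefix length (0-32) to a dotted netmask; OpenVPN's route/iroute
# directives take "network netmask", not CIDR.
cidr_to_mask() {
    prefix=$1
    mask=""
    i=0
    while [ "$i" -lt 4 ]; do
        if [ "$prefix" -ge 8 ]; then
            octet=255; prefix=$((prefix - 8))
        else
            octet=$(( 256 - (1 << (8 - prefix)) )); prefix=0
        fi
        mask="${mask}${mask:+.}${octet}"
        i=$((i + 1))
    done
    printf '%s\n' "$mask"
}

# Read "CN network/prefix" lines on stdin, write fragments under $1.
gen_site_config() {
    out=$1
    mkdir -p "$out/ccd" "$out/shorewall"
    : > "$out/openvpn-routes.conf"   # lines to include in server.conf
    : > "$out/shorewall/zones"       # ZONE  DISPLAY  COMMENTS
    : > "$out/shorewall/hosts"       # ZONE  HOST(S)  OPTIONS
    : > "$out/shorewall/policy"      # SOURCE  DEST  POLICY  LOG LEVEL
    while read -r cn cidr; do
        case $cn in ''|'#'*) continue ;; esac   # skip blanks and comments
        net=${cidr%/*}
        mask=$(cidr_to_mask "${cidr#*/}")
        # Kernel route into the tunnel (server side) ...
        echo "route $net $mask" >> "$out/openvpn-routes.conf"
        # ... and the internal iroute in client-config-dir/<CN>, so OpenVPN
        # forwards packets for this subnet to the right client.
        printf 'iroute %s %s\n' "$net" "$mask" > "$out/ccd/$cn"
        # One Shorewall zone per site, defined by subnet on tun0 via the hosts
        # file (tun0 itself is declared with zone "-" in /etc/shorewall/interfaces).
        printf '%s\t%s\tOpenVPN site %s\n' "$cn" "$cn" "$cn" >> "$out/shorewall/zones"
        printf '%s\ttun0:%s\n' "$cn" "$cidr" >> "$out/shorewall/hosts"
        # Deny by default, log; site-specific openings go in /etc/shorewall/rules.
        printf '%s\tall\tREJECT\tinfo\n' "$cn" >> "$out/shorewall/policy"
    done
}

# Constructed sample table (hypothetical CNs and subnets).
SITES='# CN      network
site1   192.168.10.0/24
site2   192.168.20.0/23'

# Stand-alone demo: generate into a temp dir and show what was produced.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' "$SITES" | gen_site_config "$dir"
    echo "== ccd/site2"; cat "$dir/ccd/site2"
    echo "== shorewall/hosts"; cat "$dir/shorewall/hosts"
    echo "== openvpn-routes.conf"; cat "$dir/openvpn-routes.conf"
    echo "output in $dir"
}

demo
```

Because the zones are defined by subnet on tun0 rather than by interface, tun0 goes in /etc/shorewall/interfaces with zone `-`; if the remote sites must also reach each other through the hub, tun0 needs the `routeback` option there as well. This generator is static, which matches Adam's conclusion that dynamic rules are not needed; a learn-address hook, as David notes, would run with OpenVPN's dropped privileges and could not reload Shorewall directly.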