I have been approached with a question that I am not sure about...

A Shorewall system has only one interface, with a public IP address.

The same system is the endpoint for a few OpenVPN tunnels.

Is it possible to add an aliased IP to the interface and NAT traffic to an OpenVPN endpoint?

The endpoint is on 10.4.2.3 and the Shorewall box has an interface of 10.4.2.1.
Jan Johansson wrote:
> I have been approached with a question that I am not sure about...
>
> A Shorewall system has only one interface, with a public IP address.
>
> The same system is the endpoint for a few OpenVPN tunnels.
>
> Is it possible to add an aliased IP to the interface and NAT traffic to
> an OpenVPN endpoint?
>
> The endpoint is on 10.4.2.3 and the Shorewall box has an interface of
> 10.4.2.1.

You want to send all traffic going to a second IP to a remote host via OpenVPN, correct?

A.
> You want to send all traffic going to a second IP to a remote host via
> OpenVPN, correct?

Yes.
Jan Johansson wrote:
>> You want to send all traffic going to a second IP to a remote host via
>> OpenVPN, correct?
>
> Yes.

You should be able to do this with a set of DNAT rules. The only issue I see is one of routing: if your Shorewall box is *not* the default route for the system behind OpenVPN, you will have problems I think. The replies to DNAT'ed packets must come back through Shorewall.

A.
> You should be able to do this with a set of DNAT rules. The only issue I
> see is one of routing: if your Shorewall box is *not* the default route
> for the system behind OpenVPN, you will have problems I think. The
> replies to DNAT'ed packets must come back through Shorewall.

Oh, good point. I did not think of that actually (insert Mr Easteps' comment about magic spawning salmon here ;) ).

But I suppose I COULD make the tunnel the default GW, since the box will only have to worry about the tunnel and the local subnet. And the local subnet the box should be able to find just fine after all....
Jan Johansson wrote:
>> see is one of routing: if your Shorewall box is *not* the default route
>> for the system behind OpenVPN, you will have problems I think. The
>> replies to DNAT'ed packets must come back through Shorewall.
>
> Oh, good point. I did not think of that actually (insert Mr Easteps'
> comment about magic spawning salmon here ;) ).
>
> But I suppose I COULD make the tunnel the default GW, since the box
> will only have to worry about the tunnel and the local subnet. And the
> local subnet the box should be able to find just fine after all....

You can also use routing tables to have split access routing. See http://www.lartc.org.

A.
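The two pieces discussed in this thread, the DNAT rule on the Shorewall box and the split access routing on the remote OpenVPN host so that replies come back through the tunnel, as one worked example. This is added illustration, not code from the list posters, from Shorewall or from lartc.org. Only the tunnel addresses 10.4.2.1 and 10.4.2.3 come from the thread; the alias address 203.0.113.10, the zone name vpn, the interface names eth0 and tun0, routing table 100 and rule priority 1000 are assumptions. Instead of making the tunnel the remote host's default gateway (Jan's idea), it keeps the LAN default route and adds a source-based rule so that only packets sourced from the tunnel address are sent via the Shorewall box.

```shell
#!/bin/sh
# Added example for this thread; not code from the posters, Shorewall or lartc.org.
# From the thread: 10.4.2.1 = Shorewall box's tunnel address, 10.4.2.3 = remote endpoint.
# Assumptions: alias 203.0.113.10, Shorewall zone "vpn", interfaces eth0/tun0,
#              routing table 100, ip-rule priority 1000.
#
# Shorewall side (assumed Shorewall 2.x column layout of /etc/shorewall/rules),
# after adding the alias on the public NIC with "ip addr add 203.0.113.10/32 dev eth0":
#
#   #ACTION  SOURCE  DEST          PROTO  DEST PORT  SOURCE PORT  ORIGINAL DEST
#   DNAT     net     vpn:10.4.2.3  all    -          -            203.0.113.10
#
# Remote-host side: replies to DNAT'ed connections leave with source 10.4.2.3.
# If the main table's default route points at the remote LAN gateway they go
# out the wrong way and the connection breaks.  This script routes everything
# sourced from the tunnel address back via the Shorewall box (lartc.org's
# "split access" pattern).  Run as root on the remote host; DRY_RUN=1 prints
# the commands instead of executing them.

set -eu

VPN_LOCAL_IP=${VPN_LOCAL_IP:-10.4.2.3}   # this host's tunnel address (from the thread)
VPN_GATEWAY=${VPN_GATEWAY:-10.4.2.1}     # Shorewall box's tunnel address (from the thread)
VPN_DEV=${VPN_DEV:-tun0}                 # assumed tunnel interface name
VPN_TABLE=${VPN_TABLE:-100}              # assumed policy-routing table number
RULE_PRIO=${RULE_PRIO:-1000}             # assumed ip-rule priority

# Execute a command, or just echo it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Send anything sourced from the tunnel address through the tunnel,
# regardless of the main table's default route.
apply_vpn_reply_routing() {
    run ip route replace default via "$VPN_GATEWAY" dev "$VPN_DEV" table "$VPN_TABLE"
    # drop a stale copy first so repeated runs do not stack duplicate rules
    run ip rule del from "$VPN_LOCAL_IP/32" table "$VPN_TABLE" priority "$RULE_PRIO" 2>/dev/null || true
    run ip rule add from "$VPN_LOCAL_IP/32" table "$VPN_TABLE" priority "$RULE_PRIO"
    run ip route flush cache
}

# Undo the above.
remove_vpn_reply_routing() {
    run ip rule del from "$VPN_LOCAL_IP/32" table "$VPN_TABLE" priority "$RULE_PRIO"
    run ip route flush table "$VPN_TABLE"
    run ip route flush cache
}

# Check: ask the kernel which way a reply from the tunnel address to an
# arbitrary Internet host would leave.  The answer should name $VPN_DEV and
# $VPN_GATEWAY; if it names the LAN gateway, the rule is not in effect.
verify_reply_path() {
    run ip route get "$1" from "$VPN_LOCAL_IP"
}

case "${1:-}" in
    apply)  apply_vpn_reply_routing ;;
    remove) remove_vpn_reply_routing ;;
    verify) verify_reply_path "${2:-198.51.100.1}" ;;
    "")     : ;;   # no arguments: only define the functions
    *)      echo "usage: $0 apply|remove|verify [dst]" >&2; exit 2 ;;
esac
```

Usage: `DRY_RUN=1 sh vpn-reply-route.sh apply` to see the commands, then run it as root without DRY_RUN, and `sh vpn-reply-route.sh verify 198.51.100.1` to confirm the kernel picks the tunnel for traffic sourced from 10.4.2.3. Traffic the remote host originates from its LAN address is untouched, which is what a source-based rule buys over simply moving the default route.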