Hi all,
After searching all available documents on openvpn that exist on site
and all mail-postings regarding the matter described on subject,
I feel that I am really confused and don't know where to start from.
Currently I have an openvpn server in bridge setup mode inside the LOC zone,
and the firewall forwards the connections to the server's udp port from
either ISP provider.
My road warriors get all connected and have all access I grant to them
in LOC and DMZ.
However I would like to move the openvpn server on the firewall.
In particular I am clueless on how to set up the zones and interfaces in
the firewall that is connected to 2 ISPs.
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
I am using a rather old version of Shorewall, 3.4.8,
that comes with the Alpine uClibc distribution (kernel 2.6.25), but I
wouldn't consider this a limitation; I can move up to a newer version
as long as a sh version of Shorewall is supported.
Also I came across this howto
http://people.mandriva.com/~ybourhis/openvpn/bridgedvpn.html
that I considered somewhat clear.
In short, the setup that it suggests is this:
---------------------------------------------------
Shorewall.conf
BRIDGING=Yes
-------------------------------------
Zones
vpn ipv4
--------------------------------------
Interfaces
#ZONE INTERFACE BROADCAST OPTIONS
- br0
-------------------------------------
hosts
#ZONE HOST(S) OPTIONS
loc br0:eth3
vpn br0:tap0
-----------------------------------------
tunnels
# TYPE ZONE GATEWAY GATEWAY
# ZONE
openvpn net 0.0.0.0/0 vpn
-----------------------------------------------------------
and finally policy
#SOURCE DEST POLICY LOG LEVEL
loc vpn ACCEPT
vpn loc ACCEPT
------------------------------------------------------------------------------
So far so good, this seemed clear.
In my case though, with 2 ISPs,
I miss how to fill in the COPY field of the providers file:
#NAME  NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY      OPTIONS          COPY
ISP1   1       256   main       eth0       xx.xx.xx.xx  track,balance=1  eth2,???????????
ISP2   2       512   main       eth1       xx.xx.xx.xx  track,balance=1  eth2,???????????
Thanks in advance for any help, hint, or clues that you will provide.
Kind regards,
Harry
------------------------------------------------------------------------------
SF.Net email is Sponsored by MIX09, March 18-20, 2009 in Las Vegas, Nevada.
The future of the web can't happen without you. Join us at MIX09 to help
pave the way to the Next Web now. Learn more and register at
http://ad.doubleclick.net/clk;208669438;13503038;i?http://2009.visitmix.com/
Harry Lachanas wrote:
>
> In short the setup that it suggests is this
> ---------------------------------------------------
> Shorewall.conf
>
> BRIDGING=Yes

That won't work with your 2.6.25 kernel -- this is pointed out in large
bold font on the Shorewall home page:
http://www.shorewall.net/shorewall_index.htm#Notice1

> -------------------------------------
> Zones
> vpn ipv4
> --------------------------------------
> Interfaces
> #ZONE INTERFACE BROADCAST OPTIONS
> - br0

I personally would just use a simple bridge
(http://www.shorewall.net/SimpleBridge.html) and make your VPN clients
part of the 'loc' zone.

#ZONE INTERFACE BROADCAST OPTIONS
loc br0 ...

And remove whatever entry you currently have for loc.

> -------------------------------------
> hosts
> #ZONE HOST(S) OPTIONS
> loc br0:eth3
> vpn br0:tap0

You don't need anything in the hosts file.

> -----------------------------------------
> tunnels
> # TYPE ZONE GATEWAY GATEWAY
> # ZONE
> openvpn net 0.0.0.0/0 vpn

I would make that 'openvpnserver' and get rid of the 'vpn' at the end
(GATEWAY ZONE only applies to IPSEC tunnels).

> -----------------------------------------------------------
> and finally policy
>
> #SOURCE DEST POLICY LOG LEVEL
> loc vpn ACCEPT
> vpn loc ACCEPT

And you don't need any policies since the VPN clients are already in the
loc zone.

> ------------------------------------------------------------------------------
> So far so good this seemed clear
>
> In my case though with 2 ISPs
>
> I miss how to fill the providers file the copy field

Replace your current local interface with 'br0'.
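Putting the reply's advice together into one consistent set of Shorewall 3.4 files (an added example, not from the thread or the Shorewall project). The names eth0/eth1 for the ISPs, eth3 and tap0 as the bridge ports and br0 as the bridge follow Harry's mail and the howto; the DMZ interface name and the routeback option on br0 are assumptions.

```text
# /etc/shorewall/shorewall.conf  (only the relevant setting)
BRIDGING=No        # =Yes is what the Notice says will not work on a 2.6.25 kernel

# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
dmz     ipv4
# No separate "vpn" zone: the road warriors arrive on tap0, which is a port of
# br0, so they are ordinary members of loc.

# /etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect
net     eth1        detect
loc     br0         detect      routeback   # br0 bridges eth3 + tap0; routeback is
                                            # assumed so the two bridge ports can
                                            # talk to each other through br0
dmz     ethX        detect                  # ethX = your existing DMZ entry, unchanged
# The old "loc eth2 ..." line is removed; br0 replaces it.

# /etc/shorewall/hosts
# (empty: the br0:eth3 / br0:tap0 lines from the howto are not needed)

# /etc/shorewall/tunnels
#TYPE           ZONE    GATEWAY         GATEWAY ZONE
openvpnserver   net     0.0.0.0/0       # last column left empty: IPSEC-only

# /etc/shorewall/policy
# No loc<->vpn lines: keep the loc/dmz/net policies you already have.

# /etc/shorewall/providers  (COPY now names br0 where eth2 used to be)
#NAME  NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY      OPTIONS          COPY
ISP1   1       256   main       eth0       xx.xx.xx.xx  track,balance=1  br0,ethX
ISP2   2       512   main       eth1       xx.xx.xx.xx  track,balance=1  br0,ethX
```

br0 has to exist, with eth3 as a port, before Shorewall starts; tap0 is normally added to the bridge by OpenVPN's up script, so the bridge (not the individual ports) is all Shorewall ever sees.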
Hi Shorewall Geek !!

This really flashed in my mind after reading your post! I couldn't
believe the simplicity of it. Thanks a million! and I think it's about
time to say .... Merry Christmas to you, to Tom and to all Shorewall
users.

Harry.

>
>> In short the setup that it suggests is this
>> ---------------------------------------------------
>> Shorewall.conf
>>
>> BRIDGING=Yes
>>
>
> That won't work with your 2.6.25 kernel -- this is pointed out in large
> bold font on the Shorewall home page:
> http://www.shorewall.net/shorewall_index.htm#Notice1
>
>
>> -------------------------------------
>> Zones
>> vpn ipv4
>> --------------------------------------
>> Interfaces
>> #ZONE INTERFACE BROADCAST OPTIONS
>> - br0
>>
>
> I personally would just use a simple bridge
> (http://www.shorewall.net/SimpleBridge.html) and make your VPN clients
> part of the 'loc' zone.
>
> #ZONE INTERFACE BROADCAST OPTIONS
> loc br0 ...
>
> And remove whatever entry you currently have for loc.
>
>
>> -------------------------------------
>> hosts
>> #ZONE HOST(S) OPTIONS
>> loc br0:eth3
>> vpn br0:tap0
>>
>
> You don't need anything in the hosts file.
>
>
>> -----------------------------------------
>> tunnels
>> # TYPE ZONE GATEWAY GATEWAY
>> # ZONE
>> openvpn net 0.0.0.0/0 vpn
>>
>
> I would make that 'openvpnserver' and get rid of the 'vpn' at the end
> (GATEWAY ZONE only applies to IPSEC tunnels).
>
>
>> -----------------------------------------------------------
>> and finally policy
>>
>> #SOURCE DEST POLICY LOG LEVEL
>> loc vpn ACCEPT
>> vpn loc ACCEPT
>>
>
> And you don't need any policies since the VPN clients are already in the
> loc zone.
>
>
>> ------------------------------------------------------------------------------
>> So far so good this seemed clear
>>
>> In my case though with 2 ISPs
>>
>> I miss how to fill the providers file the copy field
>>
>
> Replace your current local interface with 'br0'.
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users