Hi all,

After searching all available documents on OpenVPN that exist on the site and all mail postings regarding the matter described in the subject, I feel that I am really confused and don't know where to start from.

Currently I have an OpenVPN server in bridge setup mode inside the LOC zone and the firewall forwards the connections to the server's UDP port from either ISP provider. My road warriors all get connected and have all the access I grant to them in LOC and DMZ.

However I would like to move the OpenVPN server onto the firewall. In particular I am clueless on how to set up the zones and interfaces in the firewall that is connected to 2 ISPs.

------------------------------------------------------------------------------

I am using a rather old version of Shorewall, 3.4.8, that comes with the Alpine uClibc distribution (kernel 2.6.25), but I wouldn't consider this a limitation; I can move up to a newer version as long as a sh version of Shorewall is supported.
Also I came across this howto http://people.mandriva.com/~ybourhis/openvpn/bridgedvpn.html that I considered somewhat clear. In short the setup that it suggests is this:

---------------------------------------------------
shorewall.conf

  BRIDGING=Yes

-------------------------------------
zones

  vpn     ipv4

--------------------------------------
interfaces

  #ZONE   INTERFACE   BROADCAST   OPTIONS
  -       br0

-------------------------------------
hosts

  #ZONE   HOST(S)     OPTIONS
  loc     br0:eth3
  vpn     br0:tap0

-----------------------------------------
tunnels

  # TYPE    ZONE   GATEWAY     GATEWAY ZONE
  openvpn   net    0.0.0.0/0   vpn

-----------------------------------------------------------
and finally policy

  #SOURCE   DEST   POLICY   LOG LEVEL
  loc       vpn    ACCEPT
  vpn       loc    ACCEPT

------------------------------------------------------------------------------

So far so good, this seemed clear.

In my case though, with 2 ISPs, I miss how to fill the providers file COPY field:

  #NAME   NUMBER   MARK   DUPLICATE   INTERFACE   GATEWAY       OPTIONS           COPY
  ISP1    1        256    main        eth0        xx.xx.xx.xx   track,balance=1   eth2, ???????????
  ISP2    2        512    main        eth1        xx.xx.xx.xx   track,balance=1   eth2, ???????????

Thanks in advance for any help, hint, or clues that you will provide.

Kind regards,
Harry

------------------------------------------------------------------------------
SF.Net email is Sponsored by MIX09, March 18-20, 2009 in Las Vegas, Nevada.
The future of the web can't happen without you. Join us at MIX09 to help
pave the way to the Next Web now. Learn more and register at
http://ad.doubleclick.net/clk;208669438;13503038;i?http://2009.visitmix.com/
Harry Lachanas wrote:
> In short the setup that it suggests is this
> ---------------------------------------------------
> shorewall.conf
>
> BRIDGING=Yes

That won't work with your 2.6.25 kernel -- this is pointed out in large bold font on the Shorewall home page: http://www.shorewall.net/shorewall_index.htm#Notice1

> -------------------------------------
> zones
> vpn ipv4
> --------------------------------------
> interfaces
> #ZONE INTERFACE BROADCAST OPTIONS
> - br0

I personally would just use a simple bridge (http://www.shorewall.net/SimpleBridge.html) and make your VPN clients part of the 'loc' zone.

  #ZONE   INTERFACE   BROADCAST   OPTIONS
  loc     br0         ...

And remove whatever entry you currently have for loc.

> -------------------------------------
> hosts
> #ZONE HOST(S) OPTIONS
> loc br0:eth3
> vpn br0:tap0

You don't need anything in the hosts file.

> -----------------------------------------
> tunnels
> # TYPE ZONE GATEWAY GATEWAY ZONE
> openvpn net 0.0.0.0/0 vpn

I would make that 'openvpnserver' and get rid of the 'vpn' at the end (GATEWAY ZONE only applies to IPSEC tunnels).

> -----------------------------------------------------------
> and finally policy
>
> #SOURCE DEST POLICY LOG LEVEL
> loc vpn ACCEPT
> vpn loc ACCEPT

And you don't need any policies since the VPN clients are already in the loc zone.

> ------------------------------------------------------------------------------
> So far so good this seemed clear
>
> In my case though with 2 ISPs
>
> I miss how to fill the providers file the COPY field

Replace your current local interface with 'br0'.
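The complete set of Shorewall files that results from applying the advice in the reply above, written out here as an added example; it is not from the thread, the howto, or the Shorewall project. Interface names eth0/eth1 (the two ISP links), eth3 and tap0 (the bridge ports from the posted hosts file) and br0 come from the thread; the ISP gateway values, the DMZ interface name, the `detect` BROADCAST entries, the zones file content and the exact COPY list are assumptions, marked with placeholders or comments. The bridge br0 itself is created by the distribution's network scripts, outside Shorewall, as the SimpleBridge document describes.

```text
# /etc/shorewall/shorewall.conf
# Simple bridge: the firewall sees br0 as one ordinary interface, so no
# kernel bridge-firewalling support (and no BRIDGING=Yes) is required.
BRIDGING=No

# /etc/shorewall/zones        (assumed: fw/net/loc/dmz as in the poster's setup)
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
dmz     ipv4

# /etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect
net     eth1        detect
loc     br0         detect      # bridge of eth3 (LAN) + tap0 (OpenVPN); replaces the old loc entry
dmz     <dmz-if>    detect      # placeholder: the DMZ NIC is not named in the thread
# No entries for eth3 or tap0 themselves: they are bridge ports, not firewall interfaces.

# /etc/shorewall/hosts
# (empty: VPN clients are in 'loc' simply because they sit on br0)

# /etc/shorewall/tunnels
#TYPE           ZONE   GATEWAY     GATEWAY ZONE
openvpnserver   net    0.0.0.0/0
# Zone 'net' spans both eth0 and eth1, so the OpenVPN server port is
# accepted from either ISP link with this single entry.

# /etc/shorewall/providers
#NAME   NUMBER   MARK   DUPLICATE   INTERFACE   GATEWAY          OPTIONS           COPY
ISP1    1        256    main        eth0        <ISP1-gateway>   track,balance=1   br0,<dmz-if>
ISP2    2        512    main        eth1        <ISP2-gateway>   track,balance=1   br0,<dmz-if>
# COPY lists the local interfaces whose routes are copied into each provider's
# routing table: the old 'eth2' local interface becomes 'br0' (assumption: the
# DMZ NIC is listed alongside it, as it was presumably in the original COPY).

# /etc/shorewall/policy
#SOURCE   DEST   POLICY   LOG LEVEL
# No loc<->vpn entries are needed. Because VPN clients are members of 'loc',
# every existing loc->dmz, loc->net and net->loc policy and rule applies to
# them unchanged, which is exactly the access the poster grants today.
```

One consequence worth checking after the change: road warriors now inherit everything 'loc' is allowed, with no separate zone to scope them, so if some loc→dmz rules were never meant for remote clients, that distinction has to be reintroduced with a separate zone (via the hosts file) rather than assumed from the old 'vpn' zone.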
Hi Shorewall Geek!!

This really flashed in my mind after reading your post! I couldn't believe the simplicity of it.

Thanks a million! And I think it's about time to say ... Merry Christmas to you, to Tom and to all Shorewall users.

Harry.
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users