From: Tom E. <te...@sh...> - 2013-12-20 21:54:04
On 12/20/2013 3:48 AM, Fábio Rabelo wrote:
> Hi to all
>
> Thanks Tom for your try to help me, it was more than the people at
> official Openvpn forum and mailing list did ...
>
> After 2 weeks and a lot of digging, I finally found what I need !
>
> I am giving you this because it will be a good "addendum" to your
> Openvpn doc, I think ...
>
> In the shorewall conf all I need is an additional line to each new
> connection in the Openvpn server, changing the working port .
>
> The real deal goes to the /etc/networking/interfaces file, this is a
> functional example with 3 connections :
>
>
> # The loopback network interface
> auto lo
> iface lo inet loopback
>
> # The internet network interface
> auto eth1
> iface eth1 inet static
>     address 186.231.3.xxx
>     netmask 255.255.255.248
>     broadcast 186.231.3.xxx
>     gateway 186.231.3.xxx
>
> # The bridged vpn interface for Cenno
> auto br0
> iface br0 inet static
>     pre-up /usr/sbin/openvpn --mktun --dev tap0
>     pre-up /usr/sbin/openvpn --mktun --dev tap1
>     pre-up /usr/sbin/openvpn --mktun --dev tap2
>     pre-up /usr/sbin/brctl addbr br0
>     address 172.16.0.4
>     network 172.16.0.0
>     broadcast 172.16.255.255
>     netmask 255.255.0.0
>     post-up /sbin/ip link set tap0 up
>     post-up /sbin/ip link set tap1 up
>     post-up /sbin/ip link set tap2 up
>     post-up /usr/sbin/brctl addif br0 tap0 tap1 tap2
>     post-up /sbin/ip link set eth0 up
>     post-up /usr/sbin/brctl addif br0 eth0
>     post-down /usr/sbin/brctl delbr br0
>     post-down /usr/sbin/openvpn --rmtun tap0
>     post-down /usr/sbin/openvpn --rmtun tap1
>     post-down /usr/sbin/openvpn --rmtun tap2
>     post-down /sbin/ip link set eth0 down
>
>
>
> I have to create one TAP virtual interface to each remote connection I need .
>
> And one openvpn bridge instance to each connection too, so I have 2
> new conf files in /etc/openvpn folder :
>
> one is like that :
>
>
> port 1195
> mssfix 1400
> remote 0.0.0.0
> dev tap1
> secret /etc/openvpn/cajamar.key
>
>
> and the other like this :
>
>
> port 1196
> remote 0.0.0.0
> dev tap2
> secret /etc/openvpn/caieiras.key
>
>
>
> Look in the first one, there is a line with a parameter "mssfix 1400"
>
> This is due to package size limitations on the switcher present on the
> remote site, it limits the MTU in the packages sent to it .
>
> Just to cover all angles, this is the /etc/shorewall/tunnels file :
>
>
> openvpn      net 0.0.0.0
> openvpn      loc 0.0.0.0
> openvpn:1195 net 187.75.209.xxx
> openvpn:1196 net 187.75.204.xxx
>
>
> Thanks for all your work on the Shorewall project ...

Thanks Fábio,

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
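The setup in Fábio's message ties three files together: the bridge stanza in the interfaces file (which taps are created, bridged and torn down), one OpenVPN config per remote site (which tap and port each instance uses), and shorewall's tunnels file (which ports the firewall opens). They have to agree: a tap that an instance uses but that was never bridged, or a port with no tunnels entry, simply fails, while a tunnels entry with no listener behind it is an open firewall rule nobody uses. The Python script below is an added consistency check written for this page; it is not part of Shorewall, OpenVPN, or either poster's configuration. It embeds constructed copies of the quoted stanzas, assumes the pre-existing first instance runs on tap0 at OpenVPN's default port 1194 (the message does not show that config), and parses the tunnels TYPE column as openvpn[:proto][:port] with 1194 as the default when no port is given.

```python
import re

# Constructed sample inputs mirroring the stanzas quoted in the e-mail
# (addresses masked the same way; not copied from a live system).
INTERFACES = """\
auto br0
iface br0 inet static
    pre-up /usr/sbin/openvpn --mktun --dev tap0
    pre-up /usr/sbin/openvpn --mktun --dev tap1
    pre-up /usr/sbin/openvpn --mktun --dev tap2
    pre-up /usr/sbin/brctl addbr br0
    address 172.16.0.4
    netmask 255.255.0.0
    post-up /sbin/ip link set tap0 up
    post-up /sbin/ip link set tap1 up
    post-up /sbin/ip link set tap2 up
    post-up /usr/sbin/brctl addif br0 tap0 tap1 tap2
    post-up /sbin/ip link set eth0 up
    post-up /usr/sbin/brctl addif br0 eth0
    post-down /usr/sbin/brctl delbr br0
    post-down /usr/sbin/openvpn --rmtun tap0
    post-down /usr/sbin/openvpn --rmtun tap1
    post-down /usr/sbin/openvpn --rmtun tap2
"""

OPENVPN_CONFS = {
    # server.conf is an assumption: the original instance on tap0 is not shown in the mail.
    "server.conf": "port 1194\nremote 0.0.0.0\ndev tap0\nsecret /etc/openvpn/server.key\n",
    "cajamar.conf": "port 1195\nmssfix 1400\nremote 0.0.0.0\ndev tap1\nsecret /etc/openvpn/cajamar.key\n",
    "caieiras.conf": "port 1196\nremote 0.0.0.0\ndev tap2\nsecret /etc/openvpn/caieiras.key\n",
}

TUNNELS = """\
openvpn      net 0.0.0.0
openvpn      loc 0.0.0.0
openvpn:1195 net 187.75.209.xxx
openvpn:1196 net 187.75.204.xxx
"""

DEFAULT_PORT = "1194"  # OpenVPN's documented default, also shorewall's default for openvpn tunnels


def parse_interfaces(text, bridge="br0"):
    """Return (created, bridged, removed) tap sets from the pre-up/post-up/post-down lines."""
    created, bridged, removed = set(), set(), set()
    for line in text.splitlines():
        m = re.search(r"--mktun\s+--dev\s+(\S+)", line)
        if m:
            created.add(m.group(1))
        m = re.search(r"--rmtun\s+(\S+)", line)
        if m:
            removed.add(m.group(1))
        m = re.search(r"brctl\s+addif\s+(\S+)\s+(.+)$", line.strip())
        if m and m.group(1) == bridge:
            bridged.update(m.group(2).split())  # brctl addif accepts several devices at once
    return created, bridged, removed


def parse_openvpn(text):
    """Pick the port and dev options out of an OpenVPN config; port falls back to the default."""
    opts = {"port": DEFAULT_PORT}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] in ("port", "dev"):
            opts[parts[0]] = parts[1]
    return opts


def parse_tunnels(text):
    """Collect the ports opened by openvpn* entries in a shorewall tunnels file."""
    ports = set()
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        fields = parts[0].split(":")  # TYPE column: openvpn[:tcp|udp][:port]
        if fields[0].startswith("openvpn"):
            ports.add(fields[-1] if fields[-1].isdigit() else DEFAULT_PORT)
    return ports


def check(interfaces, confs, tunnels, bridge="br0"):
    """Cross-check the three files; returns a list of human-readable findings (empty = consistent)."""
    findings = []
    created, bridged, removed = parse_interfaces(interfaces, bridge)
    tunnel_ports = parse_tunnels(tunnels)
    used_ports = {}
    for name, text in confs.items():
        opts = parse_openvpn(text)
        dev, port = opts.get("dev"), opts["port"]
        if dev not in created:
            findings.append(f"{name}: dev {dev} is never created with --mktun")
        elif dev not in bridged:
            findings.append(f"{name}: dev {dev} is never added to {bridge}")
        if port in used_ports:
            findings.append(f"{name}: port {port} already used by {used_ports[port]}")
        used_ports.setdefault(port, name)
        if port not in tunnel_ports:
            findings.append(f"{name}: port {port} has no entry in shorewall tunnels")
    # A tunnels entry with no instance behind it is an open firewall rule with no purpose.
    for port in sorted(tunnel_ports - set(used_ports)):
        findings.append(f"tunnels: port {port} opened but no openvpn instance listens on it")
    for dev in sorted(created - removed):
        findings.append(f"interfaces: {dev} created but never removed with --rmtun")
    return findings


if __name__ == "__main__":
    for f in check(INTERFACES, OPENVPN_CONFS, TUNNELS) or ["all three files agree"]:
        print(f)
```

Run it against the real files by reading them into the three inputs; every finding names the file and the tap or port that does not line up, which is the usual failure mode when a fourth site is added and one of the three files is forgotten.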