Re: [Shorewall-users] second VPN in bridge mode

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

On 12/20/2013 3:48 AM, Fábio Rabelo wrote:
> Hi to all
> 
> Thanks Tom for your try to help me, it was more than the people at
> official Openvpn forum and mailling list did ...
> 
> After 2 weeks and a lot of digging, I finaly find what I need !
> 
> I am giving you this because it will be a good "adendum" to your
> Openvpn doc, I think ...
> 
> In the shorewall conf all I need is an additional line to each new
> conection in the Openvpn server, changing the working port .
> 
> The real deal goes to the /etc/networking/interfaces  file, this is a
> fuctional example with 3 connections :
> 
> 
> # The loopback network interface
> auto lo
> iface lo inet loopback
> 
> # The internet network interface
> auto eth1
> iface eth1 inet static
>     address 186.231.3.xxx
>     netmask 255.255.255.248
>     broadcast 186.231.3.xxx
>     gateway 186.231.3.xxx
> 
> # The bridged vpn interface for Cenno
> auto br0
> iface br0 inet static
>     pre-up /usr/sbin/openvpn --mktun --dev tap0
>     pre-up /usr/sbin/openvpn --mktun --dev tap1
>     pre-up /usr/sbin/openvpn --mktun --dev tap2
>     pre-up /usr/sbin/brctl addbr br0
>     address 172.16.0.4
>     network 172.16.0.0
>     broadcast 172.16.255.255
>     netmask 255.255.0.0
>     post-up /sbin/ip link set tap0 up
>     post-up /sbin/ip link set tap1 up
>     post-up /sbin/ip link set tap2 up
>     post-up /usr/sbin/brctl addif br0 tap0 tap1 tap2
>     post-up /sbin/ip link set eth0 up
>     post-up /usr/sbin/brctl addif br0 eth0
>     post-down /usr/sbin/brctl delbr br0
>     post-down /usr/sbin/openvpn --rmtun tap0
>     post-down /usr/sbin/openvpn --rmtun tap1
>     post-down /usr/sbin/openvpn --rmtun tap2
>     post-down /sbin/ip link set eth0 down
> 
> 
> 
> I have to create one TAP virtual interface to each remote connection I need .
> 
> And one openvpn bridge instance to each connection too, so I have 2
> new  conf files in  /etc/openvpn folder :
> 
> one is like that :
> 
> 
> port 1195
> mssfix 1400
> remote 0.0.0.0
> dev tap1
> secret /etc/openvpn/cajamar.key
> 
> 
> and the other like this :
> 
> 
> port 1196
> remote 0.0.0.0
> dev tap2
> secret /etc/openvpn/caieiras.key
> 
> 
> 
> Look in the first one, there is a line with  a parameter "mssfix 1400"
> 
> This is due to package size limitations on the switcher present on the
> remote site, it limmits the MTU in the packages send to it .
> 
> Just to cover all angles, this is the /etc/shorewall/tunnels file :
> 
> 
> openvpn    net    0.0.0.0
> openvpn    loc    0.0.0.0
> openvpn:1195    net    187.75.209.xxx
> openvpn:1196    net    187.75.204.xxx
> 
> 
> Thanks for all your work on the Shorewall project ...

Thanks Fábio,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________