From: Michael K. <li...@mk...> - 2018-10-12 08:27:22
> On 12.10.2018 at 06:04, Michael Knill <mic...@ip...> wrote:
>
> I like the checkbox option. Always better to give an option even if it is rarely changed I say.
>
> Regards
> Michael Knill

+1

That would be more consistent with our other firewall options.

I would vote for NOT enabled by default. Those few people who would need that could enable this by themselves.

> On 12/10/18, 1:41 pm, "Lonnie Abelbeck" <li...@lo...> wrote:
>
> Hi Dev minded,
>
> A few days back, Michael Knill authored a "[Astlinux-users] Access to VPN endpoint from external" topic.
>
> In the discussion I offered an allow_wireguard_openvpn() function in /mnt/kd/arno-iptables-firewall/custom-rules to allow WireGuard and OpenVPN to forward traffic.
>
> That got me thinking, perhaps we should have a Firewall sub-tab option to make this a standard feature ... then more thinking, considering that WireGuard's config limits only AllowedIPs, I can't see any reason why WireGuard and OpenVPN can't safely forward traffic between themselves since WireGuard has allow rules of its own ... meaning no user option is really necessary.
>
> Proposal, when both WireGuard and OpenVPN Server-or-Client are enabled, then allow the firewall to forward packets between the two VPN types.
>
> Other than testing for both VPN types, the AIF code boils down to simply:
> --
> IF_TRUSTS="$IF_TRUSTS${IF_TRUSTS:+|}wg+ tun+"
> --
>
> This looks safe to be enabled by default, but for documentation purposes we could add a rc.conf variable and make it an option:
>
> ___ Allow WireGuard VPN tunnel(s) to OpenVPN tunnel(s)
>
> Should we add this as a Firewall feature ? If so, should it be automatically enabled when both WireGuard and OpenVPN Server-or-Client are enabled, or add a rc.conf firewall option with a web interface checkbox ?
>
> BTW, until WireGuard is ubiquitous, mixing both WireGuard and OpenVPN on the same box will be common.
>
> Lonnie

Michael
http://www.mksolutions.info
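As an added example (not code from this thread, AstLinux or arno-iptables-firewall), here is what a narrower allow_wireguard_openvpn() for custom-rules could look like: instead of adding wg+ and tun+ to IF_TRUSTS, which trusts both interface classes broadly, it permits FORWARD traffic only between WireGuard and OpenVPN interfaces, and only when both kinds of interface are present. The interface-name matching, the conntrack rule form and the IPT variable are assumptions, not the project's own conventions.

```shell
# Assumed helper for /mnt/kd/arno-iptables-firewall/custom-rules (example only).
# IPT defaults to iptables; set IPT="echo iptables" to preview the rules.
IPT="${IPT:-iptables}"

# vpn_forward_rules IFACE... : print the FORWARD rules (one per line) that
# allow traffic between WireGuard (wg*) and OpenVPN (tun*) interfaces.
# Prints nothing unless at least one interface of each kind is listed, which
# mirrors "only when both VPN types are enabled" from the proposal.
vpn_forward_rules() {
  have_wg=0
  have_tun=0
  for i in "$@"; do
    case "$i" in
      wg*)  have_wg=1 ;;   # WireGuard interface (assumed naming: wg0, wg1, ...)
      tun*) have_tun=1 ;;  # OpenVPN tun interface (assumed naming: tun0, ...)
    esac
  done
  [ "$have_wg" -eq 1 ] && [ "$have_tun" -eq 1 ] || return 0
  # Only these two directions are opened; nothing else about wg+/tun+ is
  # trusted. conntrack keeps replies flowing without a separate rule.
  printf '%s\n' \
    "-A FORWARD -i wg+ -o tun+ -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT" \
    "-A FORWARD -i tun+ -o wg+ -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
}

# allow_wireguard_openvpn : install the rules for the interfaces that exist now.
allow_wireguard_openvpn() {
  ifaces=$(ls /sys/class/net 2>/dev/null)
  # shellcheck disable=SC2086
  vpn_forward_rules $ifaces | while IFS= read -r rule; do
    # shellcheck disable=SC2086
    $IPT $rule
  done
}
```

Calling vpn_forward_rules with the current interface names lets you review exactly which rules will be added before allow_wireguard_openvpn applies them.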