From: Chris C. <CCa...@Le...> - 2004-06-21 20:55:42
I currently have openVPN 1.6 running on a Linux firewall (leaf.sf.net) which uses Shorewall. I have 7 remote clients (one Linux, the rest Win2k & XP), all of which are working fine.

In the Shorewall config I have assigned zone "vpn" to all my tun devices, and then limited what is allowed in/out of that zone through my Shorewall rules.

What I'm after is more control over the VPN traffic: I want multiple zones with varying access. Zones are assigned to individual interfaces under Shorewall. It seems that openVPN processes the config files in alphabetical order, therefore I can control which config is associated with which tun* device by the names of the config files.

Is this correct?

If so, how will this work in 2.0, where I believe only one port/tun is used? Will I be able to have 2 configs/ports/tun devices; one trusted VPN zone, and one untrusted zone?

Thanks,
Chris

--
Chris Carbaugh
Network Administrator
CCa...@Le...

Leer Electric Inc.
www.LeerElectric.com
PHONE: (717) 432-9756
FAX: (717) 432-9758
From: M L. <ml...@ho...> - 2004-06-21 21:45:43
Hi Chris,

The way I do it is I assign them in /etc/shorewall/tunnels like that:

    generic:udp:5001 net 0.0.0.0/0 vpn1
    generic:udp:5002 net 0.0.0.0/0 vpn2

and in /etc/shorewall/zones:

    vpn1 VPN1
    vpn2 VPN2

and in /etc/shorewall/interfaces:

    vpn1 tun1
    vpn2 tun2

and then set the rules differently for vpn1 and vpn2 as I like.

M Lu.

----- Original Message -----
From: "Chris Carbaugh" <CCa...@Le...>
To: "OpenVPN Users List" <ope...@li...>
Sent: Monday, June 21, 2004 4:48 PM
Subject: [Openvpn-users] openVPN+Shorewall: multiple VPN zones?
From: John F. <joh...@gm...> - 2004-06-21 22:15:43
Is there a similar solution possible with the firewall from 'Linux IP Masquerade HOWTO'?

TIA
John
From: Mathias S. <ma...@ni...> - 2004-06-21 22:48:03
On Mon, 21 Jun 2004, John Favorite wrote:

> is there a similar solution possible with the firewall from 'Linux IP
> Masquerade HOWTO'

Similar solution to what? Please quote what you are referring to.

If you mean, "What can you do with iptables?", then the answer is: you can do almost anything. You can set up your firewall rules based on, for example, in/out interface, src/dst IP address, src/dst MAC address, TCP/UDP s-port/d-port and so on.

So together with openvpn you can either specify a specific interface a particular user or group of users should use, and do your iptables filtering based on that, or you could assign a specific IP address and filter on that.

Was that an answer to your question?

--
_____________________________________________________________
Mathias Sundman          (^)  ASCII Ribbon Campaign
NILINGS AB                X   NO HTML/RTF in e-mail
Tel: +46-(0)8-666 32 28  / \  NO Word docs in e-mail
From: John F. <joh...@gm...> - 2004-06-22 03:00:12
Yes, it definitely answered my question... and created many more.

I am currently using an in-out interface scheme, as well as odd port forwarding, allowing services through (port 5000 for example). Everything works great with beta5 as far as authentication and DHCP... but I am unable to ping from either side of the tunnel.

I assume on the Linux side it is because there is no tap0 interface assigned like eth0/1 are. I did however allow all connections for tun and tap connections (as per the man).

On the WinXP side, ifconfig does not seem to be working. I see the ifconfig being received, but an ipconfig /all shows no gw for the tap interface.

I have tested this internally and externally of my network. Both have the same ping results:
Linux tells me host/route unreachable
WinXP times out

I am stumped for what to add to iptables as I am relatively new to Linux. I know iptables can do it, I just lack the knowledge to configure it properly.

Eventually I would like to have several clients connect and have different workgroups/networks available to them according to authenticated user... which I know can be done via scripts. Before I can do any of that I have to be able to ping across the tunnel!

Any help would be greatly appreciated!

P.S. Sorry if I hijacked the original thread
From: John F. <joh...@gm...> - 2004-06-22 04:31:14
This is what I see when loading OpenVPN:

megatron root # rmdir /dev/net/tun
megatron root # mknod /dev/net/tun c 10 200
megatron root # openvpn --config /etc/openvpn/basic-server.conf
Mon Jun 21 21:31:18 2004 [0] Current Parameter Settings:
Mon Jun 21 21:31:18 2004 [0] config = '/etc/openvpn/basic-server.conf'
Mon Jun 21 21:31:18 2004 [0] mode = 1
Mon Jun 21 21:31:18 2004 [0] persist_config = DISABLED
Mon Jun 21 21:31:18 2004 [0] persist_mode = 1
Mon Jun 21 21:31:18 2004 [0] show_ciphers = DISABLED
Mon Jun 21 21:31:18 2004 [0] show_digests = DISABLED
Mon Jun 21 21:31:18 2004 [0] genkey = DISABLED
Mon Jun 21 21:31:18 2004 [0] askpass = DISABLED
Mon Jun 21 21:31:18 2004 [0] show_tls_ciphers = DISABLED
Mon Jun 21 21:31:18 2004 [0] proto = 0
Mon Jun 21 21:31:18 2004 [0] local = '[UNDEF]'
Mon Jun 21 21:31:18 2004 [0] remote_list = NULL
Mon Jun 21 21:31:18 2004 [0] remote_random = DISABLED
Mon Jun 21 21:31:18 2004 [0] local_port = 5000
Mon Jun 21 21:31:18 2004 [0] remote_port = 5000
Mon Jun 21 21:31:18 2004 [0] remote_float = DISABLED
Mon Jun 21 21:31:18 2004 [0] ipchange = '[UNDEF]'
Mon Jun 21 21:31:18 2004 [0] bind_local = ENABLED
Mon Jun 21 21:31:18 2004 [0] dev = 'tap'
Mon Jun 21 21:31:18 2004 [0] dev_type = '[UNDEF]'
Mon Jun 21 21:31:18 2004 [0] dev_node = '[UNDEF]'
Mon Jun 21 21:31:18 2004 [0] tun_ipv6 = DISABLED
Mon Jun 21 21:31:18 2004 [0] ifconfig_local = '192.168.1.1'
Mon Jun 21 21:31:18 2004 [0] ifconfig_remote_netmask = '255.255.255.0'
Mon Jun 21 21:31:18 2004 [0] ifconfig_noexec = DISABLED
Mon Jun 21 21:31:18 2004 [0] ifconfig_nowarn = DISABLED
Mon Jun 21 21:31:18 2004 [0] shaper = 0
Mon Jun 21 21:31:18 2004 [0] tun_mtu = 1500
Mon Jun 21 21:31:18 2004 [0] tun_mtu_defined = ENABLED
Mon Jun 21 21:31:18 2004 [0] link_mtu = 1500
Mon Jun 21 21:31:18 2004 [0] link_mtu_defined = DISABLED
Mon Jun 21 21:31:18 2004 [0] tun_mtu_extra = 32
Mon Jun 21 21:31:18 2004 [0] tun_mtu_extra_defined = ENABLED
Mon Jun 21 21:31:18 2004 [0] fragment = 0
Mon Jun 21 21:31:18 2004 [0] mtu_discover_type = -1
Mon Jun 21 21:31:18 2004 [0] mtu_test = 0
Mon Jun 21 21:31:18 2004 [0] mlock = DISABLED
Mon Jun 21 21:31:18 2004 [0] inactivity_timeout = 0
Mon Jun 21 21:31:18 2004 [0] ping_send_timeout = 10
Mon Jun 21 21:31:18 2004 [0] ping_rec_timeout = 120
Mon Jun 21 21:31:18 2004 [0] ping_rec_timeout_action = 2
Mon Jun 21 21:31:18 2004 [0] ping_timer_remote = DISABLED
Mon Jun 21 21:31:18 2004 [0] persist_tun = DISABLED
Mon Jun 21 21:31:18 2004 [0] persist_local_ip = DISABLED
Mon Jun 21 21:31:18 2004 [0] persist_remote_ip = DISABLED
Mon Jun 21 21:31:18 2004 [0] persist_key = DISABLED
Mon Jun 21 21:31:18 2004 [0] mssfix = 1450
Mon Jun 21 21:31:18 2004 [0] passtos = DISABLED
Mon Jun 21 21:31:18 2004 [0] resolve_retry_seconds = 0
Mon Jun 21 21:31:18 2004 [0] connect_retry_seconds = 5
Mon Jun 21 21:31:18 2004 [0] username = 'nobody'
Mon Jun 21 21:31:18 2004 [0] groupname = 'nobody'
Mon Jun 21 21:31:18 2004 [0] chroot_dir = '[UNDEF]'
Mon Jun 21 21:31:18 2004 [0] cd_dir = '[UNDEF]'
Mon Jun 21 21:31:18 2004 [0] writepid = '[UNDEF]'
Mon Jun 21 21:31:18 2004 [0] up_script = '[UNDEF]'
Mon Jun 21 21:31:18 2004 [0] down_script = '[UNDEF]'
Mon Jun 21 21:31:18 2004 [0] up_restart = DISABLED
Mon Jun 21 21:31:18 2004 [0] daemon = DISABLED
Mon Jun 21 21:31:18 2004 [0] inetd = 0
Mon Jun 21 21:31:18 2004 [0] log = DISABLED
Mon Jun 21 21:31:18 2004 [0] nice = 0
Mon Jun 21 21:31:18 2004 [0] verbosity = 4
Mon Jun 21 21:31:18 2004 [0] mute = 0
Mon Jun 21 21:31:18 2004 [0] gremlin = DISABLED
Mon Jun 21 21:31:18 2004 [0] status_file = '[UNDEF]'
Mon Jun 21 21:31:18 2004 [0] status_file_update_freq = 60
Mon Jun 21 21:31:18 2004 [0] occ = ENABLED
Mon Jun 21 21:31:18 2004 [0] rcvbuf = 65536
Mon Jun 21 21:31:18 2004 [0] sndbuf = 65536
Mon Jun 21 21:31:18 2004 [0] http_proxy_server = '[UNDEF]'
Mon Jun 21 21:31:18 2004 [0] http_proxy_port = 0
Mon Jun 21 21:31:18 2004 [0] http_proxy_auth_method = '[UNDEF]'
Mon Jun 21 21:31:18 2004 [0] http_proxy_auth_file = '[UNDEF]'
Mon Jun 21 21:31:18 2004 [0] http_proxy_retry = DISABLED
Mon Jun 21 21:31:18 2004 [0] socks_proxy_server = '[UNDEF]'
Mon Jun 21 21:31:18 2004 [0] socks_proxy_port = 0
Mon Jun 21 21:31:18 2004 [0] socks_proxy_retry = DISABLED
Mon Jun 21 21:31:18 2004 [0] comp_lzo = DISABLED
Mon Jun 21 21:31:18 2004 [0] comp_lzo_adaptive = ENABLED
Mon Jun 21 21:31:18 2004 [0] route_script = '[UNDEF]'
Mon Jun 21 21:31:18 2004 [0] route_default_gateway = '192.168.0.1'
Mon Jun 21 21:31:18 2004 [0] route_noexec = DISABLED
Mon Jun 21 21:31:18 2004 [0] route_delay = 0
Mon Jun 21 21:31:18 2004 [0] route_delay_defined = DISABLED
Mon Jun 21 21:31:18 2004 [0] route 192.168.1.0/255.255.255.0/nil/nil
Mon Jun 21 21:31:18 2004 [0] shared_secret_file = '[UNDEF]'
Mon Jun 21 21:31:18 2004 [0] key_direction = 0
Mon Jun 21 21:31:18 2004 [0] ciphername_defined = ENABLED
Mon Jun 21 21:31:18 2004 [0] ciphername = 'BF-CBC'
Mon Jun 21 21:31:18 2004 [0] authname_defined = ENABLED
Mon Jun 21 21:31:18 2004 [0] authname = 'SHA1'
Mon Jun 21 21:31:18 2004 [0] keysize = 0
Mon Jun 21 21:31:18 2004 [0] replay = ENABLED
Mon Jun 21 21:31:18 2004 [0] replay_window = 64
Mon Jun 21 21:31:18 2004 [0] replay_time = 15
Mon Jun 21 21:31:18 2004 [0] packet_id_file = '[UNDEF]'
Mon Jun 21 21:31:18 2004 [0] use_iv = ENABLED
Mon Jun 21 21:31:18 2004 [0] test_crypto = DISABLED
Mon Jun 21 21:31:18 2004 [0] tls_server = ENABLED
Mon Jun 21 21:31:18 2004 [0] tls_client = DISABLED
Mon Jun 21 21:31:18 2004 [0] key_method = 2
Mon Jun 21 21:31:18 2004 [0] ca_file = '/etc/ssl/gen/ca.crt'
Mon Jun 21 21:31:18 2004 [0] dh_file = '/etc/ssl/gen/dh2048.pem'
Mon Jun 21 21:31:18 2004 [0] cert_file = '/etc/ssl/gen/SERVER.crt'
Mon Jun 21 21:31:18 2004 [0] priv_key_file = '/etc/ssl/gen/SERVER.key'
Mon Jun 21 21:31:18 2004 [0] cipher_list = '[UNDEF]'
Mon Jun 21 21:31:18 2004 [0] tls_verify = '[UNDEF]'
Mon Jun 21 21:31:18 2004 [0] tls_remote = '[UNDEF]'
Mon Jun 21 21:31:18 2004 [0] crl_file = '[UNDEF]'
Mon Jun 21 21:31:18 2004 [0] tls_timeout = 2
Mon Jun 21 21:31:18 2004 [0] renegotiate_bytes = 0
Mon Jun 21 21:31:18 2004 [0] renegotiate_packets = 0
Mon Jun 21 21:31:18 2004 [0] renegotiate_seconds = 3600
Mon Jun 21 21:31:18 2004 [0] handshake_window = 60
Mon Jun 21 21:31:18 2004 [0] transition_window = 3600
Mon Jun 21 21:31:18 2004 [0] single_session = DISABLED
Mon Jun 21 21:31:18 2004 [0] tls_auth_file = '[UNDEF]'
Mon Jun 21 21:31:18 2004 [0] push_list = 'route 192.168.1.0 255.255.255.0,route-gateway 192.168.1.1,ping 10,ping-restart 60'
Mon Jun 21 21:31:18 2004 [0] pull = DISABLED
Mon Jun 21 21:31:18 2004 [0] ifconfig_pool_defined = ENABLED
Mon Jun 21 21:31:18 2004 [0] ifconfig_pool_start = 192.168.1.4
Mon Jun 21 21:31:18 2004 [0] ifconfig_pool_end = 192.168.1.255
Mon Jun 21 21:31:18 2004 [0] n_bcast_buf = 256
Mon Jun 21 21:31:18 2004 [0] real_hash_size = 256
Mon Jun 21 21:31:18 2004 [0] virtual_hash_size = 256
Mon Jun 21 21:31:18 2004 [0] client_connect_script = '[UNDEF]'
Mon Jun 21 21:31:18 2004 [0] learn_address_script = '[UNDEF]'
Mon Jun 21 21:31:18 2004 [0] client_disconnect_script = '[UNDEF]'
Mon Jun 21 21:31:18 2004 [0] client_config_dir = '[UNDEF]'
Mon Jun 21 21:31:18 2004 [0] tmp_dir = '[UNDEF]'
Mon Jun 21 21:31:18 2004 [0] push_ifconfig_defined = DISABLED
Mon Jun 21 21:31:18 2004 [0] push_ifconfig_local = 0.0.0.0
Mon Jun 21 21:31:18 2004 [0] push_ifconfig_remote_netmask = 0.0.0.0
Mon Jun 21 21:31:18 2004 [0] enable_c2c = DISABLED
Mon Jun 21 21:31:18 2004 [0] duplicate_cn = DISABLED
Mon Jun 21 21:31:18 2004 [0] cf_max = 0
Mon Jun 21 21:31:18 2004 [0] cf_per = 0
Mon Jun 21 21:31:18 2004 [0] OpenVPN 2.0_beta5 i686-pc-linux-gnu [SSL] [LZO] [PTHREAD] built on Jun 16 2004
Mon Jun 21 21:31:18 2004 [0] Diffie-Hellman initialized with 2048 bit key
Mon Jun 21 21:31:18 2004 [0] WARNING: file '/etc/ssl/gen/SERVER.key' is group or others accessible
Mon Jun 21 21:31:18 2004 [0] TUN/TAP device tap0 opened
Mon Jun 21 21:31:18 2004 [0] TUN/TAP TX queue length set to 100
Mon Jun 21 21:31:18 2004 [0] /sbin/ifconfig tap0 192.168.1.1 netmask 255.255.255.0 mtu 1500 broadcast 192.168.1.255
Mon Jun 21 21:31:18 2004 [0] /sbin/route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.0.1
Mon Jun 21 21:31:18 2004 [0] Data Channel MTU parms [ L:1573 D:1450 EF:41 EB:0 ET:32 EL:0 ]
Mon Jun 21 21:31:18 2004 [0] GID set to nobody
Mon Jun 21 21:31:18 2004 [0] UID set to nobody
Mon Jun 21 21:31:18 2004 [0] Socket Buffers: R=[65535->131070] S=[65535->131070]
Mon Jun 21 21:31:18 2004 [0] UDPv4 link local (bound): [undef]:5000
Mon Jun 21 21:31:18 2004 [0] UDPv4 link remote: [undef]
Mon Jun 21 21:31:18 2004 [0] MULTI: multi_init called, r=256 v=256
Mon Jun 21 21:31:18 2004 [0] IFCONFIG POOL: base=192.168.1.4 size=252

Hopefully this will help someone smarter than me.
John
From: Mathias S. <ma...@ni...> - 2004-06-21 21:45:00
On Mon, 21 Jun 2004, Chris Carbaugh wrote:

> I currently have openVPN 1.6 running on a Linux firewall (leaf.sf.net)
> which uses Shorewall. I have 7 remote clients, (one Linux the rest
> Win2k & xp), all of which are working fine.
>
> In the Shorewall config I have assigned zone "vpn" to all my tun
> devices, and then limited what is allowed in/out of that zone through my
> shorewall rules.
>
> What I'm after is more control over the vpn traffic: I want multiple
> zones with varying access. Zones are assigned to individual interfaces
> under shorewall. It seems that openVPN processes the config files in
> alphabetical order, therefore I can control which config is associated
> with which tun* device by the names of the config files.

Use "dev tunX" in each config file to explicitly specify which tun interface to use for each client, then you can assign the tun interfaces you like to the different zones.

> If so, how will this work in 2.0, where I believe only one port/tun is
> used? Will I be able to have 2 configs/ports/tun devices; one trusted
> vpn zone, and one untrusted zone?

If you use tun interfaces you can assign a predefined IP address to each client by using different config files for each client, and then base your firewall rules on the source IP address instead of the interface.

If you don't like this you could run one openvpn daemon and a specific tun interface for every group of users that should have the same ruleset.

--
_____________________________________________________________
Mathias Sundman          (^)  ASCII Ribbon Campaign
NILINGS AB                X   NO HTML/RTF in e-mail
Tel: +46-(0)8-666 32 28  / \  NO Word docs in e-mail
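As an added example (not code from this thread, nor from OpenVPN or Shorewall), here is the two-zone layout that M Lu. builds with Shorewall and that Mathias describes in plain iptables terms: one OpenVPN daemon per zone, each pinned to its own tun device with "dev tunX", and one iptables chain per tun device keyed on the arriving interface and the zone's address pool. Interface names, subnets and port lists are assumptions; by default the script only prints the rules (run it with IPT=iptables to apply them).

```shell
#!/bin/sh
# Added example, not from the thread: one OpenVPN daemon per zone, each with
# "dev tun0" / "dev tun1" in its config, and an iptables chain per tun device.
# Interface names, subnets and port lists below are assumptions.
# IPT defaults to a dry run that only prints the rules; IPT=iptables applies them.
IPT=${IPT:-"echo iptables"}

LAN_IF=eth1
TRUSTED_IF=tun0;   TRUSTED_NET=10.8.0.0/24    # trusted.conf:   dev tun0
UNTRUSTED_IF=tun1; UNTRUSTED_NET=10.9.0.0/24  # untrusted.conf: dev tun1

# zone_rules IFACE NET PORT...: build chain vpn_IFACE that accepts only new TCP
# connections to the listed ports from the zone's own pool and drops the rest,
# then hook it into INPUT and FORWARD for packets arriving on that tun device.
zone_rules() {
    iface=$1; net=$2; shift 2
    chain="vpn_$iface"
    $IPT -N "$chain"
    # Anti-spoofing: a packet on this tun must come from the pool OpenVPN gave it
    $IPT -A "$chain" ! -s "$net" -j DROP
    for port in "$@"; do
        $IPT -A "$chain" -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done
    $IPT -A "$chain" -j DROP
    $IPT -A INPUT -i "$iface" -j "$chain"
    $IPT -A FORWARD -i "$iface" -o "$LAN_IF" -j "$chain"
}

build_rules() {
    $IPT -P FORWARD DROP
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Trusted zone: admin protocols into the LAN; untrusted zone: web only
    zone_rules "$TRUSTED_IF" "$TRUSTED_NET" 22 445 3389
    zone_rules "$UNTRUSTED_IF" "$UNTRUSTED_NET" 80 443
}

# count_accepts IFACE: number of ACCEPT rules a zone gets in the dry run,
# a quick check that the untrusted zone really is narrower than the trusted one.
count_accepts() {
    ( IPT="echo iptables"; build_rules ) | grep -c -- "-A vpn_$1 .*-j ACCEPT"
}

build_rules
```

Return traffic is matched by conntrack state, so the per-zone chains only have to list what may be initiated from inside each tunnel.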