Hi Chiew,

Using OpenVPN is described in several places in the Bering and Shorewall
documentation. Basically the setup (with static key) would be like this:

1. Add 'tun' device to /etc/modules
2. Get openvpn.lrp and its dependent packages and install them on your
Bering router.
3. On Bering, in /etc/openvpn, create one pair of .conf file and key (see
OpenVPN help on their site, http://openvpn.sourceforge.net/), each for one
tunnel you want, e.g. one for subnet-subnet and one for warrior-subnet.
4. Change the Shorewall config files accordingly. For subnet-subnet, refer
to Tom's documentation at http://shorewall.net/OPENVPN.html, except for using
static key rather than TLS. For warrior-subnet you can use my sample below.
5. Restart openvpn and shorewall.
6. For warrior on Windows 2K/XP, install OpenVPN and copy the key from
Bering, and use the config file, xxx.ovpn, as described below. Then
right-click on that file and hit 'Start OpenVPN on this config file'
7. Test the connections and if they do not work, look at the Shorewall
logging and daemon logging, and if you cannot solve it, post to the list for
help.

I guess that's about it.




----- Original Message ----- 
From: "chiew yock sang" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Monday, May 10, 2004 5:20 AM
Subject: RE: [leaf-user] Re: OpenVPN howto


> Can you show me the way to setup OpenVPN ? thanks..
>
>
>
> From: "M Lu" <[EMAIL PROTECTED]>
> To: "Tom Eastep" <[EMAIL PROTECTED]>,"Martin Hejl" <[EMAIL PROTECTED]>
> CC: <[EMAIL PROTECTED]>
> Subject: [leaf-user] Re: OpenVPN howto
> Date: Sat, 8 May 2004 18:01:25 -0400
>
> Hi Tom and Martin,
>
> with your suggestions and documentation, I have setup OpenVPN on Bering
> router to have one subnet-subnet (using UDP port 5000) and then one
> road-warrior (using UDP port 5555 and Windows 2000).
>
> Thank you very much and I would like to post what I did for the
road-warrior
> part in case somebody wants a reference in the future.
>
> My OpenVPN configuration files for Road-Warrior (using preshared-key) look
> like this:
>
> On Bering:
>
> dev tun
> tun-mtu 1532
>
> # listen on this IP Address
> local 24.11.155.243
> port 5555
> ifconfig 172.16.0.1 172.16.0.2
> secret static.key
> persist-tun
> ping-restart 60
> ping-timer-rem
> persist-key
> ping 10
> verb 3
> mute 10
>
> On Windows 2000:
>
> port 5555
> remote 24.11.155.243
> tun-mtu 1500
> tun-mtu-extra 32
> dev tun
> ifconfig 172.16.0.2 172.16.0.1
> secret STATIC.KEY
> ping 10
> route 192.168.1.0 255.255.255.0 172.16.0.1
> verb 3
>
>
> Here is what I have in the Shorewall config for one subnet-subnet and
> one road-warrior.
>
> /etc/shorewall/interfaces
>
> #ZONE    INTERFACE      BROADCAST       OPTIONS
> #
> vpn     tun0
> vpn2    tun1
>
>
> /etc/shorewall/tunnels
>
> #TYPE                  ZONE    GATEWAY         GATEWAY ZONE
> openvpn:5000    net     0.0.0.0/0       vpn
> openvpn:5555    net     0.0.0.0/0       vpn2
>
> /etc/shorewall/zones:
>
> #ZONE   DISPLAY         COMMENTS
> vpn     VPN
> vpn2    VPN2
>
>
> /etc/shorewall/policy:
>
> #SOURCE         DEST            POLICY
> loc             vpn             ACCEPT
> vpn             loc             ACCEPT
> #
> loc             vpn2            ACCEPT
> vpn2            loc             ACCEPT
> #
> vpn             fw              ACCEPT
> fw              vpn             ACCEPT
> vpn2            fw              ACCEPT
> fw              vpn2            ACCEPT
>
> --------
>
> And I have to add the following rule explicitly to /etc/shorewall/rules
>
> ACCEPT          net     fw              udp     5555
>
> to allow traffic on UDP port 5555.
>
> Tom, could you help me to understand why I need this rule here even though I
> have defined it in the 'tunnels' file?
>
>
> M Lu.
>
>
>
> ----- Original Message -----
> From: "Tom Eastep" <[EMAIL PROTECTED]>
>
>  >
>  > I'll look forward to receiving your update to the document (note that
>  > the document itself was contributed by Simon Mater).
>  >
>  > -Tom
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by Sleepycat Software
> Learn developer strategies Cisco, Motorola, Ericsson & Lucent use to
> deliver higher performing products faster, at low TCO.
> http://www.sleepycat.com/telcomwpreg.php?From=osdnemail3
> ------------------------------------------------------------------------
> leaf-user mailing list: [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/leaf-user
> SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
>
>
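Added example (not part of the thread above, and not LEAF, OpenVPN or Shorewall code): a small Python script that cross-checks a static-key pair such as the Bering/Windows configs posted above and then looks at the Shorewall side. check_pair() verifies that the two 'ifconfig' endpoints are mirrored, that the client's 'route' points at the server's tunnel address, that port and proto match on both ends, and that the client's 'remote' is the server's 'local' listen address. listener_coverage() reports, for each server config, whether its listening port is admitted from the net zone by the tunnels file, by an explicit rules entry, both, or neither, which is the check worth running before posting "the connection does not work". Assumptions, labelled in the code: current OpenVPN defaults (udp, port 1194; older releases defaulted to 5000) and the tunnels syntax openvpn[:{tcp|udp}][:port]. The config strings are the thread's own configs, abridged and embedded as constructed input so the script runs offline.

```python
"""Cross-check an OpenVPN static-key pair and the Shorewall entries that admit it.
Added example, not from the thread: the configs and Shorewall fragments from the
post are embedded (abridged) as constructed strings so this runs offline."""
# Assumption: current OpenVPN defaults (old releases defaulted to port 5000).
DEFAULT_PROTO, DEFAULT_PORT = "udp", "1194"

SERVER_CONF = """\
dev tun
# listen on this IP Address
local 24.11.155.243
port 5555
ifconfig 172.16.0.1 172.16.0.2
secret static.key
"""
CLIENT_CONF = """\
port 5555
remote 24.11.155.243
dev tun
ifconfig 172.16.0.2 172.16.0.1
secret STATIC.KEY
route 192.168.1.0 255.255.255.0 172.16.0.1
"""
TUNNELS = """\
#TYPE          ZONE   GATEWAY      GATEWAY ZONE
openvpn:5000   net    0.0.0.0/0    vpn
openvpn:5555   net    0.0.0.0/0    vpn2
"""
RULES = "ACCEPT   net     fw    udp    5555\n"


def parse_openvpn(text):
    """Map option name -> list of argument lists ('#' and ';' start comments)."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            name, *args = line.split()
            opts.setdefault(name, []).append(args)
    return opts


def first(opts, name, default=None):
    return opts[name][0] if name in opts else default


def check_pair(server_text, client_text):
    """Inconsistencies between the two ends of a static-key tunnel (empty == consistent)."""
    s, c = parse_openvpn(server_text), parse_openvpn(client_text)
    problems = []
    for side, o in (("server", s), ("client", c)):
        if first(o, "dev") != ["tun"]:
            problems.append(f"{side}: expected 'dev tun'")
        if "secret" not in o:
            problems.append(f"{side}: no 'secret' directive, so this is not a static-key config")
        if len(first(o, "ifconfig", [])) != 2:
            problems.append(f"{side}: 'ifconfig LOCAL REMOTE' missing or malformed")
    if len(first(s, "ifconfig", [])) == 2 and len(first(c, "ifconfig", [])) == 2:
        sl, sr = first(s, "ifconfig")
        cl, cr = first(c, "ifconfig")
        if (sl, sr) != (cr, cl):  # each end's local address must be the other's remote
            problems.append(f"ifconfig not mirrored: server {sl} {sr} vs client {cl} {cr}")
        for route in c.get("route", []):  # client routes must use the server's tunnel address
            if len(route) == 3 and route[2] != cr:
                problems.append(f"client route {route[0]}/{route[1]} via {route[2]}, but its tunnel peer is {cr}")
    for opt, default in (("port", DEFAULT_PORT), ("proto", DEFAULT_PROTO)):
        if first(s, opt, [default]) != first(c, opt, [default]):
            problems.append(f"'{opt}' differs between server and client")
    if "local" in s and "remote" in c and first(s, "local")[0] != first(c, "remote")[0]:
        problems.append("client 'remote' does not match the server's 'local' listen address")
    return problems


def shorewall_rows(text):
    """Columns of each non-blank, non-comment line of a Shorewall table file."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line.split()


def tunnel_ports(tunnels_text):
    """(proto, port) -> source zone for each openvpn[:{tcp|udp}][:port] entry in 'tunnels'."""
    found = {}
    for cols in shorewall_rows(tunnels_text):
        kind, *mods = cols[0].split(":")
        if kind == "openvpn" and len(cols) >= 2:
            proto = next((m for m in mods if m in ("tcp", "udp")), DEFAULT_PROTO)
            port = next((m for m in mods if m.isdigit()), DEFAULT_PORT)
            found[(proto, port)] = cols[1]
    return found


def explicit_rules(rules_text):
    """Set of (proto, port) that 'rules' explicitly ACCEPTs from net to fw."""
    accepted = set()
    for cols in shorewall_rows(rules_text):
        if len(cols) >= 5 and cols[:3] == ["ACCEPT", "net", "fw"]:
            accepted.update((cols[3].lower(), p) for p in cols[4].split(","))
    return accepted


def listener_coverage(server_texts, tunnels_text, rules_text):
    """For each server config, which Shorewall file(s) admit its listening port from 'net'."""
    tun, rul = tunnel_ports(tunnels_text), explicit_rules(rules_text)
    report = {}
    for text in server_texts:
        o = parse_openvpn(text)
        key = (first(o, "proto", [DEFAULT_PROTO])[0], first(o, "port", [DEFAULT_PORT])[0])
        report[key] = [f for f, hit in (("tunnels", tun.get(key) == "net"), ("rules", key in rul)) if hit]
    return report
```

To use it on the router, read /etc/openvpn/*.conf and /etc/shorewall/tunnels and rules into the strings instead of the embedded samples; an empty list from listener_coverage() for a port means the net-to-fw policy will drop the UDP packets before OpenVPN ever sees them. The script does not look at static.key itself: copy that file to the warrior over a trusted channel (scp, not e-mail) and keep it readable only by root or Administrator, because in static-key mode there is no per-session key exchange, so whoever holds the key can both join the tunnel and decrypt its traffic.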

