First of all: Thank you for your timely reply! I see the list is quite busy and see your name pop up in most threads; as well as releasing a new version and other personal concerns, you must keep quite busy!
In answer to your question, in short no. I'll post my (redacted) OpenVPN configuration as a more complete answer:

    client
    dev tun0
    proto udp
    remote (redacted: OpenVPN provider) 1194
    resolv-retry infinite
    nobind
    auth-user-pass (redacted: path to auth file)
    ca [inline]
    tls-client
    tls-auth [inline]
    ns-cert-type server
    keepalive 10 30
    cipher AES-256-CBC
    tls-cipher TLSv1:!ADH:!SSLv2:!NULL:!EXPORT:!DES:!LOW:!MEDIUM:@STRENGTH
    persist-key
    persist-tun
    comp-lzo
    tun-mtu 1500
    mssfix
    passtos
    verb 3
    <ca>
    -----BEGIN CERTIFICATE-----
    (redacted)
    -----END CERTIFICATE-----
    </ca>
    <tls-auth>
    -----BEGIN OpenVPN Static key V1-----
    (redacted)
    -----END OpenVPN Static key V1-----
    </tls-auth>

From the manual for my version (2.1.3) of OpenVPN (http://openvpn.net/index.php/open-source/documentation/manuals/69-openvpn-21.html):

    --nobind
        Do not bind to local address and port. The IP stack will allocate a
        dynamic port for returning packets. Since the value of the dynamic
        port could not be known in advance by a peer, this option is only
        suitable for peers which will be initiating connections by using
        the --remote option.

I attempted an experiment, by adding the option:

    local 192.168.0.38

and commenting out the "nobind" option in my OpenVPN configuration, but I observed the same behavior of "start firewall, connect, restart firewall, disconnect, fail reconnect" as detailed previously.

As an aside, I have used this exact client configuration on an older Windows implementation and its (admittedly crappy) firewall. The firewall configuration follows the same basic pattern as I'm attempting here: allow port 1194 UDP traffic across any interface, allow traffic to use adapter tun0, block all other traffic, etc.; which does work normally.

(Also made a minor change to "tunnels" after reviewing "OPENVPN" again:

    #TYPE               ZONE    GATEWAY     GATEWAY ZONE
    openvpnclient:1194  net     0.0.0.0/0

Which did not change the behavior detailed above.)

On 1/2/13, Tom Eastep <[email protected]> wrote:
> On 01/01/2013 01:15 PM, f q wrote:
>> Apologies for the long reply time, I've been quite busy with other
>> projects.
>>
>> I made the changes you requested (see below for specifics).
>>
>> 1) I am able to start the firewall without connection to OpenVPN
>> 2) I am able to connect to OpenVPN without issue with the firewall up
>> 3) I can then restart the firewall with OpenVPN up to enforce traffic
>> shaping with the 'tun0' adapter
>> 4) I can use the OpenVPN normally during this time
>> 5) I can disconnect the OpenVPN and normal traffic is blocked from
>> traversing my local connection
>> 6) I cannot reconnect to OpenVPN once this is done, though I have
>> supplied rules in 'tcrules' to attempt to provide exceptions for
>> OpenVPN traffic.
>>
>> Firewall eth0 ip address: 192.168.0.38, gateway (my home router)
>> 192.168.0.1.
>>
>> I am working from the examples in "MultiISP"
>> (http://www.shorewall.net/MultiISP.html#USE_DEFAULT_RT) and "Complex
>> Traffic Shaping"
>> (http://www.shorewall.net/traffic_shaping.htm#tcrules).
>>
>> I am not the most experienced with routing, so I will freely confess
>> that most of the discussion in these articles, I do not completely
>> understand.
>>
>> But the basic idea appears to be: Shape traffic to go over OpenVPN
>> only (mark 2), then provide exceptions for traffic defined in
>> 'tcrules' such that said traffic is marked for my standard connection
>> (mark 1). Please correct me if I'm wrong.
>
> Have you configured openvpn to always bind to 192.168.0.38 for its local
> address?
>
> -Tom
> --
> Tom Eastep           \ When I die, I want to go like my Grandfather who
> Shoreline,           \ died peacefully in his sleep. Not screaming like
> Washington, USA      \ all of the passengers in his car
> http://shorewall.net \________________________________________________

Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
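Tom's question is whether the client sources its packets from a fixed local address and port (local/lport) or from a dynamic one (nobind), which decides what a firewall rule like the 1194/udp one above can match on. The following checker is an added example, not code from the thread, OpenVPN or Shorewall: it parses a client config in the format posted above (including inline <ca>/<tls-auth> blocks) and reports the effective binding per the manual text quoted above. The sample config is constructed, and treating nobind together with local as inconsistent is an assumption, mirroring the poster's choice to replace one with the other.

```python
"""Parse an OpenVPN client config and report how the client binds locally."""
from typing import Dict, List, Optional

# Constructed sample modelled on the redacted config in the post (placeholder values).
SAMPLE_CONFIG = """\
client
dev tun0
proto udp
remote vpn.example.invalid 1194   # placeholder provider
resolv-retry infinite
nobind
auth-user-pass /etc/openvpn/auth.txt
ca [inline]
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</ca>
"""


def parse_openvpn_config(text: str) -> Dict[str, List[str]]:
    """Map each option to its arguments; an inline <tag> block becomes option 'tag' with the body as its single argument."""
    options: Dict[str, List[str]] = {}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line[0] in "#;":          # blank or comment line
            continue
        if line.startswith("<") and not line.startswith("</"):
            tag = line[1:-1]                     # inline block such as <ca> ... </ca>
            body: List[str] = []
            while i < len(lines) and lines[i].strip() != f"</{tag}>":
                body.append(lines[i])
                i += 1
            i += 1                               # skip the closing tag
            options[tag] = ["\n".join(body)]
            continue
        words = line.split("#", 1)[0].split()    # drop a trailing comment
        options[words[0]] = words[1:]
    return options


def local_binding(options: Dict[str, List[str]]) -> Dict[str, Optional[str]]:
    """Apply the --nobind / --local / --lport / --port semantics quoted from the manual."""
    local_args = options.get("local") or []
    local = local_args[0] if local_args else None
    if "nobind" in options and local:
        # Assumption: the two options contradict each other, so flag rather than guess.
        return {"mode": "inconsistent", "address": local, "port": None}
    if "nobind" in options:
        return {"mode": "dynamic", "address": None, "port": None}  # IP stack picks the port
    port = (options.get("lport") or options.get("port") or ["1194"])[0]  # 1194 is OpenVPN's default
    return {"mode": "fixed", "address": local or "any", "port": port}
```

With `nobind` the report is `dynamic`, which is why a firewall rule keyed on a fixed local port cannot match the client's return path; with `local 192.168.0.38` and `lport 1194` it becomes `fixed`.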
