Hi to all
Thanks, Tom, for trying to help me; it was more than the people at the
official OpenVPN forum and mailing list did ...
After 2 weeks and a lot of digging, I finally found what I need!
I am giving you this because it will be a good "addendum" to your
OpenVPN doc, I think ...
In the shorewall conf all I need is an additional line for each new
connection in the OpenVPN server, changing the working port.
The real deal goes to the /etc/networking/interfaces file; this is a
functional example with 3 connections:
# The loopback network interface
auto lo
iface lo inet loopback
# The internet network interface
auto eth1
iface eth1 inet static
address 186.231.3.xxx
netmask 255.255.255.248
broadcast 186.231.3.xxx
gateway 186.231.3.xxx
# The bridged vpn interface for Cenno
auto br0
iface br0 inet static
pre-up /usr/sbin/openvpn --mktun --dev tap0
pre-up /usr/sbin/openvpn --mktun --dev tap1
pre-up /usr/sbin/openvpn --mktun --dev tap2
pre-up /usr/sbin/brctl addbr br0
address 172.16.0.4
network 172.16.0.0
broadcast 172.16.255.255
netmask 255.255.0.0
post-up /sbin/ip link set tap0 up
post-up /sbin/ip link set tap1 up
post-up /sbin/ip link set tap2 up
post-up /usr/sbin/brctl addif br0 tap0 tap1 tap2
post-up /sbin/ip link set eth0 up
post-up /usr/sbin/brctl addif br0 eth0
post-down /usr/sbin/brctl delbr br0
post-down /usr/sbin/openvpn --rmtun tap0
post-down /usr/sbin/openvpn --rmtun tap1
post-down /usr/sbin/openvpn --rmtun tap2
post-down /sbin/ip link set eth0 down
I have to create one TAP virtual interface for each remote connection I need.
And one OpenVPN bridge instance for each connection too, so I have 2
new conf files in the /etc/openvpn folder:
one is like this:
port 1195
mssfix 1400
remote 0.0.0.0
dev tap1
secret /etc/openvpn/cajamar.key
and the other like this :
port 1196
remote 0.0.0.0
dev tap2
secret /etc/openvpn/caieiras.key
Look at the first one; there is a line with the parameter "mssfix 1400".
This is due to packet size limitations on the switch present at the
remote site; it limits the MTU of the packets sent to it.
Just to cover all angles, this is the /etc/shorewall/tunnels file:
openvpn net 0.0.0.0
openvpn loc 0.0.0.0
openvpn:1195 net 187.75.209.xxx
openvpn:1196 net 187.75.204.xxx
Thanks for all your work on the Shorewall project ...
Fábio Rabelo
2013/12/11 Tom Eastep <[email protected]>:
> On 12/11/2013 10:28 AM, Tom Eastep wrote:
>> On 12/10/2013 1:17 PM, Fábio Rabelo wrote:
>>> Thanks a lot ... I just do not know where to go from here ...
>>>
>>> Packets do not pass through the connection ...
>>>
>>> With the first bridge (called just "bridge") I can do anything on any
>>> host in any place, like ping from a workstation at one end with
>>> IP 172.16.0.27 to the file server located at the other end of the VPN
>>> with IP 172.16.3.232, or open a file on this file server ...
>>>
>>> But in this new bridge (called cajamar) anything I try to do between
>>> both ends just gets a "no route to host" or a "time out" msg.
>>>
>>> All network masks on each and every machine involved are 255.255.0.0
>>>
>>> All IPs of all machines involved are in the range between
>>> 172.16.0.0 and 172.16.20.0.
>>>
>>> In the future, I will need more bridged VPNs like this .... so the
>>> masks are so wide ...
>>
>> I just noticed that you have not assigned an IP address to br1!
>
> I also notice that neither vpn0 nor vpn1 have addresses. So listing them
> in your Shorewall configuration does nothing.
>
> And what is eth3? Other than being bridged to vpn1, it seems to have no
> other purpose. Any hosts connected to it cannot communicate with or
> through the Shorewall box.
>
> -Tom
>
>
>
> --
> Tom Eastep \ When I die, I want to go like my Grandfather who
> Shoreline, \ died peacefully in his sleep. Not screaming like
> Washington, USA \ all of the passengers in his car
> http://shorewall.net \________________________________________________
>
>
> _______________________________________________
> Shorewall-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
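As an added example (not part of this thread, nor code from the Shorewall or OpenVPN projects), here is a small Python checker that cross-checks the three pieces of configuration discussed above: the bridge stanza in the interfaces file, the per-tunnel OpenVPN configs and the Shorewall tunnels file. It reports exactly the kind of mismatch Tom spotted earlier in the thread (a bridge with no address, a device listed in Shorewall that is not actually part of the bridge), plus a TAP device that is created but never brought up, never enslaved or never torn down, and an OpenVPN port that has no matching tunnels entry. The sample inputs are constructed from the configuration in the post (the redacted "xxx" addresses are kept as the author wrote them); the tunnels syntax it parses is assumed to be openvpn[:{tcp|udp}][:port], with a bare "openvpn" meaning the default port 1194.

```python
"""Consistency check for a bridged OpenVPN + Shorewall setup (added example)."""
import re

# Constructed sample inputs, transcribed from the configuration in the post.
INTERFACES = """\
auto br0
iface br0 inet static
pre-up /usr/sbin/openvpn --mktun --dev tap0
pre-up /usr/sbin/openvpn --mktun --dev tap1
pre-up /usr/sbin/openvpn --mktun --dev tap2
pre-up /usr/sbin/brctl addbr br0
address 172.16.0.4
network 172.16.0.0
broadcast 172.16.255.255
netmask 255.255.0.0
post-up /sbin/ip link set tap0 up
post-up /sbin/ip link set tap1 up
post-up /sbin/ip link set tap2 up
post-up /usr/sbin/brctl addif br0 tap0 tap1 tap2
post-up /sbin/ip link set eth0 up
post-up /usr/sbin/brctl addif br0 eth0
post-down /usr/sbin/brctl delbr br0
post-down /usr/sbin/openvpn --rmtun tap0
post-down /usr/sbin/openvpn --rmtun tap1
post-down /usr/sbin/openvpn --rmtun tap2
post-down /sbin/ip link set eth0 down
"""

OPENVPN_CONFS = {
    "cajamar.conf": "port 1195\nmssfix 1400\nremote 0.0.0.0\ndev tap1\n"
                    "secret /etc/openvpn/cajamar.key\n",
    "caieiras.conf": "port 1196\nremote 0.0.0.0\ndev tap2\n"
                     "secret /etc/openvpn/caieiras.key\n",
}

TUNNELS = """\
openvpn net 0.0.0.0
openvpn loc 0.0.0.0
openvpn:1195 net 187.75.209.xxx
openvpn:1196 net 187.75.204.xxx
"""

# Assumed Shorewall tunnels TYPE syntax: openvpn[:{tcp|udp}][:port]
TUNNEL_TYPE = re.compile(r"openvpn(?:client|server)?(?::(?:tcp|udp))?(?::(\d+))?$")


def parse_bridge(text):
    """Collect what the stanza creates, brings up, enslaves to the bridge and removes."""
    info = {"bridge": None, "address": None, "created": set(), "up": set(),
            "ports": set(), "removed": set()}
    for line in text.splitlines():
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] == "iface":
            info["bridge"] = words[1]
        elif words[0] == "address":
            info["address"] = words[1]
        elif words[0] in ("pre-up", "post-up", "post-down"):
            cmd = words[1:]
            if "--mktun" in cmd:                       # openvpn --mktun --dev tapN
                info["created"].add(cmd[cmd.index("--dev") + 1])
            elif "--rmtun" in cmd:                     # openvpn --rmtun tapN
                info["removed"].add(cmd[-1])
            elif cmd[0].endswith("ip") and cmd[1:3] == ["link", "set"] and cmd[-1] == "up":
                info["up"].add(cmd[3])                 # ip link set DEV up
            elif cmd[0].endswith("brctl") and cmd[1] == "addif":
                info["ports"].update(cmd[3:])          # brctl addif BR DEV...
    return info


def parse_openvpn(text):
    """Return directives as a dict; OpenVPN defaults to port 1194 when none is set."""
    conf = {"port": "1194"}
    for line in text.splitlines():
        words = line.split()
        if words and not words[0].startswith("#"):
            conf[words[0]] = " ".join(words[1:])
    return conf


def parse_tunnels(text):
    """Return the set of OpenVPN ports the tunnels file opens (bare 'openvpn' = 1194)."""
    ports = set()
    for line in text.splitlines():
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        m = TUNNEL_TYPE.match(words[0])
        if m:
            ports.add(m.group(1) or "1194")
    return ports


def check(interfaces, confs, tunnels):
    """Return a list of findings; an empty list means the three files agree."""
    findings = []
    br = parse_bridge(interfaces)
    if not br["address"]:
        findings.append(f"{br['bridge']} has no address; Shorewall cannot route through it")
    for tap in sorted(br["created"]):
        if tap not in br["up"]:
            findings.append(f"{tap} is created but never brought up")
        if tap not in br["ports"]:
            findings.append(f"{tap} is not enslaved to {br['bridge']}")
        if tap not in br["removed"]:
            findings.append(f"{tap} is never removed in post-down")
    open_ports = parse_tunnels(tunnels)
    for name, text in sorted(confs.items()):
        conf = parse_openvpn(text)
        if conf.get("dev") not in br["ports"]:
            findings.append(f"{name}: dev {conf.get('dev')} is not a port of {br['bridge']}")
        if conf["port"] not in open_ports:
            findings.append(f"{name}: port {conf['port']} has no matching tunnels entry")
    return findings


if __name__ == "__main__":
    for f in check(INTERFACES, OPENVPN_CONFS, TUNNELS) or ["configuration is consistent"]:
        print(f)
```

Running it against the post's configuration yields no findings; dropping the address line from the bridge stanza or adding a third conf on tap3/port 1197 without the matching interfaces and tunnels lines produces one finding per mismatch, which is a quicker way to catch the "no route to host" class of problem than debugging traffic on the wire.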