I have OpenVPN & Shorewall-lite installed on an Opensuse server, running its 'wicked' networking stack.
It's an all systemd-controlled init environment. I'm interested in ordering the system network stack, openvpn and shorewall service starts correctly to ensure that there's no unnecessary/insecure open 'hole' during startup. Reading "OpenVPN Tunnels and Bridges" (http://shorewall.net/OPENVPN.html), I don't get the necessary order, or whether I need to worry about it at all.

In my current config, I first create the tun device @ system boot:

    cat /etc/sysconfig/network/ifcfg-tun1
    BOOTPROTO='static'
    STARTMODE='manual'
    TUNNEL='tun'
    TUNNEL_SET_GROUP='openvpn'
    TUNNEL_SET_OWNER='openvpn'
    TUNNEL_SET_PERSISTENT='yes'
    IPADDR=""
    IPV6INIT='no'

Then I subsequently bring up/down the openvpn interface when I start/stop the openvpn service:

    cat /etc/systemd/system/openvpn.service
    [Unit]
    Description=OpenVPN Server
    After=syslog.target network-online.target
    Before=openvpn-custom.target
    Wants=network-online.target

    [Service]
    PrivateTmp=true
    Environment=PATH="/usr/local/openvpn-unpriv:/usr/local/scripts:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin"
    Type=forking
    ExecStartPre=/usr/local/etc/openvpn/scripts/up.script
    ExecStart=/usr/local/openvpn/sbin/openvpn \
        --daemon \
        --writepid /var/run/openvpn/openvpn.pid \
        --cd /usr/local/etc/openvpn/ \
        --config client.conf
    ExecStopPost=/usr/local/etc/openvpn/scripts/down.script
    Restart=always
    RestartSec=30

    [Install]
    WantedBy=multi-user.target

    cat /usr/local/etc/openvpn/scripts/up.script
    #!/bin/sh
    VPN_DEV="tun1"
    /usr/bin/sudo /usr/sbin/wicked ifup ${VPN_DEV}

    cat /usr/local/etc/openvpn/scripts/down.script
    #!/bin/sh
    VPN_DEV="tun1"
    /usr/bin/sudo /sbin/ip addr flush ${VPN_DEV} 2>/dev/null 1>/dev/null
    /usr/bin/sudo /usr/sbin/wicked ifdown ${VPN_DEV} --no-delete

That's straightforward enough. What I'm not certain about is the relative startup trigger/order of shorewall and openvpn.
As packaged, Shorewall's unit files' dependencies include:

    cat /usr/lib/systemd/system/shorewall-init.service
    [Unit]
    Description=Shorewall IPv4 firewall (bootup security)
    Before=network.target
    Conflicts=iptables.service ip6tables.service firewalld.service
    ...

    cat /usr/lib/systemd/system/shorewall-lite.service
    [Unit]
    Description=Shorewall IPv4 firewall (lite)
    Wants=network-online.target
    After=network-online.target
    Conflicts=iptables.service firewalld.service
    ...

When, relative to the four available shorewall systemd timing/dependency points

    shorewall-init.service
    shorewall-init.target
    shorewall-lite.service
    shorewall-lite.target

should OpenVPN be launched? With a change to OpenVPN's unit,

      Description=OpenVPN Server
    - After=syslog.target network-online.target shorewall-lite.target
    + After=syslog.target network-online.target
    + Requires=shorewall-lite.service

? Or similar in Shorewall's units? Or via pre-up/down or post-up/down scripts, either in the unit files, or within the openvpn &/or shorewall application scripts themselves?

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
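Added example, not from the original post or from the Shorewall/OpenVPN projects: a small POSIX shell lint over a unit's [Unit] section that lists every Requires=/Wants=/BindsTo= dependency that is not also named in After=/Before=. systemd treats dependency (what gets pulled in) and ordering (what waits for what) separately, so a Requires=shorewall-lite.service without a matching After= does not guarantee the firewall is loaded before OpenVPN starts. The unit text below is constructed from the change proposed in the post, once as proposed and once with the ordering added.

```shell
#!/bin/sh
# Lint a systemd unit's [Unit] section: report every unit named in
# Requires=/Wants=/BindsTo= that is missing from After=/Before=.
# Such a unit is pulled in but may be started concurrently.
check_unit_ordering() {
    awk '
        /^\[/ { in_unit = ($0 == "[Unit]"); next }
        !in_unit { next }
        /^(Requires|Wants|BindsTo)=/ {
            sub(/^[^=]*=/, ""); n = split($0, f, /[ \t]+/)
            for (i = 1; i <= n; i++) if (f[i] != "") dep[f[i]] = 1
        }
        /^(After|Before)=/ {
            sub(/^[^=]*=/, ""); n = split($0, f, /[ \t]+/)
            for (i = 1; i <= n; i++) if (f[i] != "") ord[f[i]] = 1
        }
        END { for (d in dep) if (!(d in ord)) print d }
    ' | sort
}

# Constructed from the change proposed in the post: Requires= is added,
# but shorewall-lite.service is not named in After=.
PROPOSED_UNIT='[Unit]
Description=OpenVPN Server
After=syslog.target network-online.target
Before=openvpn-custom.target
Wants=network-online.target
Requires=shorewall-lite.service

[Service]
Type=forking'

# Same unit with the ordering added alongside the dependency.
ORDERED_UNIT='[Unit]
Description=OpenVPN Server
After=syslog.target network-online.target shorewall-lite.service
Before=openvpn-custom.target
Wants=network-online.target
Requires=shorewall-lite.service

[Service]
Type=forking'

# Returns the unordered dependencies of the unit text passed as $1.
unordered_deps() { printf '%s\n' "$1" | check_unit_ordering; }

echo "proposed unit, dependencies without ordering: $(unordered_deps "$PROPOSED_UNIT")"
echo "ordered unit,  dependencies without ordering: $(unordered_deps "$ORDERED_UNIT")"
```

The same After=/Requires= pair can live in a drop-in under /etc/systemd/system/openvpn.service.d/ rather than in an edited unit; `systemctl show -p After -p Requires openvpn.service` prints the merged values systemd actually uses.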
