On 5/25/2015 2:58 PM, PGNd wrote:
> I have OpenVPN & Shorewall-lite installed on an Opensuse server, running its
> 'wicked' networking stack.
>
> It's an all systemd-controlled init environment.
>
> I'm interested in ordering the system network stack, openvpn and shorewall
> service starts correctly to ensure that there's no unnecessary/insecure open
> 'hole' during startup.
>
> Reading
>
> OpenVPN Tunnels and Bridges
> http://shorewall.net/OPENVPN.html
>
> I don't get the necessary order, or whether I need to worry about it at all.
>
> In my current config, I first create the tun device @ system boot,
>
> cat /etc/sysconfig/network/ifcfg-tun1
> BOOTPROTO='static'
> STARTMODE='manual'
> TUNNEL='tun'
> TUNNEL_SET_GROUP='openvpn'
> TUNNEL_SET_OWNER='openvpn'
> TUNNEL_SET_PERSISTENT='yes'
> IPADDR=""
> IPV6INIT='no'
>
> Then I subsequently bring up/down the openvpn interface when I start/stop the
> openvpn service,
>
> cat /etc/systemd/system/openvpn.service
> [Unit]
> Description=OpenVPN Server
> After=syslog.target network-online.target
> Before=openvpn-custom.target
> Wants=network-online.target
>
> [Service]
> PrivateTmp=true
>
> Environment=PATH="/usr/local/openvpn-unpriv:/usr/local/scripts:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin"
> Type=forking
> ExecStartPre=/usr/local/etc/openvpn/scripts/up.script
> ExecStart=/usr/local/openvpn/sbin/openvpn \
>     --daemon \
>     --writepid /var/run/openvpn/openvpn.pid \
>     --cd /usr/local/etc/openvpn/ \
>     --config client.conf
> ExecStopPost=/usr/local/etc/openvpn/scripts/down.script
> Restart=always
> RestartSec=30
>
> [Install]
> WantedBy=multi-user.target
>
> cat /usr/local/etc/openvpn/scripts/up.script
> #!/bin/sh
> VPN_DEV="tun1"
> /usr/bin/sudo /usr/sbin/wicked ifup ${VPN_DEV}
>
> cat /usr/local/etc/openvpn/scripts/down.script
> #!/bin/sh
> VPN_DEV="tun1"
> /usr/bin/sudo /sbin/ip addr flush ${VPN_DEV} 2>/dev/null 1>/dev/null
> /usr/bin/sudo /usr/sbin/wicked ifdown ${VPN_DEV} --no-delete
>
> That's straightforward enough.
>
> What I'm not certain about is the relative startup trigger/order of shorewall
> and openvpn.
>
> As packaged, Shorewall's unit files' dependencies include
>
> cat /usr/lib/systemd/system/shorewall-init.service
> [Unit]
> Description=Shorewall IPv4 firewall (bootup security)
> Before=network.target
> Conflicts=iptables.service ip6tables.service firewalld.service
> ...
>
> cat /usr/lib/systemd/system/shorewall-lite.service
> [Unit]
> Description=Shorewall IPv4 firewall (lite)
> Wants=network-online.target
> After=network-online.target
> Conflicts=iptables.service firewalld.service
> ...
>
> When, relative to the four available shorewall systemd timing/dependency
> points
>
> shorewall-init.service
> shorewall-init.target
> shorewall-lite.service
> shorewall-lite.target
>
> should Openvpn be launched?
>
> With a change to Openvpn's unit,
>
> Description=OpenVPN Server
> - After=syslog.target network-online.target shorewall-lite.target
> + After=syslog.target network-online.target
> + Requires=shorewall-lite.service
>
> ?
>
> Or similar in shorewall's units?
>
> Or via pre-up/down or post-up/down scripts either in the unit files, or
> within the openvpn &/or shorewall application scripts themselves?

Is the OpenVPN tunnel also a provider?
-Tom

--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
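Review bot: in the `+` lines, `Requires=shorewall-lite.service` on its own does not order the start; Requires= only pulls shorewall-lite.service into the same transaction, and since both units are ordered only `After=network-online.target` they may start in parallel, so openvpn (and its ExecStartPre `wicked ifup tun1`) can run before the ruleset is loaded. Keep an After= naming the same unit you require, e.g. `After=syslog.target network-online.target shorewall-lite.service` together with `Requires=shorewall-lite.service`. Note also that the `-` line orders on shorewall-lite.target while the `+` line requires shorewall-lite.service; pick one unit and name it in both directives.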
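As an added example (not from this thread, nor Shorewall's or OpenVPN's own code), the following POSIX shell script models the distinction the question turns on: Requires=/Wants= pull a unit into the transaction, while only After=/Before= order its start. It loads constructed copies of the [Unit] sections quoted above into a temporary directory, merges each unit with its `<unit>.d/*.conf` drop-ins the way systemd does, and classifies the relation between openvpn.service and shorewall-lite.service as ordered, race (pulled in but unordered) or unrelated. The drop-in name `firewall.conf` and the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not from the Shorewall list thread or the Shorewall/OpenVPN
# projects.  systemd semantics modelled here: Requires=/Wants= only pull a unit
# into the same transaction; only After=/Before= impose start ordering.  Unit
# bodies below are constructed copies of the [Unit] sections quoted in the
# thread; the drop-in name firewall.conf is an assumption.

UNITDIR=$(mktemp -d)
trap 'rm -rf "$UNITDIR"' EXIT

# Constructed: the poster's openvpn.service as quoted (no Shorewall ordering).
cat > "$UNITDIR/openvpn.service" <<'EOF'
[Unit]
Description=OpenVPN Server
After=syslog.target network-online.target
Before=openvpn-custom.target
Wants=network-online.target

[Service]
Type=forking
EOF

# Constructed: the packaged shorewall-lite.service [Unit] section as quoted.
cat > "$UNITDIR/shorewall-lite.service" <<'EOF'
[Unit]
Description=Shorewall IPv4 firewall (lite)
Wants=network-online.target
After=network-online.target
Conflicts=iptables.service firewalld.service
EOF

# Values of one directive, merged over the unit file and its <unit>.d/*.conf
# drop-ins (list settings accumulate), one unit name per output line.
unit_setting() {  # unit_setting <unit> <Directive>
    for f in "$UNITDIR/$1" "$UNITDIR/$1.d"/*.conf; do
        [ -f "$f" ] && cat "$f"
    done | sed -n "s/^$2=//p" | tr ' ' '\n' | sed '/^$/d'
}

# Write (or replace) a drop-in for <unit>; the body is read from stdin.
write_dropin() {  # write_dropin <unit> <name>
    mkdir -p "$UNITDIR/$1.d"
    cat > "$UNITDIR/$1.d/$2.conf"
}

# Is <unit> ordered to start after <dep>?  True if <unit> lists <dep> in
# After=, or <dep> lists <unit> in Before=.
ordered_after() {  # ordered_after <unit> <dep>
    unit_setting "$1" After  | grep -qxF "$2" && return 0
    unit_setting "$2" Before | grep -qxF "$1"
}

# Does <unit> pull <dep> into the transaction via Requires= or Wants=?
pulls_in() {  # pulls_in <unit> <dep>
    { unit_setting "$1" Requires; unit_setting "$1" Wants; } | grep -qxF "$2"
}

# Classify the start relation.  "race" is the case to fix: <dep> is started,
# but nothing stops <unit> from starting before <dep> has finished.
startup_relation() {  # startup_relation <unit> <dep>
    if ordered_after "$1" "$2"; then
        echo ordered
    elif pulls_in "$1" "$2"; then
        echo race
    else
        echo unrelated
    fi
}

# The fix: both directives, since Requires= alone carries no ordering.
install_firewall_dropin() {
    write_dropin openvpn.service firewall <<'EOF'
[Unit]
Requires=shorewall-lite.service
After=shorewall-lite.service
EOF
}

echo "as quoted: $(startup_relation openvpn.service shorewall-lite.service)"
```

On a live system the equivalent checks are `systemctl show -p After -p Requires openvpn.service` after `systemctl daemon-reload`, and `systemd-analyze critical-chain openvpn.service` to see the merged ordering chain.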
------------------------------------------------------------------------------
_______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users