On 5/26/2015 1:01 PM, PGNd wrote:
>
> On Tue, May 26, 2015, at 12:47 PM, Tom Eastep wrote:
>> Then I think that the most straight-forward thing to do is:
>>
>> a) Make the OpenVPN interface 'optional' with no 'wait=' specified in the
>> interfaces file.
> Done.
>
>> b) Start OpenVPN after Shorewall-lite.
> Starting it with a script from within SW? or, using the Openvpn systemd
> unit's dependencies?
>
> If the former, where: in SHOREWALL/started?

Shorewall isn't a service manager -- the only time I use Shorewall to
start a service is if the service developer doesn't supply init scripts.

>
> If the latter, after which systemd dependency -- shorewall-lite.service,
> shorewall-lite.target, shorewall-init.service or shorewall-init.target?

You want to start OpenVPN *after* Shorewall-lite has started (however
you do that with systemd).

>
>> c) Use OpenVPN scripting to enable the interface after the tunnel is up
>> (shorewall-lite enable tunX) and to disable it when the tunnel goes down
>> (shorewall-lite disable tunX).
> At the moment, I'm using
>
> wicked ifup tun1
> wicked ifdown tun1
>
> in Openvpn's up/down scripts.
>
> I'm not clear on any advantage/requirement of either using wicked or
> shorewall-lite to toggle the tun1 intfc's up/down state.
>
> Is there a preference / recommendation between them?
>

I have no preference since I don't even know what 'wicked' is, and I
don't run systemd.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
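
Step (c) from the message above as an OpenVPN hook script, added here as an example and not taken from the thread or from Shorewall: one file serves as both the `up` and the `down` script and runs `shorewall-lite enable` or `shorewall-lite disable` on the tunnel device. The function names, the `SWL_CMD` override and the tunN/tapN name check are assumptions of this example; `script_type` and `dev` are the environment variables OpenVPN sets for its scripts.

```shell
#!/bin/sh
# Added example (not from the thread): OpenVPN up/down hook for step (c).
# Assumption: the OpenVPN config names this file for both "up" and "down"
# and sets "script-security 2", so OpenVPN exports script_type and dev.

# Command to run; override for a dry run, e.g. SWL_CMD="echo shorewall-lite".
SWL_CMD="${SWL_CMD:-shorewall-lite}"

# Map OpenVPN's script_type to the shorewall-lite verb.
swl_action() {
    case "$1" in
        up)   echo enable ;;
        down) echo disable ;;
        *)    return 1 ;;
    esac
}

# Accept only tunN / tapN, so the hook never toggles any other interface.
valid_dev() {
    case "$1" in
        tun*|tap*) unit="${1#???}" ;;
        *) return 1 ;;
    esac
    case "$unit" in
        ''|*[!0-9]*) return 1 ;;
    esac
}

# Run "shorewall-lite enable|disable <dev>" for a given script type and device.
swl_hook() {
    stype="$1"; ifname="$2"
    verb=$(swl_action "$stype") || {
        echo "unsupported script_type: $stype" >&2; return 2; }
    valid_dev "$ifname" || {
        echo "refusing device name: $ifname" >&2; return 2; }
    $SWL_CMD "$verb" "$ifname"
}

# Only act when OpenVPN invoked us (script_type is set in its environment).
if [ -n "${script_type:-}" ]; then
    swl_hook "$script_type" "${dev:-}"
    exit $?
fi
```

The script exits with the status of the `shorewall-lite` call, and OpenVPN treats a non-zero exit from its `up` script as a failure, so Shorewall-lite has to be started before OpenVPN, as step (b) requires.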
