On Mon, May 11, 2020 at 11:53:34AM -0700, Shorewall via Shorewall-users wrote:
> So I have a fairly typical 3 interface setup with shorewall. A couple of
> local LAN networks and an ISP internet network. The firewall also runs
> OpenVPN server so there is also a vpn zone for that tun interface.
>
> I am considering also having an OpenVPN client connection from the
> Firewall/Gateway server to a VPN service provider.
>
> I would want 99% of all my traffic to route exactly as it does before
> setting up this new VPN client connection.
>
> What I would like to do is choose specific hosts on the local LAN to route
> through this VPN tunnel, but all other traffic to route normally through the
> direct connected ISP interface.
>
> Typically when I have created a client VPN connection outside of shorewall,
> all traffic typically goes through that tunnel. This is not what I want to
> do, as I want to control the traffic that gets routed through VPN. It would
> also be acceptable if only traffic for given destinations went through the
> tunnel, if filtering the source connection was not possible.
>
> I have come across a couple of interweb pages which partially talk about
> what I am trying to do and either the text is not exactly what I am trying
> to accomplish, or the question was not answered:
>
> https://bit.ly/2SVSdph
> https://bit.ly/35QlDKB
>
> Is this something that is easily accomplished by just setting up a new zone
> and some new rules, or is this much more involved?
>
> I have looked through the VpnBasics documentation, the tunnels
> documentation, and the OpenVpn shorewall documentation, but those scenarios
> do not appear to cover what I am trying to accomplish. Can you please let
> me know if this can be accomplished with shorewall, and if there already
> exists a write up to point me in the right direction?
I was going to say that this is mostly not an openvpn question, and then I realized that you'd written to the shorewall list. :)

Routing is more or less separate from VPN (all openvpn does is add a route if you tell it to). Shorewall does do some routing itself. So you'd want to implement the VPN and then handle routing. Routing by destination is what's typical.

I think you'd want to look here; essentially the VPN connection is another ISP. You probably want to use USE_DEFAULT_RT. Also read about tcrules/mangle/providers:

https://shorewall.org/MultiISP.html
https://shorewall.org/traffic_shaping.htm

--
Justin

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
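The "VPN as a second ISP" approach from the reply above, written out as a set of config fragments. This is an added example, not something posted in the thread or taken from the Shorewall documentation: the LAN range 192.168.1.0/24, the chosen hosts, the destination range 198.51.100.0/24, the interface name tun1, the zone name vpnout and the provider name VPN are all assumptions, and the column layouts should be checked against the shorewall-providers(5), shorewall-rtrules(5) and shorewall-snat(5) man pages for the installed release.

```conf
# Added example (not from the thread). Route only chosen LAN hosts (or only
# chosen destinations) through a provider VPN; everything else keeps using
# the ISP default route. All names and addresses below are assumptions.

# --- /etc/openvpn/client/provider.conf (client side, excerpt) ---
client
dev tun1                  # fixed name so the Shorewall files below can refer to it
script-security 2
# The provider pushes "redirect-gateway"; ignore it so the box keeps its
# ISP default route and Shorewall decides who uses the tunnel.
pull-filter ignore "redirect-gateway"
up   /etc/openvpn/tun1-hook.sh
down /etc/openvpn/tun1-hook.sh

# --- /etc/openvpn/tun1-hook.sh (assumed helper; OpenVPN exports $script_type and $dev) ---
#!/bin/sh
# Tell Shorewall the optional provider interface came up or went down.
case "$script_type" in
    up)   shorewall enable  "$dev" ;;
    down) shorewall disable "$dev" ;;
esac

# --- /etc/shorewall/shorewall.conf (one setting to change) ---
# The main table is consulted first (rule priority 999), so LAN<->LAN and
# existing OpenVPN-server traffic route exactly as before.
USE_DEFAULT_RT=Yes

# --- /etc/shorewall/zones (add) ---
#ZONE    TYPE
vpnout   ipv4

# --- /etc/shorewall/interfaces (add) ---
?FORMAT 2
#ZONE    INTERFACE  OPTIONS
# optional: the firewall must start even while the tunnel is down
vpnout   tun1       optional

# --- /etc/shorewall/providers ---
# GATEWAY "-" assumes a point-to-point tun; with subnet topology put the
# server-side tunnel address there. "loose" keeps this provider out of the
# balanced default route that USE_DEFAULT_RT=Yes would otherwise assume.
#NAME  NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY  OPTIONS      COPY
VPN    2       2     -          tun1       -        track,loose  -

# --- /etc/shorewall/rtrules ---
# Priority 1000 sits just after the main-table lookup at 999: only traffic
# with no route in main (i.e. Internet-bound) reaches these rules.
#SOURCE            DEST              PROVIDER  PRIORITY
# one host: all its off-LAN traffic goes via the provider
192.168.1.50       -                 VPN       1000
# a block of hosts
192.168.1.64/28    -                 VPN       1000
# or by destination: this range goes via the tunnel for everyone
-                  198.51.100.0/24   VPN       1000

# --- /etc/shorewall/snat (Shorewall 5.2+; older releases use /etc/shorewall/masq) ---
#ACTION      SOURCE          DEST
MASQUERADE   192.168.1.0/24  tun1

# --- /etc/shorewall/policy (add, before the catch-all lines) ---
#SOURCE   DEST     POLICY  LEVEL
loc       vpnout   ACCEPT
vpnout    all      DROP    info
```

After `shorewall restart`, `shorewall show routing` (or `ip rule` and `ip route show table VPN`) should show the 999 main lookup, the 1000 rules for the listed sources and destination, and a default route via tun1 in the VPN table only. Two caveats worth checking from one of the chosen hosts: its egress address as seen by an external service should be the provider's, and its DNS queries still go to whatever resolver it was already using, which is not on the list above and therefore still leaves via the ISP unless that resolver's address is also routed through the tunnel.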