I got it working using openvpn.  In the end the only non-documented
change I had to make was to enable one router to ping the other over
the tun0 interface.  If I hadn't been looking for that to succeed
before proceeding to add access to the hosts behind the firewalls
(which succeeds without additional shorewall changes) it'd have been
quicker.

The undocumented change to /etc/shorewall/policy is
    fw      vpn     ACCEPT
    vpn     fw      ACCEPT
I think I'll comment this out now that the rest is working.

The best guide to setting up is

http://openvpn.net/howto.html

which provides step-by-step instructions for generating keys, getting
server up and client connecting, and then adding hosts behind the two.
Keeping an eye on (tail -f) logfiles really helps to see what's going
on.

Shorewall has good docs on accommodating openvpn too:

http://www.shorewall.net/3.0/OPENVPN.html

Dealing with both routers having dynamic addresses isn't too bad.  The
client must specify the server by name, which it then gets from
zoneedit.com.  The server's firewall must not be specific about the
addresses it will allow connections from:

 [kehome 12:55:29]~\: grep openvpn /etc/shorewall/tunnels 
openvpn:udp:1194        net     0.0.0.0/0

(With a bit of research I could at least mask out addresses outside of
my ISP's range.)

I assume that when the server's IP address changes it will take some
time for the openvpn client to find the server again: it'll start
trying immediately, but the changed address will take some time to
make it into caches.  If that turns out to be a problem I'll have to
address it.

I didn't consider openswan.  Openvpn was the first package I looked at
and seemed to do what I needed.

There's one problem I'd still like to solve.  All of the hosts at the
two sites are fixed but one, my laptop, which has different addresses
depending on which LAN I'm on.  Addresses are given in /etc/hosts on
the two routers, which file is identical except for the address of my
laptop.  I imagine the solution involves having a single DNS server
for the whole VPN'd network, but I want to stay away from changes that
break either LAN when the VPN connection is down.  For now I can just
comment out a line in /etc/hosts on both LEAF boxen each time I change
locations. :-)

Thanks!

--Eric

> Date: Tue, 25 Sep 2007 23:51:53 +0100
> From: David M Brooke <[EMAIL PROTECTED]>
> Subject: Re: [leaf-user] OpenVPN config for joining two LEAF-based
>       networks?
> To: leaf <leaf-user@lists.sourceforge.net>
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain
> 
> Hi Eric,
> 
> I did something similar on Bering-uClibc 3.0.1 a while back, albeit
> using OpenSwan (ipsec.lrp) rather than OpenVPN. One of my WAN addresses
> was effectively static though - I don't know how you'll get on if *both*
> addresses are dynamic. Maybe if you use a dynamic DNS service you can
> define the configuration with names rather than IP addresses... ?
> 
> I set up the two networks to have different "loc" network addresses at
> each site - 192.168.1.0/24 at one location and 192.168.11.0/24 at the
> other - and configured OpenSwan to provide a tunnel which routed between
> them. Clients at each site could connect transparently to clients at the
> other site. It all worked fine, but was a bit slow since I was using
> ADSL with 2Mb/s of download bandwidth but only 256Kb/s of upload
> bandwidth at each location.
> 
> I've now torn down this installation since it was no longer required,
> but I think I've still got copies of my config files somewhere. I forget
> why I chose to go down the IPsec (OpenSwan) route rather than the
> SSL/TLS (OpenVPN) route - any particular reason why you're looking at
> OpenVPN rather than OpenSwan?
> 
> There's some documentation on both options in the Bering-uClibc User's
> Guide: http://leaf.sourceforge.net/doc/buc-user.html
> 
> davidMbrooke
> 
> On Tue, 2007-09-25 at 11:29 -0700, [EMAIL PROTECTED] wrote:
> > I'm trying to join two home networks, each behind a LEAF
> > (Bering-uClibc 3.1-beta1) box, into a single network using OpenVPN.
> > Both networks have dynamic IP addresses on their outward (WAN via DSL)
> > interfaces.  What I'm hoping to do is make it appear that all hosts on
> > both are available on both, e.g. so that a network printer in one
> > could be used from either network in exactly the same way.
> > 
> > Has anybody done this?  Can you point me at documentation covering
> > this case (for OpenVPN and Shorewall)?  Better, can you share your
> > config files?

-- 
******************************************************************************
* From the desktop of: Eric House, [EMAIL PROTECTED]                        *
*     Play one-handed with Crosswords 4.2 for PalmOS: xwords.sourceforge.net *
******************************************************************************
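An added example to go with the thread above (it is not Eric's or David's configuration and not code from the OpenVPN or Shorewall projects): shell helpers that emit the Shorewall 3.x fragments for the vpn zone, the two policy pairs (router-to-router for the tun0 ping test, LAN-to-LAN for the hosts behind), the tunnels entry, and point-to-point TLS OpenVPN configs in which the client names the server by its dynamic-DNS hostname. It also includes a small in_cidr check for the "mask out addresses outside my ISP's range" idea, so the current peer address can be confirmed to fall inside the range before the tunnels entry is narrowed from 0.0.0.0/0. All concrete values are assumptions: site A LAN 192.168.1.0/24, site B LAN 192.168.11.0/24, tunnel endpoints 10.8.0.1 and 10.8.0.2, the name siteb.example.com, the range 203.0.113.0/24, and the key paths.

```shell
#!/bin/sh
# Added example for the setup discussed in this thread; not Eric's or
# David's configuration and not Shorewall/OpenVPN project code.
# Assumed values (none are stated in the thread): site A LAN 192.168.1.0/24,
# site B LAN 192.168.11.0/24, tunnel endpoints 10.8.0.1 (A) and 10.8.0.2 (B),
# peer dynamic-DNS name siteb.example.com, and 203.0.113.0/24 standing in
# for the peer ISP's address range. Key/cert paths are placeholders.

# ip2int A.B.C.D -> unsigned 32-bit integer, pure shell arithmetic
ip2int() {
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# in_cidr ADDR NET[/PREFIX] -> exit 0 if ADDR lies inside the prefix.
# Use it to confirm the peer's current address is still covered before
# narrowing the tunnels entry from 0.0.0.0/0 to the ISP range.
in_cidr() {
    case $2 in */*) ;; *) set -- "$1" "$2/32" ;; esac
    bits=${2#*/}; net=${2%/*}
    mask=$(( 4294967296 - (1 << (32 - bits)) ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# tunnels_line SOURCE -> the /etc/shorewall/tunnels entry. SOURCE is
# 0.0.0.0/0 when the peer may come from anywhere (as in the thread) or the
# ISP range when narrowing. Either way it only gates the UDP handshake;
# the TLS exchange still does the real peer authentication.
tunnels_line() {
    printf 'openvpn:udp:1194\tnet\t%s\n' "$1"
}

# write_shorewall DIR SOURCE -> appends the vpn zone, tun0 interface,
# policies and tunnel entry to the Shorewall 3.x files under DIR
# (DIR=/etc/shorewall on the router; a scratch dir to inspect first).
write_shorewall() {
    mkdir -p "$1"
    printf 'vpn\tipv4\n' >> "$1/zones"
    printf 'vpn\ttun0\n' >> "$1/interfaces"
    {
        # router-to-router traffic: needed for the ping over tun0
        printf 'fw\tvpn\tACCEPT\n'
        printf 'vpn\tfw\tACCEPT\n'
        # LAN-to-LAN traffic for the hosts behind each router
        printf 'loc\tvpn\tACCEPT\n'
        printf 'vpn\tloc\tACCEPT\n'
    } >> "$1/policy"
    tunnels_line "$2" >> "$1/tunnels"
}

# openvpn_server_conf -> point-to-point TLS server on site A. "float" lets
# an already-authenticated client keep its session when its own WAN
# address changes; keepalive makes a dead peer restart the connection.
openvpn_server_conf() {
    cat <<'EOF'
dev tun
proto udp
port 1194
tls-server
dh /etc/openvpn/dh1024.pem
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
ifconfig 10.8.0.1 10.8.0.2
route 192.168.11.0 255.255.255.0
float
keepalive 10 60
persist-key
persist-tun
EOF
}

# openvpn_client_conf SERVER_NAME -> client side on site B. The server is
# named, not numbered; "resolv-retry infinite" keeps retrying resolution,
# and each keepalive-triggered restart resolves the name afresh, so a new
# server address is picked up once the DNS update has propagated.
openvpn_client_conf() {
    cat <<EOF
dev tun
proto udp
remote $1 1194
resolv-retry infinite
tls-client
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client.crt
key /etc/openvpn/client.key
ifconfig 10.8.0.2 10.8.0.1
route 192.168.1.0 255.255.255.0
keepalive 10 60
persist-key
persist-tun
EOF
}
```

Usage on the router: `write_shorewall /etc/shorewall 0.0.0.0/0` (or the ISP range once `in_cidr <peer-address> <range>` succeeds), `openvpn_server_conf > /etc/openvpn/site.conf` on A and `openvpn_client_conf siteb.example.com` likewise on B, then, as the post recommends, ping the far tun0 endpoint from each router and watch the logs before relying on the LAN routes.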

leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/
