>> anyone else had to use this?
> 
> Not I. I got it working back when I implemented the code and haven't
> touched it since.
> 
>> I see hardly any posts in shorewall on how to accomplish this? I have
>> come up with what I think are the OpenVPN configs below.
> 
> Just use a conventional host-host VPN config. You then select a pair of
> networks you plan to use for the surrogate on each end.
> 
> Let's say that you want to use 10.10.10.0/24 on the client end and
> 10.10.11.0/24 on the server end.
> 
> What I would do is use a CCD (client config dir) on the server and in
> the client's ccd file, I would:
> 
> route 10.10.11.0 255.255.255.0
> push "route 10.10.10.0 255.255.255.0"

As I understand it, both in the CCD would be as follows:

In the SERVER file (in the client config directory, though)
-------------------------------

dev tun0
proto udp

local  66.224.100.190
remote 75.149.172.81

# Note: the networks are different; the last octets are .1 and .2 just
# because this looks normal in OpenVPN
ifconfig 10.10.11.1 10.10.10.2

route 10.10.11.0 255.255.255.0
push "route 10.10.10.0 255.255.255.0"

# Do I need this, or does the SNAT/DNAT take care of going through the tunnel?
route host 10.10.10.2 tun0

nobind

persist-key
persist-tun

certificate stuff <snipped for brevity>

status /var/log/openvpn-status.log
log-append /var/log/openvpn.log

comp-lzo
verb 4
------------------------------------
CLIENT

dev tun0
proto udp

local  75.149.172.81
remote 66.224.100.194

# Note: the networks are different; the last octets are .2 and .1 just
# because this looks normal in OpenVPN
ifconfig 10.10.10.2 10.10.11.1

# Notice the flip-flop from the server file
route 10.10.10.0 255.255.255.0
push "route 10.10.11.0 255.255.255.0"

# Do I need this, or does the SNAT/DNAT take care of going through the tunnel?
route host 10.10.11.1 tun0

nobind

persist-key
persist-tun

certificate stuff <snipped for brevity>

status /var/log/openvpn-status.log
log-append /var/log/openvpn.log

comp-lzo
verb 4

Thank you

Mike 

One other question: I noticed the OpenVPN config has no concept of either
LAN side's real network IP. Does netmap take care of that with this?
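Added example, not code from Tom's or Mike's messages and not Shorewall's or OpenVPN's own code: the /etc/shorewall/netmap entries each gateway would carry for Tom's surrogate scheme, the raw iptables NETMAP rules they expand to, and a small shell model of what the NETMAP target does to an address, so the last question above (where the real LAN addresses come in) can be traced packet by packet. Everything about the LANs is assumed, since the thread never states them: both sites use 192.168.1.0/24 (the overlap that calls for NETMAP in the first place), the surrogates are the 10.10.10.0/24 and 10.10.11.0/24 Tom proposes, and the tunnel device is tun0. The address mapper is general (any matching prefix length), not just /24.

```shell
#!/bin/sh
# Added example; not from the mailing-list post, Shorewall or OpenVPN.
# Assumptions (not stated in the thread): both LANs are 192.168.1.0/24,
# the client-end surrogate is 10.10.10.0/24, the server-end surrogate is
# 10.10.11.0/24, and the tunnel device is tun0.

# netmap_entries REAL_NET SURROGATE_NET IFACE
# Emits the two /etc/shorewall/netmap lines for one gateway.
# SNAT: rewrite the LAN's real source addresses to the surrogate as packets
#       leave through the tunnel.
# DNAT: rewrite surrogate destination addresses back to real LAN addresses
#       as packets arrive from the tunnel.
# OpenVPN itself only ever carries the surrogate addresses.
netmap_entries() {
    printf '#TYPE\tNET1\t\tINTERFACE\tNET2\n'
    printf 'SNAT\t%s\t%s\t\t%s\n' "$1" "$3" "$2"
    printf 'DNAT\t%s\t%s\t\t%s\n' "$2" "$3" "$1"
}

# iptables_rules REAL_NET SURROGATE_NET IFACE
# The equivalent raw nat-table rules, for comparing against
# 'iptables -t nat -S' on a running gateway.
iptables_rules() {
    printf 'iptables -t nat -A POSTROUTING -o %s -s %s -j NETMAP --to %s\n' "$3" "$1" "$2"
    printf 'iptables -t nat -A PREROUTING -i %s -d %s -j NETMAP --to %s\n' "$3" "$2" "$1"
}

# ip2int A.B.C.D -> unsigned 32-bit integer
ip2int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int2ip N -> A.B.C.D
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# netmap_addr ADDR FROM_NET TO_NET
# Applies one NETMAP translation to a single address the way the kernel
# target does: keep the host bits, replace the network bits. Fails if the
# prefix lengths differ or ADDR is not inside FROM_NET (a packet outside
# FROM_NET would simply not match the rule).
netmap_addr() {
    addr=$1; from=$2; to=$3
    from_plen=${from#*/}; to_plen=${to#*/}
    [ "$from_plen" = "$to_plen" ] || { echo "prefix length mismatch: $from vs $to" >&2; return 1; }
    mask=$(( (4294967295 << (32 - from_plen)) & 4294967295 ))
    addr_n=$(ip2int "$addr")
    from_n=$(ip2int "${from%/*}")
    to_n=$(ip2int "${to%/*}")
    [ $(( addr_n & mask )) -eq $(( from_n & mask )) ] || { echo "$addr is not in $from" >&2; return 1; }
    int2ip $(( (addr_n & ~mask & 4294967295) | (to_n & mask) ))
}

# trace_client_to_server SRC DST
# SRC is a real host on the client LAN; DST is the server-side host as the
# client LAN must address it, i.e. by its server surrogate address.
trace_client_to_server() {
    src=$1; dst=$2
    # client gateway, POSTROUTING on tun0: real source -> client surrogate
    s1=$(netmap_addr "$src" 192.168.1.0/24 10.10.10.0/24) || return 1
    # server gateway, PREROUTING on tun0: server surrogate -> real destination
    d1=$(netmap_addr "$dst" 10.10.11.0/24 192.168.1.0/24) || return 1
    echo "LAN A sends $src -> $dst; tunnel carries $s1 -> $dst; LAN B receives $s1 -> $d1"
}

echo "# client gateway netmap file"
netmap_entries 192.168.1.0/24 10.10.10.0/24 tun0
echo "# server gateway netmap file"
netmap_entries 192.168.1.0/24 10.10.11.0/24 tun0
echo "# server gateway, raw rules"
iptables_rules 192.168.1.0/24 10.10.11.0/24 tun0
trace_client_to_server 192.168.1.37 10.10.11.200
```

The trace is the answer to "no concept of the real network IP": hosts on each LAN talk to the other side's surrogate addresses, and each gateway's NETMAP rules swap real and surrogate on the tunnel interface, so the OpenVPN routes only ever need the surrogate networks.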
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
