-------- Original Message --------
> From: "Mike Lander" <land...@lanlinecomputers.com>
> Sent: Thursday, June 11, 2009 10:38 PM
> To: shorewall-users@lists.sourceforge.net
> Subject: [Shorewall-users] Openvpn Bridge
>
> Ok, started a new thread with an appropriate topic;
> also reconfigured this mail client to be more
> friendly to the list.
> I think I have my bridge part good. This is /etc/init.d/bridge start:
>
> #!/bin/bash
>
> # Define Bridge Interface
> br="br0"
>
> # Define list of TAP interfaces to be bridged
> tap="tap0"
>
> # Define a list of physical ethernet interfaces to be bridged
> # with TAP interface(s) above.
> #
> eth="eth1"
> eth_ip="10.194.79.191"
> eth_netmask="255.255.255.0"
> eth_broadcast="10.194.79.255"
> default_gw=10.194.79.191
>
> # Path to the system networking script
> # For Debian
> #NETWORK="/etc/init.d/networking"
> # For SuSE
> NETWORK="/etc/init.d/network"
>
> # Path to the openvpn start/stop script
> OPENVPN_INIT="/etc/init.d/openvpn"
>
> # Path to the openvpn binary
> OPENVPN="/usr/sbin/openvpn"
>
> # Path to the brctl binary
> BRCTL="/sbin/brctl"
>
> # Path to the ifconfig binary
> IFCONFIG="/sbin/ifconfig"
>
> # Path to the route binary
> ROUTE="/sbin/route"
>
> do_start(){
>
>     for i in $tap; do
>         $OPENVPN --mktun --dev $i
>     done
>
>     $BRCTL addbr $br
>
>     for i in $eth; do
>         $BRCTL addif $br $i
>     done
>
>     for i in $tap; do
>         $BRCTL addif $br $i
>     done
>
>     for i in $eth; do
>         $IFCONFIG $i 0.0.0.0 promisc up
>     done
>
>     for i in $tap; do
>         $IFCONFIG $i 0.0.0.0 promisc up
>     done
>
>     $IFCONFIG $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
>
>     $ROUTE add default gw $default_gw
>
>     $OPENVPN_INIT start
>
> }
>
> do_stop(){
>
>     $IFCONFIG $br down
>     $BRCTL delbr $br
>
>     for i in $tap; do
>         $OPENVPN --rmtun --dev $i
>         $IFCONFIG $i down
>         $NETWORK force-reload
>     done
>
>     $OPENVPN_INIT stop
>
> }
>
> case "$1" in
>
>     start)
>         do_start
>         ;;
>     stop)
>         do_stop
>         ;;
>     restart)
>         do_stop
>         sleep 1
>         do_start
>         ;;
>     *)
>         echo "usage: $0 start|stop|restart" >&2
>         exit 3
>         ;;
> esac
> exit 0
>
> Thu Jun 11 17:21:22 2009 us=403996 Current Parameter Settings:
> Thu Jun 11 17:21:22 2009 us=404125 config = '/etc/openvpn/honda.conf'
> Thu Jun 11 17:21:22 2009 us=404149 mode = 1
> Thu Jun 11 17:21:22 2009 us=404170 persist_config = DISABLED
> Thu Jun 11 17:21:22 2009 us=404189 persist_mode = 1
> Thu Jun 11 17:21:22 2009 us=404210 show_ciphers = DISABLED
> Thu Jun 11 17:21:22 2009 us=404229 show_digests = DISABLED
> Thu Jun 11 17:21:22 2009 us=404248 show_engines = DISABLED
> Thu Jun 11 17:21:22 2009 us=404268 genkey = DISABLED
> Thu Jun 11 17:21:22 2009 us=404288 key_pass_file = '[UNDEF]'
> Thu Jun 11 17:21:22 2009 us=404308 show_tls_ciphers = DISABLED
> Thu Jun 11 17:21:22 2009 us=404329 proto = 0
> Thu Jun 11 17:21:22 2009 us=404348 local = '10.194.79.191'
> Thu Jun 11 17:21:22 2009 us=404368 remote_list = NULL
> Thu Jun 11 17:21:22 2009 us=404390 remote_random = DISABLED
> Thu Jun 11 17:21:22 2009 us=404410 local_port = 1194
> Thu Jun 11 17:21:22 2009 us=404430 remote_port = 1194
> Thu Jun 11 17:21:22 2009 us=404450 remote_float = DISABLED
> Thu Jun 11 17:21:22 2009 us=404469 ipchange = '[UNDEF]'
> Thu Jun 11 17:21:22 2009 us=404489 bind_local = ENABLED
> Thu Jun 11 17:21:22 2009 us=404518 dev = 'tap0'
> Thu Jun 11 17:21:22 2009 us=404538 dev_type = '[UNDEF]'
> Thu Jun 11 17:21:22 2009 us=404558 dev_node = '[UNDEF]'
> Thu Jun 11 17:21:22 2009 us=404578 tun_ipv6 = DISABLED
> Thu Jun 11 17:21:22 2009 us=404597 ifconfig_local = '[UNDEF]'
> Thu Jun 11 17:21:22 2009 us=404620 ifconfig_remote_netmask = '[UNDEF]'
> Thu Jun 11 17:21:22 2009 us=404640 ifconfig_noexec = DISABLED
> Thu Jun 11 17:21:22 2009 us=404659 ifconfig_nowarn = DISABLED
> Thu Jun 11 17:21:22 2009 us=404678 shaper = 0
> Thu Jun 11 17:21:22 2009 us=404698 tun_mtu = 1500
> Thu Jun 11 17:21:22 2009 us=404718 tun_mtu_defined = ENABLED
> Thu Jun 11 17:21:22 2009 us=404738 link_mtu = 1500
> Thu Jun 11 17:21:22 2009 us=404757 link_mtu_defined = DISABLED
> Thu Jun 11 17:21:22 2009 us=404777 tun_mtu_extra = 32
> Thu Jun 11 17:21:22 2009 us=404797 tun_mtu_extra_defined = ENABLED
> Thu Jun 11 17:21:22 2009 us=404816 fragment = 0
> Thu Jun 11 17:21:22 2009 us=404836 mtu_discover_type = -1
> Thu Jun 11 17:21:22 2009 us=404856 mtu_test = 0
> Thu Jun 11 17:21:22 2009 us=404875 mlock = DISABLED
> Thu Jun 11 17:21:22 2009 us=404934 keepalive_ping = 10
> Thu Jun 11 17:21:22 2009 us=404955 keepalive_timeout = 120
> Thu Jun 11 17:21:22 2009 us=404974 inactivity_timeout = 0
> Thu Jun 11 17:21:22 2009 us=404994 ping_send_timeout = 10
> Thu Jun 11 17:21:22 2009 us=405013 ping_rec_timeout = 240
> Thu Jun 11 17:21:22 2009 us=405033 ping_rec_timeout_action = 2
> Thu Jun 11 17:21:22 2009 us=405053 ping_timer_remote = DISABLED
> Thu Jun 11 17:21:22 2009 us=405073 remap_sigusr1 = 0
> Thu Jun 11 17:21:22 2009 us=405093 explicit_exit_notification = 0
> Thu Jun 11 17:21:22 2009 us=405113 persist_tun = ENABLED
> Thu Jun 11 17:21:22 2009 us=405132 persist_local_ip = DISABLED
> Thu Jun 11 17:21:22 2009 us=405152 persist_remote_ip = DISABLED
> Thu Jun 11 17:21:22 2009 us=405172 persist_key = ENABLED
> Thu Jun 11 17:21:22 2009 us=405191 mssfix = 1450
> Thu Jun 11 17:21:22 2009 us=405210 passtos = DISABLED
> Thu Jun 11 17:21:22 2009 us=405230 resolve_retry_seconds = 1000000000
> Thu Jun 11 17:21:22 2009 us=405250 connect_retry_seconds = 5
> Thu Jun 11 17:21:22 2009 us=405270 username = 'nobody'
> Thu Jun 11 17:21:22 2009 us=405290 groupname = 'nogroup'
> Thu Jun 11 17:21:22 2009 us=405309 chroot_dir = '[UNDEF]'
> Thu Jun 11 17:21:22 2009 us=405328 cd_dir = '/etc/openvpn'
> Thu Jun 11 17:21:22 2009 us=405348 writepid = '/var/run/openvpn/honda.pid'
> Thu Jun 11 17:21:22 2009 us=405368 up_script = '[UNDEF]'
> Thu Jun 11 17:21:22 2009 us=405387 down_script = '[UNDEF]'
> Thu Jun 11 17:21:22 2009 us=405407 down_pre = DISABLED
> Thu Jun 11 17:21:22 2009 us=405427 up_restart = DISABLED
> Thu Jun 11 17:21:22 2009 us=405445 up_delay = DISABLED
> Thu Jun 11 17:21:22 2009 us=405465 daemon = ENABLED
> Thu Jun 11 17:21:22 2009 us=405485 inetd = 0
> Thu Jun 11 17:21:22 2009 us=405504 log = ENABLED
> Thu Jun 11 17:21:22 2009 us=405524 suppress_timestamps = DISABLED
> Thu Jun 11 17:21:22 2009 us=405544 nice = 0
> Thu Jun 11 17:21:22 2009 us=405563 verbosity = 5
> Thu Jun 11 17:21:22 2009 us=405583 mute = 0
> Thu Jun 11 17:21:22 2009 us=405602 gremlin = 0
> Thu Jun 11 17:21:22 2009 us=405622 status_file = '/etc/openvpn/servers/honda/logs/openvpn-status.log'
> Thu Jun 11 17:21:22 2009 us=405642 status_file_version = 1
> Thu Jun 11 17:21:22 2009 us=405661 status_file_update_freq = 60
> Thu Jun 11 17:21:22 2009 us=405681 occ = ENABLED
> Thu Jun 11 17:21:22 2009 us=405701 rcvbuf = 65536
> Thu Jun 11 17:21:22 2009 us=405720 sndbuf = 65536
> Thu Jun 11 17:21:22 2009 us=405740 socks_proxy_server = '[UNDEF]'
> Thu Jun 11 17:21:22 2009 us=405761 socks_proxy_port = 0
> Thu Jun 11 17:21:22 2009 us=405780 socks_proxy_retry = DISABLED
> Thu Jun 11 17:21:22 2009 us=405799 fast_io = DISABLED
> Thu Jun 11 17:21:22 2009 us=405819 comp_lzo = ENABLED
> Thu Jun 11 17:21:22 2009 us=405838 comp_lzo_adaptive = ENABLED
> Thu Jun 11 17:21:22 2009 us=405858 route_script = '[UNDEF]'
> Thu Jun 11 17:21:22 2009 us=405878 route_default_gateway = '[UNDEF]'
> Thu Jun 11 17:21:22 2009 us=405898 route_noexec = DISABLED
> Thu Jun 11 17:21:22 2009 us=405917 route_delay = 0
> Thu Jun 11 17:21:22 2009 us=405937 route_delay_window = 30
> Thu Jun 11 17:21:22 2009 us=405957 route_delay_defined = DISABLED
> Thu Jun 11 17:21:22 2009 us=405976 management_addr = '[UNDEF]'
> Thu Jun 11 17:21:22 2009 us=405997 management_port = 0
> Thu Jun 11 17:21:22 2009 us=406016 management_user_pass = '[UNDEF]'
> Thu Jun 11 17:21:22 2009 us=406036 management_log_history_cache = 250
> Thu Jun 11 17:21:22 2009 us=406056 management_echo_buffer_size = 100
> Thu Jun 11 17:21:22 2009 us=406076 management_query_passwords = DISABLED
> Thu Jun 11 17:21:22 2009 us=406096 management_hold = DISABLED
> Thu Jun 11 17:21:22 2009 us=406115 shared_secret_file = '[UNDEF]'
> Thu Jun 11 17:21:22 2009 us=406136 key_direction = 0
> Thu Jun 11 17:21:22 2009 us=406156 ciphername_defined = ENABLED
> Thu Jun 11 17:21:22 2009 us=406177 ciphername = 'BF-CBC'
> Thu Jun 11 17:21:22 2009 us=406197 authname_defined = ENABLED
> Thu Jun 11 17:21:22 2009 us=406217 authname = 'SHA1'
> Thu Jun 11 17:21:22 2009 us=406237 keysize = 0
> Thu Jun 11 17:21:22 2009 us=406257 engine = DISABLED
> Thu Jun 11 17:21:22 2009 us=406295 replay = ENABLED
> Thu Jun 11 17:21:22 2009 us=406316 mute_replay_warnings = DISABLED
> Thu Jun 11 17:21:22 2009 us=406337 replay_window = 64
> Thu Jun 11 17:21:22 2009 us=406357 replay_time = 15
> Thu Jun 11 17:21:22 2009 us=406377 packet_id_file = '[UNDEF]'
> Thu Jun 11 17:21:22 2009 us=406397 use_iv = ENABLED
> Thu Jun 11 17:21:22 2009 us=406416 test_crypto = DISABLED
> Thu Jun 11 17:21:22 2009 us=406435 tls_server = ENABLED
> Thu Jun 11 17:21:22 2009 us=406455 tls_client = DISABLED
> Thu Jun 11 17:21:22 2009 us=406475 key_method = 2
> Thu Jun 11 17:21:22 2009 us=406495 ca_file = '/etc/openvpn/keys/honda/ca.crt'
> Thu Jun 11 17:21:22 2009 us=406515 dh_file = '/etc/openvpn/keys/honda/dh2048.pem'
> Thu Jun 11 17:21:22 2009 us=406535 cert_file = '/etc/openvpn/keys/honda/ca.crt'
> Thu Jun 11 17:21:22 2009 us=406555 priv_key_file = '/etc/openvpn/keys/honda/ca.key'
> Thu Jun 11 17:21:22 2009 us=406576 pkcs12_file = '[UNDEF]'
> Thu Jun 11 17:21:22 2009 us=406595 cipher_list = '[UNDEF]'
> Thu Jun 11 17:21:22 2009 us=406614 tls_verify = '[UNDEF]'
> Thu Jun 11 17:21:22 2009 us=406634 tls_remote = '[UNDEF]'
> Thu Jun 11 17:21:22 2009 us=406653 crl_file = '[UNDEF]'
> Thu Jun 11 17:21:22 2009 us=406674 ns_cert_type = 0
> Thu Jun 11 17:21:22 2009 us=406694 tls_timeout = 2
> Thu Jun 11 17:21:22 2009 us=406714 renegotiate_bytes = 0
> Thu Jun 11 17:21:22 2009 us=406734 renegotiate_packets = 0
> Thu Jun 11 17:21:22 2009 us=406755 renegotiate_seconds = 3600
> Thu Jun 11 17:21:22 2009 us=406775 handshake_window = 60
> Thu Jun 11 17:21:22 2009 us=406795 transition_window = 3600
> Thu Jun 11 17:21:22 2009 us=406815 single_session = DISABLED
> Thu Jun 11 17:21:22 2009 us=406835 tls_exit = DISABLED
> Thu Jun 11 17:21:22 2009 us=406855 tls_auth_file = '[UNDEF]'
> Thu Jun 11 17:21:22 2009 us=406877 server_network = 0.0.0.0
> Thu Jun 11 17:21:22 2009 us=406899 server_netmask = 0.0.0.0
> Thu Jun 11 17:21:22 2009 us=406927 server_bridge_ip = 10.194.79.191
> Thu Jun 11 17:21:22 2009 us=406951 server_bridge_netmask = 255.255.255.0
> Thu Jun 11 17:21:22 2009 us=406974 server_bridge_pool_start = 10.194.79.200
> Thu Jun 11 17:21:22 2009 us=406996 server_bridge_pool_end = 10.194.79.202
> Thu Jun 11 17:21:22 2009 us=407016 push_list = 'route 10.194.79.0 255.255.255.0,route-gateway 10.194.79.191,ping 10,ping-restart 120'
> Thu Jun 11 17:21:22 2009 us=407037 ifconfig_pool_defined = ENABLED
> Thu Jun 11 17:21:22 2009 us=407060 ifconfig_pool_start = 10.194.79.200
> Thu Jun 11 17:21:22 2009 us=407081 ifconfig_pool_end = 10.194.79.202
> Thu Jun 11 17:21:22 2009 us=407103 ifconfig_pool_netmask = 255.255.255.0
> Thu Jun 11 17:21:22 2009 us=407124 ifconfig_pool_persist_filename = '[UNDEF]'
> Thu Jun 11 17:21:22 2009 us=407145 ifconfig_pool_persist_refresh_freq = 600
> Thu Jun 11 17:21:22 2009 us=407165 ifconfig_pool_linear = DISABLED
> Thu Jun 11 17:21:22 2009 us=407186 n_bcast_buf = 256
> Thu Jun 11 17:21:22 2009 us=407207 tcp_queue_limit = 64
> Thu Jun 11 17:21:22 2009 us=407226 real_hash_size = 256
> Thu Jun 11 17:21:22 2009 us=407247 virtual_hash_size = 256
> Thu Jun 11 17:21:22 2009 us=407267 client_connect_script = '[UNDEF]'
> Thu Jun 11 17:21:22 2009 us=407287 learn_address_script = '[UNDEF]'
> Thu Jun 11 17:21:22 2009 us=407308 client_disconnect_script = '[UNDEF]'
> Thu Jun 11 17:21:22 2009 us=407328 client_config_dir = '[UNDEF]'
> Thu Jun 11 17:21:22 2009 us=407349 ccd_exclusive = DISABLED
> Thu Jun 11 17:21:22 2009 us=407369 tmp_dir = '[UNDEF]'
> Thu Jun 11 17:21:22 2009 us=407389 push_ifconfig_defined = DISABLED
> Thu Jun 11 17:21:22 2009 us=407411 push_ifconfig_local = 0.0.0.0
> Thu Jun 11 17:21:22 2009 us=407433 push_ifconfig_remote_netmask = 0.0.0.0
> Thu Jun 11 17:21:22 2009 us=407453 enable_c2c = ENABLED
> Thu Jun 11 17:21:22 2009 us=407473 duplicate_cn = DISABLED
> Thu Jun 11 17:21:22 2009 us=407493 cf_max = 0
> Thu Jun 11 17:21:22 2009 us=407513 cf_per = 0
> Thu Jun 11 17:21:22 2009 us=407534 max_clients = 1024
> Thu Jun 11 17:21:22 2009 us=407554 max_routes_per_client = 256
> Thu Jun 11 17:21:22 2009 us=407591 client_cert_not_required = DISABLED
> Thu Jun 11 17:21:22 2009 us=407612 username_as_common_name = DISABLED
> Thu Jun 11 17:21:22 2009 us=407633 auth_user_pass_verify_script = '[UNDEF]'
> Thu Jun 11 17:21:22 2009 us=407654 auth_user_pass_verify_script_via_file = DISABLED
> Thu Jun 11 17:21:22 2009 us=407674 client = DISABLED
> Thu Jun 11 17:21:22 2009 us=407694 pull = DISABLED
> Thu Jun 11 17:21:22 2009 us=407715 auth_user_pass_file = '[UNDEF]'
> Thu Jun 11 17:21:22 2009 us=407736 OpenVPN 2.0.9 i586-suse-linux [SSL] [LZO] [EPOLL] built on Dec 3 2008
> Thu Jun 11 17:21:22 2009 us=459576 Diffie-Hellman initialized with 2048 bit key
> Thu Jun 11 17:21:22 2009 us=460423 TLS-Auth MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
> Thu Jun 11 17:21:22 2009 us=460530 TUN/TAP device tap0 opened
> Thu Jun 11 17:21:22 2009 us=460562 TUN/TAP TX queue length set to 100
> Thu Jun 11 17:21:22 2009 us=460622 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
> Thu Jun 11 17:21:22 2009 us=461498 GID set to nogroup
> Thu Jun 11 17:21:22 2009 us=461608 UID set to nobody
> Thu Jun 11 17:21:22 2009 us=461673 Socket Buffers: R=[112640->131072] S=[112640->131072]
> Thu Jun 11 17:21:22 2009 us=461729 UDPv4 link local (bound): 10.194.79.191:1194
> Thu Jun 11 17:21:22 2009 us=461757 UDPv4 link remote: [undef]
> Thu Jun 11 17:21:22 2009 us=461809 MULTI: multi_init called, r=256 v=256
> Thu Jun 11 17:21:22 2009 us=461924 IFCONFIG POOL: base=10.194.79.200 size=3
> Thu Jun 11 17:21:22 2009 us=461993 Initialization Sequence Completed
>
> and my ifconfig
> linux-rwu0:~ # ifconfig
> br0       Link encap:Ethernet  HWaddr 00:16:17:7E:FE:D1
>           inet addr:10.194.79.191  Bcast:10.194.79.255  Mask:255.255.255.0
>           inet6 addr: fe80::216:17ff:fe7e:fed1/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:317 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:241 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:43215 (42.2 Kb)  TX bytes:133486 (130.3 Kb)
>
> eth0      Link encap:Ethernet  HWaddr 00:14:D1:13:43:11
>           inet addr:75.149.172.88  Bcast:75.149.172.95  Mask:255.255.255.240
>           inet6 addr: fe80::214:d1ff:fe13:4311/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:1865 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:966 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:165265 (161.3 Kb)  TX bytes:146769 (143.3 Kb)
>           Interrupt:20 Base address:0xa000
>
> eth1      Link encap:Ethernet  HWaddr 00:16:17:7E:FE:D1
>           inet6 addr: fe80::216:17ff:fe7e:fed1/64 Scope:Link
>           UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
>           RX packets:4218 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:2006 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:507287 (495.3 Kb)  TX bytes:1009394 (985.7 Kb)
>           Interrupt:23 Base address:0x4000
>
> lo        Link encap:Local Loopback
>           inet addr:127.0.0.1  Mask:255.0.0.0
>           inet6 addr: ::1/128 Scope:Host
>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>           RX packets:43 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:43 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:5508 (5.3 Kb)  TX bytes:5508 (5.3 Kb)
>
> tap0      Link encap:Ethernet  HWaddr AA:84:53:75:10:7D
>           inet6 addr: fe80::a884:53ff:fe75:107d/64 Scope:Link
>           UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:622 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:100
>           RX bytes:0 (0.0 b)  TX bytes:35184 (34.3 Kb)
>
> Not sure how to config shorewall, or if I have this bridge right, but
> now there seem to be several ways to config shorewall here.
> Which shorewall docs should I look at with suse 11.1 and shorewall 4.2.9?
> Forgot this, sorry :<)
My openvpn config is in /etc/openvpn, not in servers or client; is that correct? My config is below. Note the LAN is temporary; I have no client up yet.

server-bridge 10.194.79.191 255.255.255.0 10.194.79.200 10.194.79.202
client-to-client
local 10.194.79.191
port 1194
#remote 66.224.100.194 1194 dont need this anymore
#except on client I believe
verb 5
mute 0
ca /etc/openvpn/keys/honda/ca.crt
cert /etc/openvpn/keys/honda/ca.crt
key /etc/openvpn/keys/honda/ca.key
dh /etc/openvpn/keys/honda/dh2048.pem
proto udp
dev tap0
user nobody
group nogroup
keepalive 10 120
status /etc/openvpn/servers/honda/logs/openvpn-status.log
log-append /etc/openvpn/servers/honda/logs/openvpn.log
comp-lzo
persist-key
persist-tun
push "route 10.194.79.0 255.255.255.0"
#
#These opt will work on the server install
#OFF for now
#push "dhcp-option DNS 10.3.85.15"
#push "dhcp-option WINS 10.3.85.15"
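The verb 5 "Current Parameter Settings" dump quoted in the message above is the most useful thing to review before touching Shorewall, because some of what it shows never reaches the firewall at all. The following is an added example, not code from the original post, from OpenVPN or from Shorewall: a POSIX shell script that reads such a dump and flags the settings a reviewer would question in it. On the posted dump it flags four: cert_file/priv_key_file point at the CA's own ca.crt/ca.key (the server should present a leaf certificate, and the CA private key should not live on the VPN host); tls_auth_file is undefined; the cipher is BF-CBC (a 64-bit block cipher); and client-to-client is enabled, which makes OpenVPN switch traffic between VPN clients internally so the kernel firewall, and therefore Shorewall, never sees it. The first sample below copies the relevant lines from the dump above; the "hardened" sample, the file names server.crt, server.key and ta.key, and the script name are assumptions made for the example.

```shell
#!/bin/sh
# openvpn-audit.sh: audit an OpenVPN 2.0.x "Current Parameter Settings" dump
# (the verb 5 startup output) for settings a reviewer would flag.
# Added example, not from the original post, OpenVPN or Shorewall.
# Dump lines have the form "<timestamp> us=<n> <name> = <value>".

# ovpn_param NAME FILE: print the value of NAME, surrounding quotes stripped.
# The whitespace before NAME keeps "client" from matching "tls_client".
ovpn_param() {
    sed -n "s/^.*[[:space:]]$1 = //p" "$2" | head -n 1 | tr -d "'"
}

AUDIT_FINDINGS=0
warn() {
    echo "WARN $1"
    AUDIT_FINDINGS=$((AUDIT_FINDINGS + 1))
}

# audit_openvpn_dump FILE: print one WARN line per finding and leave the
# number of findings in AUDIT_FINDINGS.
audit_openvpn_dump() {
    f="$1"
    AUDIT_FINDINGS=0

    # The server must present a leaf certificate, not the CA itself. Pointing
    # cert/key at ca.crt/ca.key also leaves the CA private key on the VPN host.
    ca=$(ovpn_param ca_file "$f")
    cert=$(ovpn_param cert_file "$f")
    if [ -n "$ca" ] && [ "$ca" = "$cert" ]; then
        warn "cert_file is the CA certificate ($cert): issue a separate server certificate and keep ca.key off this host"
    fi

    # Without tls-auth any Internet host may start a TLS handshake on the port.
    if [ "$(ovpn_param tls_auth_file "$f")" = "[UNDEF]" ]; then
        warn "tls_auth_file undefined: add 'tls-auth ta.key 0' on the server and 'tls-auth ta.key 1' on clients"
    fi

    # BF-CBC is OpenVPN's old default and has a 64-bit block.
    cipher=$(ovpn_param ciphername "$f")
    case "$cipher" in
        BF-CBC|CAST5-CBC|DES-CBC|DES-EDE3-CBC)
            warn "cipher $cipher has a 64-bit block: set 'cipher AES-256-CBC' on server and clients" ;;
    esac

    # client-to-client switches traffic between VPN clients inside OpenVPN,
    # so the kernel firewall (Shorewall) never sees it.
    if [ "$(ovpn_param enable_c2c "$f")" = "ENABLED" ]; then
        warn "client-to-client enabled: inter-client traffic bypasses the host firewall; remove it if Shorewall must filter between clients"
    fi

    if [ "$(ovpn_param client_cert_not_required "$f")" = "ENABLED" ]; then
        warn "client-cert-not-required: clients are not authenticated by certificate"
    fi
    if [ "$(ovpn_param duplicate_cn "$f")" = "ENABLED" ]; then
        warn "duplicate-cn: one client certificate may be shared by many peers"
    fi
    return 0
}

# Constructed sample 1: the relevant lines copied from the posted dump.
write_sample_posted() {
    cat > "$1" <<'EOF'
Thu Jun 11 17:21:22 2009 us=406495 ca_file = '/etc/openvpn/keys/honda/ca.crt'
Thu Jun 11 17:21:22 2009 us=406535 cert_file = '/etc/openvpn/keys/honda/ca.crt'
Thu Jun 11 17:21:22 2009 us=406555 priv_key_file = '/etc/openvpn/keys/honda/ca.key'
Thu Jun 11 17:21:22 2009 us=406177 ciphername = 'BF-CBC'
Thu Jun 11 17:21:22 2009 us=406855 tls_auth_file = '[UNDEF]'
Thu Jun 11 17:21:22 2009 us=407453 enable_c2c = ENABLED
Thu Jun 11 17:21:22 2009 us=407473 duplicate_cn = DISABLED
Thu Jun 11 17:21:22 2009 us=407591 client_cert_not_required = DISABLED
EOF
}

# Constructed sample 2: the same lines after the fixes above
# (server.crt, server.key and ta.key are assumed file names).
write_sample_hardened() {
    cat > "$1" <<'EOF'
Thu Jun 11 17:21:22 2009 us=406495 ca_file = '/etc/openvpn/keys/honda/ca.crt'
Thu Jun 11 17:21:22 2009 us=406535 cert_file = '/etc/openvpn/keys/honda/server.crt'
Thu Jun 11 17:21:22 2009 us=406555 priv_key_file = '/etc/openvpn/keys/honda/server.key'
Thu Jun 11 17:21:22 2009 us=406177 ciphername = 'AES-256-CBC'
Thu Jun 11 17:21:22 2009 us=406855 tls_auth_file = '/etc/openvpn/keys/honda/ta.key'
Thu Jun 11 17:21:22 2009 us=407453 enable_c2c = DISABLED
Thu Jun 11 17:21:22 2009 us=407473 duplicate_cn = DISABLED
Thu Jun 11 17:21:22 2009 us=407591 client_cert_not_required = DISABLED
EOF
}

# Usage: sh openvpn-audit.sh /etc/openvpn/servers/honda/logs/openvpn.log
# With no argument the posted sample is audited (4 findings).
if [ -n "$1" ]; then
    audit_openvpn_dump "$1"
else
    tmp=$(mktemp)
    write_sample_posted "$tmp"
    audit_openvpn_dump "$tmp"
    rm -f "$tmp"
fi
echo "findings: $AUDIT_FINDINGS"
```

The checks are deliberately keyed on the names OpenVPN itself prints, so the script can be run against the real log file written by log-append after every config change; anything it reports about client-to-client is a firewall design point rather than an OpenVPN bug, since Shorewall rules on br0 or tap0 can only act on frames that actually leave the OpenVPN process.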