Hi Tom,

I'm having a tough time getting this all straight.

My systemd OpenVPN.service has

 Wants=network-online.target shorewall-lite.service
 After=syslog.target network-online.target shorewall-lite.service

According to systemd docs

  "Wants=: This directive is similar to Requires=, but less strict. Systemd 
will attempt to start any units listed here when this unit is activated. If 
these units are not found or fail to start, the current unit will continue to 
function. This is the recommended way to configure most dependency 
relationships. Again, this implies a parallel activation unless modified by 
other directives."

So REMOVE the dependency in both Wants/After on 'shorewall-lite'?


My firewall's 'interfaces' has

  vpn VPNIF        optional,physical=tun1,routefilter=0,logmartians=0,routeback=1

This is clear

        "- Don't make the TUN interface 'optional'."

So that changes

        -       vpn VPNIF  
optional,physical=tun1,routefilter=0,logmartians=0,routeback=1
        +       vpn VPNIF  physical=tun1,routefilter=0,logmartians=0,routeback=1
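Review bot: dropping `optional` is the right fix, but the `+` line still carries `routefilter=0` and `logmartians=0`, and those two options make Shorewall write /proc/sys/net/ipv4/conf/tun1/rp_filter and /proc/sys/net/ipv4/conf/tun1/log_martians (both set to 0) every time the firewall starts, which is exactly the kind of /proc/sys/net change the next point in the thread says to avoid on the TUN interface. Consider reducing the line to `+       vpn VPNIF  physical=tun1,routeback=1` and, if you really need rp_filter or log_martians off for tun1, set them from sysctl or the OpenVPN up script rather than from the interfaces file.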


Not sure what to do with this one,

        "- Don't use any option for the TUN interface in /etc/shorewall/interfaces
  that causes a change in /proc/sys/net/config/."

When I look in there

        cd /proc/sys/net/
        ls
                bridge/  core/  ipv4/  ipv6/  netfilter/  nf_conntrack_max  unix/

What changes do I look for?

And for this one

        "- Don't name the TUN interface in the SOURCE column of the masq file."

In my masq file I've got this
        #IFC:DEST         SRC           ADDRESS     PROTO    PORT(S)
         ...
         VPNIF:10.1.1.53  10.254.254.1  10.1.10.53  tcp,udp  53

so that 2 DNS servers, one local and one on the remote, can talk to each other 
over the VPN link.  It does what it's supposed to.

That 10.254.254.1 is the remote's end of the VPN tunnel, the IP of its tun1 
interface

        tun1: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
                inet 10.254.254.1  netmask 255.255.255.0  destination 10.254.254.1

I'm not sure what you mean by "Don't name the TUN interface".  Don't USE that 
10.254.254.1 IP address?  Or don't use a literal name?
What SHOULD I be using in this one?

Dave
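
Added example (not from this thread or from Shorewall): a small script that answers the "what changes do I look for?" question empirically. It snapshots the per-interface sysctl knobs for tun1, you restart the firewall (or bring the tunnel up), snapshot again, and it prints exactly which keys Shorewall changed. It assumes the interface is tun1 and that the directory meant by "/proc/sys/net/config/" above is /proc/sys/net/ipv4/conf/<interface>/, which is where those knobs live; the key list is the set that shorewall-interfaces(5) options write to as far as I know, so check it against your Shorewall version.

```shell
#!/bin/sh
# Added example, not from the thread: find out which per-interface sysctls
# Shorewall changes for a TUN interface.  Take a snapshot before and after
# "shorewall-lite restart" (or after OpenVPN brings tun1 up) and compare them.
# Assumptions: the interface is tun1 and the knobs live under
# /proc/sys/net/ipv4/conf/<iface>/ (the "/proc/sys/net/config/" mentioned in
# the thread is read here as that directory).

# Keys that shorewall-interfaces(5) options can write (routefilter ->
# rp_filter, logmartians -> log_martians, arp_filter, arp_ignore,
# proxyarp -> proxy_arp, sourceroute -> accept_source_route,
# forward -> forwarding).  Extend the list for your Shorewall version.
SYSCTL_KEYS="rp_filter log_martians arp_filter arp_ignore proxy_arp accept_source_route forwarding"

# snapshot IFACE: print "key=value" for each key readable under the interface.
snapshot() {
    dir="/proc/sys/net/ipv4/conf/$1"
    for k in $SYSCTL_KEYS; do
        if [ -r "$dir/$k" ]; then
            printf '%s=%s\n' "$k" "$(cat "$dir/$k")"
        fi
    done
}

# diff_snapshots BEFORE AFTER: print one "key: old -> new" line per key whose
# value differs between the two snapshot files (or is only present in AFTER).
diff_snapshots() {
    while IFS='=' read -r key newval; do
        oldval=$(sed -n "s/^$key=//p" "$1")
        if [ "$oldval" != "$newval" ]; then
            printf '%s: %s -> %s\n' "$key" "${oldval:-<absent>}" "$newval"
        fi
    done < "$2"
}

# Usage (nothing runs automatically, so the functions can also be sourced):
#   sh sysctl-diff.sh snapshot tun1 > /tmp/tun1.before
#   shorewall-lite restart            # or: systemctl restart openvpn.service
#   sh sysctl-diff.sh snapshot tun1 > /tmp/tun1.after
#   sh sysctl-diff.sh compare /tmp/tun1.before /tmp/tun1.after
# Every key printed by "compare" is one that an interfaces option changed.
case "${1:-}" in
    snapshot) snapshot "${2:-tun1}" ;;
    compare)  diff_snapshots "$2" "$3" ;;
esac
```

With the interfaces line from the message, `compare` should report rp_filter and log_martians if they were not already 0; an interfaces line that only carries `physical=` and `routeback=` should leave the comparison empty. Note that tun1 must exist when the "before" snapshot is taken, which is one more reason not to make the interface `optional` and to order the OpenVPN unit after the firewall as the Wants/After lines above do.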

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users