Enhancement #2813
OpenVPN: firewall rules for tun/tap devices
Status: | CLOSED | Start date: |
---|---|---|---
Priority: | Normal | Due date: |
Assignee: | - | % Done: | 100%
Category: | nethserver-openvpn | Resolution: |
Target version: | v6.5 | NEEDINFO: | No
Description
Actual implementation changes firewall rules according to the `Mode` property of the openvpn service.
When `Mode` is set to `bridged`, all firewall rules are targeted for tap devices, and when `Mode` is set to `routed`, all firewall rules are targeted for tun devices.
This behavior doesn't allow environments with multiple VPNs of mixed type.
Here is a working patch to fix the problem:
diff -u /etc/e-smith/templates/etc/shorewall/interfaces/99openvpn /etc/e-smith/templates-custom/etc/shorewall/interfaces/99openvpn --- /etc/e-smith/templates/etc/shorewall/interfaces/99openvpn 2014-02-05 11:46:52.000000000 +0100 +++ /etc/e-smith/templates-custom/etc/shorewall/interfaces/99openvpn 2014-07-11 08:42:26.752249760 +0200 @@ -1,11 +1,2 @@ -# -# 99openvpn -# -{ - $mode = $openvpn{'Mode'} || 'routed'; - if ($mode eq 'routed') { - $OUT .= "ovpn tun+\n"; - } elsif ($mode eq 'bridged') { - $OUT .= "ovpn tap+\n"; - } -} +ovpn tun+ +ovpn tap+
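Review bot: with both `ovpn tun+` and `ovpn tap+` emitted unconditionally, the `$openvpn{'Mode'}` property no longer has any effect on this template, and because `+` is a Shorewall wildcard every tun* and tap* interface on the host, not only those created by the openvpn service, is placed in the ovpn zone; if that is intended, state it in a comment, and keep the `# 99openvpn` header lines the patch drops so the fragment stays identifiable in the expanded /etc/shorewall/interfaces. Note also that the change is made under /etc/e-smith/templates-custom, so it shadows the packaged fragment rather than fixing it; the same two lines belong in the package template.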
Associated revisions
Firewall: enable tun and tap devices. Refs #2813
Revert "Firewall: enable tun and tap devices. Refs #2813"
This reverts commit 2e50e7ec7878b1faf64889698eb1c098d2a493ca.
The change had to be applied to /etc/shorewall/interfaces.
/etc/shorewall/interfaces template: enable OpenVPN tun and tap devices. Refs #2813
History
#1 Updated by Giacomo Sanchietti about 7 years ago
- Subject changed from VPN: firewall rules for tun/tap devices to OpenVPN: firewall rules for tun/tap devices
- Status changed from NEW to TRIAGED
- Target version set to v6.5
- % Done changed from 0 to 20
#2 Updated by Giacomo Sanchietti about 7 years ago
- Status changed from TRIAGED to ON_DEV
- Assignee set to Giacomo Sanchietti
- % Done changed from 20 to 30
#3 Updated by Giacomo Sanchietti about 7 years ago
- Status changed from ON_DEV to MODIFIED
- % Done changed from 30 to 60
#4 Updated by Giacomo Sanchietti about 7 years ago
- Status changed from MODIFIED to ON_QA
- Assignee deleted (Giacomo Sanchietti)
- % Done changed from 60 to 70
- nethserver-openvpn-1.0.2-2.0git2e50e7ec.ns6.noarch.rpm
Please test the package with the latest packages (base, lib and nethgui) from the testing repository to ease bridge configuration.
Test case
- Configure OpenVPN server in bridged mode (remember to create the bridge)
- Connect to the server with a roadwarrior client
- Configure a net2net VPN in routed mode
- Check both VPNs are working
#5 Updated by Filippo Carletti about 7 years ago
- Status changed from ON_QA to TRIAGED
- % Done changed from 70 to 20
While the issue is about /etc/shorewall/interfaces, the commit msg is about zones.
Shorewall complains (syntax error).
Work around:
$ cat /etc/e-smith/templates-custom/etc/shorewall/zones/99openvpn
ovpn ipv4
#6 Updated by Davide Principi about 7 years ago
- Status changed from TRIAGED to ON_DEV
- Assignee set to Davide Principi
- % Done changed from 20 to 30
#7 Updated by Davide Principi about 7 years ago
- Status changed from ON_DEV to MODIFIED
- Assignee deleted (Davide Principi)
- % Done changed from 30 to 60
Test case
see above
#8 Updated by Davide Principi about 7 years ago
- Status changed from MODIFIED to ON_QA
- % Done changed from 60 to 70
In nethserver-testing:
nethserver-openvpn-1.0.2-4.0git076cb6b9.ns6.noarch.rpm
#9 Updated by Filippo Carletti about 7 years ago
- Status changed from ON_QA to VERIFIED
- % Done changed from 70 to 90
After updating the package and running signal-event firewall-adjust:
# tail /etc/shorewall/zones
...
ovpn ipv4
# tail -2 /etc/shorewall/interfaces
ovpn tun+
ovpn tap+
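Added example, written for this page and not code from the nethserver-openvpn package or from any of the commenters above: a shell check that automates what comment #9 verifies by hand and catches the failure from comment #5, where /etc/shorewall/interfaces referenced the ovpn zone before /etc/shorewall/zones declared it. The function names are mine, the file paths are passed as parameters so the check can run against the constructed sample files below (not captured from a real NethServer system), and the Shorewall file layout assumed is the plain whitespace-separated ZONE/TYPE and ZONE/INTERFACE columns shown in the tail output above.

```shell
#!/bin/sh
# Added example, not part of nethserver-openvpn: sanity-check the expanded
# Shorewall configuration after "signal-event firewall-adjust".
# Checks performed:
#   1. every zone named in the interfaces file is declared in the zones file
#      (a missing "ovpn ipv4" line, as in comment #5, makes Shorewall fail);
#   2. both tun+ and tap+ are attached to the ovpn zone, so routed and
#      bridged OpenVPN instances are firewalled the same way.

# Print the first column of every non-empty, non-comment line of a Shorewall file.
shorewall_first_column() {
    awk '!/^[[:space:]]*#/ && NF { print $1 }' "$1"
}

# Return 0 if every zone referenced in $2 (interfaces) is declared in $1 (zones).
shorewall_zones_consistent() {
    zones_file=$1
    interfaces_file=$2
    rc=0
    for z in $(shorewall_first_column "$interfaces_file"); do
        # "-" in the ZONE column means the zone is assigned elsewhere; skip it.
        [ "$z" = "-" ] && continue
        if ! shorewall_first_column "$zones_file" | grep -qxF "$z"; then
            echo "zone '$z' used in $interfaces_file but not declared in $zones_file" >&2
            rc=1
        fi
    done
    return $rc
}

# Return 0 if interface pattern $3 (e.g. tun+) is attached to zone $2 in interfaces file $1.
shorewall_iface_in_zone() {
    awk -v zone="$2" -v iface="$3" '
        !/^[[:space:]]*#/ && NF && $1 == zone && $2 == iface { found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# Combined check for this ticket: zones consistent, tun+ and tap+ both in ovpn.
ovpn_firewall_ok() {
    shorewall_zones_consistent "$1" "$2" \
        && shorewall_iface_in_zone "$2" ovpn tun+ \
        && shorewall_iface_in_zone "$2" ovpn tap+
}

# Constructed sample configuration (not copied from a real NethServer box),
# written into directory $1 as "zones" and "interfaces".
write_sample_config() {
    mkdir -p "$1"
    cat > "$1/zones" <<'EOF'
#ZONE   TYPE      OPTIONS
fw      firewall
net     ipv4
loc     ipv4
ovpn    ipv4
EOF
    cat > "$1/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect
loc     br0         detect
ovpn    tun+
ovpn    tap+
EOF
}

# Usage on a live system:
#   ovpn_firewall_ok /etc/shorewall/zones /etc/shorewall/interfaces && echo OK
```

Run it before `shorewall check` or `signal-event firewall-adjust` on a box that carries custom templates: the zones check reports exactly the condition that produced the syntax error in comment #5, and the tun+/tap+ check fails on a system still running the old Mode-dependent template.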
#10 Updated by Davide Principi almost 7 years ago
- Status changed from VERIFIED to CLOSED
- % Done changed from 90 to 100
In nethserver-updates:
nethserver-openvpn-1.1.0-1.ns6.noarch.rpm