Enhancement #2813

OpenVPN: firewall rules for tun/tap devices

Added by Giacomo Sanchietti about 7 years ago. Updated almost 7 years ago.

Status:CLOSEDStart date:
Priority:NormalDue date:
Assignee:-% Done:

100%

Category:nethserver-openvpn
Target version:v6.5
Resolution: NEEDINFO:No

Description

Actual implementation changes firewall rules accordingly to Mode property of openvpn service.

When Mode is set to bridged, all firewall rules are targeted for tap devices and when Mode is set to routed, all firewall rules are targeted for tun devices.
This behavior doesn't allow environments with multiple vpn of mixed type.

here a working patch to fix the problem:

diff -u /etc/e-smith/templates/etc/shorewall/interfaces/99openvpn  /etc/e-smith/templates-custom/etc/shorewall/interfaces/99openvpn
--- /etc/e-smith/templates/etc/shorewall/interfaces/99openvpn    2014-02-05 11:46:52.000000000 +0100
+++ /etc/e-smith/templates-custom/etc/shorewall/interfaces/99openvpn    2014-07-11 08:42:26.752249760 +0200
@@ -1,11 +1,2 @@
-#
-# 99openvpn
-#
-{
-    $mode = $openvpn{'Mode'} || 'routed';
-    if ($mode eq 'routed') {
-        $OUT .= "ovpn        tun+\n";
-    } elsif ($mode eq 'bridged') {
-        $OUT .= "ovpn tap+\n";
-    }
-}
+ovpn    tun+
+ovpn    tap+

Associated revisions

Revision 2e50e7ec
Added by Giacomo Sanchietti about 7 years ago

Firewall: enable tun and tap devices. Refs #2813

Revision e4255403
Added by Davide Principi about 7 years ago

Revert "Firewall: enable tun and tap devices. Refs #2813"

This reverts commit 2e50e7ec7878b1faf64889698eb1c098d2a493ca.

The change had to be applied to /etc/shorewall/interfaces.

Revision 076cb6b9
Added by Giacomo Sanchietti about 7 years ago

/etc/shorewall/interfaces template: enable OpenVPN tun and tap devices. Refs #2813

History

#1 Updated by Giacomo Sanchietti about 7 years ago

  • Subject changed from VPN: firewall rules for tun/tap devices to OpenVPN: firewall rules for tun/tap devices
  • Status changed from NEW to TRIAGED
  • Target version set to v6.5
  • % Done changed from 0 to 20

#2 Updated by Giacomo Sanchietti about 7 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Giacomo Sanchietti
  • % Done changed from 20 to 30

#3 Updated by Giacomo Sanchietti about 7 years ago

  • Status changed from ON_DEV to MODIFIED
  • % Done changed from 30 to 60

#4 Updated by Giacomo Sanchietti about 7 years ago

  • Status changed from MODIFIED to ON_QA
  • Assignee deleted (Giacomo Sanchietti)
  • % Done changed from 60 to 70
Package in nethserver-testing:
  • nethserver-openvpn-1.0.2-2.0git2e50e7ec.ns6.noarch.rpm

Please, test the package with latest packages (base, lib and nethgui) from testing repository to ease bridge configuration.

Test case
  • Configure OpenvPN server in bridged mode (remember to create the bridge)
  • Connect to the server with a roadwarrior client
  • Configure a net2net VPN in routed mode
  • Check both VPNs are working

#5 Updated by Filippo Carletti about 7 years ago

  • Status changed from ON_QA to TRIAGED
  • % Done changed from 70 to 20

While the issue is about /etc/shorewall/interfaces, the commit msg is about zones.
Shorewall complains (syntax error).

Work around:

$ cat /etc/e-smith/templates-custom/etc/shorewall/zones/99openvpn
ovpn ipv4

#6 Updated by Davide Principi about 7 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Davide Principi
  • % Done changed from 20 to 30

#7 Updated by Davide Principi about 7 years ago

  • Status changed from ON_DEV to MODIFIED
  • Assignee deleted (Davide Principi)
  • % Done changed from 30 to 60

Test case

see above

#8 Updated by Davide Principi about 7 years ago

  • Status changed from MODIFIED to ON_QA
  • % Done changed from 60 to 70

In nethserver-testing:
nethserver-openvpn-1.0.2-4.0git076cb6b9.ns6.noarch.rpm

#9 Updated by Filippo Carletti about 7 years ago

  • Status changed from ON_QA to VERIFIED
  • % Done changed from 70 to 90

After updating package and signal-event firewall-adjust

# tail /etc/shorewall/zones 
...
ovpn     ipv4
# tail -2 /etc/shorewall/interfaces 
ovpn    tun+
ovpn    tap+

#10 Updated by Davide Principi almost 7 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100

In nethserver-updates:
nethserver-openvpn-1.1.0-1.ns6.noarch.rpm

Also available in: Atom PDF