[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [opensuse-security] OpenVPN Bridging setup on SUSE Linux



Jonathon Robison wrote:
Be aware that the default firewall in opensuse interferes with openvpn. I haven't nailed down exactly what line yet, but in mine, even though I had all appropriate routes added and ports open, nobody could browse the samba shares (or get a browse list from the WINS server) until I dropped all rules and established only the necessary openvpn rules.


I've got OpenVPN to run preliminatry in ROUTE mode on my openSUSE 10.3
workstation so far by copying most of the config files used on Win2kTS
to openSUSE /etc/openvpn. Existing client certificates also work. But I
hope someone can throw more "practical light" on the following listed items:

OpenVPN and Firewall:

During initial testing I disabled the SuseFW2 on my workstation. With
YaST2 I've allowed the OpenVPN port 119x for TCP and UDP to the external
zone.
The OpenVPN BRIDGING document
http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html
tells that the following additional entries should be set in the firewall:
iptables -A INPUT -i tap0 -j ACCEPT
iptables -A INPUT -i br0 -j ACCEPT
iptables -A FORWARD -i br0 -j ACCEPT

How can this be set in SuseFW2, preferably with YaST2?

After the OpenVPN rpm installation there is also a longer samle firewall
config file located as
/usr/share/doc/packages/openvpn/sample-config-files/firewall.sh

Does anybody know if this sample OpenVPN-aware firewall script will work
for SuseFirewall, possibly how it may be customized to work?


Autostart OpenVPN during boot:

After the OpenVPN rpm installation there is available a script
/etc/init.d/openvpn

OpenVPN does not start automatic during boot. I can start openvpn from
/etc/openvpn with
openvpn server.conf

Another installed script document
/usr/share/doc/packages/openvpn/suse/openvpn.init
tells that OpenVPN can started and stoped by the /etc/init.d init script
with
service openvpn start
service openvpn stop

This works. I'm unsure if this openvpn.init file should be copied to
/etc/rc.d/init.d/openvpn as mentioned and possible how to use the YaST
runlevel editor.

There is also a third sample-script after the installation
/usr/share/doc/packages/openvpn/sample-scripts/openvpn.init
I'm unsure if this document has only relevance for Redhat and other
chkconfig-based systems.

Lastly, so far, I'm unsure what the purpose is with and possibly what to
do with the
/usr/share/doc/packages/openvpn/sample-config-files/xinetd-client-config
/usr/share/doc/packages/openvpn/sample-config-files/xinetd-server-config

The server file tells it should be renamed to openvpn or similar and
copied to /etc/xinet.d
xinet.d can then be made aware of this file by restarting it or sending
it a SIGHUP signal.


Thanks,
Terje J Hanssen


---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-security+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse-security+help@xxxxxxxxxxxx