
Re: [opensuse-security] enforcing a route over VPN



On 05.01.2014 at 21:55, Christian Boltz <suse-security@xxxxxxxxx> wrote:

> I'd like to have something that blocks the traffic to 10.7.0.1 when the 
> VPN connection is _down_. 
> Call it a static route for 10.7.0.1 to /dev/null ;-)

Ahh, I see.
You can do that:
Somewhere in /etc/init.d/boot.local or wherever you want you could put
"route add -host 10.7.0.1 dev lo" - and put in your openvpn server’s config something like

route 10.7.0.1 255.255.255.255
client-config-dir /usr/local/openvpn/conf/mailserver

and in
/usr/local/openvpn/conf/mailserver/mailserver

iroute 10.7.0.1 255.255.255.255

This should do the trick. Do not forget to re-route 10.7.0.1 to loopback once the VPN has been shut down.
BUT:
I would always use TLS-secured connections to my mailserver. If there were a certificate mismatch, your MUA would complain and never submit username/password - whatever IP it is connecting to.
Or use client certificates.

Rainer.

PS: Please do not take this literally. I had some drams of Lagavulin ;-)
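An added example (not code from Rainer's post or from OpenVPN) that implements the "route 10.7.0.1 to nowhere while the VPN is down" idea on Linux, and goes one step beyond the post: instead of adding a loopback route and re-adding it after every disconnect, it installs a permanent iproute2 blackhole route at a high metric. The /32 route OpenVPN installs for the tunnel has a lower metric, so it wins while tun0 exists, and the blackhole takes over the moment the tunnel goes away, with no up/down hooks. The script also carries the check a practitioner wants afterwards: parse `ip route show 10.7.0.1/32` and report whether the host is tunnelled, blocked, or would leak out of a clear-text interface. `MAILHOST`, `BLACKHOLE_METRIC` and the `DRY_RUN` switch are names invented for this example; the route lines in the comments are constructed samples.

```shell
#!/bin/sh
# Added example, not code from the original post. Keeps 10.7.0.1 unreachable
# unless an OpenVPN tunnel route for it exists, using a blackhole route at a
# high metric. Assumes Linux with iproute2 ("ip"). MAILHOST, BLACKHOLE_METRIC
# and DRY_RUN are names chosen for this example.
set -eu

MAILHOST="${MAILHOST:-10.7.0.1}"
# Must stay higher than whatever --route-metric OpenVPN is run with (default 0),
# otherwise the blackhole would win even while the tunnel is up.
BLACKHOLE_METRIC="${BLACKHOLE_METRIC:-1000}"

# Run "ip" for real, or just print the command when DRY_RUN=1
# (lets the logic be exercised without root or a tunnel).
run_ip() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "ip $*"
    else
        ip "$@"
    fi
}

install_blackhole() {
    run_ip route replace blackhole "$MAILHOST/32" metric "$BLACKHOLE_METRIC"
}

remove_blackhole() {
    run_ip route del blackhole "$MAILHOST/32" metric "$BLACKHOLE_METRIC"
}

# Read "ip route show <host>/32" lines on stdin and print the route the kernel
# will actually use (lowest metric wins; a missing metric counts as 0), e.g.
#   "10.7.0.1 via 10.8.0.5 dev tun0"   + "blackhole 10.7.0.1 metric 1000" -> tunnel:tun0
#   "blackhole 10.7.0.1 metric 1000"                                      -> blocked
# Output: tunnel:<dev> | blocked | leak:<dev> | none
#   blocked  blackhole/unreachable/prohibit route, or the post's "dev lo" trick
#   leak     traffic would leave unencrypted through some other interface
#   none     no host route at all, so the default route (also a leak) applies
winning_route() {
    awk '
    {
        metric = 0; dev = ""; kind = "leak"
        if ($1 == "blackhole" || $1 == "unreachable" || $1 == "prohibit") kind = "blocked"
        for (i = 1; i <= NF; i++) {
            if ($i == "metric") metric = $(i + 1) + 0
            if ($i == "dev")    dev = $(i + 1)
        }
        if (dev == "lo") kind = "blocked"
        else if (kind == "leak" && dev ~ /^(tun|tap)/) kind = "tunnel"
        if (best == "" || metric < bestm) { best = kind; bestdev = dev; bestm = metric }
    }
    END {
        if (best == "")             print "none"
        else if (best == "blocked") print "blocked"
        else                        print best ":" bestdev
    }'
}

# Exit 0 when the mail host is tunnelled or blocked, 1 when it would leak.
check_host() {
    state=$(ip route show "$MAILHOST/32" | winning_route)
    echo "$MAILHOST: $state"
    case "$state" in
        tunnel:*|blocked) return 0 ;;
        *)                return 1 ;;
    esac
}

case "${1:-}" in
    install) install_blackhole ;;
    remove)  remove_blackhole ;;
    check)   check_host ;;
    "")      : ;;   # sourced or run without arguments: only define the functions
    *)       echo "usage: $0 install|remove|check" >&2; exit 2 ;;
esac
```

Run `vpn-guard.sh install` once at boot (boot.local or a unit file) and `vpn-guard.sh check` from a monitoring job: a `leak:` result means a route for the mail host appeared on a clear-text interface. Note that OpenVPN's `route` statement in the server config only adds a route on the server; for the client to get the tunnel route, the server has to `push "route 10.7.0.1 255.255.255.255"` or the client config has to carry its own `route` line. As the post says, this is belt-and-braces next to TLS with certificate verification, not a substitute for it.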
