
Re: [opensuse-security] enforcing a route over VPN



On 05.01.2014 21:55, Christian Boltz wrote:
> Hello,
> 
> On Sunday, 5 January 2014, Rainer Sokoll wrote:
>> On 2014-01-05 21:03, Christian Boltz wrote:
>>> I have a VPN connection to my mail server, and would like to enforce
>>> that mails can be fetched only over the VPN connection.
>>
>> What kind of VPN? IPSEC? PPTP (ouch)? OpenVPN?
>> For the latter, see redirect_gateway.
> 
> openVPN. 
> 
> redirect_gateway is useful to let the client set the default route if 
> needed (easier to handle than doing it on the server if you want it only 
> for some clients).
> 
> However redirect_gateway only helps when the VPN connection is up.
> 
> I'd like to have something that blocks the traffic to 10.7.0.1 when the 
> VPN connection is _down_. 
> Call it a static route for 10.7.0.1 to /dev/null ;-)

You can do exactly that:

susi:~ # ip r
default via 192.168.200.254 dev air  proto static 
127.0.0.0/8 dev lo  scope link 
192.168.122.0/24 dev virbr0  proto kernel  scope link  src 192.168.122.1 
192.168.200.0/24 dev air  proto kernel  scope link  src 192.168.200.11  metric 9 

(that's my default, 200.0 my home lan, 122.0 my virtual machines NATed
to the outside)

susi:~ # ip r add blackhole 10.7.0.1 
susi:~ # ping 10.7.0.1
connect: Network is unreachable
susi:~ # ip r del 10.7.0.1
susi:~ # ping -c 3 10.7.0.1
PING 10.7.0.1 (10.7.0.1) 56(84) bytes of data.

--- 10.7.0.1 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2000ms

susi:~ # 

(of course, I don't get any answers from 10.7.0.1 :-))

Getting this into your VPN connect/disconnect script: I guess you are
able to do that :-)
-- 
Stefan Seyfried
"If your lighter runs out of fluid or flint and stops making
 fire, and you can't be bothered to figure out about lighter
 fluid or flint, that is not Zippo's fault." -- bkw
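The connect/disconnect script Stefan leaves to the reader, written out as an added example (not code from this thread). It assumes the mail server is 10.7.0.1 inside the tunnel and that OpenVPN runs with --script-security 2 so it may call an --up/--down script; the DRY_RUN mode and the function names are this example's own.

```shell
#!/bin/sh
# OpenVPN --up/--down helper: keep a blackhole route for the mail server
# in place whenever the tunnel is down, so mail can only be fetched over the VPN.
# Assumptions (not from the thread): the mail server sits at 10.7.0.1 inside
# the VPN, and OpenVPN runs with --script-security 2 so it may call this script.

MAIL_HOST="${MAIL_HOST:-10.7.0.1}"   # address reachable only through the tunnel
DRY_RUN="${DRY_RUN:-0}"              # DRY_RUN=1 prints the ip command instead of running it

# Execute a command, or only print it when DRY_RUN=1 (inspect it without root).
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Map the tunnel state to the route change:
#   up   -> drop the /32 blackhole; it would otherwise win over the tunnel's
#           10.7.0.0/24 route, because the more specific prefix is preferred
#   down -> (re)install it; "replace" is idempotent, so repeated downs are fine
# The tunnel itself is unaffected: OpenVPN talks to the server's public
# address, not to 10.7.0.1.
route_cmd() {
    case "$1" in
        up)   printf 'ip route del blackhole %s' "$MAIL_HOST" ;;
        down) printf 'ip route replace blackhole %s' "$MAIL_HOST" ;;
        *)    return 1 ;;
    esac
}

# Apply the change for state "$1". "del" may fail right after boot when no
# blackhole exists yet; that is harmless, and OpenVPN aborts if --up exits non-zero.
apply_state() {
    cmd=$(route_cmd "$1") || return 1
    # shellcheck disable=SC2086  # intentional word splitting of the command line
    run $cmd 2>/dev/null || [ "$1" = up ]
}

# OpenVPN exports script_type=up|down before calling --up/--down scripts.
# When the file is sourced by hand, script_type is unset and nothing runs.
if [ -n "${script_type:-}" ]; then
    apply_state "$script_type"
fi
```

Point both --up and --down at this file, and run `apply_state down` once at boot (before OpenVPN starts) so the blackhole is in place from the first moment, not only after the first disconnect.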