Re: [opensuse-security] enforcing a route over VPN
On 05.01.2014 21:55, Christian Boltz wrote:
> On Sunday, 5 January 2014, Rainer Sokoll wrote:
>> On 2014-01-05 21:03, Christian Boltz wrote:
>>> I have a VPN connection to my mail server, and would like to enforce
>>> that mails can be fetched only over the VPN connection.
>> What kind of VPN? IPSEC? PPTP (ouch)? OpenVPN?
>> For the latter, see redirect_gateway.
> redirect_gateway is useful to let the client set the default route if
> needed (easier to handle than doing it on the server if you want it only
> for some clients).
> However redirect_gateway only helps when the VPN connection is up.
> I'd like to have something that blocks the traffic to 10.7.0.1 when the
> VPN connection is _down_.
> Call it a static route for 10.7.0.1 to /dev/null ;-)
You can do exactly that:
susi:~ # ip r
default via 192.168.200.254 dev air proto static
127.0.0.0/8 dev lo scope link
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1
192.168.200.0/24 dev air proto kernel scope link src 192.168.200.11 metric 9
(that's my default, 200.0 my home lan, 122.0 my virtual machines NATed
to the outside)
susi:~ # ip r add blackhole 10.7.0.1
susi:~ # ping 10.7.0.1
connect: Network is unreachable
susi:~ # ip r del 10.7.0.1
susi:~ # ping -c 3 10.7.0.1
PING 10.7.0.1 (10.7.0.1) 56(84) bytes of data.
--- 10.7.0.1 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2000ms
(of course, I don't get any answers from 10.7.0.1 :-))
Getting this into your VPN connect / disconnect script, I guess you are
able to do that :-)
"If your lighter runs out of fluid or flint and stops making
fire, and you can't be bothered to figure out about lighter
fluid or flint, that is not Zippo's fault." -- bkw
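Putting the blackhole route into an OpenVPN --up/--down hook, as an added example (not code from the thread): it assumes OpenVPN's script_type and dev environment variables, the mail server address 10.7.0.1 from the thread, and an iproute2 host; set IP=echo to dry-run without root.

```shell
#!/bin/sh
# Added example, not from the thread: keep a blackhole route for the
# mail server whenever the VPN tunnel is down.  Assumptions: mail server
# 10.7.0.1 (from the thread), OpenVPN exports $script_type ("up"/"down")
# and $dev to its hooks, iproute2 is installed.  Root needed for real runs.

MAILHOST="${MAILHOST:-10.7.0.1}"
IP="${IP:-ip}"          # set IP=echo to print commands instead of running

# Map a hook phase to the iproute2 arguments.  The thread's `ip r del
# 10.7.0.1` would also match a tunnel route to the same /32, so the type
# "blackhole" is given on del too.  Kept as a function so it is testable.
route_cmd() {
    case "$1" in
        up)   printf 'route del blackhole %s\n' "$2" ;;
        down) printf 'route add blackhole %s\n' "$2" ;;
        *)    return 1 ;;
    esac
}

# Apply the route for a phase.  Errors from "already exists" / "no such
# route" are ignored so repeated hook invocations stay idempotent.
apply_route() {
    cmd=$(route_cmd "$1" "$2") || { echo "unknown phase: $1" >&2; return 1; }
    # shellcheck disable=SC2086
    $IP $cmd 2>/dev/null || true
}

# Report "blocked" when a blackhole entry for the host exists, else "open".
route_state() {
    if $IP route show type blackhole 2>/dev/null \
        | grep -q "^blackhole $1\([^0-9.]\|$\)"; then
        echo blocked
    else
        echo open
    fi
}

# OpenVPN entry point: only act when called by OpenVPN (script_type set),
# so sourcing the file elsewhere does not touch the routing table.
if [ -n "${script_type:-}" ]; then
    apply_route "$script_type" "$MAILHOST"
    logger -t vpn-blackhole \
        "$script_type ${dev:-?}: $MAILHOST now $(route_state "$MAILHOST")"
fi
```

Wire it in with `script-security 2`, `up /path/to/hook` and `down /path/to/hook` in the client config; since no down hook runs when the client is killed, the blackhole entry is also the safe state to install at boot.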