Re: [opensuse-security] enforcing a route over VPN
On Sunday, 5 January 2014, Stefan Seyfried wrote:
> On 05.01.2014 21:55, Christian Boltz wrote:
> > I'd like to have something that blocks the traffic to 10.7.0.1 when
> > the VPN connection is _down_.
> > Call it a static route for 10.7.0.1 to /dev/null ;-)
> You can do exactly that:
> susi:~ # ip r add blackhole 10.7.0.1
> susi:~ # ping 10.7.0.1
> connect: Network is unreachable
I didn't know about blackhole routes before - thanks for the hint!
> Getting this into your VPN connect / disconnect script, I guess you
> are able to do that :-)
I decided to use the easy way - let the subnet size do the work ;-)
The openVPN server pushes a route to the exact IP (/32) when I connect,
so I just added a blackhole route with /24. The IP-specific route I get
from the VPN overrides the /24 route, and I get the /24 blackhole back
"working" automatically when the VPN connection goes down and deletes
the IP-specific route. (/31 instead of /24 would be enough, but why be
The last interesting part was making this permanent and making sure the
blackhole route is active at bootup already.
I wasn't able to figure out a working syntax to get blackhole into
/etc/sysconfig/network/routes, so I finally just added a line to
ip route add blackhole 10.7.0.0/24
That's not the 100% correct[tm] way, but it works :-)
PS @Rainer: Am I too paranoid if I use TLS over VPN? ;-)
PPS: Mail is not the only thing I do over this VPN connection.
>> Where do I find the log of Cyrus on Opensuse 10.3.
> Behind the hard disk, on the left?
I checked, the log isn't there, what now?
[>> "Info Beilfuss", > Patrick Ben Koetter and Sandy Drobic
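The fail-closed trick in the message above relies on the kernel's longest-prefix match: the /32 host route pushed by OpenVPN beats the /24 blackhole while the tunnel is up, and the blackhole takes over the moment the host route disappears. The following is an added model of that lookup (example code, not from the post or from openSUSE); the device names tun0/eth0 and the extra test addresses are assumptions.

```python
import ipaddress

# Constructed routing table modelled on the post: a /24 blackhole that is
# always installed, plus the /32 host route OpenVPN pushes while connected.
# Device names (tun0, eth0) are assumptions, not taken from the thread.
DEFAULT_ROUTE = (ipaddress.ip_network("0.0.0.0/0"), "eth0")
BLACKHOLE_ROUTE = (ipaddress.ip_network("10.7.0.0/24"), "blackhole")
VPN_HOST_ROUTE = (ipaddress.ip_network("10.7.0.1/32"), "tun0")


def routing_table(vpn_up):
    """Routes present at a given moment: the blackhole is permanent (added
    at boot), the host route exists only while the VPN has pushed it."""
    table = [DEFAULT_ROUTE, BLACKHOLE_ROUTE]
    if vpn_up:
        table.append(VPN_HOST_ROUTE)
    return table


def lookup(dst, vpn_up):
    """Longest-prefix match as the kernel does it: of all routes whose
    prefix contains dst, the most specific one wins.
    Returns (prefix, target); target 'blackhole' means the packet is dropped."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, target) for net, target in routing_table(vpn_up)
               if addr in net]
    net, target = max(matches, key=lambda route: route[0].prefixlen)
    return str(net), target


def fails_closed(vpn_hosts):
    """True when every VPN-only host is blackholed while the tunnel is down,
    i.e. no traffic for it can escape via the default route."""
    return all(lookup(host, vpn_up=False)[1] == "blackhole"
               for host in vpn_hosts)


if __name__ == "__main__":
    for up in (True, False):
        state = "up" if up else "down"
        print(f"VPN {state}: 10.7.0.1 -> {lookup('10.7.0.1', up)}")
    print("fails closed:", fails_closed(["10.7.0.1"]))
```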