
Re: [opensuse-security] enforcing a route over VPN



Hello,

On Sunday, 5 January 2014, Stefan Seyfried wrote:
> On 05.01.2014 21:55, Christian Boltz wrote:
> > I'd like to have something that blocks the traffic to 10.7.0.1 when
> > the VPN connection is _down_.
> > Call it a static route for 10.7.0.1 to /dev/null ;-)
> 
> You can do exactly that:

> susi:~ # ip r add blackhole 10.7.0.1
> susi:~ # ping 10.7.0.1
> connect: Network is unreachable

I didn't know about blackhole routes before - thanks for the hint!

> Getting this into your VPN connect / disconnect script, I guess you
> are able to do that :-)

I decided to use the easy way - let the subnet size do the work ;-)

The OpenVPN server pushes a route to the exact IP (/32) when I connect,
so I just added a blackhole route with /24. The IP-specific route I get 
from the VPN overrides the /24 route, and I get the /24 blackhole back 
"working" automatically when the VPN connection goes down and deletes 
the IP-specific route. (/31 instead of /24 would be enough, but why be 
over-specific? ;-)

The last interesting part was making this permanent and making sure the 
blackhole route is active at bootup already. 
I wasn't able to figure out a working syntax to get blackhole into 
/etc/sysconfig/network/routes, so I finally just added a line to 
/etc/sysconfig/SuSEfirewall2:
    ip route add blackhole 10.7.0.0/24

That's not the 100% correct[tm] way, but it works :-)


Regards,

Christian Boltz

PS @Rainer: Am I too paranoid if I use TLS over VPN? ;-)

PPS: Mail is not the only thing I do over this VPN connection.

-- 
>> Where do I find the Cyrus log on openSUSE 10.3?
> Behind the hard disk, on the left?
I checked, the log is not there, what now?
[>> "Info Beilfuss", > Patrick Ben Koetter and Sandy Drobic
 in postfixbuch-users]
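As an added example (not from this thread) of why the /32 pushed by the VPN wins over the /24 blackhole, here is a small longest-prefix-match lookup run over two constructed `ip route show` snapshots, one with the tunnel up and one with it down. The interface names, addresses and exact route lines are assumptions, not the poster's actual routing table.

```python
import ipaddress

# Constructed sample output of `ip route show` with the tunnel up:
# the VPN-pushed /32 for 10.7.0.1 sits next to the /24 blackhole.
ROUTES_VPN_UP = """\
default via 192.168.1.1 dev eth0
blackhole 10.7.0.0/24
10.7.0.1 dev tun0 scope link
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.10
"""

# Same table after the VPN went down and removed its /32 route.
ROUTES_VPN_DOWN = """\
default via 192.168.1.1 dev eth0
blackhole 10.7.0.0/24
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.10
"""


def parse_routes(text):
    """Turn `ip route show` lines into (network, kind, device) tuples.

    kind is "via" for a normal route, or the reject type
    ("blackhole", "unreachable", "prohibit") for a reject route.
    """
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        kind = "via"
        if fields[0] in ("blackhole", "unreachable", "prohibit"):
            kind = fields[0]
            fields = fields[1:]
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(dst, strict=False)  # bare IP becomes /32
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        routes.append((net, kind, dev))
    return routes


def lookup(text, dst):
    """Longest-prefix match, as the kernel does: the most specific route wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, kind, dev in parse_routes(text):
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, kind, dev)
    return None if best is None else (str(best[0]), best[1], best[2])
```

With the tunnel up, 10.7.0.1 resolves to the /32 over tun0; once that route is gone, the same lookup falls back to the /24 blackhole, and the rest of 10.7.0.0/24 is blackholed in both states.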
