I'm not using Shorewall, so I don't know how the zones are handled, but I
do know that for a road warrior type setup they use different
virtual Ethernet interfaces. I have 3 tun interfaces and 1 tap
interface. The tap is where the road warriors come in, since they are
connecting to the port that I've specified for that tap tunnel. If an
end user were to try to connect to any of the other tunnels, it would
fail since the settings are not compatible.
I don't think there is any possibility of the situation you've described
happening, since connections are decided not by the names but by the
port numbers and the tap or tun configurations.
Stephen Carville wrote:
Right now I have two point-to-point OpenVPN tunnels connecting a central
office with other sites. I set these up based on Tom Eastep's instructions at
To keep things simple, each tunnel has a hard-coded name -- vpn0 and vpn1 --
and a corresponding shorewall policy entry:
vpn0 loc ACCEPT -
vpn1 loc ACCEPT -
Routes at both remote sites direct addresses in zone loc through the tunnel,
leaving other destination addresses to be handled by the corresponding remote
Soon I will be adding a many-to-one configuration to allow for "road warrior"
connections where the default policy may be more restrictive. Is there
any way to be certain that the vpn1, vpn2, etc. names are not used by the
many-to-one config? I am concerned there is a small but non-zero possibility
a road warrior could get vpn0 or vpn1 and have complete access to the
internal network while a remote network would get a zone name associated with
a restricted policy.
Openvpn-users mailing list
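The collision Stephen worries about can only happen when an OpenVPN instance is started with a bare "dev tun" or "dev tap": the kernel then hands out the next free tunN/tapN, so the name depends on start order. Giving every instance an explicit name ("dev tun2", or "dev vpn0" together with "dev-type tun" for a name that does not start with tun/tap) makes the interface, and therefore the Shorewall zone it is mapped to, deterministic. The script below is an added example written for this page, not code from either poster or from the OpenVPN or Shorewall projects. It lints a directory of server configs for bare device names, for names that need "dev-type", and for two instances sharing an interface name or a listening socket. It assumes one instance per *.conf file, OpenVPN's defaults of "port 1194" and "proto udp" when those directives are absent, and constructs its own sample configs (the addresses and file names are made up) so it runs offline.

```shell
#!/bin/sh
# Added example (not from the original thread): lint a directory of OpenVPN
# server configs so that every instance gets a deterministic interface name
# and no two instances collide on name or listening socket. Assumes one
# instance per *.conf file, OpenVPN's defaults of "port 1194" and "proto udp",
# and that a name not starting with tun/tap needs an explicit "dev-type".

# conf_value FILE DIRECTIVE: print the first argument of DIRECTIVE (or nothing).
conf_value() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# check_configs DIR: print one line per finding; return 1 if anything was found.
check_configs() {
    dir=$1
    rc=0
    devs=''
    socks=''
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        dev=$(conf_value "$f" dev)
        devtype=$(conf_value "$f" dev-type)
        port=$(conf_value "$f" port)
        proto=$(conf_value "$f" proto)
        case "$dev" in
            ''|tun|tap)
                # A bare tun/tap lets the kernel pick the next free unit, so the
                # name depends on start order: exactly the collision feared above.
                echo "WARN $f: 'dev ${dev:-MISSING}' lets the kernel pick the unit; use e.g. 'dev tap0', or 'dev rw0' with 'dev-type tap'"
                rc=1 ;;
            tun[0-9]*|tap[0-9]*)
                ;;
            *)
                if [ -z "$devtype" ]; then
                    echo "WARN $f: 'dev $dev' needs 'dev-type tun' or 'dev-type tap'"
                    rc=1
                fi ;;
        esac
        devs="$devs ${dev:-MISSING}"
        socks="$socks ${proto:-udp}/${port:-1194}"
    done
    # Word-splitting of $devs and $socks is intended here.
    for d in $(printf '%s\n' $devs | sort | uniq -d); do
        echo "ERROR: interface name '$d' is used by more than one config"
        rc=1
    done
    for s in $(printf '%s\n' $socks | sort | uniq -d); do
        echo "ERROR: listening socket $s is used by more than one config"
        rc=1
    done
    return $rc
}

# mk_samples good|bad: write constructed sample configs (made-up addresses)
# into a temp dir and print its path. "bad" leaves the road-warrior tap
# unnamed and reuses site-a's port; "good" names everything explicitly.
mk_samples() {
    d=$(mktemp -d)
    printf 'dev vpn0\ndev-type tun\nport 1194\nproto udp\nifconfig 10.8.0.1 10.8.0.2\n' > "$d/site-a.conf"
    printf 'dev vpn1\ndev-type tun\nport 1195\nproto udp\nifconfig 10.8.1.1 10.8.1.2\n' > "$d/site-b.conf"
    if [ "$1" = good ]; then
        printf 'dev rw0\ndev-type tap\nport 1196\nproto udp\nserver-bridge 10.8.2.1 255.255.255.0 10.8.2.50 10.8.2.100\n' > "$d/roadwarrior.conf"
    else
        printf 'dev tap\nport 1194\nproto udp\nserver-bridge 10.8.2.1 255.255.255.0 10.8.2.50 10.8.2.100\n' > "$d/roadwarrior.conf"
    fi
    printf '%s\n' "$d"
}

# Usage: sh check-openvpn-devs.sh /etc/openvpn
[ $# -eq 0 ] || check_configs "$1"
```

Run it against the directory holding the server configs; a non-zero exit means at least one instance could come up with an unpredictable name or clash with another. Once every instance has a fixed name, the Shorewall zone for the road-warrior interface can be given its own restrictive policy without any risk of a remote site's vpn0/vpn1 zone being reused.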