Steve Horsley wrote:
> Ole wrote:
>
>> Hello,
>>
>> I'm setting up a VPN server (OpenVPN) on a firewall/proxy server.
>>
>> Operating Systems are Windows XP on the clients and Suse Linux 9.0 pro
>> (kernel 2.4.21) on the firewall/proxy. VPN software is OpenVPN 2.0.2.
>>
>> I plan to use the bridged mode in order to simplify the routing setup.
>>
>> The question I have is as follows:
>>
>> When I bridge the tap-device (used by OpenVPN) with the internal NIC of
>> the firewall/gateway server, the IP addresses of the original internal
>> NIC and of the tap-device vanish, and the br0-device (the bridge)
>> gets the IP address the internal NIC was assigned originally.
>>
>> How does this affect the firewall/proxy in its original functionality?
>> Is it necessary to install another NIC, to have one for the VPN traffic
>> and another for the standard traffic (website access from inside the
>> network, mail transfer etc.)?
>>
>> Any field reports are highly appreciated.
>>
>> Thanks in advance
>> sincerely yours
>> Ole
>>
>
> This sounds dangerous to me. I could be wrong, and would welcome advice
> from someone who knows better, but I have the feeling that the bridging
> goes on underneath the level of iptables, so that in effect, your VPN
> clients are bridged directly onto the LAN with no firewall in between.
> And iptables can only control access to/from the server part of the PC.
> Now, it may be possible to set up some filtering for the bridging
> function, but I am not aware of such a capability.
>
> Steve
There are filtering possibilities resembling those of iptables
for the data link layer (bridging), Google for ebtables.
IMHO, for security, filtering at the network layer by iptables
is easier to administer correctly, so if there is no absolute
need to do a data-link layer OpenVPN connection (via tap0), please
use a routed version instead (via tun0).
--
Tauno Voipio
tauno voipio (at) iki fi
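As an added example (not part of the thread): a small sh script that reads an OpenVPN 2.0 server config and tells a bridged (tap + server-bridge) setup apart from a routed (tun + server) one, and prints the iptables FORWARD rules a routed setup needs so that VPN clients go through the packet filter rather than straight onto the LAN. The interface names, VPN subnet and LAN service address are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Classifies an OpenVPN 2.0 server
# config as bridged or routed from its "dev" and "server"/"server-bridge"
# directives, and prints the iptables FORWARD rules a routed (tun) setup
# needs so VPN clients pass through the packet filter instead of landing
# directly on the LAN. Interface and address values are assumptions.
set -f   # no glob expansion while splitting config lines into words

# Read a server config on stdin; print "bridged", "routed" or "unknown".
ovpn_mode() {
    dev=""; srv=""
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%[#;]*}          # drop trailing comments
        set -- $line                 # split into directive + arguments
        [ $# -eq 0 ] && continue
        case "$1" in
            dev)      case "${2:-}" in tap*) dev=tap ;; tun*) dev=tun ;; esac ;;
            dev-type) case "${2:-}" in tap) dev=tap ;; tun) dev=tun ;; esac ;;
            server-bridge) srv=bridge ;;
            server)        srv=route ;;
        esac
    done
    case "$dev,$srv" in
        tap,bridge) echo bridged ;;
        tun,route)  echo routed ;;
        *)          echo unknown ;;  # mixed or incomplete: needs a look
    esac
}

# Print FORWARD rules for a routed setup: VPN interface, VPN subnet,
# LAN interface and the one LAN service (host, port) clients may reach.
vpn_forward_rules() {
    vpn_if=$1 vpn_net=$2 lan_if=$3 svc_host=$4 svc_port=$5
    # replies for sessions that were already allowed
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # VPN clients may open connections only to the published service
    echo "iptables -A FORWARD -i $vpn_if -o $lan_if -s $vpn_net -d $svc_host -p tcp --dport $svc_port -m state --state NEW -j ACCEPT"
    # everything else arriving from the VPN side is logged and dropped
    echo "iptables -A FORWARD -i $vpn_if -j LOG --log-prefix 'vpn-drop: '"
    echo "iptables -A FORWARD -i $vpn_if -j DROP"
}
```

Run `ovpn_mode < server.conf` to check an existing config; the rules are printed, not applied, so they can be reviewed before being pasted into the firewall script.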