ocserv: added info on setting up firewall
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
This commit is contained in:
parent
b87de0a4fa
commit
88e77324ba
2 changed files with 35 additions and 4 deletions
@ -4,7 +4,7 @@ To setup a server the provides access to LAN with network address
10.100.2.0/255.255.255.0 using the VPN address range
10.100.2.0/255.255.255.0 using the VPN address range
10.100.3.0/255.255.255.0 add the following to /etc/config/ocserv:
10.100.3.0/255.255.255.0 add the following to /etc/config/ocserv:
-----------------------------------------------------------------
----/etc/config/ocserv-------------------------------------------
config ocserv 'config'
config ocserv 'config'
option port '4443'
option port '4443'
option dpd '120'
option dpd '120'
@ -13,7 +13,7 @@ config ocserv 'config'
option netmask '255.255.255.0'
option netmask '255.255.255.0'
option ipaddr '10.100.3.0'
option ipaddr '10.100.3.0'
option auth 'plain'
option auth 'plain'
option zone 'lan'
option zone 'vpn'
option default_domain 'lan'
option default_domain 'lan'
option enable '1'
option enable '1'
@ -38,6 +38,34 @@ The server can be enabled and started using:
# /etc/init.d/ocserv start
# /etc/init.d/ocserv start
To simplify firewall configuration, you should setup an unmanaged interface
(e.g., called vpn), and will have assigned the 'vpns+' interfaces. Then a zone
called vpn should be setup to handle interactions with lan. An example
follows:
----/etc/config/network------------------------------------------
config interface 'vpn'
option proto 'none'
option ifname 'vpns+'
-----------------------------------------------------------------
----/etc/config/firewall-----------------------------------------
config zone
option input 'ACCEPT'
option forward 'REJECT'
option output 'ACCEPT'
option name 'vpn'
option device 'vpns+'
option network 'vpn'
config forwarding
option dest 'lan'
option src 'vpn'
config forwarding
option dest 'vpn'
option src 'lan'
-----------------------------------------------------------------
There is a luci plugin to allow configuring the server from
There is a luci plugin to allow configuring the server from
the web environment; see the package luci-app-ocserv.
the web environment; see the package luci-app-ocserv.
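Review bot: In the /etc/config/firewall example, `option input 'ACCEPT'` on the new vpn zone lets every authenticated VPN client reach all of the router's own services, not only the LAN the text says the zone is meant to expose; the zone policy should be `option input 'REJECT'` with an explicit rule for what clients legitimately need from the router, typically DNS. The two forwarding sections below it already express the intended vpn <-> lan access and are unaffected by that change. The introductory sentence (`To simplify firewall configuration, you should setup an unmanaged interface ...`) would also read better if it said why the interface and zone are needed: the vpns+ devices otherwise belong to no zone, which is presumably why the per-client scripts exist (inferred from the conf change in the other file, which this hunk does not mention). A suggested replacement for the zone block follows.
```text
config zone
	option input 'REJECT'
# ... unchanged: forward/output/name/device/network options of the vpn zone ...

# let clients resolve names through the router; omit if DNS is served elsewhere
config rule
	option name 'Allow-DNS-vpn'
	option src 'vpn'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'

# ... unchanged: the two forwarding sections ...
```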
@ -164,8 +164,11 @@ rekey-method = ssl
# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
# in the P-t-P connection), IP_REMOTE (the VPN IP of the client),
# in the P-t-P connection), IP_REMOTE (the VPN IP of the client),
# ID (a unique numeric ID); REASON may be "connect" or "disconnect".
# ID (a unique numeric ID); REASON may be "connect" or "disconnect".
connect-script = /usr/bin/ocserv-script
disconnect-script = /usr/bin/ocserv-script
# These scripts are not needed if you have setup an interface for all vpns+
# devices.
#connect-script = /usr/bin/ocserv-script
#disconnect-script = /usr/bin/ocserv-script
# UTMP
# UTMP
use-utmp = false
use-utmp = false
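Review bot: The new comment above the disabled `connect-script`/`disconnect-script` lines states when they are unnecessary but not what the shipped default now means for users who have not created the vpn interface: with both scripts commented out and no zone claiming the vpns+ devices, client traffic presumably falls through to whatever the firewall's default policy is (the script body is outside this hunk, so this is inferred, not shown). Suggest extending the comment to `# These scripts are not needed if you have setup an interface for all vpns+` / `# devices as described in the README (interface 'vpn', zone 'vpn'). If you` / `# have not, re-enable both lines so each client device is handled on connect.` The README change of `option zone` from 'lan' to 'vpn' in the other file depends on the same setup, so the two should reference each other.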