 From:  Joe Suhre <jsuhre at nullconcepts dot com>
 To:  marc at telenieko dot com
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] OpenVPN Interfaces: Rules and Routes do not apply
 Date:  Mon, 08 Aug 2005 12:08:06 -0400
Marc,

I actually had what sounds like the same problem. I found that I could issue the following command from the exec.php once the tunnel is up to fix the issue with the firewall rules.

/sbin/ipf -y

Once I figured that out I dove into the code and found that m0n0 runs the above command directly after it sets up the openvpn tunnels. I can only assume it does this to prevent the issue we are seeing. The problem is that the scripts don't wait for the tunnel to completely come up before issuing the command. So if your tunnel doesn't build quickly enough the ipf -y executes too early. Now the solution! I'm attaching a patch I've been testing with and it seems to have solved the problem. It uses openvpn's --route-up CMD line ARG to run a script after the tunnel is up. The script just executes /sbin/ipf -y to make sure everything is kosher after the tunnel is built. The side benefit of this is that if the tunnel were to drop (problem with the hub) and then later re-establish it should re-sync the FW again, preventing issues down the road.

One thing I'm not sure of is whether or not this will fix your issue with the routes. What I would recommend for that is to use the openvpn hub server to push out routing info to the peers, which greatly increases the ease for the network administrator to update routing info (only one place to change). Although this wouldn't be possible if you're using m0n0 as the hub because this feature is not part of the interface currently.

If you want to use the patch make sure you chmod +x [fs-root]/usr/local/bin/ovpn-routeup.sh before building your image.

Joe

Marc wrote:

>I've been playing around with the openvpn support on the latest beta
>and I saw that when I reboot the m0n0 box the firewall rules on the
>openvpn interface and the static routes that apply to it are not
>working.
>
>I have to re-apply one rule and one route so things get working again.
>
>How can that "maybe not welcome behaviour" be solved? Is there any
>exec.php command to apply the firewall rules and static routes by hand
>until that is solved? (Edit, Save, Apply is a big trip to get it
>working!)
>
>Thanks for all, and congratulations for that impressive thing!
>
>Marc.
>
diff -ruN ./etc/inc/openvpn.inc
../../DEVEL_net45xx-1.2b9-domoveride-ovpn_ipfsync/fs/etc/inc/openvpn.inc
--- ./etc/inc/openvpn.inc	Sun Jun 19 05:58:25 2005
+++ ../../DEVEL_net45xx-1.2b9-domoveride-ovpn_ipfsync/fs/etc/inc/openvpn.inc	Fri Jul  8 11:21:11
2005
@@ -374,6 +374,9 @@
 		
 	/* Data channel encryption cipher*/
 	$ovpn_config .= "--cipher {$client[$id]['crypto']} ";
+
+	/* IP-Change Script */
+	$ovpn_config .= "--route-up /usr/local/bin/ovpn-routeup.sh ";
 	
 	//trigger_error("OVPN: $ovpn_config", E_USER_NOTICE);
 	return $ovpn_config;
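Review bot: the comment `/* IP-Change Script */` on the added lines does not describe the option being appended; `--route-up` fires after the tunnel's routes are installed (which is the whole point of this change), while OpenVPN has a separate `--ipchange` hook, so the label will mislead the next reader. Suggest `/* Re-sync ipf after the tunnel routes are up */`. The script path is also hardcoded while the covering e-mail says the file must be chmod +x'd by hand before building the image; a comment stating that requirement here, or a check that the file is executable before the option is appended, would avoid a tunnel that silently fails when the mode bit is missing.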
diff -ruN ./usr/local/bin/ovpn-routeup.sh
../../DEVEL_net45xx-1.2b9-domoveride-ovpn_ipfsync/fs/usr/local/bin/ovpn-routeup.sh
--- ./usr/local/bin/ovpn-routeup.sh	Wed Dec 31 19:00:00 1969
+++ ../../DEVEL_net45xx-1.2b9-domoveride-ovpn_ipfsync/fs/usr/local/bin/ovpn-routeup.sh	Fri Jul  8
11:34:47 2005
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+/sbin/ipf -y &>/dev/null
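Review bot: `&>/dev/null` is a bash-only redirection; under `#!/bin/sh` (POSIX sh on the FreeBSD base m0n0wall uses) this line parses as `/sbin/ipf -y &` followed by a bare `>/dev/null`, so ipf runs in the background, its output is not suppressed, and the script always exits 0 regardless of whether the re-sync succeeded. Use `/sbin/ipf -y >/dev/null 2>&1` if output really should be discarded, or better leave stderr alone so a failed rule reload reaches the OpenVPN log, and let the non-zero exit status propagate so OpenVPN can report the failure. Note also that the diff cannot carry the execute bit the e-mail asks for, so the build must set it separately.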