From 88e77324ba9334c7af8c8b2f50ed3566459f2566 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Sun, 18 Jan 2015 22:06:48 +0100
Subject: [PATCH] ocserv: added info on setting up firewall

Signed-off-by: Nikos Mavrogiannopoulos
---
 net/ocserv/README | 32 +++++++++++++++++++++++++--
 net/ocserv/files/ocserv.conf.template | 7 ++++--
 2 files changed, 35 insertions(+), 4 deletions(-)

diff --git a/net/ocserv/README b/net/ocserv/README
index 21dbdf117..70429ef3b 100644
--- a/net/ocserv/README
+++ b/net/ocserv/README
@@ -4,7 +4,7 @@ To setup a server the provides access to LAN with network address 10.100.2.0/255.255.255.0 using the VPN address range 10.100.3.0/255.255.255.0 add the following to /etc/config/ocserv:
------------------------------------------------------------------
+----/etc/config/ocserv-------------------------------------------
 config ocserv 'config'
 option port '4443'
 option dpd '120'
@@ -13,7 +13,7 @@ config ocserv 'config'
 option netmask '255.255.255.0'
 option ipaddr '10.100.3.0'
 option auth 'plain'
- option zone 'lan'
+ option zone 'vpn'
 option default_domain 'lan'
 option enable '1'
@@ -38,6 +38,34 @@ The server can be enabled and started using:
 # /etc/init.d/ocserv start
+To simplify firewall configuration, you should setup an unmanaged interface
+(e.g., called vpn), and will have assigned the 'vpns+' interfaces. Then a zone
+called vpn should be setup to handle interactions with lan. An example
+follows:
+----/etc/config/network------------------------------------------
+config interface 'vpn'
+ option proto 'none'
+ option ifname 'vpns+'
+-----------------------------------------------------------------
+
+----/etc/config/firewall-----------------------------------------
+config zone
+ option input 'ACCEPT'
+ option forward 'REJECT'
+ option output 'ACCEPT'
+ option name 'vpn'
+ option device 'vpns+'
+ option network 'vpn'
+
+config forwarding
+ option dest 'lan'
+ option src 'vpn'
+
+config forwarding
+ option dest 'vpn'
+ option src 'lan'
+-----------------------------------------------------------------
+
 There is a luci plugin to allow configuring the server from the web environment; see the package luci-app-ocserv.
diff --git a/net/ocserv/files/ocserv.conf.template b/net/ocserv/files/ocserv.conf.template
index 5f09481d8..be5656d27 100644
--- a/net/ocserv/files/ocserv.conf.template
+++ b/net/ocserv/files/ocserv.conf.template
@@ -164,8 +164,11 @@ rekey-method = ssl
 # DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
 # in the P-t-P connection), IP_REMOTE (the VPN IP of the client),
 # ID (a unique numeric ID); REASON may be "connect" or "disconnect".
-connect-script = /usr/bin/ocserv-script
-disconnect-script = /usr/bin/ocserv-script
+
+# These scripts are not needed if you have setup an interface for all vpns+
+# devices.
+#connect-script = /usr/bin/ocserv-script
+#disconnect-script = /usr/bin/ocserv-script
 # UTMP
 use-utmp = false
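Review bot: The new comment above `#connect-script` in the ocserv.conf.template hunk tells the user the scripts are unnecessary once an interface covers the vpns+ devices, but it neither says where that interface and its firewall zone are described nor what happens when the shipped default (scripts disabled, no such interface) is kept as is, so a deployment that only installs the template has VPN client devices that no configured zone claims. Suggest extending the comment to `# These scripts are not needed if you have setup an interface for all vpns+` / `# devices and a firewall zone for it (see the vpn example in the package README);` / `# with neither, vpns+ traffic is handled only by the firewall's default policies.` That the disabled script was what previously attached each vpns+ device to the firewall is inferred from the comment, not shown in this hunk, so the wording should be checked against /usr/bin/ocserv-script before committing. The surrounding section of the template continues outside the hunk.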