SHOREWALL-TUNNELS(5) | Configuration Files | SHOREWALL-TUNNELS(5)
NAME
tunnels - Shorewall VPN definition file
SYNOPSIS
/etc/shorewall[6]/tunnels
DESCRIPTION
The tunnels file is used to define rules for encapsulated (usually encrypted) traffic to pass between the Shorewall system and a remote gateway. Traffic flowing through the tunnel is handled using the normal zone/policy/rule mechanism. See https://shorewall.org/VPNBasics.html[1] for details.
The columns in the file are as follows.
TYPE - {ipsec[:{noah|ah}]|ipsecnat|ipip|gre|l2tp|pptpclient|pptpserver|?COMMENT|{openvpn|openvpnclient|openvpnserver}[:{tcp|udp}][:port]|generic:protocol[:port]}
6to4 or 6in4 - 6to4 or 6in4 tunnel. The 6in4 synonym was added in 4.4.24.
ipsec - IPv4 IPSEC
ipsecnat - IPv4 IPSEC with NAT Traversal (UDP port 4500 encapsulation)
ipip - IPv4 encapsulated in IPv4 (Protocol 4)
gre - Generalized Routing Encapsulation (Protocol 47)
l2tp - Layer 2 Tunneling Protocol (UDP port 1701)
pptpclient - PPTP Client runs on the firewall
pptpserver - PPTP Server runs on the firewall
openvpn - OpenVPN in point-to-point mode
openvpnclient - OpenVPN client runs on the firewall
openvpnserver - OpenVPN server runs on the firewall
generic - Other tunnel type
tinc - TINC (added in Shorewall 4.6.6)
If the type is ipsec, it may be followed by :ah to indicate that the Authentication Headers protocol (51) is used by the tunnel (the default is :noah which means that protocol 51 is not used). NAT traversal is only supported with ESP (protocol 50) so ipsecnat tunnels don't allow the ah option (ipsecnat:noah may be specified but is redundant).
If type is openvpn, openvpnclient or openvpnserver it may optionally be followed by ":" and tcp or udp to specify the protocol to be used. If not specified, udp is assumed.
If type is openvpn, openvpnclient or openvpnserver it may optionally be followed by ":" and the port number used by the tunnel. If no ":" and port number are included, then the default port of 1194 will be used. Where both the protocol and port are specified, the protocol must be given first (e.g., openvpn:tcp:4444).
If type is generic, it must be followed by ":" and a protocol name (from /etc/protocols) or a protocol number. If the protocol is tcp or udp (6 or 17), then it may optionally be followed by ":" and a port number.
Comments may be attached to Netfilter rules generated from entries in this file through the use of ?COMMENT lines. These lines begin with ?COMMENT; the remainder of the line is treated as a comment which is attached to subsequent rules until another ?COMMENT line is found or until the end of the file is reached. To stop adding comments to rules, use a line containing only ?COMMENT.
Note
Beginning with Shorewall 4.5.11, ?COMMENT is a synonym for COMMENT and is preferred.
ZONE - zone
GATEWAY(S) (gateway or gateways) - address-or-range [ , ... ]
Beginning with Shorewall 4.5.3, a list of addresses or ranges may be given. Exclusion (shorewall-exclusion(5)[2]) is not supported.
GATEWAY ZONES (gateway_zone or gateway_zones) - [zone[,zone]...]
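The TYPE grammar above is easy to misread when auditing a tunnels file (for example, whether an ipsecnat entry may carry :ah, or which port an openvpn:7777 entry actually opens). The following parser, added here as an illustration and not part of Shorewall, expands each entry into the (protocol, port) pairs it implies and rejects the combinations this page forbids. It assumes IKE on UDP 500 for ipsec types (Shorewall behaviour documented elsewhere, not on this page) and returns None for the types whose protocol set the page does not state.

```python
FIXED = {"ipip": [("4", None)], "gre": [("47", None)], "l2tp": [("udp", 1701)]}  # stated on this page
UNMODELLED = ("6to4", "6in4", "pptpclient", "pptpserver", "tinc")  # listed, protocol set not stated

def parse_type(spec):  # TYPE column -> [(protocol, port)], None if unmodelled, or ValueError
    kind, *opts = spec.split(":")
    if kind in ("ipsec", "ipsecnat"):
        if opts not in ([], ["noah"]) and (opts != ["ah"] or kind == "ipsecnat"):
            raise ValueError(f"{spec}: only :noah or :ah allowed, and :ah not with ipsecnat")
        matches = [("udp", 500), ("50", None)]  # IKE (assumed Shorewall behaviour, not stated here) + ESP
        if kind == "ipsecnat": matches.append(("udp", 4500))  # NAT traversal encapsulation
        if opts == ["ah"]: matches.append(("51", None))        # Authentication Header
        return matches
    if kind in ("openvpn", "openvpnclient", "openvpnserver"):  # [:tcp|udp][:port], protocol first
        proto, opts = (opts[0], opts[1:]) if opts and opts[0] in ("tcp", "udp") else ("udp", opts)
        if opts and (len(opts) > 1 or not opts[0].isdigit()):
            raise ValueError(f"{spec}: expected {kind}[:tcp|udp][:port]")
        return [(proto, int(opts[0]) if opts else 1194)]     # page defaults: udp, port 1194
    if kind == "generic":                                     # generic:protocol[:port]
        if len(opts) == 1:
            return [(opts[0].lower(), None)]
        if len(opts) == 2 and opts[0].lower() in ("tcp", "udp", "6", "17") and opts[1].isdigit():
            return [(opts[0].lower(), int(opts[1]))]
        raise ValueError(f"{spec}: port is only valid for tcp/udp (6/17)")
    if not opts and kind in FIXED:
        return list(FIXED[kind])
    if not opts and kind in UNMODELLED:
        return None
    raise ValueError(f"{spec}: unknown or malformed tunnel type")

def rejects(spec):  # negative-check helper: does parse_type refuse this TYPE spec?
    try: parse_type(spec); return False
    except ValueError: return True

def parse_tunnels(text):
    rows = []  # one dict per entry; '#' comments, blank and ?COMMENT lines are skipped
    for line in text.splitlines():
        cols = line.split("#", 1)[0].split()
        if not cols or cols[0] in ("?COMMENT", "COMMENT"):
            continue
        if len(cols) < 3: raise ValueError(f"need TYPE ZONE GATEWAY(S): {line!r}")
        rows.append({"type": cols[0], "zone": cols[1], "gateways": cols[2].split(","),
                     "gateway_zones": cols[3].split(",") if len(cols) > 3 else [],
                     "matches": parse_type(cols[0])})
    return rows
SAMPLE = """#TYPE        ZONE  GATEWAY      GATEWAY ZONES
ipsec:noah   net   4.33.99.124
ipsec        net   0.0.0.0/0    vpn1,vpn2,vpn3
openvpn:7777 net   4.33.99.124
"""  # constructed sample built from this page's IPv4 examples
```

Running parse_tunnels over a live /etc/shorewall/tunnels and diffing the resulting match list against what you expect to be reachable on the firewall is a quick way to catch an accidentally widened gateway (0.0.0.0/0) or an unintended :ah.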
EXAMPLE
IPv4 Example 1:
The remote gateway is 4.33.99.124 and the remote subnet is 192.168.9.0/24. The tunnel does not use the AH protocol.
#TYPE             ZONE   GATEWAY          GATEWAY ZONES
ipsec:noah        net    4.33.99.124
IPv4 Example 2:
#TYPE             ZONE   GATEWAY          GATEWAY ZONES
ipsec             net    0.0.0.0/0        gw
IPv4 Example 3:
#TYPE             ZONE   GATEWAY          GATEWAY ZONES
ipsec             net    4.33.99.124      gw
IPv4 Example 4:
#TYPE             ZONE   GATEWAY          GATEWAY ZONES
ipsec             net    0.0.0.0/0        vpn1,vpn2,vpn3
IPv4 Example 5:
#TYPE             ZONE   GATEWAY          GATEWAY ZONES
pptpclient        net    192.0.2.221
IPv4 Example 6:
#TYPE             ZONE   GATEWAY          GATEWAY ZONES
pptpserver        net    0.0.0.0/0
IPv4 Example 7:
#TYPE             ZONE   GATEWAY          GATEWAY ZONES
openvpn:7777      net    4.33.99.124
IPv4 Example 8:
#TYPE             ZONE   GATEWAY          GATEWAY ZONES
generic:udp:4444  net    4.3.99.124
IPv4 Example 9:
#TYPE             ZONE   GATEWAY          GATEWAY ZONES
tinc              net    0.0.0.0/0
IPv6 Example 1:
The remote gateway is 2001:cec792b4:1::44. The tunnel does not use the AH protocol.
#TYPE             ZONE   GATEWAY                GATEWAY ZONES
ipsec:noah        net    2002:cec792b4:1::44
IPv6 Example 2:
#TYPE             ZONE   GATEWAY                GATEWAY ZONES
ipsec             net    ::/0                   gw
IPv6 Example 3:
#TYPE             ZONE   GATEWAY                GATEWAY ZONES
ipsec             net    2001:cec792b4:1::44    gw
IPv6 Example 4:
#TYPE             ZONE   GATEWAY                GATEWAY ZONES
openvpn:7777      net    2001:cec792b4:1::44
IPv6 Example 8:
#TYPE             ZONE   GATEWAY                GATEWAY ZONES
generic:udp:4444  net    2001:cec792b4:1::44
IPv6 Example 9:
#TYPE             ZONE   GATEWAY                GATEWAY ZONES
tinc              net    ::/0
FILES
/etc/shorewall/tunnels
/etc/shorewall6/tunnels
SEE ALSO
https://shorewall.org/configuration_file_basics.htm#Pairs[3]
NOTES
2. shorewall-exclusion
09/24/2020 | Configuration Files