[Shorewall-users] Architecture Help: OpenVPN

Adam Sherman adam at sherman.ca
Thu Feb 3 12:39:00 PST 2005


(Apologies if you receive this twice, GMANE seems to have lost my
original posting.)

I currently have a setup where 20 remote networks are routed through
IPsec tunnels and I am using Shorewall's terrific support for the kernel
policy match module. I also have mobile clients using OpenVPN to connect
into our head office network in a bridged setup. All is good.
(Thanks Tom for your extensive help in getting this to work.)

Now, I need to use OpenVPN to have some edge devices we will be shipping
out connect back into our network and route for their own local
networks. Since I need fine grained control over the rules for each
remote network, having them use the existing, bridged, setup would be
too much trouble, AFAIK.

What is the best approach, then?

- one tap interface for each remote network?
- a single tap interface with a virtual subnet on it, with each remote
network having an IP on this subnet?
- a single tun interface with a virtual subnet, as above?

I'm really not clear on what the pros and cons of each possibility are.
And, of course, there may be other possibilities I have not considered.
Any advice would be appreciated.

Thank you,

A.
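As an added illustration (not part of the original post, and not taken from the OpenVPN or Shorewall projects' own documentation) of the third option in the list, a single routed tun interface carrying one virtual subnet, here is how the per-remote-network control the post asks for can be expressed: OpenVPN's client-config-dir/iroute mechanism tells the server which LAN sits behind each edge device, and Shorewall's hosts file turns each of those LANs into its own zone so rules and policies can differ per remote network. All names (edge1, edge2), addresses and file paths are constructed for the example, and the zones file is written in the three-column Shorewall 2.x layout that was current in 2005; later Shorewall releases use a different zones layout.

```text
# ---- OpenVPN server at head office, routed (tun) mode; assumed path /etc/openvpn/edge.conf
dev tun0
server 10.8.0.0 255.255.255.0        # virtual subnet for the tunnel endpoints (constructed)
client-config-dir /etc/openvpn/ccd   # one file per client, named after its certificate CN
route 192.168.101.0 255.255.255.0    # kernel route: LAN behind edge1 is reached via tun0
route 192.168.102.0 255.255.255.0    # kernel route: LAN behind edge2 is reached via tun0
# client-to-client is deliberately NOT set: edge-to-edge traffic must pass through the
# kernel, where Shorewall can see and filter it

# ---- /etc/openvpn/ccd/edge1  (client whose certificate CN is "edge1", assumed)
iroute 192.168.101.0 255.255.255.0   # OpenVPN-internal route: this client owns 192.168.101.0/24

# ---- /etc/openvpn/ccd/edge2
iroute 192.168.102.0 255.255.255.0

# ---- /etc/shorewall/zones  (Shorewall 2.x layout: ZONE  DISPLAY  COMMENTS)
edge1   Edge1   LAN behind edge device 1
edge2   Edge2   LAN behind edge device 2

# ---- /etc/shorewall/interfaces  (zone "-": the zones on tun0 are defined in hosts, not here)
#ZONE   INTERFACE   BROADCAST   OPTIONS
-       tun0        -

# ---- /etc/shorewall/hosts  (each remote LAN becomes its own zone on the shared tun0)
#ZONE   HOST(S)
edge1   tun0:192.168.101.0/24
edge2   tun0:192.168.102.0/24

# ---- /etc/shorewall/policy  (deny by default in both directions, log drops; rules open holes)
#SOURCE DEST    POLICY  LOG LEVEL
edge1   all     DROP    info
edge2   all     DROP    info
all     edge1   DROP    info
all     edge2   DROP    info

# ---- /etc/shorewall/rules  (the fine-grained, per-remote-network control the post asks for)
#ACTION SOURCE  DEST    PROTO   DEST PORT(S)
ACCEPT  edge1   loc     tcp     22
ACCEPT  edge2   loc     tcp     22,443
ACCEPT  loc     edge2   icmp    8
```

Two caveats a practitioner would check before relying on this. First, the hosts entries only cover packets sourced from the remote LANs; traffic that the edge device itself originates from its tunnel endpoint address (in 10.8.0.0/24) falls into no zone until that address is pinned with an OpenVPN ifconfig-push line in the same ccd file and listed alongside the LAN in hosts. Second, the zone assignment is only as trustworthy as the iroute mapping: a client can only claim the LAN its own ccd file grants it, so keep client-config-dir under the server's control and do not enable the option that lets clients push routes.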




More information about the Shorewall-users mailing list