tunnels — Shorewall6 VPN definition file




The tunnels file is used to define rules for encapsulated (usually encrypted) traffic to pass between the Shorewall6 system and a remote gateway. Traffic flowing through the tunnel is handled using the normal zone/policy/rule mechanism. See for details.

The columns in the file are as follows (where the column name is followed by a different name in parentheses, the different name is used in the alternate specification syntax).

TYPE - {ipsec[:{noah|ah}]|ipsecnat|gre|l2tp|pptpclient|pptpserver|?COMMENT|{openvpn|openvpnclient|openvpnserver}[:{tcp|udp}][:port]|generic:protocol[:port]}

Types are as follows:

        ipsec         - IPv6 IPSEC
        ipsecnat      - IPv6 IPSEC with NAT Traversal (UDP port 4500 encapsulation)
        gre           - Generalized Routing Encapsulation (Protocol 47)
        l2tp          - Layer 2 Tunneling Protocol (UDP port 1701)
        openvpn       - OpenVPN in point-to-point mode
        openvpnclient - OpenVPN client runs on the firewall
        openvpnserver - OpenVPN server runs on the firewall
        generic       - Other tunnel type
        tinc          - TINC (added in Shorewall 4.6.6)

If the type is ipsec, it may be followed by :ah to indicate that the Authentication Headers protocol (51) is used by the tunnel (the default is :noah which means that protocol 51 is not used). NAT traversal is only supported with ESP (protocol 50) so ipsecnat tunnels don't allow the ah option (ipsecnat:noah may be specified but is redundant).

If type is openvpn, openvpnclient or openvpnserver it may optionally be followed by ":" and tcp or udp to specify the protocol to be used. If not specified, udp is assumed. Note: At this writing, OpenVPN does not support IPv6.

If type is openvpn, openvpnclient or openvpnserver it may optionally be followed by ":" and the port number used by the tunnel. if no ":" and port number are included, then the default port of 1194 will be used. . Where both the protocol and port are specified, the protocol must be given first (e.g., openvpn:tcp:4444).

If type is generic, it must be followed by ":" and a protocol name (from /etc/protocols) or a protocol number. If the protocol is tcp or udp (6 or 17), then it may optionally be followed by ":" and a port number.

Comments may be attached to Netfilter rules generated from entries in this file through the use of ?COMMENT lines. These lines begin with the word ?COMMENT; the remainder of the line is treated as a comment which is attached to subsequent rules until another ?COMMENT line is found or until the end of the file is reached. To stop adding comments to rules, use a line with only the word ?COMMENT.

ZONE - zone

The zone of the physical interface through which tunnel traffic passes. This is normally your internet zone.

GATEWAY(S) (gateway or gateways) - address-or-range [ , ... ]

The IP address of the remote tunnel gateway. If the remote gateway has no fixed address (Road Warrior) then specify the gateway as ::/0. May be specified as a network address and if your kernel and ip6tables include iprange match support then IP address ranges are also allowed.

Beginning with Shorewall 4.5.3, a list of addresses or ranges may be given. Exclusion (shorewall6-exclusion (5) ) is not supported.

GATEWAY ZONE(S) (gateway_zone or gateway_zones) - [zone[,zone]...]

Optional. If the gateway system specified in the third column is a standalone host then this column should contain a comma-separated list of the names of the zones that the host might be in. This column only applies to IPSEC tunnels where it enables ISAKMP traffic to flow through the tunnel to the remote gateway(s).


Example 1:

IPSec tunnel.

The remote gateway is 2001:cec792b4:1::44. The tunnel does not use the AH protocol

        #TYPE           ZONE    GATEWAY
        ipsec:noah      net     2002:cec792b4:1::44
Example 2:

Road Warrior (LapTop that may connect from anywhere) where the "gw" zone is used to represent the remote LapTop

        #TYPE           ZONE    GATEWAY                 GATEWAY ZONES
        ipsec           net     ::/0                    gw
Example 3:

Host 2001:cec792b4:1::44 is a standalone system connected via an ipsec tunnel to the firewall system. The host is in zone gw.

        #TYPE           ZONE    GATEWAY                 GATEWAY ZONES
        ipsec           net     2001:cec792b4:1::44     gw
Example 4:

OPENVPN tunnel. The remote gateway is 2001:cec792b4:1::44 and openvpn uses port 7777.

        #TYPE           ZONE    GATEWAY                 GATEWAY ZONES
        openvpn:7777    net     2001:cec792b4:1::44
Example 8:

You have a tunnel that is not one of the supported types. Your tunnel uses UDP port 4444. The other end of the tunnel is 2001:cec792b4:1::44.

        #TYPE            ZONE    GATEWAY                GATEWAY ZONES
        generic:udp:4444 net     2001:cec792b4:1::44
Example 9:

TINC tunnel where the remote gateways are not specified. If you wish to specify a list of gateways, you can do so in the GATEWAY column.

        #TYPE            ZONE    GATEWAY          GATEWAY ZONES
        tinc             net     ::/0




shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5), shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5), shorewall6-rtrules(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-mangle(5), shorewall6-tos(5), shorewall6-zones(5)


Frequently Used Articles

- FAQs - IPv4 Manpages - IPv6 Manpages - Configuration File Basics - Beginner Documentation - Troubleshooting

Shorewall 4.4/4.5/4.6 Documentation

Shorewall 4.0/4.2 Documentation

Shorewall 5.0 HOWTOs and Other Articles

- 6to4 and 6in4 Tunnels - Accounting - Actions - Aliased (virtual) Interfaces (e.g., eth0:0) - Anatomy of Shorewall - Anti-Spoofing Measures - AUDIT Target support - Bandwidth Control - Blacklisting/Whitelisting - Bridge/Firewall - Building Shorewall from GIT - Commands - Compiled Programs - Configuration File Basics - DHCP - DNAT - Docker - Dynamic Zones - ECN Disabling by host or subnet - Events - Extension Scripts - Fallback/Uninstall - FAQs - Features - Fool's Firewall - Forwarding Traffic on the Same Interface - FTP and Shorewall - Helpers/Helper Modules - Installation/Upgrade - IPP2P - IPSEC - Ipsets - IPv6 Support - ISO 3661 Country Codes - Kazaa Filtering - Kernel Configuration - KVM (Kernel-mode Virtual Machine) - Limiting Connection Rates - Linux Containers (LXC) - Linux-vserver - Logging - Macros - MAC Verification - Manpages (IPv4) (IPv6) - Manual Chains - Masquerading - Multiple Internet Connections from a Single Firewall - Multiple Zones Through One Interface - My Shorewall Configuration - Netfilter Overview - Network Mapping - No firewalling of traffic between bridge port - One-to-one NAT - Operating Shorewall - OpenVPN - OpenVZ - Packet Marking - Packet Processing in a Shorewall-based Firewall - 'Ping' Management - Port Forwarding - Port Information - Port Knocking (deprecated) - Port Knocking, Auto Blacklisting and Other Uses of the 'Recent Match' - PPTP - Proxy ARP - QuickStart Guides - Release Model - Requirements - Routing and Shorewall - Routing on One Interface - Samba - Shorewall Events - Shorewall Init - Shorewall Lite - Shorewall on a Laptop - Shorewall Perl - Shorewall Setup Guide - SMB - SNAT - Split DNS the Easy Way - Squid with Shorewall - Starting/stopping the Firewall - Static (one-to-one) NAT - Support - Tips and Hints - Traffic Shaping/QOS - Simple - Traffic Shaping/QOS - Complex - Transparent Proxy - UPnP - Upgrade Issues - Upgrading to Shorewall 4.4 (Upgrading Debian Lenny to Squeeze) - VPN - VPN Passthrough - White List Creation - Xen - Shorewall in a Bridged Xen DomU - Xen - Shorewall in Routed Xen Dom0

Top of Page