-rwxr-xr-x | Generate | 16 |
1 files changed, 12 insertions, 4 deletions
@@ -281,7 +281,6 @@ $config['hosts'].each_pair{ |name, host| host['name'] = name host['vpn_address'] = $config['prefix']+'.'+host['host_no'].to_s host['vpn_address6'] = $config['prefix6']+':'+host['host_no'].to_s - host['inet_port'] = $config['baseport']+host['host_no'] host['asn'] = $config['baseasn']+host['host_no'] host['ifacename'] = "tun-n2-#{host['name']}"[0..14] iface_dup_check[host['ifacename']] = true @@ -314,6 +313,14 @@ hostlist.each{ |host| "peer" => ipv6_link_local_peer } } + + host['inet_port'] = {} + host['peers'].each{ |peer| + host['inet_port'][ peer['name'] ] = { + "remote" => $config['baseport']+host['host_no'], + "local" => $config['baseport']+peer['host_no'] + } + } } throw "Duplicate iface names" unless iface_dup_check.size == $config['hosts'].size @@ -593,8 +600,8 @@ hostlist.each{ |host| mtu = 1200 conffile.puts "fragment #{mtu}" conffile.puts "ifconfig %s %s"%[host['vpn_address'], peer['vpn_address']] - conffile.puts "rport %s"%[host['inet_port']] - conffile.puts "lport %s"%[peer['inet_port']] + conffile.puts "rport #{host['inet_port'][ peer['name'] ]['remote']}" + conffile.puts "lport #{host['inet_port'][ peer['name'] ]['local']}" conffile.puts "remote %s"%[peer['host_address']] if peer['host_address'] conffile.puts "local %s"%[host['host_address']] if host['host_address'] if host_is_server 
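Review bot: The new per-peer map in hunk @@ -314 writes `$config['baseport']+host['host_no']` and `$config['baseport']+peer['host_no']` straight into the OpenVPN config and the iptables rules with no range check, so a baseport/host_no combination above 65535 only fails later at runtime, in the generated files. The loop already guards interface-name collisions with `iface_dup_check`, so a parallel guard fits naturally after the two assignments: `throw "inet_port out of range for #{host['name']}/#{peer['name']}" unless (1..65535).cover?(host['inet_port'][peer['name']]['local']) && (1..65535).cover?(host['inet_port'][peer['name']]['remote'])`. The scheme also relies on `host_no` being unique across hosts for the `local` ports of one host to be distinct per peer; I cannot see where host_no uniqueness is enforced, so that is worth confirming. The old scalar `host['inet_port']` is removed in hunk @@ -281, so any reader of it outside the shown hunks would now get a Hash; the enclosing `hostlist.each` block starts before the hunk.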
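Review bot: On the new rport/lport lines, `host['inet_port'][ peer['name'] ]['remote']` raises a bare NoMethodError on nil if `peer['name']` is not a key of the map (a peer listed in this loop but absent from `host['peers']`), which gives no hint of which host/peer is misconfigured. Looking the entry up once with `ports = host['inet_port'].fetch(peer['name'])` before the two `conffile.puts` calls, then `rport #{ports['remote']}` / `lport #{ports['local']}`, names the missing peer in the KeyError and drops the duplicated lookup. The values are numerically the same as before (`remote` equals the old `host['inet_port']`, `local` equals the old `peer['inet_port']`), so nothing changes on the wire. The enclosing per-peer loop starts before the hunk.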
@@ -633,8 +640,9 @@ hostlist.each{ |host| File.chmod(0755, upscriptname) == 1 or throw "Cannot chmod #{upscriptname}" ########## + # do not filter on remote port as NAT gateways may change ports iptables.puts "iptables --append vpn-#{$NAMESPACE} --source #{ peer['host_address'] || '0.0.0.0/0' } --destination #{ host['host_address'] || '0.0.0.0/0' } \\" - iptables.puts " --protocol udp --destination-port #{ peer['inet_port'] } \\" + iptables.puts " --protocol udp --destination-port #{ host['inet_port'][ peer['name'] ]['local'] } \\" iptables.puts " --jump ACCEPT" iptables.puts "iptables --append vpn-#{$NAMESPACE} --source #{ peer['vpn_address'] } --destination #{ host['vpn_address'] } \\" |
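Review bot: The new comment explains why only the destination port is matched, but it should also spell out the consequence for the `--source #{ peer['host_address'] || '0.0.0.0/0' }` fallback on the next line: for a peer with no fixed host_address the rule accepts UDP from any address to that lport, and the only remaining gate is OpenVPN's own handshake. That is fine if the generated config for these links carries `tls-auth`/`tls-crypt` so unauthenticated datagrams are discarded before the TLS stack, but that is not visible in this hunk and is worth confirming. I would extend the comment to `# do not filter on remote port as NAT gateways may change ports; for peers without a fixed host_address this leaves only the destination port (plus OpenVPN's HMAC/TLS) as the filter`. The port value itself is unchanged from the old `peer['inet_port']` for this peer, so the rule's match semantics are the same as before.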