[Openswan Users] perl script; handing out /30 with dhcpd

Arn Vollebregt arn.vollebregt at xs4all.nl
Sun Dec 30 17:54:11 EST 2007


Hi,

I made a Perl script which dynamically configures dhcpd to only hand out
IPs from randomly generated /30 subnets. In case anybody is interested in
this, it can be found at http://82.92.8.139/projects/slash30dhcpd/ . Please
note that for now it will probably only work in a stand-alone environment,
as I did not test it with other dhcpd configurations alongside it.

Now why would I want to make such a script, and what is its relation to
Openswan?

My goal with running IPsec is simple: encrypt all traffic on a LAN. As I
wish to support the Windows native IPsec clients L2TP comes into play, which
is where my problem is born: (Windows) L2TP clients encrypt all traffic
which goes through the gateway, but not the traffic which goes to the same
subnet (as opposed to pure IPsec). Makes sense on its own, but that is not
what I want. After a conversation on #openswan about this we came to the
conclusion that the closest one could get to this is to hand out /30 subnets
on your network, so that effectively all traffic from the L2TP clients goes
through the gateway, and thus gets encrypted. I added a random factor to the
story to avoid prediction of the subnets in use.

As I am not a fan of manually configuring a /30 subnet for every new
computer on the LAN, I decided to write a Perl script for this. I am hardly
a Perl expert, so no doubt things could be a bit more optimized. It however
does what it is supposed to, so for now I deemed it v1.0 worthy. Nonetheless
comments and ideas are always welcome :) Below is an excerpt from the
README:

3. WHAT DOES IT DO
* Generate a random /30 subnet, within a specified range.
* Configure the next free virtual interface on the specified network
  adapter with an IP from the generated subnet, and restart dhcpd since
  it does not automatically track changes in its configuration file.
* When the lease is actually handed out, configure iptables to allow
  certain traffic on the new subnet (IPsec by default).
* Start from beginning.
* Undo all configurations on dhcp release.

Regards,

Arn Vollebregt
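The allocation cycle the README excerpt above describes (pick a random /30 from a range, give the gateway an alias address in it, write a dhcpd stanza that leases only the other host address, add firewall rules when the lease is handed out, undo on release) as an added Python sketch. This is not Arn's Perl script and is not taken from the linked project; the dhcpd stanza is standard ISC dhcpd syntax, while the `eth0:N` alias label, the `ip addr` invocation and the two iptables rules (accept IKE on UDP 500/4500 and ESP from the leased client to the gateway) are assumptions chosen for illustration.

```python
import ipaddress
import secrets


def allocate_slash30(pool, used, randbelow=secrets.randbelow):
    """Pick a random, not-yet-used /30 inside pool and record it in used.

    pool is a CIDR string such as "10.0.0.0/24"; used is a set of
    IPv4Network objects already handed out. randbelow defaults to the
    CSPRNG in the secrets module, so the next subnet is not predictable
    from the previous ones; it is injectable for deterministic tests.
    """
    pool = ipaddress.ip_network(pool)
    if pool.prefixlen > 30:
        raise ValueError("pool %s is smaller than a /30" % pool)
    slots = 2 ** (30 - pool.prefixlen)            # how many /30s fit in pool
    if sum(1 for n in used if n.subnet_of(pool)) >= slots:
        raise RuntimeError("no free /30 left in %s" % pool)
    base = int(pool.network_address)
    while True:                                   # retry on collision
        idx = randbelow(slots)
        net = ipaddress.ip_network("%s/30" % ipaddress.IPv4Address(base + idx * 4))
        if net not in used:
            used.add(net)
            return net


def lease_config(net, iface="eth0", alias_index=0):
    """Build what a fresh /30 needs on the gateway before dhcpd is restarted.

    The gateway takes the first host address and the client the second, so
    the client's only on-link neighbour is the gateway and everything else
    it sends is routed through (and therefore IPsec-protected by) the gateway.
    """
    gw, client = list(net.hosts())                # a /30 has exactly two hosts
    mask = net.netmask
    # Standard ISC dhcpd syntax: the pool holds just the one client address.
    stanza = (
        "subnet %s netmask %s {\n"
        "    range %s %s;\n"
        "    option routers %s;\n"
        "    option subnet-mask %s;\n"
        "}\n" % (net.network_address, mask, client, client, gw, mask)
    )
    # dhcpd only serves subnets it has an address in, hence an alias on iface.
    # The eth0:N label is an assumption; the post only says "next free
    # virtual interface".
    ifcmd = "ip addr add %s/30 dev %s label %s:%d" % (gw, iface, iface, alias_index)
    # Assumed firewall policy (not the original script's rules): once the lease
    # exists, accept IKE (UDP 500/4500) and ESP from the client to the gateway.
    fw = [
        "iptables -A INPUT -s %s -d %s -p udp -m multiport --dports 500,4500 -j ACCEPT"
        % (client, gw),
        "iptables -A INPUT -s %s -d %s -p esp -j ACCEPT" % (client, gw),
    ]
    return {"gateway": str(gw), "client": str(client), "stanza": stanza,
            "interface": ifcmd, "firewall": fw}


def release_lease(net, used, iface="eth0", alias_index=0):
    """Undo lease_config on DHCP release and return the teardown commands."""
    used.discard(net)
    cfg = lease_config(net, iface, alias_index)
    undo = [c.replace("iptables -A", "iptables -D", 1) for c in cfg["firewall"]]
    undo.append(cfg["interface"].replace("ip addr add", "ip addr del", 1))
    return undo


if __name__ == "__main__":
    used = set()
    net = allocate_slash30("10.0.0.0/24", used)
    cfg = lease_config(net, "eth0", 0)
    print(cfg["stanza"])
    print(cfg["interface"])
    print("\n".join(cfg["firewall"]))
    print("\n".join(release_lease(net, used, "eth0", 0)))
```

The stanza has to be appended to dhcpd.conf and dhcpd restarted before the lease can be served, as the README excerpt notes; the firewall rules belong to the lease-commit step, so they are only applied once the client has actually taken the address. The retry loop is bounded by the exhaustion check above it, so a full pool raises instead of spinning.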
