Gentoo Forums: Networking & Security
OpenVPN as a complete encryption solution
tsftd (n00b; Joined: 21 May 2011; Posts: 19; Location: Here)
PostPosted: Fri Oct 12, 2012 3:29 am    Post subject: OpenVPN as a complete encryption solution

OK, so I've got OpenVPN installed and running, and can connect to it no problem. Unfortunately, at this point I'm starting to get out of my depth. After a couple of hours on google and searching this forum, I still can't really understand what I need to do or how to do it, so I'm asking for some help.

The goal is to set up a VPN to my server and route ALL of my traffic through it. I *could* of course use an SSH tunnel, but I'm trying to get a solution that needs to be set up once, and then works for everything, and from my understanding, a VPN is the best way to accomplish this (if not, please correct me). I need both the traffic AND the destination of that traffic to be encrypted (i.e., a simple proxy will not work as the destination address is still visible to anyone snooping).

as a simple diagram, PC<-encrypted->Server<----->endpoint (for all traffic)

The server is Gentoo on a remote box, and the client is Windows 7. My client connects to the VPN, but has no internet access. I would assume that I need to set up some sort of routing to get it to forward the traffic, but I'm not sure exactly what I need. I've set up a Gentoo SOHO router before but this is a bit different, and I'd rather not bother with things such as firewalls (IPTables) if possible, as my computer is protected from this side and the server is fine as-is.

I know it's a bit of an open-ended question, but I'd appreciate any help.

openvpn.conf:
Code:
port [edited]
# TCP transport means TCP-inside-TCP for tunnelled connections; UDP is the usual choice
proto tcp
dev tun
ca privnet/ca.crt
cert privnet/server.crt
key privnet/server.key
# 1024-bit DH parameters are below the current minimum; generate 2048-bit or larger
dh privnet/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
# compressing plaintext inside the tunnel enables compression-oracle attacks; leave it off unless needed
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3


client conf:
Code:
client
dev tun
proto tcp
remote [edited address] [edited port]
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
comp-lzo
verb 3
MacGyver031 (Tux's lil' helper; Joined: 11 Jul 2004; Posts: 140; Location: Ilavalai, Sri Lanka)
PostPosted: Fri Oct 12, 2012 8:46 am

Hi,
I have some experience in doing this.
a) You should use bridging and "server-bridge". This makes the whole project simple.
b) You should use tap, because tap is an ethernet device.
c) I have done a per-client decision.
d) Using udp (connectionless), you can save some unnecessary traffic (ack).

So your server config should be modified (I have made a star where necessary):
Code:

port [edited]
*proto udp
*dev tap0
ca privnet/ca.crt
cert privnet/server.crt
key privnet/server.key
dh privnet/dh1024.pem
* server-bridge
# ifconfig-pool-persist needs an address pool (--server or --ifconfig-pool);
# with a bare server-bridge OpenVPN refuses to start, so this line must go
#ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3


Server side you should bridge tap0 and ethernet interface.

On the client:
Code:

client
*dev tap0
*proto udp
remote [edited address] [edited port]
*
*
*
*
ca ca.crt
cert client.crt
key client.key
comp-lzo
verb 3
*route-gateway <ROUTER_IP>
*redirect-gateway bypass-dhcp


What exactly happens: by bridging the openvpn interface to the internal network, you have access to your home network. With "route-gateway" and "redirect-gateway", the client uses the openvpn channel to send all requests except the point-to-point connection to your router.

This works for me.

BR.
_________________
Sincerely your
Joanand K.

MacBook Pro 5.1: 2.4GHz Core2 Duo, 4096MB, 500GB, NVidia 9400/9600 M GT
Gentoo, Kernel 3.4.9, XOrg, Fluxbox.
frostschutz (Advocate; Joined: 22 Feb 2005; Posts: 2441; Location: Germany)
PostPosted: Fri Oct 12, 2012 1:54 pm

Have you set up your server to do NAT for your OpenVPN clients?
MacGyver031 (Tux's lil' helper; Joined: 11 Jul 2004; Posts: 140; Location: Ilavalai, Sri Lanka)
PostPosted: Fri Oct 12, 2012 4:10 pm

frostschutz wrote:
Have you set up your server to do NAT for your OpenVPN clients?

If this is a question to me, then the answer is no. Because I use tap instead of tun and bridge eth0 with tap0 on serverside, I create a transparent link between the two endpoints. This puts my laptop virtually in my home network.

There is also the implementation with tun; there one has to NAT.
tsftd (n00b; Joined: 21 May 2011; Posts: 19; Location: Here)
PostPosted: Sun Oct 14, 2012 1:28 am

OK, after editing my conf file it throws this error (in syslog):
Code:
Oct 14 03:18:01 ks357547 openvpn[4058]: Options error: --ifconfig-pool-persist must be used with --ifconfig-pool
Oct 14 03:18:01 openvpn[4058]: Use --help for more information.
Oct 14 03:18:01 /etc/init.d/openvpn[4057]: start-stop-daemon: failed to start `/usr/sbin/openvpn'
Oct 14 03:18:01 /etc/init.d/openvpn[4044]: ERROR: openvpn failed to start


I commented out the line "ifconfig-pool-persist ipp.txt" and it works; of course I'm not sure if that causes a problem or not.

Working on bridging now.
frostschutz (Advocate; Joined: 22 Feb 2005; Posts: 2441; Location: Germany)
PostPosted: Sun Oct 14, 2012 11:04 am

MacGyver031 wrote:
There is the implementation with tun, here one has to NAT.


And here I thought you have to NAT when you have only one public internet IP but multiple machines (server, openvpn clients, local network) behind it.

I certainly didn't try bridging a local network into a server datacenter yet.
Hu (Watchman; Joined: 06 Mar 2007; Posts: 8845)
PostPosted: Sun Oct 14, 2012 4:19 pm

frostschutz wrote:
And here I thought you have to NAT when you have only one public internet IP but multiple machines (server, openvpn clients, local network) behind it.
Yes, but that is not exactly what MacGyver031 is attempting. He wants the machines inside his LAN to think that the laptop is also inside the LAN, when in fact it is on the far end of the VPN. One way to achieve this is to issue its VPN interface an IP that the other LAN machines will consider to be local, then bridge its traffic into the LAN. Additional work would be needed if he wants the laptop to send publicly destined frames over the VPN, then out to the Internet from the home connection. This step would be useful if he expects to use the laptop on hostile networks (coffee shops, some hotels, etc.), but is unnecessary if the only point of the VPN is to access his home resources from elsewhere.
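A worked example for the routed (tun) variant that frostschutz and Hu describe, added here by the editor and not posted by anyone in the thread. It assumes the server's public interface is eth0, that OpenVPN creates tun0, that the VPN subnet is the 10.8.0.0/24 from the first post's openvpn.conf, and that a resolver listens on the server's tunnel address 10.8.0.1; all four are assumptions, not facts from the thread. It is the missing piece behind "my client connects to the VPN, but has no internet access": with the original tun config the clients can only reach the server itself until the server forwards and masquerades their traffic, and the client only sends everything through the tunnel once the server pushes redirect-gateway. Pushing a DNS server matters for the stated goal of hiding destinations; otherwise name lookups still go to the resolver of whatever network the laptop is on.

```shell
#!/bin/sh
# Added example (not from the thread): forwarding and NAT on the Gentoo server
# for the routed (tun) set-up, plus the directives to push to clients.
# Assumptions: public interface eth0, OpenVPN device tun0, VPN subnet
# 10.8.0.0/24 (the first post's "server" line), resolver on 10.8.0.1.
# DRY_RUN=1 prints the commands instead of executing them.

VPN_NET="${VPN_NET:-10.8.0.0/24}"
VPN_DNS="${VPN_DNS:-10.8.0.1}"
WAN_IF="${WAN_IF:-eth0}"
TUN_IF="${TUN_IF:-tun0}"
DRY_RUN="${DRY_RUN:-0}"

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Lines to append to the server's openvpn.conf. "def1" installs two /1 routes
# on the client that beat its own default route by prefix length, so the
# client's route to the VPN server itself stays intact; "bypass-dhcp" keeps
# the client's DHCP renewals on the local link (matters on Windows).
server_push_directives() {
    cat <<EOF
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS $VPN_DNS"
EOF
}

# Without ip_forward=1 plus a MASQUERADE rule, clients reach the server but
# nothing beyond it: exactly "connects to the VPN, but has no internet access".
nat_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A POSTROUTING -s "$VPN_NET" -o "$WAN_IF" -j MASQUERADE
    # the two FORWARD rules are only needed when the FORWARD chain policy is DROP
    run iptables -A FORWARD -i "$TUN_IF" -o "$WAN_IF" -s "$VPN_NET" -j ACCEPT
    run iptables -A FORWARD -i "$WAN_IF" -o "$TUN_IF" -d "$VPN_NET" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Usage: nat.sh show   -> print the openvpn.conf directives
#        nat.sh apply  -> enable forwarding and NAT (as root)
case "${1:-}" in
    show)  server_push_directives ;;
    apply) nat_rules ;;
esac
```

Run `sh nat.sh show` to get the lines to append to openvpn.conf and `sh nat.sh apply` as root for the kernel side. To survive a reboot, put net.ipv4.ip_forward = 1 in /etc/sysctl.conf and save the rules with Gentoo's `/etc/init.d/iptables save`. MASQUERADE plus ip_forward is the minimum; the FORWARD rules only matter once the server has a default-deny forwarding policy.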
MacGyver031 (Tux's lil' helper; Joined: 11 Jul 2004; Posts: 140; Location: Ilavalai, Sri Lanka)
PostPosted: Mon Oct 15, 2012 6:24 am

Quote:
endpoint (for all traffic)

I think the configuration which I have shown should channel all traffic through the vpn.

Quote:
This step would be useful if he expects to use the laptop on hostile networks (coffee shops, some hotels, etc.), but is unnecessary if the only point of the VPN is to access his home resources from elsewhere.

Hu has got it. One can also use it to make it hard for the hostile admin to track what I am doing.
tsftd (n00b; Joined: 21 May 2011; Posts: 19; Location: Here)
PostPosted: Tue Oct 16, 2012 1:53 am

OK, so here's the deal on bridging: since it's a remote server, any time that I add eth0 to a bridge, it kills the net connection (dropping my SSH session). I'm following http://en.gentoo-wiki.com/wiki/Bridging_Network_Interfaces as a guide, obviously excepting that instead of eth1, it's tap0.

From this section ( http://en.gentoo-wiki.com/wiki/Bridging_Network_Interfaces#Configuration ), I have tried:

ifconfig eth0 up #skip since it's already up
ifconfig tap0 up #skip since tun0 is already up
brctl addbr br0 #ok
brctl addif br0 eth0 #at this point, the ssh dies
brctl addif br0 tap0
ifconfig br0 up

Figuring that it would solve the problem (since the whole operation would take place regardless of the SSH dying), I tried the permanent setup:

in /etc/conf.d/net:
bridge_br0="eth0 tap0"
config_br0=( "[my server's ip] netmask 255.255.255.0" )
routes_br0=( "default gw [my server's default route]" )
config_eth0=( "null" )
rc_need_br0="net.eth0"

Note that I just renamed the config and routes options from "eth0" to "br0".

I then make the link and start /etc/init.d/net.br0 ... and again, SSH dies. I know what's happening -- the eth0 is being added to the bridge, which apparently is either redirecting to null, or not properly set up to access the outside world, resulting in the server losing net connectivity. What I don't know is how to fix it ;p

Sorry to impose so much.
MacGyver031 (Tux's lil' helper; Joined: 11 Jul 2004; Posts: 140; Location: Ilavalai, Sri Lanka)
PostPosted: Tue Oct 16, 2012 6:11 am

Here is my Config on the server.
Code:
tuntap_tap0="tap"
config_eth0="null"
config_tap0="null"

RC_NEED_br0="net.eth0 net.tap0"

depend_br0() {
        need net.eth0 net.tap0
}
bridge_br0="eth0 tap0"
config_br0="192.168.2.1/24 brd 192.168.2.255"


The first line creates a tap0 ethernet device, which will be bound to openvpn as soon as openvpn starts.

BR.
tsftd (n00b; Joined: 21 May 2011; Posts: 19; Location: Here)
PostPosted: Tue Oct 16, 2012 6:27 am

Much thanks; once I fix the server (which somehow blew up while working on this), I'll try it again. Really a lifesaver: I've got a bit of an idea on this stuff but haven't really dealt with this side of it (more the routing side), and especially having a remote term where any mistake blows up the connection and I have to reboot into rescue, fix it, and try again, it would have taken forever.

EDIT:

So, I'm getting closer -- in fact, everything but the bridge is working. I highly suspect it to be this line:
Code:
config_br0="192.168.2.1/24 brd 192.168.2.255"

Now, I assumed that this needed to be replaced by my server's default eth0 config. But I appear to have been incorrect, as that didn't work. My server does not use DHCP, and has a static IP. However, this setting of yours looks like it's actually a subnet range, so is that supposed to be for assigning an IP to the clients? And if so, how does the bridge get properly set up?

To be clear, here is my server config:
Code:
tuntap_tap0="tap"
config_eth0="null"
config_tap0="null"

RC_NEED_br0="net.eth0 net.tap0"

depend_br0() {
        need net.eth0 net.tap0
}
bridge_br0="eth0 tap0"
config_br0=( "[server ip] netmask 255.255.255.0" )
routes_br0=( "default gw [default gateway ip]" )


And my standard config:
Code:
config_eth0=( "[server ip] netmask 255.255.255.0" )
routes_eth0=( "default gw [default gateway ip]" )


With my original (no bridge), I can connect to the server's VPN and it works as expected (i.e., I can access server services, but not the internet as the bridge isn't there to transport the traffic). This means I'm sure the OpenVPN configs -- on both client and server -- are correct, and this bridge is the last hurdle.
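An added example from the editor, not from any post in the thread, for the remote-server bridging step that keeps killing the SSH session. Interface names and the addresses (192.0.2.10/24 with gateway 192.0.2.1, from the RFC 5737 documentation range) are placeholders. The by-hand sequence dies at `brctl addif br0 eth0` because from that moment frames arriving on eth0 are handed to the bridge, while the server's IP address and default route are still on eth0; doing the enslave, address move and route change in one non-interactive script keeps the gap short enough for the TCP session to ride it out, and arming a timed rollback means a mistake costs a couple of minutes instead of a rescue boot. Two caveats a practitioner would want before trying this on a rented box: MacGyver031's `config_br0="192.168.2.1/24"` is the bridge's address on his home LAN, whereas on the remote server the bridge has to carry the server's own public address and gateway (as in the second config above), and any client bridged in over tap then needs an address on that same public segment, which hosting providers commonly do not allow (port locked to one MAC address, no spare addresses). For a single box in a datacenter, tun with NAT on the server is usually the practical way to get all traffic out through it.

```shell
#!/bin/sh
# Added example (not from the thread): move a remote Gentoo server from eth0 to
# a bridge br0 = {eth0, tap0} without losing the SSH session, with a timed
# rollback. Assumptions: interface names and the 192.0.2.x addresses are
# placeholders; brctl and iproute2 are installed. DRY_RUN=1 prints commands.

IFACE="${IFACE:-eth0}"
TAP="${TAP:-tap0}"
BRIDGE="${BRIDGE:-br0}"
ADDR="${ADDR:-192.0.2.10/24}"   # server's public address (placeholder)
GW="${GW:-192.0.2.1}"           # server's default gateway (placeholder)
FLAG="${FLAG:-/run/bridge-ok}"  # operator creates this to cancel the rollback
ROLLBACK_SECS="${ROLLBACK_SECS:-120}"
DRY_RUN="${DRY_RUN:-0}"

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Enslave eth0 and tap0, then move address and default route to br0.
# From "brctl addif" on, frames arriving on eth0 belong to the bridge, so the
# address must be re-added on br0 in the same uninterrupted sequence.
bridge_up() {
    run ip tuntap add dev "$TAP" mode tap   # persistent tap for OpenVPN to attach to
    run ip link set "$TAP" up
    run brctl addbr "$BRIDGE"
    run brctl setfd "$BRIDGE" 0             # no 15 s forwarding delay on new ports
    run brctl addif "$BRIDGE" "$IFACE"
    run brctl addif "$BRIDGE" "$TAP"
    run ip link set "$BRIDGE" up
    run ip addr add "$ADDR" dev "$BRIDGE"
    run ip addr flush dev "$IFACE"          # also drops eth0's connected route
    run ip route replace default via "$GW" dev "$BRIDGE"
}

# Inverse of bridge_up: put the address and route back on eth0.
bridge_down() {
    run ip addr flush dev "$BRIDGE"
    run ip link set "$BRIDGE" down
    run brctl delif "$BRIDGE" "$TAP"
    run brctl delif "$BRIDGE" "$IFACE"
    run brctl delbr "$BRIDGE"
    run ip addr add "$ADDR" dev "$IFACE"
    run ip route replace default via "$GW" dev "$IFACE"
}

# Background timer that undoes the change unless $FLAG appears in time.
# It ignores SIGHUP so it survives the SSH session it was started from.
arm_rollback() {
    run rm -f "$FLAG"
    if [ "$DRY_RUN" = 1 ]; then
        printf 'rollback in %ss unless %s exists\n' "$ROLLBACK_SECS" "$FLAG"
        return 0
    fi
    ( trap '' HUP; sleep "$ROLLBACK_SECS"; [ -e "$FLAG" ] || bridge_down ) \
        </dev/null >/dev/null 2>&1 &
}

# Usage: bridge.sh up      (arms the rollback, then switches to the bridge)
#        bridge.sh confirm (run after reconnecting, within ROLLBACK_SECS)
#        bridge.sh down    (manual revert)
case "${1:-}" in
    up)      arm_rollback; bridge_up ;;
    confirm) run touch "$FLAG" ;;
    down)    bridge_down ;;
esac
```

Run `sh bridge.sh up` over SSH, expect the session to stall for a moment, reconnect and run `sh bridge.sh confirm` before the timer expires; if you cannot get back in, the box reverts to eth0 on its own. Once the bridge is known to work, the equivalent /etc/conf.d/net stanza (bridge_br0 with the server's own address and default route on br0, config_eth0 and config_tap0 set to null) makes it permanent, and OpenVPN's `dev tap0` then attaches to the pre-created tap.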