tsftd n00b
Joined: 21 May 2011 Posts: 20 Location: Here
Posted: Fri Oct 12, 2012 3:29 am Post subject: OpenVPN as a complete encryption solution
OK, so I've got OpenVPN installed and running, and can connect to it no problem. Unfortunately, at this point I'm starting to get out of my depth. After a couple of hours on google and searching this forum, I still can't really understand what I need to do or how to do it, so I'm asking for some help.
The goal is to set up a VPN to my server and route ALL of my traffic through it. I *could* of course use an SSH tunnel, but I'm trying to get a solution that needs to be set up once and then works for everything, and from my understanding a VPN is the best way to accomplish this (if not, please correct me). I need both the traffic AND the destination of that traffic to be encrypted (i.e., a simple proxy will not work, as the destination address is still visible to anyone snooping).
As a simple diagram: PC<-encrypted->Server<----->endpoint (for all traffic)
The server is Gentoo on a remote box, and the client is Windows 7. My client connects to the VPN, but has no internet access. I would assume that I need to set up some sort of routing to get it to forward the traffic, but I'm not sure exactly what I need. I've set up a Gentoo SOHO router before but this is a bit different, and I'd rather not bother with things such as firewalls (IPTables) if possible, as my computer is protected from this side and the server is fine as-is.
I know it's a bit of an open-ended question, but I'd appreciate any help.
openvpn.conf:
Code:
port [edited]
proto tcp
dev tun
ca privnet/ca.crt
cert privnet/server.crt
key privnet/server.key
dh privnet/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
client conf:
Code:
client
dev tun
proto tcp
remote [edited address] [edited port]
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
comp-lzo
verb 3
MacGyver031 Tux's lil' helper
Joined: 11 Jul 2004 Posts: 141 Location: Ilavalai, Sri Lanka
Posted: Fri Oct 12, 2012 8:46 am Post subject:
Hi,
I have some experience in doing this.
a) You should use bridging and "server-bridge". This makes the whole project simple.
b) You should use tap, because tap is an ethernet device.
c) I have done a per-client decision.
d) Using udp (connectionless), you can save some unnecessary traffic (ack).
So your server config should be modified (I have made a star where necessary):
Code:
port [edited]
*proto udp
*dev tap0
ca privnet/ca.crt
cert privnet/server.crt
key privnet/server.key
dh privnet/dh1024.pem
* server-bridge
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
Server side you should bridge tap0 and ethernet interface.
On the client:
Code:
client
*dev tap0
*proto udp
remote [edited address] [edited port]
*
*
*
*
ca ca.crt
cert client.crt
key client.key
comp-lzo
verb 3
*route-gateway <ROUTER_IP>
*redirect-gateway bypass-dhcp
What exactly happens: by bridging the openvpn interface to the internal network, you have access to your home network. With "route-gateway" and "redirect-gateway", the client uses the openvpn channel to send all requests except the point-to-point connection to your router.
This works for me.
BR.
_________________
Sincerely your
Joanand K.
MacBook Pro 5.1: 2.4GHz Core2 Duo, 4096MB, 500GB, NVidia 9400/9600 M GT
Gentoo, Kernel 3.4.9, XOrg, Fluxbox.
frostschutz Advocate
Joined: 22 Feb 2005 Posts: 2977 Location: Germany
Posted: Fri Oct 12, 2012 1:54 pm Post subject:
Have you set up your server to do NAT for your OpenVPN clients?
MacGyver031 Tux's lil' helper
Joined: 11 Jul 2004 Posts: 141 Location: Ilavalai, Sri Lanka
Posted: Fri Oct 12, 2012 4:10 pm Post subject:
frostschutz wrote: Have you set up your server to do NAT for your OpenVPN clients?
If this is a question to me, then the answer is no. Because I use tap instead of tun and bridge eth0 with tap0 on serverside, I create a transparent link between the two endpoints. This puts my laptop virtually in my home network.
There is the implementation with tun; here one has to NAT.
tsftd n00b
Joined: 21 May 2011 Posts: 20 Location: Here
Posted: Sun Oct 14, 2012 1:28 am Post subject:
OK, after editing my conf file it throws this error (in syslog):
Code:
Oct 14 03:18:01 ks357547 openvpn[4058]: Options error: --ifconfig-pool-persist must be used with --ifconfig-pool
Oct 14 03:18:01 openvpn[4058]: Use --help for more information.
Oct 14 03:18:01 /etc/init.d/openvpn[4057]: start-stop-daemon: failed to start `/usr/sbin/openvpn'
Oct 14 03:18:01 /etc/init.d/openvpn[4044]: ERROR: openvpn failed to start
I commented out the line "ifconfig-pool-persist ipp.txt" and it works; of course, I'm not sure whether that causes a problem or not.
Working on bridging now.
frostschutz Advocate
Joined: 22 Feb 2005 Posts: 2977 Location: Germany
Posted: Sun Oct 14, 2012 11:04 am Post subject:
MacGyver031 wrote: There is the implementation with tun, here one has to NAT.
And here I thought you have to NAT when you have only one public internet IP but multiple machines (server, openvpn clients, local network) behind it.
I certainly didn't try bridging a local network into a server datacenter yet.
Hu Moderator
Joined: 06 Mar 2007 Posts: 21648
Posted: Sun Oct 14, 2012 4:19 pm Post subject:
frostschutz wrote: And here I thought you have to NAT when you have only one public internet IP but multiple machines (server, openvpn clients, local network) behind it.
Yes, but that is not exactly what MacGyver031 is attempting. He wants the machines inside his LAN to think that the laptop is also inside the LAN, when in fact it is on the far end of the VPN. One way to achieve this is to issue its VPN interface an IP that the other LAN machines will consider to be local, then bridge its traffic into the LAN. Additional work would be needed if he wants the laptop to send publicly destined frames over the VPN, then out to the Internet from the home connection. This step would be useful if he expects to use the laptop on hostile networks (coffee shops, some hotels, etc.), but is unnecessary if the only point of the VPN is to access his home resources from elsewhere.
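A check that covers the Options error tsftd hit above and the tun-plus-NAT versus tap-plus-bridge distinction Hu describes, as an added example (not from this thread or from the OpenVPN project): it reads a server config and applies the same rule OpenVPN does for ifconfig-pool-persist. The config file path is an assumed argument.

```shell
#!/bin/sh
# Added example, not from the thread: a small lint for an OpenVPN server
# config. It reproduces the check behind "--ifconfig-pool-persist must be
# used with --ifconfig-pool", reports whether the chosen device type needs
# NAT (tun) or a bridge (tap), and whether clients are told to send all
# traffic through the tunnel. Argument: path to the config file.

# Print the first active line for option $2 in file $1 (comments ignored).
ovpn_opt() {
  grep -E "^[[:space:]]*$2([[:space:]]|\$)" "$1" | head -n 1
}

# Exit 0 when the config would start, 1 when OpenVPN would refuse it.
ovpn_lint() {
  cfg=$1
  rc=0
  dev=$(ovpn_opt "$cfg" dev | awk '{print $2}')
  # A client address pool exists with "server", "ifconfig-pool", or a
  # four-argument "server-bridge"; a bare "server-bridge" (DHCP proxy) has none.
  pool=0
  if [ -n "$(ovpn_opt "$cfg" server)" ] || [ -n "$(ovpn_opt "$cfg" ifconfig-pool)" ] \
     || [ "$(ovpn_opt "$cfg" server-bridge | wc -w | tr -d ' ')" -ge 5 ]; then
    pool=1
  fi
  if [ -n "$(ovpn_opt "$cfg" ifconfig-pool-persist)" ] && [ "$pool" -eq 0 ]; then
    echo "ERROR: ifconfig-pool-persist needs an address pool; bare server-bridge defines none"
    rc=1
  fi
  case $dev in
    tun*)
      echo "INFO: tun device: enable net.ipv4.ip_forward and NAT (MASQUERADE) on the uplink"
      if ! grep -Eq '^[[:space:]]*push[[:space:]]+"?redirect-gateway' "$cfg"; then
        echo "WARN: no push \"redirect-gateway\": clients will not send all traffic via the VPN"
      fi ;;
    tap*)
      echo "INFO: tap device: bridge $dev with the LAN interface; no NAT needed" ;;
    *)
      echo "ERROR: no dev line"; rc=1 ;;
  esac
  return $rc
}

if [ $# -gt 0 ]; then ovpn_lint "$1"; fi
```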
MacGyver031 Tux's lil' helper
Joined: 11 Jul 2004 Posts: 141 Location: Ilavalai, Sri Lanka
Posted: Mon Oct 15, 2012 6:24 am Post subject:
Quote: endpoint (for all traffic)
I think the configuration which I have shown should channel all traffic through the VPN.
Quote: This step would be useful if he expects to use the laptop on hostile networks (coffee shops, some hotels, etc.), but is unnecessary if the only point of the VPN is to access his home resources from elsewhere.
Hu has got it. One can also use it to make it hard for the hostile admin to track what I am doing.
tsftd n00b
Joined: 21 May 2011 Posts: 20 Location: Here
Posted: Tue Oct 16, 2012 1:53 am Post subject:
OK, so here's the deal on bridging: since it's a remote server, any time that I add eth0 to a bridge, it kills the net connection (dropping my SSH session). I'm following http://en.gentoo-wiki.com/wiki/Bridging_Network_Interfaces as a guide, obviously with the exception that instead of eth1, it's tap0.
From this section ( http://en.gentoo-wiki.com/wiki/Bridging_Network_Interfaces#Configuration ), I have tried:
ifconfig eth0 up #skip since it's already up
ifconfig tap0 up #skip since tun0 is already up
brctl addbr br0 #ok
brctl addif br0 eth0 #at this point, the ssh dies
brctl addif br0 tap0
ifconfig br0 up
Figuring that it would solve the problem (since the whole operation would take place regardless of the SSH dying), I tried the permanent setup:
In /etc/conf.d/net:
bridge_br0="eth0 tap0"
config_br0=( "[my server's ip] netmask 255.255.255.0" )
routes_br0=( "default gw [my server's default route]" )
config_eth0=( "null" )
rc_need_br0="net.eth0"
Note that I just renamed the config and routes options from "eth0" to "br0".
I then make the link and start /etc/init.d/net.br0 ... and again, SSH dies. I know what's happening: eth0 is being added to the bridge, which apparently is either redirecting to null or not properly set up to access the outside world, resulting in the server losing net connectivity. What I don't know is how to fix it ;p
Sorry to impose so much.
MacGyver031 Tux's lil' helper
Joined: 11 Jul 2004 Posts: 141 Location: Ilavalai, Sri Lanka
Posted: Tue Oct 16, 2012 6:11 am Post subject:
Here is my config on the server.
Code:
tuntap_tap0="tap"
config_eth0="null"
config_tap0="null"
RC_NEED_br0="net.eth0 net.tap0"
depend_br0() {
need net.eth0 net.tap0
}
bridge_br0="eth0 tap0"
config_br0="192.168.2.1/24 brd 192.168.2.255"
The first line creates a tap0 ethernet device, which will be bound to openvpn as soon as openvpn starts.
BR.
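The reason the SSH session dies in tsftd's post is that eth0 loses its address the moment it becomes a bridge port. The conf.d/net setup above is the persistent fix; as an added example (not from this thread or from Gentoo's netifrc), the script below does the one-off migration live with iproute2 in a single uninterrupted sequence and arms a timed rollback. Interface names, address and gateway are placeholder arguments.

```shell
#!/bin/sh
# Added example, not from the thread. Moves a remote server's IPv4 address
# from eth0 onto a new bridge br0 (with tap0 as the second port) in one
# uninterrupted sequence, so the SSH session survives instead of dying the
# moment eth0 becomes a bridge port. A timed rollback restores eth0 if the
# box is unreachable afterwards. Interface names, address and gateway are
# placeholders passed as arguments; DRY_RUN=1 prints commands instead.

run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# restore_eth ETH ADDR/PREFIX GATEWAY: undo the takeover.
restore_eth() {
  run ip link set "$1" nomaster
  run ip addr add "$2" dev "$1"
  run ip route replace default via "$3" dev "$1"
}

# arm_rollback SECONDS ETH ADDR/PREFIX GATEWAY: background timer, pid in
# ROLLBACK_PID; kill it once you have confirmed you can still log in.
arm_rollback() {
  ( sleep "$1"; restore_eth "$2" "$3" "$4" ) &
  ROLLBACK_PID=$!
}

# bridge_takeover ETH TAP BR ADDR/PREFIX GATEWAY
bridge_takeover() {
  eth=$1; tap=$2; br=$3; addr=$4; gw=$5
  run ip link add "$br" type bridge
  run ip link set "$tap" master "$br"
  # Nothing below may be interrupted: eth loses its address as soon as it is
  # enslaved, so address and default route move to br in the same breath.
  run ip addr flush dev "$eth"
  run ip link set "$eth" master "$br"
  run ip link set "$br" up
  run ip addr add "$addr" dev "$br"
  run ip route replace default via "$gw" dev "$br"
}

# Run detached so a dropped SSH session cannot abort the sequence halfway:
#   nohup sh this.sh eth0 tap0 br0 203.0.113.10/24 203.0.113.1 > takeover.log &
if [ $# -eq 5 ]; then
  arm_rollback 120 "$1" "$4" "$5"
  bridge_takeover "$@"
  echo "rollback armed for 120s, cancel with: kill $ROLLBACK_PID"
fi
```

The 203.0.113.0/24 addresses are documentation-range placeholders; substitute the server's real address and gateway from /etc/conf.d/net.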
tsftd n00b
Joined: 21 May 2011 Posts: 20 Location: Here
Posted: Tue Oct 16, 2012 6:27 am Post subject:
Many thanks; once I fix the server (which somehow blew up while working on this), I'll try it again. Really a lifesaver: I've got a bit of an idea about this stuff but haven't really dealt with this side of it (more the routing side), and especially with a remote terminal where any mistake blows up the connection and I have to reboot into rescue, fix it, and try again, it would have taken forever.
EDIT:
So, I'm getting closer -- in fact, everything but the bridge is working. I highly suspect it to be this line:
Code: config_br0="192.168.2.1/24 brd 192.168.2.255"
Now, I assumed that this needed to be replaced by my server's default eth0 config, but I appear to have been incorrect, as that didn't work. My server does not use DHCP and has a static IP. However, this setting of yours looks like it's actually a subnet range, so is that supposed to be for assigning an IP to the clients? And if so, how does the bridge get properly set up?
To be clear, here is my server config:
Code:
tuntap_tap0="tap"
config_eth0="null"
config_tap0="null"
RC_NEED_br0="net.eth0 net.tap0"
depend_br0() {
need net.eth0 net.tap0
}
bridge_br0="eth0 tap0"
config_br0=( "[server ip] netmask 255.255.255.0" )
routes_br0=( "default gw [default gateway ip]" )
And my standard config:
Code:
config_eth0=( "[server ip] netmask 255.255.255.0" )
routes_eth0=( "default gw [default gateway ip]" )
With my original (no bridge), I can connect to the server's VPN and it works as expected (i.e., I can access server services, but not the internet, as the bridge isn't there to transport the traffic). This means I'm sure the OpenVPN configs -- on both client and server -- are correct, and this bridge is the last hurdle.