Gentoo Forums
OpenVPN setup between 2 servers
Gentoo Forums Forum Index :: Documentation, Tips & Tricks
frising
n00b
Joined: 22 Jul 2003
Posts: 15
Location: Sweden

Posted: Thu Oct 20, 2005 8:21 pm    Post subject: OpenVPN setup between 2 servers

My goal was to create a secure VPN communication between two servers and to make it possible to use this VPN channel from any client on each server side. I had never really used VPN before so I decided to use OpenVPN because it isn't too hard to set up. If you find anything stupid or something that could be improved, please let me know.

[Subnet L - 192.168.0.0/24] --eth0- [Server L] -eth1(DHCP)---- Internet ----(DHCP)eth0- [Server R] -eth1--- [Subnet R - 192.168.1.0/24]

[Server L]-tap0(IP from Server R)-eth1----Internet-----eth0-tap0(192.168.4.1)-[ServerR]

I decided to go for the ethernet bridging solution. This simply means that eth1 and the virtual network card to server L (tap0) will be merged into a single virtual card (br0) on the OpenVPN server.

Steps to do on Server R as root (OpenVPN server):
1. emerge openvpn bridge-utils

2. Add support for tap/tun and bridging in the kernel.
Quote:
Networking -> Networking options -> 802.1d Ethernet Bridging
Device Drivers -> Network device support -> Universal TUN/TAP device driver support


3. You may have to do:
Code:
mkdir /dev/net
mknod /dev/net/tun c 10 200

if /dev/net and /dev/net/tun do not exist.

4. Create a script for starting the tap0 device
nano -w /etc/init.d/net.tap0
Code:
#!/sbin/runscript

start() {
ebegin "Bringing tap0 up"
/usr/sbin/openvpn --mktun --dev tap0
/sbin/ifconfig tap0 up
eend $?
}

stop() {
ebegin "Bringing tap0 down"
/sbin/ifconfig tap0 down
eend $?
}


5. Create a script for starting the bridge
Code:
ln -s /etc/init.d/net.lo /etc/init.d/net.br0


nano -w /etc/conf.d/net
Code:
#
# eth0
#
iface_eth0="dhcp"
dhcpcd_eth0="-N"

#
# eth1
#
# iface_eth1="192.168.1.1 broadcast 192.168.1.255 netmask 255.255.255.0"
iface_eth1=( "null" )

# br0
depend_br0() {
  need net.tap0 net.eth1
}
brctl_br0=( "setfd 0" "sethello 0" "stp off" )
bridge_br0="tap0 eth1"
config_br0=( "192.168.1.1/24" )


Then do
Code:
rc-update add net.br0 default


6. Create a directory in /etc/openvpn for the server configuration. Then create local.conf in that directory.

local.conf
Code:
#
# OpenVPN 2.0 server configuration
#
# server: Server R
# client: Server L
#

# Which TCP/UDP port should OpenVPN listen on?
port 1195

# TCP or UDP server?
proto udp

# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
dev tap0

# Configure server mode for ethernet bridging.
server-bridge 192.168.1.1 255.255.255.0 192.168.1.100 192.168.1.120

# Certificates and keys
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh1024.pem
tls-auth keys/tls-auth.key 0

# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120

# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
comp-lzo

# The maximum number of concurrently connected
# clients we want to allow.
max-clients 1

# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
user nobody
group nobody

# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun

# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status openvpn-status.log

# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 4


7. Create a directory called keys in the directory you created above. Generate the following certificates and keys:
Code:
keys/ca.crt
keys/server.crt
keys/server.key
keys/dh1024.pem
keys/tls-auth.key

and the keys for Server L:
Code:
client.crt
client.key

by first studying http://openvpn.net/howto.html.

8. Restart eth1 and startup the bridge and the openvpn server.

Code:
/etc/init.d/net.eth1 restart
/etc/init.d/net.br0 start
/etc/init.d/openvpn start


Code:
rc-update add openvpn default


9. Make the traffic to Server L from the local LAN at Server R go via the VPN channel.
Code:
route add -net 192.168.0.0 netmask 255.255.255.0 dev br0
route add -net 192.168.0.0 netmask 255.255.255.0 gw 192.168.0.1 dev br0

If this isn't done, Server R won't be able to reach the 192.168.0.0 subnet on Server L, because Server R will route that traffic to the default destination, the Internet. Note that Server R can reach Server L's virtual IP address in any case.

10. Configure your firewall to allow communication as you like. If you use shorewall the routeback option can be interesting for the br0 interface in /etc/shorewall/interfaces. With that option the Server L will be able to contact the 192.168.1.0 subnet on Server R.

Steps to do on the client as root:
1. emerge openvpn

2. Add support for tap/tun in the kernel.
Device Drivers -> Network device support -> Universal TUN/TAP device driver support

3. You may have to do:
Code:
mkdir /dev/net
mknod /dev/net/tun c 10 200

if /dev/net and /dev/net/tun do not exist.

4. Create a new directory in /etc/openvpn/ for the Server L configuration.

5. Add a file in that directory called local.conf

local.conf
Code:
#
# OpenVPN client configuration
#
# client: Server L
# server: Server R

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Device type
dev tap

# tcp or udp
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote [Server R] 1195

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
user nobody
group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# Certificates and keys
tls-client
ca keys/ca.crt
cert keys/client.crt
key keys/client.key
tls-auth keys/tls-auth.key 1

# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server".  The build-key-server
# script in the easy-rsa folder will do this.
ns-cert-type server

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

# Set log file verbosity.
verb 4


6. Transfer over a secure channel (perhaps scp) the necessary certificates and keys to the client according to the howto http://openvpn.net/howto.html.

7. Start the VPN client
Code:
/etc/init.d/openvpn start


Code:
rc-update add openvpn default


8. Modify the firewall settings at server L to allow communication as you like.

9. Enjoy


I hope that I haven't missed any important step...

Good luck!
Philip

Ref material:
http://openvpn.net/howto.html
http://openvpn.net/bridge.html
https://forums.gentoo.org/viewtopic-t-184737.html
http://www.shorewall.net/OPENVPN.html
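An added consistency check for the two local.conf files in the post above (example code, not part of the original post or of OpenVPN): it parses both configs and flags the mismatches that silently break the tunnel (port/proto, tap vs tun, comp-lzo on one side only, tls-auth key direction) or weaken it (client not pinning the server certificate type). The sample config texts are constructed from the post's configs; the remote host name is a placeholder.

```python
# Added example, not from the original post: parse the server and client
# local.conf above and flag mismatches that break or weaken the tunnel.
# Sample texts are constructed from the post; the remote host is a placeholder.
import shlex
SERVER_CONF = """port 1195
proto udp
dev tap0
tls-auth keys/tls-auth.key 0
comp-lzo
"""
CLIENT_CONF = """client
dev tap
proto udp
remote server-r.example.invalid 1195   # placeholder for [Server R]
tls-auth keys/tls-auth.key 1
ns-cert-type server
comp-lzo
"""

def parse(text):
    """Return {directive: [args]}; '#' starts a comment, first occurrence wins."""
    conf = {}
    for line in text.splitlines():
        words = shlex.split(line.split("#", 1)[0])
        if words:
            conf.setdefault(words[0], words[1:])
    return conf

def check_pair(server_text, client_text):
    s, c = parse(server_text), parse(client_text)
    findings = []
    # Transport: the client's 'remote host port' must match the server's port/proto.
    remote = c.get("remote", [])
    if len(remote) < 2 or remote[1] != s.get("port", ["1194"])[0]:
        findings.append("remote port does not match server port")
    if s.get("proto", ["udp"])[0] != c.get("proto", ["udp"])[0]:
        findings.append("proto mismatch")
    # Device type (tap vs tun) must agree; drop the unit number (tap0 -> tap).
    dev = lambda conf: conf.get("dev", [""])[0].rstrip("0123456789")
    if dev(s) != dev(c):
        findings.append("dev type mismatch (tap/tun)")
    # comp-lzo must be set on both sides or on neither.
    if ("comp-lzo" in s) != ("comp-lzo" in c):
        findings.append("comp-lzo enabled on only one side")
    # tls-auth on both sides with opposite key directions (server 0, client 1).
    st, ct = s.get("tls-auth", []), c.get("tls-auth", [])
    if len(st) < 2 or len(ct) < 2 or {st[1], ct[1]} != {"0", "1"}:
        findings.append("tls-auth missing or key directions are not 0/1")
    # The client should pin the server certificate's role (ns-cert-type server).
    if "ns-cert-type" not in c and "remote-cert-tls" not in c:
        findings.append("client does not verify the server certificate type")
    return findings
```

Run `check_pair` on the real files by reading them with `open(path).read()`; an empty list means the pair is consistent on the points checked.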