Archive for the linux Category

On linux, by default, even when you have multiple network interfaces, you can only have 1 default gateway. This wasn’t working out for me because I had traffic coming in from network 2 routed back to the originator through network 1 and dropped because return packets were coming from an unknown source. Using the old route tool, you are only able to specify a specific gateway for a specific network, but this wouldn’t work out because traffic from both network 2 and 1 came from the internet. We couldn’t segment on that. So what to do?

iproute2 to the rescue!

You can set up rules that traffic from a specific IP address on a specific interface is routed through a separate gateway than the default gateway. Here’s the code I used:


echo "1 rt2" >> /etc/iproute2/rt_tables
ip route add 192.168.2.0/24 dev tun0 src 192.168.2.2 table rt2
ip route add default via 192.168.2.1 dev tun0 table rt2
ip rule add from 192.168.2.2/32 table rt2
ip rule add to 192.168.2.2/32 table rt2

192.168.2.0 is network 2.
192.168.2.2 is the 2nd IP address on network 2.
192.168.2.1 is network 2 gateway.

This should work without disrupting regular traffic on the default gateway. Only traffic received from the secondary NIC/IP will be routed to the secondary gateway.

More reading…

OpenVPN Installation

| September 3rd, 2010

UPDATE: I realize I cannot cover everything in one post, so I’m breaking my openvpn discussions into several sessions as I work on openvpn. This first session will just be about installing and connecting client(s) to one server without any routing.

I keep forgetting how to configure OpenVPN and it’s so annoying reading the same HOWTO a dozen times! The problem is I only setup VPN once a year and I forget it afterwards, so this post is partially for my own personal reference.

sudo apt-get install openvpn

Decision #1 (out of many!) – PKI (Public Key Infrastructure) or Static keys..

PKI:  More complex to setup, but more secure, supports multiple clients
Static: Very simple to setup (1 command), insecure (all traffic could be decrypted if the static.key file is lost), only supports 1 client

Static Keys Setup:

The openVPN tutorial is simple enough to follow so I am just going to link it here. You can add commands such as port 443 or proto tcp-server and route, but be warned! Push commands do not work from the server! You need some tls-mode which is not available using a static key. I wasted some time trying to debug this and wondered why my push commands were not being honored until I explicitly placed pull in the client config and found out:

Options error: Parameter –pull can only be specified in TLS-mode, i.e. where –tls-server or –tls-client is also specified.

Public Key Infrastructure (PKI) Setup:

# setup CA & key-generating server
sudo mkdir /etc/openvpn/easy-rsa/
sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
sudo chown bashusr: /etc/openvpn/easy-rsa

# create keys
vi /etc/openvpn/easy-rsa/vars # set defaults for state, country, email, etc.
source vars
./clean-all
./build-ca
./build-dh

./build-key-server server

./build-key no_password_client
./build-key-pass client_with_password

cd keys
cp ca.crt server.crt server.key dh1024.pem /etc/openvpn/

scp ca.crt no_password_client.crt no_password_client.key remoteclient:/etc/openvpn/

# you can find this configuration file online here too
sudo bash -c ‘gzip -dc /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf’

Choices choices… At this point, you (or I?) have to decide whether to do ethernet bridging or routing, here’s a simple rundown:

TUN: Ethernet Routing (different networks), good for site to site, client to site, or site to client connections

TAP: Ethernet Bridging (same network), good for client to site – simplified setup (setup instructions)

(Note to self, you’ll need to use TUN if you want to do any routing!)

Go through the config file reading the descriptions to each line. Remember, this is just a reference… you should have a general idea what you want to do with the IP addresses, if not… read the full howto! You shouldn’t be here! After you’re done, create a corresponding client.conf and install it on the client. Then test the configuration using:

openvpn –config CONFIGFILE.conf

If the connection establishes, you’re all set! Now, make sure if you’re behind a router, that you forward the appropriate ports so you can connect from outside your network. Also, setup the service (on ubuntu, you don’t have to do anything) so it runs automatically on startup.

/etc/init.d/openvpn start

Stay tuned for future posts on VPN routing…