Archive for the openvpn Category

Masquerade NAT OpenVPN

| September 23rd, 2010

Not a full tutorial, but pointers to how I set up Masquerade NAT OpenVPN.

Primary Reading: http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing

OpenVPN Host: has a network that needs to NAT into OpenVPN client network. Internal IP: 192.168.1.5; VPN IP: 10.0.10.1/24
OpenVPN Client: NAT to internal network(s). VPN IP: 10.0.10.6; Internal network: 192.168.2.0/24

You HAVE to use client/server – no static or bridging! So you have to use TUN (makes sense since you’re doing routing here).

Start simple – Try to get the host talking with the client’s internal network before attempting, then add the rest of the network. Remember to diagnose the small pieces before trying to make sure the whole thing works.

Ok, finally commands needed:

You definitely need to set ccd and iroute. In the example, set in the server.conf:

push "route 192.168.1.0 255.255.255.0"
route 192.168.2.0 255.255.255.0

In ccd/client, place:

iroute 192.168.2.0 255.255.255.0 # lets OpenVPN know to route packets for this network to this client

That’s all you should have to do on openvpn. The rest is routing… Let’s start on the client…

enable net.ipv4.ip_forward=1 in /etc/sysctl.conf (and if you don’t want to restart, echo 1 > /proc/sys/net/ipv4/ip_forward)

Add the masquerading rule to the iptables:

iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT

Ping an internal IP address on the client side, such as 192.168.2.1, from the OpenVPN host. Troubleshoot, troubleshoot, troubleshoot…

After you get that going, let’s allow the whole OpenVPN host network to communicate with the client network. Enable IP forwarding on the OpenVPN host computer the same way: net.ipv4.ip_forward=1 in /etc/sysctl.conf (and, if you don’t want to restart, echo 1 > /proc/sys/net/ipv4/ip_forward).

On your router (in 192.168.1.0/24 network), add a routing table such as:

network: 192.168.2.0 netmask: 255.255.255.0 gateway: 192.168.1.5

Test from another computer and that should conclude the setup… Annoyingly, it took me several hours to arrive at these very simple commands.

Of course, don’t use 192.168.x.x – it’s just too crowded and you risk having overlaps unless you know for sure no one will ever connect remotely from a public network that is using one of these IPs. You are better off with a seldom used private block such as 172.16.0.0.
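Two things above are easy to get wrong by hand: the ccd iroute must have a matching route directive on the server, and none of the networks involved (the VPN pool, the pushed LAN, each client LAN) may overlap. The following checker is an added example, not part of the original post or of OpenVPN; the server.conf fragment and ccd file are constructed from the addresses in the post, and the code only parses text, it does not talk to a running OpenVPN.

```python
import ipaddress
from typing import Dict, List

# Constructed sample inputs (not a real deployment): a server.conf fragment
# and one ccd file, using the addresses from the post above.
SERVER_CONF = """\
server 10.0.10.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
route 192.168.2.0 255.255.255.0
client-config-dir ccd
"""
CCD_FILES = {
    "client": "iroute 192.168.2.0 255.255.255.0 # route this LAN to this client\n",
}


def _strip_comment(line: str) -> str:
    """Drop '#'/';' comments, both of which OpenVPN config files allow."""
    for marker in ("#", ";"):
        line = line.split(marker, 1)[0]
    return line.strip()


def _network(net: str, mask: str) -> ipaddress.IPv4Network:
    """Turn OpenVPN's 'network netmask' pair into an IPv4Network."""
    return ipaddress.IPv4Network(f"{net}/{mask}")


def parse_server_conf(text: str) -> Dict[str, List[ipaddress.IPv4Network]]:
    """Collect the 'server', 'route' and push "route ..." networks."""
    found = {"server": [], "route": [], "push_route": []}
    for raw in text.splitlines():
        parts = _strip_comment(raw).replace('"', "").split()
        if len(parts) >= 3 and parts[0] in ("server", "route"):
            found[parts[0]].append(_network(parts[1], parts[2]))
        elif len(parts) >= 4 and parts[0] == "push" and parts[1] == "route":
            found["push_route"].append(_network(parts[2], parts[3]))
    return found


def parse_ccd(files: Dict[str, str]) -> Dict[str, List[ipaddress.IPv4Network]]:
    """Collect the iroute networks declared for each client in the ccd directory."""
    iroutes = {}
    for client, text in files.items():
        nets = []
        for raw in text.splitlines():
            parts = _strip_comment(raw).split()
            if len(parts) >= 3 and parts[0] == "iroute":
                nets.append(_network(parts[1], parts[2]))
        iroutes[client] = nets
    return iroutes


def check_routing(server_text: str, ccd_files: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means the two halves agree."""
    problems = []
    conf = parse_server_conf(server_text)
    iroutes = parse_ccd(ccd_files)

    # 1. An iroute only tells OpenVPN which client owns a network; the kernel
    #    still needs a matching 'route' so packets for that network enter tun.
    for client, nets in iroutes.items():
        for net in nets:
            if not any(net.subnet_of(r) for r in conf["route"]):
                problems.append(f"{client}: iroute {net} has no matching 'route' directive")

    # 2. The VPN pool, the pushed LAN and every client LAN must be disjoint;
    #    overlapping blocks make one of the sides unreachable.
    labelled = [(f"server {n}", n) for n in conf["server"]]
    labelled += [(f"push route {n}", n) for n in conf["push_route"]]
    labelled += [(f"{c} iroute {n}", n) for c, nets in iroutes.items() for n in nets]
    for i, (name_a, net_a) in enumerate(labelled):
        for name_b, net_b in labelled[i + 1:]:
            if net_a.overlaps(net_b):
                problems.append(f"overlap: {name_a} and {name_b}")
    return problems


if __name__ == "__main__":
    for issue in check_routing(SERVER_CONF, CCD_FILES) or ["config is consistent"]:
        print(issue)
```

Run it against the real files by reading /etc/openvpn/server.conf and each file under the ccd directory into the two arguments; the sample above reports no problems, while adding a second client whose iroute has no route directive, or pushing a LAN that collides with a client LAN, produces one line per issue.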

OpenVPN TAP Bridge

| September 4th, 2010

Again, we assume you have the initial config working

We’ll be creating a bridge from the client to the local network.

First make sure bridge-utils is installed:

sudo apt-get install bridge-utils

Let's get that default config file out again:

sudo bash -c 'gzip -dc /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/bridge-vpn.conf'
sudo cp /usr/share/doc/openvpn/examples/sample-scripts/bridge-* /etc/openvpn/

Like the other site-to-client (road warrior) config, you need to enable ip_forward; refer to my previous post.

Configure bridge-vpn.conf and change the following:

#vim syntax :-)
:%s/dev tun/dev tap0/cg
:%s/^server.*/server-bridge VPNSERVERIP LOCALNETWORKMASK STARTIPLEASE ENDIPLEASE/c
# for example, server-bridge 192.168.50.10 255.255.255.0 192.168.50.130 192.168.50.150

Edit bridge-start, setting the same VPNSERVERIP, netmask and broadcast address in that file. I had to add to the end of the script:

route del $gw
route del default gw $gw $eth
route add default gw $gw $br

because my routing table was empty when br0 came online; I don’t know why.

I also added service network-manager restart in bridge-stop to restore my eth0 settings.

After this, I created a client.conf and the appropriate client keys and set dev tun too. I connected to the system and voilà! Pinging other computers in the local network works.

Original Reference: OpenVPN Ethernet Bridging

This post assumes you have a working VPN connection as outlined in my last post and that you are using a TUN device. A properly set up TAP VPN automatically has access to whatever network the host VPN server has access to.

Site to Client (Road Warrior) Setup:

First thing to do is make sure ip_forwarding is enabled on the server.

grep ip_forward /etc/sysctl.conf # ubuntu (maybe debian specific?), it’s somewhere else on redhat and other distros
net.ipv4.ip_forward=1

If it is not enabled, enable it in /etc/sysctl.conf and, to apply it immediately, do a

echo 1 > /proc/sys/net/ipv4/ip_forward

Otherwise, you’ll have to restart your system for the /etc/sysctl.conf setting to take effect.

Next, add push "route MYNETWORK MYSUBMASK" to the server.conf, for example push "route 192.168.50.0 255.255.255.0", if you are using PKI.

This will NOT work if you’re using a static key because static key clients do not honor push commands. If you’re using static keys, you have to add route MYNETWORK MYSUBMASK to the client.conf.

You’re done if the VPN server happens to also be your default gateway/router for your network, such as a DD-WRT, IPCop or pfSense box. If you’re like me, and your VPN server is different from your router, go into your router and add a route so that traffic can go back to your client. The interface name differs from router to router, but you effectively have to add:

route add -net VPNNETWORK netmask VPNSUBMASK gw VPNSERVERIP dev lan0

Ping an internal LAN IP address from a VPN client and it should work… If not, double-check your routes and make sure you have established a path to the internal network and back to the client. Remember, even if a connection starts from a client, it is still a two-way connection! There needs to be a path for packets to be sent back to the client (usually… =P unless you only want to send ping requests and get no replies!).
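To make the two-way-path point concrete, here is an added example (not from the original post) that simulates longest-prefix-match routing over a constructed topology: a LAN host at 192.168.50.20, a router at 192.168.50.1, the VPN server at 192.168.50.10 with tun0 address 10.8.0.1, and a road-warrior client at 10.8.0.6. All host names, addresses and tables are assumptions chosen to mirror the post; ip_forward is assumed to be on everywhere, firewalls are ignored, and the upstream is modelled as having no route for private address space. The client's request reaches the LAN host either way; the reply only finds its way back once the router carries the route from the route add line above.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# (destination network, gateway or None when on-link, device)
Route = Tuple[str, Optional[str], str]

# Constructed topology (assumed addresses, chosen to mirror the post):
LAN = "192.168.50.0/24"       # the office network
VPN = "10.8.0.0/24"           # the OpenVPN tun network, server side 10.8.0.1
ROUTER_IP, VPN_SERVER_IP = "192.168.50.1", "192.168.50.10"


def lookup(table: List[Route], dst: str) -> Optional[Tuple[Optional[str], str]]:
    """Longest-prefix match: (gateway, device) for dst, or None if nothing matches."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for net, gw, dev in table:
        n = ipaddress.IPv4Network(net)
        if addr in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, gw, dev)
    return None if best is None else (best[1], best[2])


def build_hosts(router_has_vpn_route: bool) -> Dict[str, dict]:
    """Routing tables of every node; the flag adds the router route from the post."""
    router_routes: List[Route] = [(LAN, None, "lan0"), ("0.0.0.0/0", "203.0.113.1", "wan0")]
    if router_has_vpn_route:
        # route add -net 10.8.0.0 netmask 255.255.255.0 gw 192.168.50.10 dev lan0
        router_routes.insert(1, (VPN, VPN_SERVER_IP, "lan0"))
    return {
        "lanhost": {"addrs": {"192.168.50.20"},
                    "routes": [(LAN, None, "eth0"), ("0.0.0.0/0", ROUTER_IP, "eth0")]},
        "router": {"addrs": {ROUTER_IP, "203.0.113.2"}, "routes": router_routes},
        "vpnserver": {"addrs": {VPN_SERVER_IP, "10.8.0.1"},
                      "routes": [(LAN, None, "eth0"), (VPN, None, "tun0"),
                                 ("0.0.0.0/0", ROUTER_IP, "eth0")]},
        # the client received push "route 192.168.50.0 255.255.255.0" over the tunnel
        "vpnclient": {"addrs": {"10.8.0.6"},
                      "routes": [(VPN, None, "tun0"), (LAN, "10.8.0.1", "tun0")]},
        # the upstream is modelled with no route for private (RFC 1918) space at all
        "internet": {"addrs": {"203.0.113.1"}, "routes": [("203.0.113.0/24", None, "wan")]},
    }


def trace(hosts: Dict[str, dict], src: str, dst: str, max_hops: int = 8) -> List[str]:
    """Follow a packet hop by hop; the last element reports failure if it never arrives."""
    owner = {ip: name for name, h in hosts.items() for ip in h["addrs"]}
    path, here = [src], src
    for _ in range(max_hops):
        if dst in hosts[here]["addrs"]:
            return path                                # delivered to its destination
        hit = lookup(hosts[here]["routes"], dst)
        if hit is None:
            return path + ["(no route)"]
        gw, _dev = hit
        nxt = owner.get(dst if gw is None else gw)    # on-link delivery or next-hop gateway
        if nxt is None:
            return path + ["(unreachable)"]
        path.append(nxt)
        here = nxt
    return path + ["(loop)"]


def request_path(router_has_vpn_route: bool) -> List[str]:
    """Client ping to the LAN host; works with or without the router route."""
    return trace(build_hosts(router_has_vpn_route), "vpnclient", "192.168.50.20")


def reply_path(router_has_vpn_route: bool) -> List[str]:
    """The LAN host's reply to 10.8.0.6; only finds its way back with the router route."""
    return trace(build_hosts(router_has_vpn_route), "lanhost", "10.8.0.6")


if __name__ == "__main__":
    for flag in (False, True):
        print(f"router route present={flag}: request {request_path(flag)}, reply {reply_path(flag)}")
```

Without the router route the reply leaves the LAN host for its default gateway, which sends it upstream where it is dropped; with the route, the router hands it to the VPN server, which delivers it over tun0. The same tracing applies to the site-to-site case in the later post: each LAN's router needs a route for the far LAN pointing at the local OpenVPN endpoint.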

OpenVPN Installation

| September 3rd, 2010

UPDATE: I realize I cannot cover everything in one post, so I’m breaking my openvpn discussions into several sessions as I work on openvpn. This first session will just be about installing and connecting client(s) to one server without any routing.

I keep forgetting how to configure OpenVPN and it’s so annoying reading the same HOWTO a dozen times! The problem is I only set up a VPN once a year and forget it afterwards, so this post is partially for my own personal reference.

sudo apt-get install openvpn

Decision #1 (out of many!) – PKI (Public Key Infrastructure) or static keys.

PKI: More complex to set up, but more secure; supports multiple clients
Static: Very simple to set up (1 command), insecure (all traffic could be decrypted if the static.key file is lost), only supports 1 client

Static Keys Setup:

The OpenVPN tutorial is simple enough to follow, so I am just going to link it here. You can add commands such as port 443 or proto tcp-server and route, but be warned! Push commands do not work from the server! You need TLS mode, which is not available with a static key. I wasted some time trying to debug this and wondered why my push commands were not being honored, until I explicitly placed pull in the client config and found out:

Options error: Parameter --pull can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified.

Public Key Infrastructure (PKI) Setup:

# set up CA & key-generating server
sudo mkdir /etc/openvpn/easy-rsa/
sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
sudo chown -R bashusr: /etc/openvpn/easy-rsa # bashusr is the user who will run the easy-rsa scripts

# create keys
cd /etc/openvpn/easy-rsa
vi vars # set defaults for state, country, email, etc.
source vars
./clean-all
./build-ca
./build-dh

./build-key-server server

./build-key no_password_client
./build-key-pass client_with_password

cd keys
cp ca.crt server.crt server.key dh1024.pem /etc/openvpn/

scp ca.crt no_password_client.crt no_password_client.key remoteclient:/etc/openvpn/

# you can find this configuration file online here too
sudo bash -c 'gzip -dc /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf'

Choices, choices… At this point, you (or I?) have to decide whether to do ethernet bridging or routing. Here’s a simple rundown:

TUN: routing at the IP layer (different networks), good for site to site, client to site, or site to client connections

TAP: Ethernet Bridging (same network), good for client to site – simplified setup (setup instructions)

(Note to self, you’ll need to use TUN if you want to do any routing!)

Go through the config file, reading the description of each line. Remember, this is just a reference… you should have a general idea of what you want to do with the IP addresses; if not, read the full HOWTO! You shouldn’t be here! After you’re done, create a corresponding client.conf and install it on the client. Then test the configuration using:

openvpn --config CONFIGFILE.conf

If the connection establishes, you’re all set! Now, if you’re behind a router, make sure you forward the appropriate ports so you can connect from outside your network. Also, set up the service (on Ubuntu, you don’t have to do anything) so it runs automatically on startup.

/etc/init.d/openvpn start

Stay tuned for future posts on VPN routing…