openvpn configuration

Kerry Hoath kerry at gotss.net
Sat May 16 03:18:53 EDT 2009


Here is a quick summary of vpns; you will really need to go read the howto
if you're serious about getting this to work. It is far from trivial and the
time you spend setting this up might not be worth the effort.
Have you considered hamachi (www.hamachi.cc)? I know the free services have
security problems but it might do what you want.


openvpn: accessing the internet from remote pcs using your home net connection.
This is possibly far more complex than you think...

A vpn is a virtual private network.
A virtual private network is using the internet to carry secure traffic from
one machine or subnet to another over a virtual connection.

This is virtual in the sense that the network adapter on each end of the vpn
does not physically exist, it is a software construct.
Regardless of this you need to decide how you want to handle traffic as far
as routing and the like. Let us work an example.

We have a home pc that we wish to access over the internet from an arbitrary
location.


For ease we'll assume the ip of the home pc is static, and behind a nat
router or similar.
Internet hands us 123.123.123.123 on the home pc and we have an internal ip
of 192.168.1.100

we want access to 192.168.1.100 when we connect in from our pc wherever it
is.
there are 2 ways to achieve this with openvpn, with a bridged vpn or a
routed vpn, we'll briefly explain both:

routed vpn: This style of vpn needs an ip address for each end of the vpn
link, and you route traffic over the vpn to the remote endpoint. We'll make
the addresses for the vpn different to distinguish them.

we've decided that our vpn subnet will be 10.20.30.0/30 with addresses taken
from this range.
you are using static keys so we have one client and one server.
your server will be 10.20.30.2 and your client will be 10.20.30.3 on the
vpn.
These are addresses used by openvpn itself to route traffic.

this means on the client we will end up with a point to point link from
10.20.30.3 to 10.20.30.2.
On the server it is from 10.20.30.2 to 10.20.30.3.

If we set stuff up correctly we can talk to your home pc on either the
actual address or the virtual one.

we tell the client it is to connect to 123.123.123.123 so we use
remote 123.123.123.123 1194
on 123.123.123.123 we forward port 1194 to internal host 192.168.1.100.
the 2 openvpn processes connect and you end up with a tun interface under
Windows with
10.20.30.3 pointopoint 10.20.30.2 netmask 255.255.255.252

If you have ipv4 forwarding enabled on your home pc, you can now talk to
10.20.30.2 from your remote client, and also 192.168.1.100 but you can't get
to the internet from here and you can't get to anything else on your subnet.

To get to the rest of your home subnet your router machine needs to have a
route back to the vpn box i.e. 10.20.30.0/30 gw vpnbox

If you don't have ip forwarding enabled you'll reach 10.20.30.2 and nothing
else however usually most services listen on 0.0.0.0 so this will allow you
to ssh in or use a proxy on that box etc.

What we have is a routed vpn. Traffic destined for 10.20.30.2 from your
remote takes this path:

remote box, 10.20.30.3 -> encapsulate in ethernet frame and compress, tunnel
over vpn.
vpn sends packets to remote 123.123.123.123 on port 1194; packets are
decapsulated and received on tun0 of the server at address 10.20.30.2.

If you want to access the internet from your remote pc using your home
internet connection you need to arrange for the vpn server to nat for
10.20.30.0/30 using iptables.
Firewall must accept all traffic from tun0, and allow ip forwarding between
tun0 and your internet facing interface.

If you set the default gateway to your home vpn box without taking special
steps you'll knock out the ability of the client to send packets to the
internet thereby stopping the vpn dead in its tracks.

Essentially resetting the default route will knock the tree branch that you
are standing on out from under you.

What needs to happen is a route to 123.123.123.123/32 needs to go through
your current default gateway _before_ you set your 0.0.0.0 route to point to
10.20.30.2.


bridged solution:
An ethernet bridge is a device that connects 2 network segments together.
The Linux bridging code and the Windows code support spanning tree and will
take care of traffic loops.
To do a bridged vpn you need to use tap0 not tun0. tap0 deals with ethernet
frames and can pass any protocol not just tcp/ip.
configure a bridge on the linux box with something like
openvpn mktun tap0
brctl addbr br0
brctl addif br0 eth0 tap0
ifconfig br0 192.168.1.100

The ip address needs to be assigned to the bridge, not any of the individual
interfaces on the bridge.
Debian's ifup and ifdown scripts have support for bridges, you want a bridge
between your ethernet and tap0 interface, googling will give you solutions
to this.

once you connect to the bridge under Windows, you end up with a virtual
interface connected to your remote subnet.
You get handed an address either by openvpn's bridging code, or the remote
dhcp server on your remote subnet.
Problem is if you get handed a default gateway you'll knock out your
connection to the internet.
On our earlier example you will end up with an address on the
192.168.100.0/24 subnet on your client's tap0.

You won't have a default gateway though so either use a proxy or investigate
routed vpn.
Talk to me off-list about possibly getting the openvpn book if you really
want to persist with this.
Regards, Kerry.
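As an added illustration, not part of Kerry's message or of OpenVPN, of the default-route trap described above: a small longest-prefix-match model of the client's routing table, using the thread's addresses (123.123.123.123 as the home endpoint, 10.20.30.2/10.20.30.3 on the tunnel). The remote LAN 192.168.5.0/24, its gateway 192.168.5.1 and the interface names are constructed.

```python
"""Model of the remote client's route table before and after 'redirect-gateway'.

Not OpenVPN code. It shows why a /32 host route to the VPN endpoint must go via
the original gateway before 0.0.0.0/0 is repointed at the tunnel: without it the
encrypted UDP/1194 packets themselves match the new default route and would be
fed back into tun0, and the tunnel dies. Addresses from the thread; the remote
LAN (192.168.5.0/24 via 192.168.5.1 on wlan0) is a constructed example.
"""
import ipaddress

class RouteTable:
    def __init__(self):
        self.routes = []  # (network, gateway or None, interface)

    def add(self, prefix, gateway, iface):
        self.routes.append((ipaddress.ip_network(prefix), gateway, iface))

    def replace_default(self, gateway, iface):
        # Equivalent of deleting the 0.0.0.0 route and re-adding it via the VPN.
        self.routes = [r for r in self.routes if r[0].prefixlen != 0]
        self.add("0.0.0.0/0", gateway, iface)

    def lookup(self, dst):
        # Longest-prefix match: the most specific network containing dst wins.
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if addr in r[0]]
        if not matches:
            return None
        _net, _gw, iface = max(matches, key=lambda r: r[0].prefixlen)
        return iface

def client_table(add_host_route):
    """Build the client's table, optionally with the /32 route to the endpoint."""
    t = RouteTable()
    t.add("192.168.5.0/24", None, "wlan0")           # constructed remote LAN
    t.add("0.0.0.0/0", "192.168.5.1", "wlan0")       # original default gateway
    t.add("10.20.30.0/30", None, "tun0")             # p-t-p link openvpn brings up
    if add_host_route:
        # Pin the VPN endpoint to the physical path *before* moving the default.
        t.add("123.123.123.123/32", "192.168.5.1", "wlan0")
    t.replace_default("10.20.30.2", "tun0")          # send the internet via the VPN
    return t

def tunnel_survives(add_host_route):
    """True if packets to the VPN endpoint still leave on the physical interface."""
    return client_table(add_host_route).lookup("123.123.123.123") == "wlan0"

if __name__ == "__main__":
    for flag in (False, True):
        print("host route" if flag else "no host route", "->",
              "tunnel ok" if tunnel_survives(flag) else "tunnel loops into itself")
```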

----- Original Message ----- 
From: "Tyler Littlefield" <tyler at tysdomain.com>
To: "Speakup is a screen review system for Linux." <speakup at braille.uwo.ca>
Sent: Friday, May 15, 2009 11:44 PM
Subject: Re: openvpn configuration


> ips outside the subnet? I know what a subnet is, but I'm not sure what 
> your talking about there. I have to use ifconfig x.x.x to x.x.x which 
> means that I need to set up an IP or... something.
>
> Thanks,
> Tyler Littlefield
> Web: tysdomain.com
> email: tyler at tysdomain.com
> My programs don't have bugs, they're called randomly added features.
>
> ----- Original Message ----- 
> From: "Kerry Hoath" <kerry at gotss.net>
> To: "Speakup is a screen review system for Linux." 
> <speakup at braille.uwo.ca>
> Sent: Friday, May 15, 2009 9:29 AM
> Subject: Re: openvpn configuration
>
>
>> then apply my suggestions and get back to me with results. i've made a 
>> number of suggestions in the previous message but have had no feedback.
>> I'd suggest a routed vpn, dev tun, ips outside your subnet, get your 
>> server to nat for the vpn.
>> regards, Kerry.
>>
>> ----- Original Message ----- 
>> From: "Tyler Littlefield" <tyler at tysdomain.com>
>> To: "Speakup is a screen review system for Linux." 
>> <speakup at braille.uwo.ca>
>> Sent: Friday, May 15, 2009 9:51 PM
>> Subject: Re: openvpn configuration
>>
>>
>>> I don't mind you not debugging. I'd like to learn, basically I just want 
>>> something that will route all network traffic through the vpn, for when 
>>> I'm at other places, not just school.
>>>
>>> Thanks,
>>> Tyler Littlefield
>>> Web: tysdomain.com
>>> email: tyler at tysdomain.com
>>> My programs don't have bugs, they're called randomly added features.
>>>
>>> ----- Original Message ----- 
>>> From: "Kerry Hoath" <kerry at gotss.net>
>>> To: "Speakup is a screen review system for Linux." 
>>> <speakup at braille.uwo.ca>
>>> Sent: Friday, May 15, 2009 6:38 AM
>>> Subject: Re: openvpn configuration
>>>
>>>
>>>> With a static key there is one client and one server, openvpn can not 
>>>> handle more than one client per instance.
>>>> You'd need to launch one instance of openvpn for each client connecting 
>>>> on a different port.
>>>>
>>>>
>>>> ip addresses must be outside your network for the vpn; if using a 
>>>> routed vpn.
>>>> If using a bridge i'd assume you have bridged tap0 on your server to an 
>>>> ethernet interface on your subnet as described in the bridging 
>>>> mini-howto on the openvpn site.
>>>>
>>>> If you intend to bridge; handing out a default gateway to your client 
>>>> pc isn't trivial.
>>>>
>>>> Perhaps you should consider getting your hands on the building vpn 
>>>> networks with openvpn from pakt publishing book it is easy to follow.
>>>>
>>>> Also specifying what you exactly want to achieve in terms of vpns and 
>>>> networks might allow people to give you more directed help.
>>>> I'm personally not debugging your config files but someone else might 
>>>> be more kind; it's hints only.
>>>>
>>>> You must have either dev tap or dev tun on *both* ends of the 
>>>> connection, you can not mix and match.
>>>> tun is routed, vpn ips outside your subnet with appropriate routing.
>>>>
>>>> dev tap is bridge, bridge the tap0 and eth0 interfaces making sure you 
>>>> openvpn mktun the tap0 interface first.
>>>>
>>>> Regards, Kerry.
>>>>
>>>> ----- Original Message ----- 
>>>> From: "Tyler Littlefield" <tyler at tysdomain.com>
>>>> To: "Speakup is a screen review system for Linux." 
>>>> <speakup at braille.uwo.ca>
>>>> Sent: Friday, May 15, 2009 7:22 PM
>>>> Subject: Re: openvpn configuration
>>>>
>>>>
>>>>> The static key shows ifconfig x.x.x.x to x.x.x.x, sounds like there 
>>>>> isn't much handed out there...
>>>>>
>>>>>
>>>>> Thanks,
>>>>> Tyler Littlefield
>>>>> Web: tysdomain.com
>>>>> email: tyler at tysdomain.com
>>>>> My programs don't have bugs, they're called randomly added features.
>>>>>
>>>>> ----- Original Message ----- 
>>>>> From: "Kerry Hoath" <kerry at gotss.net>
>>>>> To: "Speakup is a screen review system for Linux." 
>>>>> <speakup at braille.uwo.ca>
>>>>> Sent: Thursday, May 14, 2009 10:34 PM
>>>>> Subject: Re: openvpn configuration
>>>>>
>>>>>
>>>>>> ip is handed out by openvpn from your server.
>>>>>> If you want the same ip every time then set that up on openvpn to do 
>>>>>> that, see the static key mini howto on the subject.
>>>>>>
>>>>>> You should not need to use ifconfig on the client side to set ips on 
>>>>>> tunnel let openvpn pull the necessary options from the server.
>>>>>> I use a routed vpn all the time and always get the same ip from my 
>>>>>> server, vpn ip that is.
>>>>>> Regards, Kerry.
>>>>>>
>>>>>> ----- Original Message ----- 
>>>>>> From: "Tyler Littlefield" <tyler at tysdomain.com>
>>>>>> To: "Speakup is a screen review system for Linux." 
>>>>>> <speakup at braille.uwo.ca>
>>>>>> Sent: Friday, May 15, 2009 11:35 AM
>>>>>> Subject: Re: openvpn configuration
>>>>>>
>>>>>>
>>>>>>> It's fine. kids have exploits they run on the servers, but I'm not 
>>>>>>> that stupid. vpn is a lot more um, quiet, so I doubt they'll care as 
>>>>>>> much over the kids running exploits when they want to log to 
>>>>>>> facebook. Not like I'm looking at porn, just want to be able to do 
>>>>>>> research. Anything with phpbb is blocked, and I'm frequently reading 
>>>>>>> articles.
>>>>>>> When I try to set up tun, I need to use ifconfig to set up the 
>>>>>>> tunnel; I won't always have the same IP, though.
>>>>>>>
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Tyler Littlefield
>>>>>>> Web: tysdomain.com
>>>>>>> email: tyler at tysdomain.com
>>>>>>> My programs don't have bugs, they're called randomly added features.
>>>>>>>
>>>>>>> ----- Original Message ----- 
>>>>>>> From: "Kerry Hoath" <kerry at gotss.net>
>>>>>>> To: "Speakup is a screen review system for Linux." 
>>>>>>> <speakup at braille.uwo.ca>
>>>>>>> Sent: Thursday, May 14, 2009 9:22 PM
>>>>>>> Subject: Re: openvpn configuration
>>>>>>>
>>>>>>>
>>>>>>>> Firstly:
>>>>>>>> understand the difference between tun and tap.
>>>>>>>> You must use the *same* on both ends, tun for routed vpn, tap for 
>>>>>>>> bridged.
>>>>>>>>
>>>>>>>> decide whether you want routed or bridged and set up accordingly.
>>>>>>>> Info on openvpn.net on which is best, routed is more scalable and 
>>>>>>>> there are tricks to hand out a default gateway on a bridged setup.
>>>>>>>>
>>>>>>>> these tricks may or may not work with Windows openvpn client see 
>>>>>>>> faq files.
>>>>>>>>
>>>>>>>> I'd set up dev tun on both ends and make sure you can see the other 
>>>>>>>> end of your tunnel.
>>>>>>>> Best to make connectivity work before you mess with default routes 
>>>>>>>> etc.
>>>>>>>>
>>>>>>>> Is it worth noting here that you are probably violating policy by 
>>>>>>>> punching holes through a firewall?
>>>>>>>> be aware in case admin comes down on you.
>>>>>>>>
>>>>>>>> Regards, Kerry.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> ----- Original Message ----- 
>>>>>>>> From: "Tyler Littlefield" <tyler at tysdomain.com>
>>>>>>>> To: "Speakup is a screen review system for Linux." 
>>>>>>>> <speakup at braille.uwo.ca>
>>>>>>>> Sent: Friday, May 15, 2009 3:08 AM
>>>>>>>> Subject: openvpn configuration
>>>>>>>>
>>>>>>>>
>>>>>>>>> Hello list,
>>>>>>>>> I'm currently trying to get openvpn going. I have the port open, 
>>>>>>>>> but it's not letting me forward all traffic through, for some 
>>>>>>>>> reason. Any ideas? I've provided my configs below
>>>>>>>>> #server:
>>>>>>>>> dev tun
>>>>>>>>> secret static.key
>>>>>>>>> keepalive 10 60
>>>>>>>>> ping-timer-rem
>>>>>>>>> persist-tun
>>>>>>>>> persist-key
>>>>>>>>> user nobody
>>>>>>>>> group nobody
>>>>>>>>> daemon
>>>>>>>>> plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so login
>>>>>>>>> push "redirect-gateway def1"
>>>>>>>>> #client:
>>>>>>>>> dev tap
>>>>>>>>> remote tds-solutions.net
>>>>>>>>> secret C:/static.key
>>>>>>>>> keepalive 10 60
>>>>>>>>> ping-timer-rem
>>>>>>>>> persist-tun
>>>>>>>>> push "redirect-gateway def1"
>>>>>>>>> resolv-retry infinite
>>>>>>>>> nobind
>>>>>>>>> proto udp
>>>>>>>>> I want to be able to connect from multiple sources, so I used dev 
>>>>>>>>> tap.
