
Re: VPN question



On Tuesday 03 May 2005 00:22, Robert Guerra wrote:
> Can you share your configuration and how you did it? I've been
> wanting to configure openswan for some time - and would settle with
> openvpn.

I converted my old x509 CA I used for IPSec and my SSL certificates to the 
format used by the easy RSA scripts. This mostly involved copying them around 
to new locations and reconfiguring easy-rsa/vars and easy-rsa/openssl.cnf.

A little word about my setup: at the main office, my client has two class C 
networks and most workstations in 10.0.0.0/8. The objective was to connect 
branch offices to the central location so they can use parts of this address 
space as needed as well as integrate road warriors into our net so they can 
use source IP restricted services as if they were in the main office. We have 
Windows and OS X road warriors.

The central VPN terminator is called (very creatively) "vpn", the server at the 
branch "diode" which should serve 10.10.7.0/24 to its clients.

-----------------------------------------------------------------------
vpn:/etc/openvpn/diode.conf:
# act as tun server
mode server
tls-server
dev tun

# local networking setup
local vpn.example.com
proto udp
port 1195 # Use non-standard port to avoid conflict with vpn.conf

# remote networking setup
ifconfig 10.81.6.1 10.10.7.1
# capture traffic to diode
route 10.10.7.0 255.255.255.0
# contains the iroute to diode: iroute 10.10.7.0 255.255.255.0
client-config-dir ccd

# management and key config snipped

-----------------------------------------------------------------------
diode:/etc/openvpn/office.conf:
# act as client
tls-client
dev tun

# server
remote vpn.example.com 1195
proto udp

# routing setup 
ifconfig 10.10.7.1 10.81.6.1
# route to vpn.example.com outside the tunnel
route remote_host 255.255.255.255 net_gateway
# route the rest of main office through the tunnel
route 10.0.0.0 255.0.0.0
route x.y.z.0 255.255.255.0
route a.b.c.0 255.255.255.0

# management and key config snipped

-----------------------------------------------------------------------
vpn:/etc/openvpn/vpn.conf
# act as tap server
dev tap0
mode server
tls-server

# local networking setup
local vpn.example.com
proto udp
port 1194

# remote setup
push "route-gateway 10.81.6.1"
push "route-delay 10 30"
push "redirect-gateway"

# management and key config snipped

-----------------------------------------------------------------------

tap0 is statically configured to 10.81.6.1, with a DHCPd listening to provide 
IPs to the road warriors. 

The road warrior clients are configured with the respective GUIs which you can 
find on openvpn.net. The only exception was the need to add an up script to 
the OS X clients, to enable DHCP on the tap interface:

up "ifconfig tap0 up; ipconfig set tap0 DHCP; echo"




Regards, David


-- 
- hello... how are you today?
- *cough* fine *snort* *wheeze*
- thank god we communicate over a septic medium ;)
 -- Matthias Leeb, Uni f. angewandte Kunst, 2005-02-15
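As an added example (not part of David's post and not configuration shipped by the OpenVPN project): the per-client file that the `client-config-dir ccd` line in diode.conf refers to, together with the key and TLS directives both configs snip, written the way a practitioner would harden them. OpenVPN looks the client file up as `ccd/<CN>`, where `<CN>` is the common name of the client certificate, so the file name `diode` assumes the branch certificate was issued with that CN; all key paths under `/etc/openvpn/keys/` are likewise assumptions.

```conf
# vpn:/etc/openvpn/ccd/diode
# Looked up by the certificate CN of the connecting client (assumed "diode").
# iroute tells OpenVPN's internal routing which client owns 10.10.7.0/24;
# the kernel "route 10.10.7.0 255.255.255.0" in diode.conf only steers the
# packets into the tun interface, it does not pick the client.
iroute 10.10.7.0 255.255.255.0

# vpn:/etc/openvpn/diode.conf -- what the "key config snipped" part should carry
ca   /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/vpn.crt
key  /etc/openvpn/keys/vpn.key
dh   /etc/openvpn/keys/dh2048.pem
# refuse clients whose CN has no ccd file, so another certificate from the
# same CA (a road warrior, say) cannot connect here and claim a route
ccd-exclusive
# pre-shared HMAC key on the control channel: packets without a valid HMAC
# are dropped before any TLS processing (direction 0 on the server, 1 on clients)
tls-auth /etc/openvpn/keys/ta.key 0
# reject certificates the CA has revoked, e.g. a lost branch or laptop key
crl-verify /etc/openvpn/keys/crl.pem

# diode:/etc/openvpn/office.conf -- what its "key config snipped" part should carry
ca   /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/diode.crt
key  /etc/openvpn/keys/diode.key
tls-auth /etc/openvpn/keys/ta.key 1
# only accept a server certificate that the CA marked as a server certificate,
# so a client certificate from the same CA cannot pose as vpn.example.com
ns-cert-type server
```

`ns-cert-type server` relies on the nsCertType extension that easy-rsa's `build-key-server` puts into server certificates; certificates made with plain `build-key` will be rejected, which is the point. Newer OpenVPN releases spell the same check `remote-cert-tls server`. The same `ca`, `cert`, `key`, `dh`, `tls-auth` and `crl-verify` lines apply to the tap server in vpn.conf, which faces the road-warrior clients and is the more exposed of the two.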


