Re: openvpn question



Ok. In case others besides Zenaan are interested, here is what I did
to get openvpn going, and to allow my laptop to get a public IP
address through openvpn from the /29 block of public addresses
allocated to me from my VPS provider. This setup works for my needs;
your mileage may vary, as they say. Also, as Bob pointed out, there is
more than one way to do this; my way is by no means the only one, and
probably not the best way either. The way I did this was the most
obvious way for me to accomplish what I wanted to do from my point of
view, and I am satisfied with the result. My VPS is running debian
wheezy. My laptop is running windows 7 home premium with the latest
openvpn for windows installed from http://www.openvpn.net as of this
writing. I haven't tried this on a GNU/Linux client yet, but it should
all function the same way with a linux client as far as I know.

Ok, on the VPS I have the following configuration. In
/etc/sysctl.d/local.conf, I have:

net.ipv4.ip_forward = 1

In my /etc/network/interfaces, I have:

auto eth0:0
iface eth0:0 inet static
        address laptop_public_ip
        netmask 255.255.255.248

My firewall script is simply a bash script I wrote, which calls
iptables/ip6tables to do what they do. The relevant lines from that
script are:

# set policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
 
# input rules
iptables -A INPUT -i tap0 -j ACCEPT
iptables -A INPUT -i eth0:0 -j ACCEPT

# forward rules
iptables -A FORWARD -s public_subnet/29 -j ACCEPT
iptables -A FORWARD -d public_subnet/29 -j ACCEPT
iptables -A FORWARD -s 10.28.49.0/24 -j ACCEPT
iptables -A FORWARD -d 10.28.49.0/24 -j ACCEPT

# pre/postrouting
iptables -t nat -A PREROUTING --destination laptop_public_ip -j DNAT --to-destination 10.28.49.253
iptables -t nat -A POSTROUTING -o eth0 --source 10.28.49.253 -j SNAT --to-source laptop_public_ip
 
# rules for incoming connections to accept
# openvpn
iptables -A INPUT -i eth0 -p tcp --dport 1194 -j ACCEPT


A few notes on the above are in order. My default OUTPUT policy is to
let all outbound connections through. You may want to restrict certain
outbound connections; tcp 25 comes to mind. I also allow all traffic
into the client machine. If the client machine isn't fully under your
control, or you simply don't trust it for whatever reason, you may
want to block some inbound connections on the alias interface (eth0:0
in my case). Speaking of aliases, I wasn't sure how iptables would play with
alias interfaces, but it seems to do nicely. I could have done the
same thing by restricting connections on the client's public
destination address in the INPUT chain, and by restricting them on the
public source address in the OUTPUT chain. Finally, someone will
probably point out that my way of opening tcp port 1194 in the above
example is a bit awkward. You're right. What I actually do is define a
custom input chain, have all input on eth0 jump to that chain, and
accept what I want to accept once it comes into that custom chain.

Ok, now for the actual openvpn config. I modeled my
/etc/openvpn/server.conf file on the sample server.conf.gz file that
comes in debian's openvpn package, and I assume with openvpn
itself. Explanations of all the below options are in the openvpn man
page of course:

# This file is for the server side              #
# of a many-clients <-> one-server              #
# OpenVPN configuration.                        #
port 1194
proto tcp-server
dev tap0
ca /etc/ssl/my/ca.crt
cert /etc/ssl/my/gregn.net.crt
key /etc/ssl/private/gregn.net.key
dh dh2048.pem
client-config-dir ccd
opt-verify
keepalive 10 120
max-clients 100
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
mute 20
server 10.28.49.0 255.255.255.0


A couple of notes. I don't need to create the tap0 device, openvpn
does that when it first starts. Since openvpn is only configured now
with one instance, and since nothing else on my VPS uses tap0, it's
fine for me to use dev tap0. You can instead use dev tap, but you will
need to adjust your firewalling to possibly deal with dynamic tap
devices. Using tap+ instead of tap0 with iptables should work here.
I originally started using tun devices with openvpn, and that
works fine as well. For the dh option, you will want to generate your
own dh parameters as described in the openvpn man page. You will also
of course need your own ssl certificates, either signed by you, or by
a real certifying authority.

In /etc/openvpn/ccd/laptop_common_name file, I have the following:

ifconfig-push 10.28.49.253 255.255.255.0
push "redirect-gateway def1 bypass-dhcp bypass-dns"
push "dhcp-option DNS dns_ip_one"
push "dhcp-option DNS dns_ip_two"

 
This allows the laptop to always get a static address from openvpn,
which is mapped in the firewall rules above to the laptop's public
address. If a client connects whose certificate's common name doesn't
match a file in /etc/openvpn/ccd, that client will get a dynamic
address starting with 10.28.49.2 in this case.

Ok, we're done on the VPS side, so we can now move to the laptop. The
config file I use on the laptop is modeled on the sample client.ovpn
that comes with the windows version of openvpn:

# for connecting to multi-client server.     #
client
dev tap
dev-node openvpn
proto tcp
remote vps_public_ip 1194
persist-key
persist-tun
;ns-cert-type server
verb 3
mute 20
cryptoapicert "THUMB:82 f7 ec a4 6c 1a 77 8d 10 a9 79 5d 45 55 e0 98 c7 b7 5e 19"
ca ca.crt


A few notes on this file. You will want to adjust the dev-node option
appropriately to match your setup, as described in the openvpn
documentation. You also don't need (and probably shouldn't use) the
dev-node option if the client is a linux box. You will also notice
that I have the ns-cert-type server line commented. I use my own
certifying authority to generate certificates, and feel that the
certificate revocation list on the VPS provides sufficient
security. You may want to adjust that option to match your own
setup/comfort level as far as security goes. The cryptoapicert option
is windows-specific, and uses a certificate already in windows'
certificate store. You will almost certainly want to use the cert
option on other platforms instead. If there is a way to get the
certifying authority from the windows certificate store rather than
from a file, I haven't found it.

That's it! That's my VPS and laptop configuration. If something in the
above isn't clear, or if there are other questions, I'll do my best to
answer them.

Greg


-- 
web site: http://www.gregn..net
gpg public key: http://www.gregn..net/pubkey.asc
skype: gregn1
(authorization required, add me to your contacts list first)
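As an added example (not Greg's own script), the firewall part of the setup above as a small, reviewable shell script: it prints the iptables commands for the DNAT/SNAT mapping of the laptop's OpenVPN address to its public IP, uses the dedicated input chain for eth0 that the post mentions instead of a bare `--dport 1194` rule, and matches `tap+` so a dynamically numbered tap device still works. It also checks, before applying anything, that the two addresses really fall inside their subnets. The interface names and the public addresses (a TEST-NET-3 /29) are assumed placeholders; the 10.28.49.0/24 pool and 10.28.49.253 are taken from the post. Two things differ from the rules quoted above and are worth knowing: netfilter identifies the ingress device of a packet as eth0, never as the alias label eth0:0, and traffic to the laptop's public address is DNATed in PREROUTING and therefore traverses FORWARD rather than INPUT, so an `INPUT -i eth0:0` rule is not what lets that traffic through; and with an INPUT policy of DROP, the VPS itself needs a conntrack rule to receive replies to its own outbound connections, which this script adds.

```shell
#!/bin/sh
# Added example (not the original poster's script): generate the VPS firewall
# rules described above as reviewable iptables commands, using a dedicated
# input chain for the uplink and a tap+ wildcard for the VPN side.
# The interface names and public addresses below are assumed placeholders.

WAN_IF="eth0"                    # assumed uplink interface of the VPS
VPN_IF="tap+"                    # matches tap0 and any dynamically numbered tap device
PUBLIC_SUBNET="203.0.113.8/29"   # constructed TEST-NET-3 block standing in for public_subnet/29
LAPTOP_PUBLIC_IP="203.0.113.10"  # constructed stand-in for laptop_public_ip
VPN_SUBNET="10.28.49.0/24"       # the OpenVPN pool from server.conf
LAPTOP_VPN_IP="10.28.49.253"     # the address pushed to the laptop from ccd/
OPENVPN_PORT="1194"

# Dotted quad -> integer, for the subnet check below.
ip2int() {
    addr=$1
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet ADDR NET/BITS: succeed when ADDR lies inside NET/BITS.
in_subnet() {
    net=${2%/*}; bits=${2#*/}
    mask=$(( (4294967295 >> (32 - bits)) << (32 - bits) ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Sanity check before touching the firewall: the public address must come
# from the routed /29 and the VPN address from the OpenVPN pool, otherwise
# the DNAT/SNAT pair silently maps the wrong traffic.
check_mapping() {
    in_subnet "$LAPTOP_PUBLIC_IP" "$PUBLIC_SUBNET" || { echo "public IP not in $PUBLIC_SUBNET" >&2; return 1; }
    in_subnet "$LAPTOP_VPN_IP" "$VPN_SUBNET"       || { echo "VPN IP not in $VPN_SUBNET" >&2; return 1; }
}

# Print the ruleset rather than applying it, so it can be reviewed first.
gen_rules() {
    cat <<EOF
iptables -F
iptables -t nat -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# the VPS itself needs loopback and replies to its own outbound connections
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# everything arriving over the tunnel is trusted
iptables -A INPUT -i $VPN_IF -j ACCEPT
# uplink traffic goes through a dedicated chain; only OpenVPN is opened there
iptables -N wan_in
iptables -A INPUT -i $WAN_IF -j wan_in
iptables -A wan_in -p tcp --dport $OPENVPN_PORT -j ACCEPT
# FORWARD sees the post-DNAT destination and the pre-SNAT source, so matching
# on the VPN pool covers both directions of the laptop's traffic
iptables -A FORWARD -s $VPN_SUBNET -j ACCEPT
iptables -A FORWARD -d $VPN_SUBNET -j ACCEPT
# inbound to the public address -> laptop's tunnel address, and back out
iptables -t nat -A PREROUTING -i $WAN_IF -d $LAPTOP_PUBLIC_IP -j DNAT --to-destination $LAPTOP_VPN_IP
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAPTOP_VPN_IP -j SNAT --to-source $LAPTOP_PUBLIC_IP
EOF
}

# Usage: sh vps-fw.sh show   -> print the rules for review
#        sh vps-fw.sh apply  -> as root on the VPS, check the mapping and install them
case "${1:-}" in
    show)  gen_rules ;;
    apply) check_mapping && gen_rules | sh ;;
esac
```

Run `sh vps-fw.sh show | diff - <(iptables-save | sed ...)` style comparisons, or just read the output, before using `apply`; the DNAT rule is restricted to packets arriving on the uplink so that a host inside the tunnel cannot trigger the mapping by addressing the public IP directly.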
