Joining Networks with OpenVPN

Posted by Steve on Tue 19 Oct 2004 at 18:06

Small companies and home networks are often set up with a dedicated Linux machine acting as a gateway, their bridge to the internet outside. Having a computer do the routing allows a lot more flexibility than a dedicated hardware router - for example the ability to join the network to another company's, or to let remote workers in via a VPN solution.

A typical setup would look like the diagram below - several machines all connected to a switch, and a single machine which sits between them and the internet.

Simple network diagram

A VPN is a virtual private network: something that exposes your private internal network, the 192.168.0.xx address space in the diagram above, to something remote.

The remote thing could be another branch office, a person working from their home, or a road warrior who is a travelling user.

In the Linux world there are a lot of options when it comes to running a VPN server, such as:

  • PPTPD
  • tinc
  • openvpn

pptpd is the historically preferred option, as it is compatible with the VPN client included with Windows 98 and above. However, it is not a terribly secure solution, and it requires a patched Linux kernel to support encryption, and patched copies of pppd to work with it.

The patching process rules this out in a lot of cases, and the low security rules it out a lot more.

tinc is a good solution which works very well if all people involved in using it run the same version of the software. (Unfortunately the version of tinc contained in Debian's unstable archive is incompatible with the version in Debian's stable archive).

OpenVPN is a relatively recent VPN server which is stable, secure, and very simple to set up.

The two common operations for a VPN are setting up a static connection between two offices, or two companies, and setting up a server such that a user can connect remotely.

Both are very similar setups but to make the demonstration more interesting we will focus upon the former.

This setup will allow every machine on the internal network of one company to talk to every machine on the second company's internal network.

The requirements are only that the two gateway machines run Linux, and you have root access on both of them.

We will assume that the companies are:

Name            Company Foo, Inc           Company Bar, Inc
-------------------------------------------------------------
Internal LAN    192.168.0.0/24             10.0.0.0/24
External IP     gateway.foo.com            gateway.bar.com

Here we can see the gateways both have DNS entries for their external IP address (although IPs work just as well), and that the internal networks are different. (You can have overlapping ranges if you must, but it's a pain and NATing is involved. Ugh).

As both gateway machines are running Debian stable you will discover that openvpn isn't available - it's only in the unstable archive. This will be resolved as soon as Sarge is released, but in the meantime you will have to install a backport.

Add the following lines to your /etc/apt/apt.sources file:

# OpenVPN support for Woody
deb http://www.backports.org/debian/ woody openvpn

Now you can install the server, by running the following two commands as root:

apt-get update
apt-get install openvpn

After the package has been downloaded you will be asked whether you wish to create a TUN/TAP device. This is the device that all the traffic will be routed across - so say Yes.

Repeat this process on the other gateway box and we're ready to actually configure the two halves to talk to each other.

The first thing to do is install the tun module, and make sure it is installed when the machine boots.

This can be done by running the following two commands, as root:

modprobe tun
echo 'tun' >> /etc/modules

Next we have to choose a pair of addresses for the private tunnel devices. These should be private addresses which aren't used for anything else.

To make it obvious that they are not local addresses I've chosen the endpoints as follows:

Name            Company Foo, Inc           Company Bar, Inc
-------------------------------------------------------------
Internal LAN    192.168.0.0/24             10.0.0.0/24
External IP     gateway.foo.com            gateway.bar.com
Tunnel Devices  10.99.99.1                 10.99.99.2

This is all the setup we need to do. Next we actually start the VPN daemons and point them at each other.

On the Foo, Inc gateway start the server and point it at the Bar, Inc gateway:

openvpn --remote gateway.bar.com --dev tun1 --ifconfig 10.99.99.1 10.99.99.2 --verb 9

On the other side do the process in reverse:

openvpn --remote gateway.foo.com --dev tun1 --ifconfig 10.99.99.2 10.99.99.1 --verb 9

This should give you some diagnostic information, and set up a tunnel with a private address, 10.99.99.1 on gateway.foo.com, and 10.99.99.2 on gateway.bar.com.

Run ifconfig -a and you should see the new address on each machine.

The only thing to do next is setup routing.

As each gateway machine only knows about its internal LAN addresses (the machines in the 192.168.0.0 network, or the 10.0.0.0 network respectively) we need to tell the gateways how to get to the internal machines of the other company.

To set up routing on Foo's gateway we need to tell it how to reach the 10.0.0.0 network on the other company's LAN.

Similarly we need to tell Bar's gateway how to reach the Foo internal network.

On gateway.foo.com:

route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.99.99.1

This tells it to reach 10.0.0.0 via the new device we've created which has the IP address 10.99.99.1.

Reverse the procedure on Bar's gateway:

route add -net 192.168.0.0 netmask 255.255.255.0 gw 10.99.99.2

Now each gateway should be able to ping the other's internal network.

We assume that IP forwarding is already enabled, as the machines are already running as gateways, but if not you will need to run these too:

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A FORWARD -i tun+ -j ACCEPT

Assuming that these Linux machines are the default gateways for each internal LAN machine then they should also all be able to talk to each other.

If this works, create a simple script in /etc/init.d containing the openvpn command and the route command, then make sure it runs at boot time.
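The boot script suggested above, written out as an added example (this is not the article's own script): it wraps the article's openvpn and route commands for either gateway, taking all addresses from the table above. Two things are my additions rather than the article's: the tunnel gets a pre-shared static key through OpenVPN's --secret option, since without one OpenVPN runs the tunnel as cleartext, and a second FORWARD rule is added for traffic leaving through the tunnel, as replies traverse the FORWARD chain in that direction too. The key file location /etc/openvpn/static.key is an assumed path.

```shell
#!/bin/sh
# site-to-site.sh: the Foo<->Bar tunnel from the article as a boot script,
# plus a static key so the tunnel is encrypted and authenticated.
# Added example, not the article's script.
#
# Usage (as root on each gateway):
#   sh site-to-site.sh genkey        # once, on one gateway; copy the key
#                                    # to the other gateway with scp
#   sh site-to-site.sh start foo     # on gateway.foo.com
#   sh site-to-site.sh start bar     # on gateway.bar.com
set -eu

KEYFILE=/etc/openvpn/static.key   # assumed location, not from the article
TUNDEV=tun1

# Per-side parameters, the values from the article's table.
# Prints: remote_host local_tun remote_tun remote_lan
side_params() {
    case "$1" in
        foo) echo "gateway.bar.com 10.99.99.1 10.99.99.2 10.0.0.0" ;;
        bar) echo "gateway.foo.com 10.99.99.2 10.99.99.1 192.168.0.0" ;;
        *)   echo "unknown side: $1" >&2; return 1 ;;
    esac
}

# The openvpn command line for one side.  --secret adds static-key
# encryption and HMAC authentication; both gateways must hold an identical
# key file.  --verb 3 replaces the article's --verb 9 for day-to-day use
# (verb 9 logs every packet).
openvpn_cmd() {
    set -- $(side_params "$1")
    echo "openvpn --remote $1 --dev $TUNDEV --ifconfig $2 $3 --secret $KEYFILE --verb 3 --daemon"
}

# The route command: reach the other company's LAN through the tunnel,
# using the local tunnel endpoint as the gateway, exactly as the article does.
route_cmd() {
    set -- $(side_params "$1")
    echo "route add -net $4 netmask 255.255.255.0 gw $2"
}

# Forwarding and firewall commands.  The article accepts traffic entering
# from tun+; traffic leaving via tun+ also passes FORWARD, hence the
# second rule.
forward_cmds() {
    cat <<'EOF'
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -o tun+ -j ACCEPT
EOF
}

start_side() {
    modprobe tun
    [ -r "$KEYFILE" ] || { echo "missing $KEYFILE; run: $0 genkey" >&2; exit 1; }
    chmod 600 "$KEYFILE"        # a world-readable key is no key at all
    $(openvpn_cmd "$1")
    $(route_cmd "$1")
    forward_cmds | sh
}

case "${1:-}" in
    genkey) mkdir -p "$(dirname "$KEYFILE")"
            openvpn --genkey --secret "$KEYFILE"
            chmod 600 "$KEYFILE" ;;
    start)  start_side "${2:?side: foo or bar}" ;;
    "")     ;;   # no action when run without arguments
    *)      echo "usage: $0 genkey | start foo|bar" >&2; exit 1 ;;
esac
```

Generate the key once, copy it to the second gateway over an already-trusted channel such as scp, and keep it mode 0600 on both machines; anyone who can read the file can decrypt or inject tunnel traffic.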


Setting up a single remote machine to access the LAN is also a simple process - and many useful documents are available on the OpenVPN website.


Posted by Anonymous (81.215.xx.xx) on Thu 24 Feb 2005 at 22:23

How do you solve this problem:

Name            Company Foo, Inc           Company Bar, Inc
-------------------------------------------------------------
Internal LAN    10.0.0.0/8                 10.0.0.0/8

i.e. the case both sides use the same thing -- say, an A class network.


Posted by Steve (82.41.xx.xx) on Fri 25 Feb 2005 at 13:04

Persuading one side to renumber is the best solution, although it's likely to be difficult if both sides are an A class!

Failing that you could rewrite the addresses using ipchains at the gateways.

Steve
-- Steve.org.uk


Posted by Anonymous (84.133.xx.xx) on Sun 20 Mar 2005 at 16:50
Perhaps switch to tinc?

The examples on tinc's website contain a scenario of a virtual private bridge.


Posted by Anonymous (84.194.xx.xx) on Wed 4 May 2005 at 07:52
You can also create a virtual bridge with OpenVPN. OpenVPN can do a lot more than what is described here ;-)
Check out http://openvpn.net/bridge.html for some details!!!


Posted by Anonymous (80.192.xx.xx) on Thu 21 Apr 2005 at 20:49
Ooh good stuff :)

Any chance of a 'Setting up OpenVPN for use with Windows road-warriors' ?

Cheers,
Gavin.


Posted by sleepygeek (66.224.xx.xx) on Thu 23 Jun 2005 at 15:07
Well this is a late reply (just found this site), but the answer to this question is absolutely yes.

One of the awesome things about OpenVPN is that it runs on Linux, Solaris, OpenBSD, FreeBSD, NetBSD, Mac OSX, and yes Windows. So you can set up your VPN server (on Debian of course), install OpenVPN on your road warrior's Windows laptops, and VPN away.

There is a nice Windows gui complete with a Windows installer for OpenVPN by Mathias Sundman. His site is http://openvpn.se/

Just read the docs at the OpenVPN site, specifically the HOWTO for 2.0. It walks you through everything pretty well.


Posted by leto (82.232.xx.xx) on Sat 20 Aug 2005 at 15:10
To open a tun0 you have to:
- install the package uml-utilities
- run:
tunctl -t tun0
For your firewall:
iptables -I INPUT -i tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -j ACCEPT
iptables -I FORWARD -o tun0 -j ACCEPT
iptables -I OUTPUT -o tun0 -j ACCEPT


Posted by ajoian (86.106.xx.xx) on Tue 2 May 2006 at 22:07
I have a small question: if in my network I already have public IPs and I want to use OpenVPN as an authentication machine in front of the routers, could I do that, having 86.x.x.x public IPs?
P.S. I don't want to use class C IPs and no DHCP.


Posted by Nilshar (88.191.xx.xx) on Tue 26 Dec 2006 at 14:28
When I start openvpn it says :

Tue Dec 26 15:24:52 2006 ******* WARNING *******: all encryption and authentication features disabled -- all data will be tunnelled as cleartext

How do I set up encryption? (Well, I'll search on the OpenVPN website, but maybe it would be good to add it to this article?)


Posted by Anonymous (84.240.xx.xx) on Mon 24 Mar 2008 at 21:19
Yes, how about encryption? Is it possible to use PSK keys or a CA in this kind of configuration? Thanks in advance.

P.S. This tutorial was very useful for me.


Posted by Anonymous (125.162.xx.xx) on Fri 8 Oct 2010 at 05:23
I found using OpenVPN is secure and reliable to setup my internal use program running across the internet.
