Joining Networks with OpenVPN
Posted by Steve on Tue 19 Oct 2004 at 18:06
Small companies and homes are setup to use a dedicated Linux machine to act as a gateway, their bridge to the internet outside. Having a computer do the routing allows a lot more flexability than using a dedicated hardware router - for example the ability to join the network to another companies, or allow remote workers via a VPN solution.
A typical setup would look like the diagram below - several machines all connected to a switch, and a single machine which sits between them and the internet.
A VPN is a virtual private network, something that exposes your private internal network, the network space 192.168.0.xx in the diagram above, to something remote.
The remote thing could be another branch office, a person working from their home, or a road warrior who is a travelling user.
In the Linux world there are a lot of options when it comes to running a VPN server, such as:
pptpd is the historically preferred option, as it is compatible with the VPN client included with Windows 98 and above. However it is not a terribly secure solution, and requires a patched Linux kernel to support encryption, and patched copies of pppd to work with it.
The patching process rules this out in a lot of cases, and the low security rules it out a lot more.
tinc is a good solution which works very well if all people involved in using it run the same version of the software. (Unfortunately the version of tinc contained in Debian's unstable archive is incompatible with the version in Debian's stable archive).
OpenVPN is a relatively recent VPN server which is stable, secure, and very simple to setup.
The two common operations for a VPN are setting up a static connection between two offices, or two companies, and setting up a server such that a user can connect remotely.
Both are very similar setups but to make the demonstration more interesting we will focus upon the former.
This setup will allow every machine on the internal network of one company to talk to every machine on the second companies internal network.
The requirements are only that the two gateway machines run Linux, and you have root access on both of them.
We will assume that the companies are:
Name Company Foo, Inc Company Bar, Inc ------------------------------------------------------------- Internal LAN 192.168.0.0/24 10.0.0.0/24 External IP gateway.foo.com gateway.bar.com
Here we can see the gateways both have DNS entries for their external IP address (although IPs work just as well), and that the internal networks are different. (You can have overlapping ranges if you must, but it's a pain and NATing is involved. Ugh).
As both gateway machines are running Debian stable you will discover that openvpn isn't available - it's only in the unstable archive. This will be resolved as soon as Sarge is released, but in the meantime you will have to install a backport.
Add the following lines to your /etc/apt/apt.sources file:
# OpenVPN support for Woody deb http://www.backports.org/debian/ woody openvpn
Now you can install the server, by running the following two commands as root:
apt-get update apt-get install openvpn
After the package has been downloaded you will be prompted to see if you wish to create a TUN/TAP device. This is the device that all the traffic will be routed accross - so say Yes.
Repeat this process on the other gateway box and we're ready to actually configure the two halves to talk to each other.
The first thing to do is install the tun module, and make sure it is installed when the machine boots.
This can be done by running the following two commands, as root:
modprobe tun echo 'tun' >> /etc/modules
Next we have to choose a pair of addresses for the private tunnel devices, these should be private addresses which aren't used for anything else.
To make it obvious that they are not local addresses I've chosen the endpoints as follows:
Name Company Foo, Inc Company Bar, Inc ------------------------------------------------------------- Internal LAN 192.168.0.0/24 10.0.0.0/24 External IP gateway.foo.com gateway.bar.com Tunnel Devices 10.99.99.1 10.99.99.2
This is all the setup we need to do. Next we actually start the VPN deamons and point them at each other.
On the Foo, Inc gateway start the server and point it at the Bar, Inc gateway:
openvpn --remote gateway.bar.com --dev tun1 --ifconfig 10.99.99.1 10.99.99.2 --verb 9
On the other side do the process in reverse:
openvpn --remote foo.bar.com --dev tun1 --ifconfig 10.99.99.2 10.99.99.1 --verb 9
This should give you some diagnostic information, and setup a tunnel with a private address, 10.99.99.1 on gateway.foo.com, and 10.99.99.2 on gateway.bar.com.
Run ifconfig -a and you should see the new address on each machine.
The only thing to do next is setup routing.
As each gateway machine only knows about its internal LAN addresses (the machines in the 192.168.0.0 network, or the 10.0.0.0 network respectively) we need to tell the gateways how to get to the internal machines of the other company.
To setup routing on Foo's gateway we need to to tell it how to reach the 10.0.0.0 network on the other companies network.
Similarly we need to tell Bar's gateway how to reach the Foo internal network.
route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.99.99.1
This tells it to reach 10.0.0.0 via the new device we've created which has the IP address 10.99.99.1.
Reverse the procedure on Bar's gateway:
route add -net 192.168.0.0 netmask 255.255.255.0 gw 10.99.99.2
Now each gateway should be able to ping the others internal network.
We assume that IP forwarding is already enabled as the gateway machines are already running as gateway, but if not you will need to run these too:
echo 1 > /proc/sys/net/ipv4/ip_forward iptables -A FORWARD -i tun+ -j ACCEPT
Assuming that these Linux machines are the default gateways for each internal LAN machine then they should also all be able to talk to each other.
If this works create a simple script in /etc/init.d to contain the openvpn command and the route command - then make sure it runs at boot time.
Setting up a single remote machine to access the LAN is also a simple process - and many useful documents are available on the OpenVPN website.