Connecting to office network using OpenVPN tunnel
Posted by bigmyx on Fri 19 Jan 2007 at 10:47
I wrote this article because I think that it will be useful for the people that are using Debian GNU/Linux as their home desktop and want to connect to the corporate LAN protected by CheckPoint VNP-1/NG VPN server.
I got SSH access to one of the Linux servers on DMZ used SSH port forwarding to forward SMTP and some other traffic via SSH. That was perfect until I was required to access more machines inside our corporate LAN and continue to use this solution become painful for me.
With OpenVPN I got all this working without any troubles and now I have access to all machines inside my office.
You will need a Linux machine inside your corporate LAN that that will act as a client and will initiate the VPN connection to your home Linux machine that will act as a server. The connection will be passed through UDP 2746 port that is used by CheckPoint and usually opened for outbound connections from your corporate LAN.
As for this article, there is official How-To that I used while creating it, but finally I wanted to create something that is proven by personal experience and kept as simple as it is possible.
- Basic Linux knowledge
- Two Linux machines with tun/tap device support in their Kernels one is the server and another is the client.
- Dedicated internet IP address of your home internet connection (you probably will not have one) or DynDNS.org (or any other dynamic DNS) account.
Setting up the server:
First install the packages:
apt-get install openvpn ipcheck
NOTE - I used ipcheck for dynamic DNS update, I will not cover usage of that here since it is not related to the VPN procedure and it is pretty easy to use.
Create configuration file for the server in /etc/openvpn/server.conf:
port 2746 proto udp dev tap ;dev-node tap0 ca ca.crt cert server.crt key server.key # This file should be kept secret dh dh1024.pem server 10.10.10.0 255.255.255.0 # vpn subnet ifconfig-pool-persist ipp.txt push "route 192.168.1.0 255.255.255.0" # home subnet ;duplicate-cn keepalive 10 120 ;cipher BF-CBC # Blowfish (default) ;cipher AES-128-CBC # AES ;cipher DES-EDE3-CBC # Triple-DES comp-lzo user nobody group nobody persist-key persist-tun ;status openvpn-status.log ;log-append openvpn.log verb 10 mute 20 client-to-client client-config-dir ccd "route 188.8.131.52 255.255.0.0"
The next steps will be performed by preset configuration scripts that are part of OpenVPN installation and located in /usr/share/doc/openvpn/examples/easy-rsa directory.
Generate the CA:
cd /usr/share/doc/openvpn/examples/easy-rsa . ./vars ./clean-all ./build-ca
The last command will build the certificate authority certificate and key by invoking the interactive openssl command.
Generate certificates & keys for server:
Generate certificates & keys for client:
Make sure to type the appropriate Common Name when prompted, i.e. "client1"
Generate Diffie Hellman parameters
Place the following files in the /etc/openvpn directory on the server :
ca.crt server.crt dh1024.pem server.key - Note: This file should be kept secret!!
Create client IP addresses list file ipp.txt:
client,10.10.10.2Setting up the client:
Install the package:
apt-get install openvpn
Create the configuration file for the client /etc/openvpn/client.conf.
remote your.ddns.host 2746 client dev tap proto udp resolv-retry infinite # this is necessary for DynDNS nobind user nobody group nobody persist-key persist-tun ca ca.crt cert client.crt key client.key comp-lzo verb 4 mute 20
Copy the following files from the server to /etc/openvpn/ on the client machine :
ca.crt client1.crt client1.keyStarting the server and client
It's best to initially start the OpenVPN server from the command line, rather than start it as a daemon or service for the first time :
Use the same command to start the client. As the normal output you should see something like that:
OpenVPN 2.0_rc12 i686-suse-linux [SSL] [LZO] [EPOLL] built on Feb 5 2005 Diffie-Hellman initialized with 1024 bit key TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ] 2005 TUN/TAP device tun1 opened /sbin/ifconfig tun1 10.8.0.1 pointopoint 10.8.0.2 mtu 1500 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:23 ET:0 EL:0 AF:3/1 ] UDPv4 link local (bound): [undef]:1194 UDPv4 link remote: [undef] MULTI: multi_init called, r=256 v=256 IFCONFIG POOL: base=10.8.0.4 size=62 IFCONFIG POOL LIST 2005 Initialization Sequence Completed
After ensuring that all the parts are working and you able to initiate the connection you may safely use the init script that comes with the OpenVPN package installation, the init script will scan for .conf configuration files in /etc/openvpn, and if found, will start up a separate OpenVPN daemon for each file.
NOTE - The cute part is that you can setup VPN dedicated server at your corporate LAN that will initiate connections to multiple servers!Post configuration actions:
After installing server and client I found my self only able to connect to the corporate LAN machine it self and not able to PING any host inside the network. Two commands (one for server and one for client) resolved the issue:
route add -net 184.108.40.206 netmask 255.255.0.0 gw 10.10.10.2
(10.10.10.2 is the IP address of tap0 on the remote end.)
iptables -t nat -A POSTROUTING -s 10.10.10.1 -d 220.127.116.11/16 -j SNAT --to 18.104.22.168 echo "net.ipv4.conf.default.forwarding=1" >> /etc/sysctl.conf sysctl -p
22.214.171.124 is the IP address of eth0 on the local machine.
10.10.10.1 is the IP address of tap0 on the remote (home) machine.References: