Old 09-26-2012, 10:10 AM   #1
Joaquim Almeida
LQ Newbie
 
Registered: Sep 2012
Posts: 7

Rep: Reputation: Disabled
[HOW-TO]: Build a VPN on a server with multiple NICs (and other goodies).


READ BEFORE CONTINUING
__________________________________________________


This topic assumes that you have a Red Hat-based distribution, at least 2 working NICs, that you are root, that you have forwarding enabled (net.ipv4.ip_forward=1), and basic knowledge of Linux. If you do not recognize a command, first google "man command"; don't run it without knowing what it does.

This topic will help you (in a very basic manner) with:
  • openvpn (in tun mode)
  • iptables
This topic isn't meant to be straightforward; you can adapt it to your needs, even to other distributions.

__________________________________________________


Hi,

This is a continuation of this post.

The information was applied on a server running CentOS release 5.8 (Final) with kernel Linux version 2.6.18-308.1.1.el5 (you can check your version by running these commands):
  • cat /etc/redhat-release
  • cat /proc/version
__________________________________________________

1. Synopsis:


Objective: Connect from Internet to Server and be able to reach anything within Subnet A and B (as if you were the PC inside Subnet B).

First, a schematic:
Code:
                        +---------------------+      +----------------------------------+
                        |      Subnet A       |      |            Subnet B              |
                        |---------------------|      |----------------------------------|
                        |                     |      |                                  |
                        |              +------|------|------+                           |
                        |              |      |Server|      |                           |
                        |              |------|------|------|                           |
                        |              |      |      |      |                           |
                        |              |  +--------------+  |                           |
                        |              |  |   |      |   |  |                           |
                        |              |  v   |      |   v  |                           |
                        | +--------+   |------|------|------|   +--------+   +----+     |
             Internet   | | Router |   | eth1 | ethN | eth0 |   | Switch |   | PC |     |
                        | +--------+   +------|------|------+   +--------+   +----+     |
                ^       |    ^  ^         ^   |      |  ^          ^  ^        ^        |
                |       +----|--|---------|---+      +--|----------|--|--------|--------+
                |            |  |         |             |          |  |        |
                |            |  |         |             |          |  |        |
                +------------+  +---------+             +----------+  +--------+
Router/Modem:
  • IP: 1.2.3.4
  • Mask: 255.255.255.0
  • Gateway: N/A
eth0 in Subnet B:
  • IP: 10.6.0.100
  • Mask: 255.255.0.0
  • Gateway: Special
eth1 in Subnet A:
  • IP: 1.2.3.100
  • Mask: 255.255.255.0
  • Gateway: Special
PC:
  • IP: 10.6.0.201
  • Mask: 255.255.0.0
  • Gateway: 10.6.0.100
Special:
With this topology, you should have something like the route table below:
Code:
Issue the command:
route

It displays:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
1.2.3.0         *               255.255.255.0   U     0      0        0 eth1
10.6.0.0        *               255.255.0.0     U     0      0        0 eth0
default         1.2.3.4         0.0.0.0         UG    0      0        0 eth1
__________________________________________________

2. Install and configure VPN Server:

In order to connect to the server from the Internet we need to install a VPN server, like OpenVPN. Having good security and being open source makes it one of the best.

So, for the installation we run the following commands (as in ServerWorld). Note: bridge-utils is only needed if you intend to create a bridge rather than routing. Ignore it if you prefer:
Code:
Install from EPEL
yum --enablerepo=epel -y install openvpn bridge-utils
If you don't have this repository then follow these instructions.

Afterwards, we need to configure our VPNserver:
Code:
Copy some files (press Tab after pasting so that your installed version of OpenVPN is filled in)
cp /usr/share/doc/openvpn-*/sample-config-files/server.conf /etc/openvpn/

Edit some lines in /etc/openvpn/server.conf. You can even erase your server.conf and copy & paste the below
vi /etc/openvpn/server.conf
server.conf
Code:
#It is recommended to change the default port, as a minor security protection.
port 41532
#Make it use the UDP protocol, as it is faster and less traceable.
proto udp
#Make it use routing mode.
dev tun
#Use certificates to authenticate
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
#Use Diffie-Hellman key exchange
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
#Define your Virtual Router Server IP (make it whatever IP you want, it doesn't need to be in Subnet A or B.
#In fact, I recommend it to be in a different Subnet...)
server 10.10.10.0 255.255.255.0
#Send the VPNclient the routing parameters it needs to forward packets through the VPN to a specific IP/Subnet.
#You can also push other directives like persist-key so that the client activates that option
#even if it doesn't have it in its CLIENTconfig
push "route 10.6.0.0 255.255.0.0"
#VPN ping-pong
keepalive 10 120
#Compression
comp-lzo
#Don't terminate the connection if a renegotiation occurs.
persist-key
persist-tun
#Keep a log file
status /var/log/openvpn-status.log
log /var/log/openvpn.log
log-append /var/log/openvpn.log
#Type of verbosity
verb 3
Now, create the CA Certificate & Key:
Code:
Copy some files
cp -R /usr/share/openvpn/easy-rsa/2.0 /etc/openvpn/easy-rsa

Change directory and create folder
cd /etc/openvpn/easy-rsa
mkdir keys

Edit vars and change some lines (change the ones colored red):
vi vars

export KEY_COUNTRY="your country"
export KEY_PROVINCE="your province"
export KEY_CITY="your city"
export KEY_ORG="your organization"
export KEY_EMAIL="your e-mail"
Note: These keys are going to be the default values from now on

Exit vi and issue the next command
source ./vars

It will say
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys

Issue the next 2 commands and proceed as stated. Change the ones colored red.
./clean-all
./build-ca

Generating a 1024 bit RSA private key
.................++++++
......++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [your country]: »Press Enter«
State or Province Name (full name) [your province]: »Press Enter«
Locality Name (eg, city) [your city]: »Press Enter«
Organization Name (eg, company) [your organization]: »Press Enter«
Organizational Unit Name (eg, section) []: »Press Enter«
Common Name (eg, your name or your server's hostname) [your organization CA]: your domain name, like vpn.linuxquestions.org
Name []: server-ca
Email Address [your mail]: »Press Enter«
Create the Certificate & Key for Server:
Code:
Issue the command and proceed as stated. Change the ones colored red.
./build-key-server server

Generating a 1024 bit RSA private key
........++++++
.......++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank.
For some fields there will be a default value, if you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [your country]: »Press Enter«
State or Province Name (full name) [your province]: »Press Enter«
Locality Name (eg, city) [your city]: »Press Enter«
Organization Name (eg, company) [your organization]: »Press Enter«
Organizational Unit Name (eg, section) []: »Press Enter«
Common Name (eg, your name or your server's hostname) [server]: your domain name, like vpn.linuxquestions.org
Name []: server
Email Address [your mail]: »Press Enter«
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: »Press Enter«
An optional company name []: »Press Enter«
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName          :PRINTABLE:'your country'
stateOrProvinceName  :PRINTABLE:'your province'
localityName         :PRINTABLE:'your city'
organizationName     :PRINTABLE:'your organization'
commonName           :PRINTABLE:'your domain name'
name                 :PRINTABLE:'server'
emailAddress         :IA5STRING:'your mail'
Certificate is to be certified until May 17 20:20:18 2021 GMT (3650 days)
Sign the certificate? [y/n]: »Press y«
1 out of 1 certificate requests certified, commit? [y/n] »Press y«
Write out database with 1 new entries 
Data Base Updated
Now, build the Diffie Hellman parameter:
Code:
Issue the next command
./build-dh

Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
And, to end this process, build the Certificate & Key for Client:
Code:
Issue the command. Change the ones colored red.
./build-key-pass client

Generating a 1024 bit RSA private key
..................++++++
..................++++++
writing new private key to 'client.key'
Enter PEM pass phrase: Insert a password
Verifying - Enter PEM pass phrase: Repeat the password
-----
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [your country]: »Press Enter«
State or Province Name (full name) [your province]: »Press Enter«
Locality Name (eg, city) [your city]: »Press Enter«
Organization Name (eg, company) [your organization]: »Press Enter«
Organizational Unit Name (eg, section) []: »Press Enter«
Common Name (eg, your name or your server's hostname) [client]: your domain name, like vpn.linuxquestions.org
Name []: client
Email Address [your mail]: »Press Enter«
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []: »Press Enter«
An optional company name []: »Press Enter«
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName         :PRINTABLE:'your country'
stateOrProvinceName :PRINTABLE:'your province'
localityName        :PRINTABLE:'your city'
organizationName    :PRINTABLE:'your organization'
commonName          :PRINTABLE:'your domain name'
name                :PRINTABLE:'client'
emailAddress        :IA5STRING:'your mail'
Certificate is to be certified until May 17 20:33:28 2021 GMT (3650 days)
Sign the certificate? [y/n]: »Press y«
1 out of 1 certificate requests certified, commit? [y/n] »Press y«
Write out database with 1 new entries
Data Base Updated
Copy the next files located in /etc/openvpn/easy-rsa/keys/ to your client PC (for now, desktop will be fine):
  • ca.crt
  • client.crt
  • client.key
If you want to add more clients, repeat the Certificate & Key for Client process and copy the files mentioned above.

Warning: Don't overwrite the files on the client PC unless you intend to, because as you repeat the above procedure it will overwrite all client Certs/Keys in /etc/openvpn/easy-rsa/keys/. That means the server accepts 2 keys but you only have 1 of them...

__________________________________________________

3. iptables:


Warning: Working with iptables may cause your network (and even your system) to malfunction. It is recommended to make a backup of your current configuration!
Issue the command: cp /etc/sysconfig/iptables /etc/sysconfig/iptables.BAK

Next, we need to change iptables in order to allow openvpn to work properly. I've been using a specific configuration which concentrates all chains into one (see an example here). If you have a "normal" configuration, you'll need to add the rules to the INPUT and FORWARD chains (for more information see the OpenVPN Man Page, Firewall section).

I manage my iptables with vi, but I'll put here the 2 versions for the ones that issue commands through the console instead.
Careful with the state statement. If you do not use it, you should remove it from the config below.

Console version:
Code:
iptables -A RH-Firewall-1-INPUT -i tun0 -j ACCEPT
iptables -A RH-Firewall-1-INPUT -i eth1 -m state --state NEW -m udp -p udp --dport 41532 -j ACCEPT
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
Vi version:
Code:
Issue the command:
vi /etc/sysconfig/iptables

Adapt the red lines to your config:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT

-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -o eth1 -j ACCEPT
-A RH-Firewall-1-INPUT -i tun0 -j ACCEPT

# openvpn
-A RH-Firewall-1-INPUT -i eth1 -m state --state NEW -m udp -p udp --dport 41532 -j ACCEPT

-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
# For better security use the line below instead of the one above
#-A RH-Firewall-1-INPUT -j DROP
COMMIT

*nat
-A POSTROUTING -o eth1 -j MASQUERADE
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT
Now, restart iptables, and check if all is good to proceed:
Code:
Issue the command:
service iptables restart
We're good to launch OpenVPN:
Code:
Issue 2 commands:
service openvpn restart
chkconfig openvpn on
__________________________________________________

4. Install and configure VPN Client:


I'm a big fan of portable applications so I'll use OpenVPN Portable client version for Windows below. If you prefer the normal one, download from Official OpenVPN download section.
They are pretty much the same, only with the portable difference (which is enough for me).

Paste the files you copied before to your desktop, into "..\OpenVPNPortable\data\config\".

Next, create a file named whatever-you-like.ovpn and paste the code below:
Code:
#What you are
client
#What type of VPN
dev tun
#What protocol
proto udp
#Here, you can test from inside Subnet A, 
#or from the Internet (if you already have port forwarded to Server in Router).
#In this example I'm inside Subnet A
#What "remote [space] IP [space] PORT" to connect
remote 1.2.3.4 41532
#How many tries to resolve
resolv-retry infinite
#Don't bind port to the client
nobind
#Don't terminate connection if a renegotiation occurs.
persist-key
persist-tun
#Use Certificates and Keys for authentication
ca ca.crt
cert client.crt
key client.key
#Use compression
comp-lzo
#Use verbosity
verb 3
All done. Now let's run OpenVPN with administrator permissions (as it needs to install a virtual NIC in order to proceed). Afterwards just connect, type in your Certificate/Key password and you're inside (you can see some screenshots on ServerWorld's website, client section).

Try pinging your "server IP", "PC IP", "router IP", whatever...

__________________________________________________

5. Why routing (tun) and not bridging (tap)?


I'll just point out the major disadvantage of using bridging with a quotation taken from a good book about this theme - OpenVPN 2 Cookbook - ISBN 978-1-849510-10-3:
Quote:
However, there are also disadvantages to using bridging, especially in terms of performance: the performance of a bridged 100 Mbps Ethernet adapter is about half the performance of a non-bridged adapter.
This, in enterprise circumstances, is not acceptable (at least with this topology).

And by doing this tutorial, you'll be able to do the same as if you were bridged, since you're connecting directly to a server with forwarding enabled. It's just as if you were the PC in the schematic...

Hope it helps, glad to.
Joaquim Almeida
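The procedure above depends on two text files getting every line right: /etc/openvpn/server.conf and /etc/sysconfig/iptables. A prose line that lost its '#' stops OpenVPN from starting, and an ACCEPT rule that lands after the catch-all REJECT is silently never reached (note that the "console version" above uses iptables -A, which appends after the REJECT rule already loaded in RH-Firewall-1-INPUT). The script below is an added example, not code from the post, from OpenVPN or from Red Hat: it lints an OpenVPN config for lines that are neither comments nor known directives (the allowlist is an assumption built from the directives this post uses) and checks an iptables-save file for the VPN rules, their position relative to the catch-all, and the nat MASQUERADE. The sample files are constructed from the post's own configs; point the two check functions at your real files when running it on the server.

```shell
#!/bin/sh
# Pre-flight checks for the OpenVPN (tun) + iptables setup described in the post.
# Added example, not code from the post, from OpenVPN or from Red Hat. It only reads
# configuration text, so it can run on the server before 'service openvpn restart'
# or on copies of the files elsewhere. The directive allowlist and the sample files
# are constructed from the post's own configs (assumptions; extend to your setup).

# Directives the post's server.conf and client .ovpn use (assumed allowlist).
OVPN_DIRECTIVES="port proto dev ca cert key dh server push keepalive comp-lzo \
persist-key persist-tun status log log-append verb client remote resolv-retry nobind"

# check_openvpn_conf FILE: print every line that is neither blank, a comment
# ('#' or ';') nor a known directive; return 1 if there is any such line.
# A prose line that lost its '#' makes OpenVPN refuse to start.
check_openvpn_conf() {
    awk -v allow="$OVPN_DIRECTIVES" '
        BEGIN { bad = 0; n = split(allow, a); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^[ \t]*$/ || /^[ \t]*[#;]/ { next }
        !($1 in ok) { printf "%s:%d: not a directive: %s\n", FILENAME, FNR, $0; bad = 1 }
        END { exit bad }' "$1"
}

# filter_rules FILE: the *filter section's -A rules of an iptables-save file, in order.
filter_rules() {
    awk '/^\*filter/ { f = 1; next } /^\*/ { f = 0 } f && /^-A /' "$1"
}

# check_iptables_rules FILE WAN_IF VPN_PORT: verify, against an iptables-save file
# such as /etc/sysconfig/iptables, the four things the post's tun setup needs:
#   1. UDP VPN_PORT is accepted on WAN_IF,   2. traffic arriving on tun0 is accepted,
#   3. both sit BEFORE the catch-all REJECT/DROP (a rule appended with 'iptables -A'
#      after the catch-all is never reached),   4. nat POSTROUTING masquerades.
check_iptables_rules() {
    file=$1 wan_if=$2 port=$3 rc=0
    rules=$(filter_rules "$file")
    # catch-all = a rule with no match criteria, only a chain and a REJECT/DROP target
    deny=$(printf '%s\n' "$rules" | grep -En '^-A [^ ]+ -j (REJECT|DROP)( |$)' | head -n1 | cut -d: -f1)
    [ -n "$deny" ] || { echo "filter: no catch-all REJECT/DROP, default deny is lost"; rc=1; }
    for want in " -i $wan_if .* -p udp .*--dport $port .*-j ACCEPT" " -i tun0 .*-j ACCEPT"; do
        at=$(printf '%s\n' "$rules" | grep -En -- "$want" | head -n1 | cut -d: -f1)
        if [ -z "$at" ]; then
            echo "filter: no rule matching '$want'"; rc=1
        elif [ -n "$deny" ] && [ "$at" -gt "$deny" ]; then
            echo "filter: rule $at ('$want') is after the catch-all (rule $deny) and never reached"; rc=1
        fi
    done
    grep -q '^-A POSTROUTING .*-j MASQUERADE' "$file" \
        || { echo "nat: no POSTROUTING MASQUERADE rule"; rc=1; }
    return $rc
}

# ---- constructed samples, based on the post's files -------------------------------
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
BAD_CONF=$TMP/server-bad.conf GOOD_CONF=$TMP/server.conf
cat >"$BAD_CONF" <<'EOF'
port 41532
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
server 10.10.10.0 255.255.255.0
push "route 10.6.0.0 255.255.0.0"
Type of verbosity
verb 3
EOF
sed 's/^Type of verbosity$/#&/' "$BAD_CONF" >"$GOOD_CONF"   # restore the lost '#'

GOOD_FW=$TMP/iptables.good BAD_FW=$TMP/iptables.bad
cat >"$GOOD_FW" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -i tun0 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth1 -m state --state NEW -m udp -p udp --dport 41532 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT
EOF
# Same rules, but the two OpenVPN ACCEPTs moved after the catch-all: the result of
# running the post's console 'iptables -A ...' lines on an already loaded ruleset.
awk '/tun0 -j ACCEPT|dport 41532/ { held = held $0 "\n"; next }
     /-j REJECT/ { printf "%s\n%s", $0, held; next } 1' "$GOOD_FW" >"$BAD_FW"

for f in "$BAD_CONF" "$GOOD_CONF"; do
    if check_openvpn_conf "$f"; then echo "OK   $f"; else echo "FAIL $f"; fi
done
for f in "$GOOD_FW" "$BAD_FW"; do
    if check_iptables_rules "$f" eth1 41532; then echo "OK   $f"; else echo "FAIL $f"; fi
done
```

Both checks work on text only, so they are safe to run on the live server; run them after editing the files and before service openvpn restart / service iptables restart. The catch-all detection is deliberately strict (a rule with nothing but a chain and a REJECT or DROP target), so a REJECT that carries match criteria is not mistaken for the default-deny rule.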
 
Old 09-27-2012, 08:33 AM   #2
Thor_2.0
Senior Member
 
Registered: Nov 2007
Location: Somewhere on my hard drive...
Distribution: Manjaro
Posts: 2,190
Blog Entries: 23

Rep: Reputation: 278
If I may say: muito obrigado. I know it's not English and, according to the rules, non-English is not allowed, but I wanted to send a note of thanks... I kept this thread on file to find it again quickly.

Thor
 
  



Tags
bridge, internet, iptables, nic, vpn

