Need a LINUX Networking Solution
Forgive me if this has already been discussed. I have no clue about Debian, UNIX, or what the hell a root is. I need a simple, user-friendly solution that requires little to no maintenance and is all automated once set up correctly.
Here is my problem. I hold LAN parties fairly often. Sometimes some players can't come out for whatever reason but still would like to play from home, but some games do not allow for a direct connection (i.e. StarCraft, WC3, etc.); they do allow for a LAN connection, which is how we play.

Here is what I want. I want a simple software solution (preferably a full OS package) that I could put on a separate computer to act strictly as the gateway and would allow incoming connections to connect directly to my LAN (after authentication). Windows' best solution is Hamachi, but Hamachi has to be on every single computer that anyone may play on for it to work, including local clients. This simply will not work, so I'm off to see what Linux has to offer. ALSO, I prefer it has some sort of remote admin or web client.

Here is what I plan on using as the server/gateway:
Dell GX260, 1.99 GHz P4 processor, 256 MB RAM
Two NICs: 1 x 1000 Mbps (LAN-side connection), 1 x 100 Mbps (WAN-side connection)

I have looked at Smoothwall, ClarkConnect, and a couple of others, but because I'm a moron at Linux, I don't know what would be best. Please recommend something. Thanks.
You need a bridged VPN solution; the best one I can think of is OpenVPN. It doesn't even need to be the gateway server, if your router or current gateway can do port forwarding. The issue I foresee is that it is not ultra-friendly, but it is also not ultra hard. To use OpenVPN you need to edit some text configuration files. The documentation from OpenVPN is very good on how to do so, though. If you want to replace your current router or gateway you can look into Untangle, which has the OpenVPN module (but I do not know if it can be set up in bridged mode with Untangle). Or you could try the OpenVPN Webmin module with Webmin installed on your gateway. Or you could even try running the Windows version of OpenVPN, though there is still text file editing.
But it is relatively easy to use; here is roughly how you would go about it.

1. Install OpenVPN on your VPN server.
2. Bridge a virtual TAP interface to one of the NICs (the LAN one if it is a gateway machine).
3. Edit the server config file and set it for TAP interface bridged VPN mode, and whatever DHCP addresses you want handed out.
4. Generate your SSL/TLS certificate authority (CA) and other certs (including the ones for each user you want to connect).
5. Edit the server config to use your new CA and server cert.
6. Copy the client config and edit it so that most of the heavy lifting is done for your friends.
7. Burn CDs for each friend that needs to connect by VPN with the Windows OpenVPN installer, the modified client configuration file that you edited, and the SSL certificates that they need (each CD will have a unique cert, as each person really needs their own).
8. Have them install OpenVPN and place the certs in a directory on their HD, and have them place the client config file in the appropriate place; then have them modify the client config file to point to wherever they stored their certs.
9. Have them connect to you with the OpenVPN GUI client that the OpenVPN installer for Windows installed.

This sounds harder and more complicated than it is. Total time (excluding the time it takes to generate the certs, which will vary based on machine horsepower, available resources, and how many bits the certs are) is maybe 30 minutes. This is installing the OpenVPN software on a machine with an OS already on it, editing the config files, and probably even burning the CDs. Total time for friends to set up OpenVPN on their computers: less than 10 minutes.

The reason you need a bridged VPN is because most games use the Ethernet broadcast layer to run LAN games, and most VPN solutions are on the IP layer, which is one above the Ethernet layer. So the LAN stuff for the games never makes it out to the Internet past your router or gateway.
What a bridged VPN does is actually work on the Ethernet layer and relay all the data that is broadcast; it simulates the remote machine being plugged directly into a hub or switch on your network.
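The bridge step in the reply above (step 2) is where the work happens on a Linux server: the LAN NIC and the TAP device both sit under one bridge, neither member port carries an IP address and both run promiscuous, and the bridge alone holds the LAN address. The following is an added example, not code from this thread and not OpenVPN's own bridge-start script; it builds that command sequence with iproute2 and `openvpn --mktun`. The interface names eth0/tap0/br0 and the address 192.168.100.20/24 are placeholders.

```python
"""Bring up the Linux bridge a TAP-mode OpenVPN server needs (added example).

The LAN NIC and the TAP device are put under one bridge; both member ports
carry no IP address and run promiscuous, and the bridge alone holds the LAN
address. Interface names and the address are assumed placeholders.
Run as root with --apply to execute; without it the commands are only printed.
"""
import ipaddress
import subprocess
import sys


def bridge_up_commands(lan_if="eth0", tap_if="tap0", br_if="br0",
                       address="192.168.100.20/24"):
    """Return the argv lists, in order, that build the bridge."""
    iface = ipaddress.IPv4Interface(address)  # raises ValueError on bad input
    bcast = str(iface.network.broadcast_address)
    return [
        # persistent TAP device for the OpenVPN server (dev tap0) to attach to
        ["openvpn", "--mktun", "--dev", tap_if],
        ["ip", "link", "add", "name", br_if, "type", "bridge"],
        # the NIC gives up its address; the bridge takes it over below
        ["ip", "addr", "flush", "dev", lan_if],
        ["ip", "link", "set", "dev", lan_if, "master", br_if],
        ["ip", "link", "set", "dev", tap_if, "master", br_if],
        # member ports: no IP, promiscuous, up
        ["ip", "link", "set", "dev", lan_if, "promisc", "on", "up"],
        ["ip", "link", "set", "dev", tap_if, "promisc", "on", "up"],
        # only the bridge owns the LAN address (the server-bridge gateway)
        ["ip", "addr", "add", str(iface), "brd", bcast, "dev", br_if],
        ["ip", "link", "set", "dev", br_if, "up"],
    ]


def bridge_down_commands(lan_if="eth0", tap_if="tap0", br_if="br0",
                         address="192.168.100.20/24"):
    """Return the argv lists that tear the bridge down and restore the NIC."""
    iface = ipaddress.IPv4Interface(address)
    return [
        ["ip", "link", "set", "dev", br_if, "down"],
        ["ip", "link", "del", br_if],  # deleting the bridge releases its ports
        ["ip", "link", "set", "dev", lan_if, "promisc", "off"],
        ["ip", "addr", "add", str(iface), "dev", lan_if],
        ["openvpn", "--rmtun", "--dev", tap_if],
    ]


def run(commands, apply=False):
    """Print each command; execute it as well when apply is True."""
    for argv in commands:
        print(" ".join(argv))
        if apply:
            subprocess.run(argv, check=True)
    return len(commands)


if __name__ == "__main__":
    cmds = bridge_down_commands() if "down" in sys.argv else bridge_up_commands()
    run(cmds, apply="--apply" in sys.argv)
```

Bring the bridge up before starting the server, and make the gateway address in the server's `server-bridge` line the same address you give the bridge; the NIC loses connectivity between the flush and the bridge coming up, so run it from the console rather than over SSH.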
Wow. I did fool around with OpenVPN a little bit, but gave up on it, because nobody was really talking about the Windows version much, so I just figured it was a waste. I WILL DO THIS TODAY! Thank you so much. One more question. If I set this up as a VPN server, then it doesn't have to be the gateway? It can just be connected to the switch? As long as my router is configured to allow the port forwarding, it should be fine?
Yes, port forwarding will do fine with it. It uses the HTTPS protocol, aka SSL/TLS, and can be configured to use whatever port you want; I think the default is 1194 though. So you set up a rule on your router to forward HTTPS/SSL traffic on port 1194 to ip.address.of.VPNServer port 1194. I have this configuration at the network in my office. I have a SonicWall coming off of our WAN router that goes to a specialized network with an OpenVPN server running behind the SonicWall with port forwarding turned on; it works well.
...then would local clients (sharing a switch with the server) have to go through OpenVPN as well? I can't find a limit on how many concurrent clients you can have; is there one?
This is awesome, by the way. I really think this is exactly what I wanted.
It is limited by the number of IP addresses in your LAN and the hardware on your server, though OpenVPN is not very resource intensive. And clients that are plugged directly into your switch cannot run the OpenVPN software while physically connected to your network; it will cause all sorts of problems. Only those that are not at your house need to and should use the OpenVPN connection. Anyone can have it installed, but don't use it to connect unless they are remotely trying to get in on the game. Note performance will also be limited by your bandwidth on the Internet connection.
Hey, I took your advice and I downloaded and printed the 40-page tutorial and followed it step by step. It is pretty good and definitive on how to do it, but I cannot get the bridge to work. I know this is not the best forum for this topic, but you seemed knowledgeable about this item; perhaps you can help me once more.
I am running this through Windows and I have all my client certs and client configs and my CAs done, etc. When I bridge the two interfaces (NIC and TAP) the TAP won't connect after I start the server, but if they are unbridged it connects fine; but it won't work because I need the bridged solution as you said before. Maybe you can help me debug my server config file, please.

Code:
port 1194
proto udp
#must be dev tap instead of dev tun for the bridge to operate
dev tap
ca "C:\\Program Files\\OpenVPN\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\server.crt"
key "C:\\Program Files\\OpenVPN\\server.key"  # This file should be kept secret
dh "C:\\Program Files\\OpenVPN\\dh1024.pem"
ifconfig-pool-persist ipp.txt
#must be set for server-bridge in order to utilize bridge
server-bridge 192.168.100.20 255.255.255.0 192.168.100.101 192.168.100.200
#Allows client-to-client communication inside VPN
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
Let me look this over when I have a few more minutes available and I will see if I can help you figure this one out.
I haven't had a lot of time to go over this, but it appears that you are running it on a Windows machine. One thing: did you explicitly specify the TAP adapter? That can cause some issues on Windows. Let me attach my Linux server config file and a client config file for that server that works, and I will try to look into this closer tonight or tomorrow morning for you. But you can use the attached files to see if you see anything that strikes you. You will note in the Windows client config that I explicitly named the TAP device.
One other thing that popped into my head: once you have bridged the Ethernet adapter and the TAP device, are they in promiscuous mode without an IP address, with only the bridge obtaining an IP? That could have something to do with it. server.conf Code:
################################################# Code:
############################################## One final thought before I leave you, just popped into my head: are you trying to test with a VPN connection from inside your LAN? Because that will blow things up; you need to be external to the network you are connecting to, separated by a router. The office setup we have here for the OpenVPN server looks like this: Code:
Internet----><WAN>JuniperRouter<LAN>---|--->Regular LAN 192.168.100.x
Well, after looking over the config, here are a couple of things (I may have mentioned them above too). Are you experiencing an IP conflict of some kind? I see that you have set aside 101-200 for IP addresses for clients; does your DHCP server pass out addresses in the same range? If so, you may want to consider doing DHCP passthrough and letting your LAN DHCP assign clients IP addresses, or use a range that is not in use and not handed out by your LAN DHCP server.
Back to explicitly naming a device: you'll notice in my client config it has the dev-node option, in my case dev-node tap0. I named my Windows TAP device tap0 (to conform to Linux); I named the adapter explicitly. When you say you have an issue, what specifically is happening? Is the TAP adapter losing an IP address on the server when the server starts? This is to be expected, because the bridge should obtain an IP address, and then when the server is running the TAP device should be promiscuous on the server: all VPN traffic gets sent to the bridge interface and the TAP device just listens in; when it detects VPN traffic it accepts it and uses it. Try turning on debug-level logging (change the level 3 to level 6) and post the log of the server startup; we can take a look at that.
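The two configuration points raised in the replies (the server-bridge pool must lie inside the bridge subnet and must not collide with what the LAN DHCP server hands out, and a bridged server must use a tap device) can be checked mechanically before starting the server. The following is an added example in Python, not code from this thread or from OpenVPN. The embedded server.conf is a copy of the one posted earlier in the thread; the LAN DHCP scope it is checked against is an assumed value, since the thread does not give the real one.

```python
"""Sanity-check an OpenVPN server.conf for bridged TAP mode (added example).

Parses the config, then checks that dev is tap when server-bridge is used,
that the gateway and pool lie inside the bridge subnet, and that the pool
does not overlap the LAN DHCP scope. The DHCP scope below is an assumed value.
"""
import ipaddress
import re

# Copy of the server.conf posted earlier in this thread (Windows paths kept).
SERVER_CONF = r"""
port 1194
proto udp
#must be dev tap instead of dev tun for the bridge to operate
dev tap
ca "C:\\Program Files\\OpenVPN\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\server.crt"
key "C:\\Program Files\\OpenVPN\\server.key"  # This file should be kept secret
dh "C:\\Program Files\\OpenVPN\\dh1024.pem"
ifconfig-pool-persist ipp.txt
#must be set for server-bridge in order to utilize bridge
server-bridge 192.168.100.20 255.255.255.0 192.168.100.101 192.168.100.200
#Allows client-to-client communication inside VPN
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
"""

# Assumed LAN DHCP scope (not stated in the thread); change it to match yours.
LAN_DHCP_SCOPE = ("192.168.100.100", "192.168.100.150")

# a token is either a double-quoted string (paths with spaces) or a bare word
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def parse_conf(text):
    """Return {option: [args]}, keeping the first occurrence of each option."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if not line or line.startswith(";"):  # ';' comment lines too
            continue
        tokens = [quoted or bare for quoted, bare in _TOKEN.findall(line)]
        opts.setdefault(tokens[0], tokens[1:])
    return opts


def check_bridge_config(conf, dhcp_scope=LAN_DHCP_SCOPE):
    """Return a list of problems found; an empty list means the checks pass."""
    problems = []
    bridge = conf.get("server-bridge")
    if bridge is None:
        return ["no server-bridge line: this is a routed (tun) server config"]
    dev = conf.get("dev", [""])[0]
    if not dev.startswith("tap"):
        problems.append(f"dev is {dev!r}; server-bridge needs a tap device")
    if len(bridge) != 4:
        problems.append("server-bridge needs: gateway netmask pool-start pool-end")
        return problems
    gw, mask, start, end = bridge
    net = ipaddress.IPv4Network(f"{gw}/{mask}", strict=False)
    gw_ip, lo, hi = (ipaddress.IPv4Address(a) for a in (gw, start, end))
    for label, ip in (("gateway", gw_ip), ("pool start", lo), ("pool end", hi)):
        if ip not in net:
            problems.append(f"{label} {ip} is outside the bridge subnet {net}")
    if lo > hi:
        problems.append(f"pool start {lo} is after pool end {hi}")
    d_lo, d_hi = (ipaddress.IPv4Address(a) for a in dhcp_scope)
    if lo <= d_hi and d_lo <= hi:  # closed ranges intersect
        problems.append(f"pool {lo}-{hi} overlaps the LAN DHCP scope {d_lo}-{d_hi}; "
                        "move one of the ranges")
    return problems


if __name__ == "__main__":
    for line in check_bridge_config(parse_conf(SERVER_CONF)) or ["config looks consistent"]:
        print(line)
```

With the assumed scope 192.168.100.100-150 the posted config trips the overlap check, which is exactly the conflict the reply above asks about; set `LAN_DHCP_SCOPE` to what your router actually hands out and the result tells you whether the 101-200 pool needs to move.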