Linux - Newbie (LinuxQuestions.org): This Linux forum is for members that are new to Linux. Just starting out and have a question? If it is not in the man pages or the how-tos, this is the place!
Hello guys, I know there are a few topics about this, but reading them I couldn't use anything I understood, so I'm creating a new one.
I am going away from home and I'd like to access my home server as if I were physically connected to my home network. I've spent the past 2 days googling and setting up an OpenVPN server on my home server, but I haven't had much success so far. I must admit I don't understand everything around OpenVPN, so I came to ask you.
My goal:
Connect my laptop from outside of my home network to my home network using the OpenVPN server installed on my home server, and use home network resources, mainly Samba shares and my home internet IP address. Also, is it possible to only get the OpenVPN server's public IP address, but use the internet connection of the device connecting to it?
I've generated all keys and certificates; TLS is not working yet, so I commented that out in server.conf. I'll get that working after I'm able to get everything working the way I want.
I can connect to the server and ping it from the laptop, but DNS is not working; I can ping it only using its IP address.
My home network:
DHCP server + DNS server 192.168.0.1 (router)
Home Server 192.168.0.200 (running Debian 7.0)
Laptop DHCP assigned (usually 192.168.0.14)
my server.conf:
Code:
port 443
proto udp
dev tun
ca ca.crt
cert myserver.crt
key myserver.key
dh dh1024.pem
#tls-server
#tls-auth ta.key 0
ifconfig-pool-persist ipp.txt
server 10.1.0.0 255.255.255.0
ifconfig 10.1.0.1 255.255.255.0
push "dhcp-option DNS 192.168.0.1"
push "route 192.168.0.0 255.255.255.0 10.1.0.1"
client-config-dir ccd
route 192.168.1.0 255.255.255.0
route 192.168.2.0 255.255.255.0
client-to-client
push "route 192.168.1.0 255.255.255.0"
push "route 192.168.2.0 255.255.255.0"
keepalive 10 120
comp-lzo
persist-key
persist-tun
log /var/log/openvpn-server.log
status /var/log/openvpn-status.log
verb 6
If it looks messed up, it's because I followed multiple tutorials and couldn't get any of them working, so I started to play with it; now I can at least connect, but that's about it.
You have a choice to make when setting up a VPN that seems to be poorly explained in the documentation. Do you want your remote laptop to be:
a) Bridged: looks like it is connected directly to your home network. Uses DHCP and DNS of the home net. All packets go through the tunnel and back out through the home gateway, so browsing will be slow. This is a layer 2 VPN and uses a "tap" interface on the server.
b) Routed: has two ports on the laptop. Those destined for the home network go through the VPN to a "tun" interface on the server, but you can route (layer 3) other traffic through the direct connection to the internet. This would make browsing faster, but doesn't give you the protection of going through your home server (and firewall). In this case, the laptop is NOT on the same subnet as the home network and will not see broadcast packets - so no DHCP, network neighborhood, browsing samba shares, home DNS, etc. You can still do most things by typing IP addresses or adding names+IPs to your hosts table.
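The routed ("tun") choice described in the reply above, written out as an added example that is not part of the original thread: a small POSIX shell script that emits a server.conf for either a split tunnel (only LAN traffic goes through the VPN, the laptop keeps its own internet connection) or a full tunnel (everything goes through home, so the laptop appears to come from the home connection's public IP), plus the matching client.conf. The VPN pool 10.8.0.0/24, the LAN 192.168.0.0/24 with DNS on the router 192.168.0.1, the placeholder hostname home.example.org and the client file names laptop.crt/laptop.key are assumptions, not values taken from the posts; the server-side file names are the ones the poster already uses.

```shell
#!/bin/sh
# Added example, not from the thread: generate server and client
# configuration for a routed ("tun") OpenVPN 2.x setup.
# Assumptions not stated in the original posts: VPN pool 10.8.0.0/24,
# home LAN 192.168.0.0/24 with DNS on the router 192.168.0.1, and the
# certificate/key file names the poster already uses on the server.
set -eu

# routed_server_conf LAN_NET LAN_MASK LAN_DNS VPN_NET VPN_MASK MODE
#   MODE=split  only LAN traffic uses the tunnel; the laptop keeps its own
#               internet connection and public IP
#   MODE=full   everything uses the tunnel; the laptop appears to come from
#               the home connection's public IP
routed_server_conf() {
    cat <<EOF
port 443
proto udp
# tun = layer 3. No broadcasts, so no DHCP or SMB browse lists, but
# shares still open by name (hosts file) or by IP.
dev tun
ca ca.crt
cert myserver.crt
key myserver.key
# 1024-bit DH is weak; regenerate with "openssl dhparam -out dh2048.pem 2048"
dh dh1024.pem
# HMAC on the control channel; the client side uses key direction 1.
# Generate the key once with "openvpn --genkey --secret ta.key".
tls-auth ta.key 0
# "server" implies mode server, tls-server and the 10.8.0.1 ifconfig, so
# no separate "tls-server" or "ifconfig" line is needed.
server $4 $5
ifconfig-pool-persist ipp.txt
# Pushed to every client: the LAN is reachable through the tunnel ...
push "route $1 $2"
# ... and the home router is the DNS server (Windows clients apply this;
# Linux clients need an up/down script such as update-resolv-conf).
push "dhcp-option DNS $3"
EOF
    if [ "$6" = full ]; then
        printf '%s\n' '# Also send the default route through the tunnel.' \
                      'push "redirect-gateway def1"'
    fi
    cat <<EOF
keepalive 10 120
# Drop root after start; persist-* keep the tun device and keys usable.
user nobody
group nogroup
persist-key
persist-tun
# Compression (comp-lzo) deliberately left out; it leaks plaintext length.
status /var/log/openvpn-status.log
log-append /var/log/openvpn-server.log
# verb 6 floods the log; 3 is enough once the tunnel works.
verb 3
EOF
}

# routed_client_conf SERVER_HOSTNAME  (the dynamic-DNS name of the home connection)
routed_client_conf() {
    cat <<EOF
client
dev tun
proto udp
remote $1 443
resolv-retry infinite
nobind
ca ca.crt
cert laptop.crt
key laptop.key
tls-auth ta.key 1
# Refuse to talk to a client certificate masquerading as the server.
remote-cert-tls server
persist-key
persist-tun
verb 3
EOF
}

# Usage: sh openvpn-conf.sh server [split|full] > server.conf
#        sh openvpn-conf.sh client home.example.org > client.conf
case "${1:-}" in
    server) routed_server_conf 192.168.0.0 255.255.255.0 192.168.0.1 \
                               10.8.0.0 255.255.255.0 "${2:-split}" ;;
    client) routed_client_conf "${2:-home.example.org}" ;;
esac
```

The `push "route ..."` line is what the first post was missing a consistent version of: it only tells the laptop that 192.168.0.0/24 lives behind the tunnel. Whether the LAN hosts can answer is a separate question, handled on the server and router side.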
So, if I understand correctly, using the "tun" method I should be able to do the things I described in my first post, but basically I'll lose home DNS servicing and need to add the home machines to the hosts table (on the laptop?), and then everything is fine...
Or should I go back to PPTP? There it was easy to configure a range of "home" IP addresses and it "just" worked. My ISP at home is not blocking the PPTP port (1173 I think it is? ... can't remember right now), and as it is "just" for my private use (thus 5-star security is not really needed), is there a big advantage of using OpenVPN over PPTP?
EDIT: I just went googling again and found this: http://openvpn.net/index.php/open-so...wto.html#scope
It's late at night here, so my brain is not running at full speed, but I reckon that's what I'm looking for. I must admit that Linux networking is my weak point, so can you please have a quick look and tell me whether I'm going in the right direction?
I think you are missing something.
You set up a VPN server at home. In order to connect to that server you have to be able to reach it from outside your LAN. That is, reach it from the public internet.
You need the public IP address of your internet connection. I assume you have it because you said you were using PPTP. If you don't have it, you have to find it (whatsmyip.com). If it is not fixed, you need to rely on a service like DynDNS.
Secondly, if you know your IP address, you need to be sure your modem (which usually holds the firewall) forwards any incoming connection to your OpenVPN server. That is port 1194, which needs to be forwarded through your firewall.
Yes, I use no-ip.org to catch my dynamic public IP.
Also, I forwarded UDP 443 on my router to the OpenVPN server host and added an iptables rule to allow tun traffic.
What looks weird to me is that if I ping 192.168.0.200 (the OpenVPN server) it succeeds, but pinging 192.168.0.1 (the router) returns all packets dropped. Also, I can't browse the internet with the current setup.
I think you didn't understand what I need help with. All I need is for someone to write those "route" and "push route" directives for my case, i.e. is this correct?
Code:
server 10.8.0.0 255.255.255.0
ifconfig 10.8.0.1 255.255.255.0
push "dhcp-option DNS 192.168.0.1"
push "route 192.168.0.0 255.255.255.0 10.1.0.1"
I roughly understand that when I, say, ping a machine (192.168.0.15) on the server-side network from outside using the VPN tunnel, the packet goes from my laptop (10.8.0.2) via the tunnel to the OpenVPN server (10.8.0.1 / 192.168.0.200 on the home network) and there the magic happens. Does the packet's destination IP get translated to the server-side network (192.168.0.15)? Or do I need to somehow set up the router as well? When the machine on the server-side network answers, where does the packet go? To the gateway (the router, 192.168.0.1)? How does the gateway know that a packet for 192.168.0.10 should be routed to 192.168.0.200, and how will that machine know where to send it?
And this is what I don't understand: how exactly it works. And mainly, what do I put into server.conf to make it work that way?
----------------------------------------------------------------
EDIT: I played around with it some more, and it still confuses me. This is the server.conf I use now:
Code:
port 443
proto udp
dev tun
ca ca.crt
cert myserver.crt
key myserver.key
dh dh1024.pem
#tls-server
#tls-auth ta.key 0
ifconfig-pool-persist ipp.txt
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 192.168.0.1"
push "route 192.168.0.0 255.255.255.0"
client-config-dir ccd
push "redirect-gateway def1"
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
log /var/log/openvpn-daemon.log
status /var/log/openvpn-status.log
verb 6
OK, I read some more about networking in general and understood that in order to run the OpenVPN server on a machine other than the gateway itself (in "tun" mode), one must set a static route for the virtual subnet on the gateway. Unfortunately, my router (BT Home Hub 3) doesn't have such an option, so I'll give up for now; when I upgrade the router, I'll try again. I know that I could turn my home server into a DNS server, but it's not running 24/7 just yet and I don't have much free time to play around with it.
At least I understand the concept of network routing and VPNs now.
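The symptom in the posts above (pinging the server works, pinging the router or any other LAN host does not) and the conclusion that the BT Home Hub 3 cannot hold a static route for the tunnel subnet both come from the same return-path problem, and it has a fix on the OpenVPN server itself that the thread does not reach: source-NAT the tunnel traffic as it leaves towards the LAN, so the LAN hosts reply to 192.168.0.200 and never need to know about 10.8.0.0/24. The script below is an added example, not from the thread; the interface names eth0 and tun0, the pool 10.8.0.0/24 and the use of iptables on the Debian 7 server are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: the server-side forwarding and NAT
# rules that let LAN hosts answer VPN clients when the OpenVPN box is not
# the gateway and the router cannot hold a static route for the tunnel.
# Assumptions not in the original posts: the server's LAN interface is
# eth0, the tunnel is tun0 with pool 10.8.0.0/24, the LAN is
# 192.168.0.0/24, and iptables is available.
set -eu

# Why ping 192.168.0.200 works but 192.168.0.1 (or any other LAN host)
# does not: the request arrives with source 10.8.0.2. The LAN host
# answers via its default gateway, the router, which has no route for
# 10.8.0.0/24 and sends the reply nowhere useful. Two fixes:
#   A) a static route on the router: 10.8.0.0/24 via 192.168.0.200
#   B) source-NAT (masquerade) on the server, so LAN hosts see the
#      requests as coming from 192.168.0.200 and reply to it directly.
# This script prints (and with --apply, runs) fix B.

# return_path_rules VPN_NET LAN_IF LAN_NET MODE
#   MODE=split  forward VPN clients only to the LAN
#   MODE=full   also forward them to the internet (needed with
#               push "redirect-gateway def1")
return_path_rules() {
    printf '%s\n' "sysctl -w net.ipv4.ip_forward=1"
    if [ "$4" = full ]; then
        printf '%s\n' "iptables -A FORWARD -i tun0 -o $2 -s $1 -j ACCEPT"
    else
        printf '%s\n' "iptables -A FORWARD -i tun0 -o $2 -s $1 -d $3 -j ACCEPT"
    fi
    # Replies only; the LAN cannot open new connections to VPN clients.
    printf '%s\n' "iptables -A FORWARD -i $2 -o tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT"
    printf '%s\n' "iptables -A FORWARD -i tun0 -j DROP"
    # The line that replaces the static route on the router.
    printf '%s\n' "iptables -t nat -A POSTROUTING -s $1 -o $2 -j MASQUERADE"
}

# Read-only check of the kernel state after applying (no root needed).
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = 1 ]
}

# Usage: sh vpn-nat.sh            (print the rules for review)
#        sh vpn-nat.sh --apply [split|full]   (run them as root)
case "${1:-}" in
    "")      return_path_rules 10.8.0.0/24 eth0 192.168.0.0/24 split ;;
    --apply) [ "$(id -u)" = 0 ] || { echo "run as root" >&2; exit 1; }
             return_path_rules 10.8.0.0/24 eth0 192.168.0.0/24 "${2:-split}" | sh -e ;;
esac
```

The rules are not persistent: on Debian put them in /etc/rc.local or install iptables-persistent, and set net.ipv4.ip_forward=1 in /etc/sysctl.conf. The cost of fix B is that LAN-side logs show every VPN client as 192.168.0.200; if per-client addresses matter, fix A on a router that supports static routes is the better choice.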