LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 03-07-2017, 07:02 PM   #1
nicedreams
Member
 
Registered: Jun 2003
Location: Phoenix, AZ
Posts: 112

Rep: Reputation: 17
Multiple VPN clients to VPN server Proxy for technical support using Pi.


I have been setting up a Raspberry Pi and Odroid devices as little NAS backup units for Windows Servers for some of my clients. I've been doing this with BTRFS and daily snapshots to help protect (recover) from Cryptoware and other issues. I've been using FreeFileSync to mirror files every night the Pi/Odroid external USB drive.

I setup collectd to send stats to a remote host (digitalocean) so I can SSH into digitalocean and run the HTTP server to see the collectd stats and manage the Pi/Odroid by reverse SSH.

I've been thinking about how to get more direct access to my client networks (making it easier) so I can do better monitoring using Zabbix and other programs or running RDP to servers without opening up the firewall in their routers.

I have an idea of setting up the Pi/Odroid devices to auto connect a VPN client to a VPN server (digitalocean) and I'm hoping from there I can connect to (digitalocean) from my office/home with the VPN and then access any of the remote client Pi/Odroid networks. I guess that's a hub and spoke design, without the spoke.

This is where I am losing myself as I think it will work, but I'm not sure if I'll get full access to the different business network subnets for doing RDP on multiple servers through the VPN or will I only have access to the remote Pi/Odroid since it's the one doing the VPN client connection.

Another thing is security, I'm thinking I would need firewall rules to make sure if I have 6 different businesses doing a client VPN to digitalocean and they can't see each other. I don't want a virus on one network coming through the VPN and infecting my other clients or my network. Or if someone steals the remote client Pi I don't want them being able to do anything from the Pi.

This is where I need help in figuring it out, OR is this even a good plan? Is there a better way to set this up?

Once I set this up I can run a Zabbix server and have Zabbix agents run through VPN so I don't have to configure remote Zabbix hub agent mini servers to send all that data back. VPN seems to eliminate needing that.

So many options with a VPN to make managing my clients easier and that's why I'm hoping this will work out.
 
Old 03-15-2017, 06:44 PM   #2
rhamel
Member
 
Registered: Sep 2009
Location: Caribbean
Distribution: Slackware 15.0, Proxmox 7.4-17, FreeBSD 13.2
Posts: 70

Rep: Reputation: Disabled
This is what I am running on my Pi for my VPN setup which seems to be similar to what you describe.
Code:
client
dev tap
log /etc/openvpn/logs/cumis
proto tcp
remote digitalocean-ip-address 1195
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ns-cert-type server
daemon
keepalive 10 120
comp-lzo
verb 3
float
This is the server side config file
Code:
port 1195
proto tcp
daemon
dev tap
ca   /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/my-server.crt
key  /etc/openvpn/keys/my-server.key
dh   /etc/openvpn/keys/dh2048.pem
client-config-dir     /etc/openvpn/ccd
server 10.26.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-to-client
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status status.log
log-append /etc/openvpn/logs/cumis
verb 3
management localhost 7505
The important thing is that this server config file has "client-to-client" enabled. This allows one client to connect to another client. If you don't want this, just remove that line from the server config file. Then, only the server can connect to the client and the clients won't be able to connect to one another. So, clients won't be able to see other clients, ie. no virus travelling along the VPN.

If a Pi is stolen, you'll need to revoke its certificate. There are tutorials on the net to do that.

If the Pi can see the RDP port on the local subnet, you should be able to use ssh to tunnel to the RDP port via the Pi. I don't know about Zabbix but Nagios can use ssh to check services running on another host on the same subnet using check_by_ssh. I'm assuming Zabbix will have something similar.

You can use the ProxyJump Pi-ip-address directive in your .ssh/config file to tunnel through the Pi to other hosts on th Pi's internal subnet. Wonderful stuff, ssh.
 
Old 03-24-2017, 11:07 AM   #3
nicedreams
Member
 
Registered: Jun 2003
Location: Phoenix, AZ
Posts: 112

Original Poster
Rep: Reputation: 17
Appreciate the reply. Going to try this out and post if I need more help.
 
Old 06-09-2017, 09:56 AM   #4
nicedreams
Member
 
Registered: Jun 2003
Location: Phoenix, AZ
Posts: 112

Original Poster
Rep: Reputation: 17
Finally got around to getting this finished and thank you very much for the config files. It has helped a lot.

My issue I have right now might be because the server is not behind NAT and is just public IP running UFW. I can connect create a VPN connection from a Pi to the DigitalOcean server, but I cannot access the network. When Pi connects I check status on server and it hands out 10.8.0.2 so I try 'ssh user@10.8.0.2' and nothing happens. Can't ping 10.8.0.2 either. I've played with the config on the server and client and can connect to VPN but can't use network.

I haven't done anything with IPTABLES yet and seems like I might need to bridge both subnets together (not a network engineer), but everything I read on line the server is behind NAT and my server isn't.

Any ideas what I should try to do?
 
Old 06-10-2017, 12:37 PM   #5
rhamel
Member
 
Registered: Sep 2009
Location: Caribbean
Distribution: Slackware 15.0, Proxmox 7.4-17, FreeBSD 13.2
Posts: 70

Rep: Reputation: Disabled
Even if you don't have a NAT, OpenVPN should still work.

Ok, on the OpenVPN server, if you used my config file, in which there is a line
Code:
management localhost 7505
which sets up an interface to the running openvpn process. You can access this interface using telnet on the Openvpn server, thusly
Code:
telnet localhost 7505
Then, type
Code:
status 3
You should see a list of clients that are connected to the Openvpn server. If your Pi is among them (look for 10.8.0.2), then the Pi is connected to the server.

You can also check the log which, again if you used my config file, is in the logs folder (you did make a logs folder, didn't you?). Whatever file appears in the logs folder on the Openvpn server, should have the conversation between the server and any clients that attempt to connect.

You can also have a log on the Pi, again in a logs folder (which you have to remember to create) BTW, the name 'cumis' can be changed to something else, like DigitalOcean, for example. I just happen to connect to a system called 'cumis', so I named it 'cumis', coz I have multiple VPNs and I lose track of which is which.

In the Pi's log, you're looking for a line like
Code:
Wed Jun  7 09:20:09 2017 Initialization Sequence Completed
Anyhow, either by the 'status 3' method or by reading the logs, you should be able to see if the Pi is connected. Also, you can try 'nmap --iflist' which lists all the network interfaces the Pi is connected to. If you see 10.8.0.2 there, then a connection has been established.

Now, why can't you ssh to the Pi?

Ok, try using 'ssh -v pi@10.8.0.2'. The '-v' option outputs all kinds of info which may indicate where your problem is. If it just hangs, without producing any output, then it simply can't find 10.8.0.2 and you have a routing problem.

Check if your routing table on the Pi looks like this :-
Code:
pi@raspberrypi ~ $ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.100.1   0.0.0.0         UG    202    0        0 eth0
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tap0
192.168.100.0   0.0.0.0         255.255.255.0   U     202    0        0 eth0
pi@raspberrypi ~ $
where 192.168.100.1 is replaced by the IP address of the router on the Pi's local area network.

From inside your Pi, you should be able to ping that local area network's router and if the vpn is up, the digitalocean vpn server at 10.8.0.1 as well. See if you can ping other IP addresses on the Pi's local area network as well.

If it does produce copious amounts of output, then you may have an authentication problem.

My Pi's sshd_config file looks like
Code:
root@raspberrypi:~# grep ^[^#] /etc/ssh/sshd_config 
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 768
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
PermitRootLogin no
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
root@raspberrypi:~#
You might want to check your /etc/ssh/sshd_config file against that.

Also, check that sshd is actually running on the Pi, by typing
Code:
ssh localhost
coz, you know, sometimes we forget to turn these things on. It's happened to me before. Not once, several times. I put it down to approaching senility.

Ok, now I haven't really had to resort to bridging networks together, mainly becoz once ssh is working, I use it to proxy through to anything behind the ssh server. Ssh is really good stuff. I keep finding more tricks it can do as time goes by.

I know I used to do rdesktop over ssh in a previous job. And rdesktop over openvpn is possible even on Windows using Remote Desktop Connection (or whatever they're calling it nowadays)

Script to tunnel RDP over ssh (once you get ssh working)
Code:
#!/bin/bash
killall ssh
ssh -f -N -P -L 3392:<ip-of-windows-machine-you-want-to-get-to>:3389 pi@10.8.0.2
rdesktop -f -u '' localhost:3392
Hope this helps.
 
Old 06-10-2017, 01:14 PM   #6
rhamel
Member
 
Registered: Sep 2009
Location: Caribbean
Distribution: Slackware 15.0, Proxmox 7.4-17, FreeBSD 13.2
Posts: 70

Rep: Reputation: Disabled
BTW, I wanted to ask you - what hardware are you connected to the Pi to store the backups. I bought some piece of crap hardware that died on me, so I'm looking for a better solution.

Yours sounds like it could do the trick.
 
Old 07-31-2017, 06:22 PM   #7
nicedreams
Member
 
Registered: Jun 2003
Location: Phoenix, AZ
Posts: 112

Original Poster
Rep: Reputation: 17
I have the VPN working out perfect for me now. Thanks for the info. I had to get it out of my head that SSH keys don't work the same way VPN certs work for multiple devices.

I was using full sized Western Digital external USB hard drives with wall power.

Past couple months I'm now using used PCs for backup/vpn management servers with internal random SATA drives. Debian with BTRFS and Samba for Windows file level backups. Have samba previous versions exposed to Windows.

The Raspberry Pi and Odroid devices just weren't reliable enough. Check next day and backup would still be running and couldn't access device from all the I/O going on. I'm blaming the USB2 for it. Want to try the Odroid XU4 and new Pine64 coming out that has USB3. I hear the Odroid XU4 runs super hot even at idle with it's octo-cores though.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Creating open vpn clients using server certificates vrs Linux - Networking 1 02-06-2014 06:23 AM
[SOLVED] Windows7 VPN clients behind Debian Gateway can not connect to Draytek VPN neopandid Linux - Server 3 08-31-2012 11:34 PM
Setting up a VPN to support OS X clients pwaring Linux - Networking 1 02-16-2008 08:32 AM
multiple ipsec vpn clients behind nat egarnel Linux - Networking 1 12-30-2005 05:18 PM
Multiple Windows PPTP Clients/Easy VPN Solution??? Tarantismic Yak Linux - Security 5 04-17-2003 01:24 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 08:38 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration