LinuxQuestions.org
Old 03-22-2017, 12:58 PM   #1
KMCarpenter
Member
 
Registered: Mar 2017
Posts: 64

Rep: Reputation: Disabled
Setting up a VPN


Hello. I would like to set up a VPN server on my network so I can connect remotely. Can this be done outside the router? I looked into a 3rd party firmware for my cheap router but the model is questionable (Belkin F9K1102 v3).

For some reason the port forwarding doesn't work on this router either... everything I forward just ends up pointed to the router (192.168.2.1)

Any help would be appreciated! Thanks.
 
Old 03-22-2017, 03:01 PM   #2
business_kid
LQ Guru
 
Registered: Jan 2006
Location: Ireland
Distribution: Slackware, Slarm64 & Android
Posts: 16,093

Rep: Reputation: 2301
Is there facility on that router for a DMZ?
 
Old 03-22-2017, 03:03 PM   #3
KMCarpenter
Member
 
Registered: Mar 2017
Posts: 64

Original Poster
Rep: Reputation: Disabled
Yes there is... but that also does not work.
 
Old 03-22-2017, 03:48 PM   #4
mostlyharmless
Senior Member
 
Registered: Jan 2008
Distribution: Arch/Manjaro, might try Slackware again
Posts: 1,851
Blog Entries: 14

Rep: Reputation: 284
You could make the VPN host the gateway of your network and ditch the router, though obviously the machine would have to be on all the time... but that was probably the plan as a VPN anyway. You'd have to harden the machine and set up the firewall too, since you wouldn't be protected by the router. If your machine has only one ethernet port you'll need at least one additional ethernet port (e.g. have to get a PCI card) to pass the network on, and you could use the old router as a switch/wireless AP. Or you could get a new router!
 
Old 03-22-2017, 03:50 PM   #5
KMCarpenter
Member
 
Registered: Mar 2017
Posts: 64

Original Poster
Rep: Reputation: Disabled
Maybe I better set up a pfSense box? Lol
 
Old 03-22-2017, 09:03 PM   #6
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,599
Blog Entries: 4

Rep: Reputation: 3905
Honestly, I'd go down to the office-supply store and buy yourself a new router!

You need port-forwarding, so that incoming traffic on UDP Port 1192 (or whatever port-number you choose) is delivered to the proper computer.

You also need static routes, because there will be packets flying around your network with IP-addresses such as 10.8.0.x, representing traffic generated by remote directly-connected users. And, if there are remote subnets, packets bearing those addresses will be flying around, too. Your router must static-route those packets back to the OpenVPN machine as a gateway, so that they can be returned to the other side.

Any garden-variety (cheap!) router will do the job nicely, as long as it provides these two features. It is my frank opinion that your old router might have a whole new life as a bookend.

- - -

I've written several lengthy forum-posts here on the subject of OpenVPN, as have several others. Please feel free to post questions here.

Although, like any crypto technology, it takes some time to set up and to get to know, OpenVPN is a very cool technology. When properly set up with digital certificates – ("bad dog! no PSKs!") – and tls-auth, it provides a secure TCP/IP router that cannot be detected(!) from the outside. Authorized users pass easily through, and 100% of their communications through the tunnel are secured. Everyone else is left staring at ... nothing at all.

(I long ago gave up on IPSec ... "why bother?" Those raccoons can just go play in the woods.)

How many "unauthorized access attempts" do we get on our systems? Zero. The outer-layer gantlet is both invisible(!) and impenetrable. No one can get far enough to reach, let alone challenge, the second portcullis.

. . . and yet, to authorized users, who bear the proper (non-revoked ...) certificates, "it's as though it wasn't even there." The IP-addresses on the other side are just as immediately accessible, from their point of view, as is anything on their local network. To them, OpenVPN behaves "just like any other router." The encryption is entirely unobtrusive.

Last edited by sundialsvcs; 03-22-2017 at 09:22 PM.
 
Old 03-22-2017, 09:12 PM   #7
KMCarpenter
Member
 
Registered: Mar 2017
Posts: 64

Original Poster
Rep: Reputation: Disabled
Thanks for the reply, I really appreciate it... would it be wise for me to purchase a VPS and learn on that before I deploy it in my live network?
 
Old 03-23-2017, 08:38 AM   #8
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,599
Blog Entries: 4

Rep: Reputation: 3905
Quote:
Originally Posted by KMCarpenter
Thanks for the reply, I really appreciate it... would it be wise for me to purchase a VPS and learn on that before I deploy it in my live network?
You could, for example at home, set up a VPN on your box (after buying a new cheap router!), and confirm that you can connect to it at work. Or, yes, you could use a VPS for that purpose, although it's likely that you'll be doing some actual-hardware configuring when you deploy the thing in real life.

Remember that the OpenVPN process does not have to be "at the front door," and it does not have to be located on "the machine that you use." (In fact, you should purposely explore both use-cases, because when you are connecting directly you have a 10.8.0.x address, whereas, if you are connecting through an OpenVPN-router located somewhere else, you do not.)

Really, the most difficult thing about setting up OpenVPN for the first time is getting the routing straight everywhere. Fundamentally, it is a "standard 'I have a router leading to a remote subnet' situation," but many of us don't normally operate in a network that uses multiple routers at all.

(I wrote a fairly lengthy forum-post on just that topic here, but I'm too lazy to look it up.)

The other s are actually mostly just annoyances: by design, a crypto system will not tell the supplicant anything about why a connection attempt didn't succeed ... until, and if, it does. And, while OpenVPN does fairly-spew into its server-side logs, it can still be difficult to grok what's going on until you've done it a few times. (And, unlike ipsec, you're not dealing with stuff that's wedged into the kernel: all of OpenVPN, other than the very insignificant virtual-tap/tunnel-device wedge that only serves to get data in and out, lives entirely in user-land. Every OpenVPN participant is basically "the same bit of all-user-land software, talking to another copy of itself.")

So, get that "old" machine out of your closet, attach it to your home network, and start experimenting.

And ... "ask, ask, ask" right here.

Last edited by sundialsvcs; 03-23-2017 at 08:46 AM.
 
Old 03-24-2017, 10:46 AM   #9
mostlyharmless
Senior Member
 
Registered: Jan 2008
Distribution: Arch/Manjaro, might try Slackware again
Posts: 1,851
Blog Entries: 14

Rep: Reputation: 284
There's a fairly easy and explicit tutorial for setting up OpenVPN on Ubuntu available in the March 2017 issue of MaximumPC. It is trivial to adapt to the distro of your choice.
 
Old 03-24-2017, 01:43 PM   #10
KMCarpenter
Member
 
Registered: Mar 2017
Posts: 64

Original Poster
Rep: Reputation: Disabled
The reason I chose FreeBSD is because I plan to deploy this in pfSense after I learn to use it... and pfSense is based on FreeBSD
 
Old 03-24-2017, 02:22 PM   #11
nicedreams
Member
 
Registered: Jun 2003
Location: Phoenix, AZ
Posts: 112

Rep: Reputation: 17
For a very easy VPN server setup you can use a Raspberry Pi. I use the Quad-core Raspberry Pi 3 to run 50+ users on a VPN connection and it works flawlessly. Haven't tested the bandwidth but no one has complained yet.

https://github.com/Nyr/openvpn-install

This script from GitHub makes installing and managing OpenVPN too easy.

Install Windows OpenVPN client and put VPN certificate in folder and you're good to go on client side.

Mentioning this because it's a very quick setup and works very well as a standalone product.
 
Old 03-24-2017, 10:16 PM   #12
KMCarpenter
Member
 
Registered: Mar 2017
Posts: 64

Original Poster
Rep: Reputation: Disabled
Awesome!! I'm going to give this a try on Monday. Much appreciated. Thanks for all the responses to this thread.
 
Old 03-24-2017, 10:18 PM   #13
KMCarpenter
Member
 
Registered: Mar 2017
Posts: 64

Original Poster
Rep: Reputation: Disabled
This may be a stupid question... but I'm going to ask it anyway. Does OpenVPN assign an IP or do I need to set up DHCP?
 
Old 03-26-2017, 10:50 AM   #14
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,599
Blog Entries: 4

Rep: Reputation: 3905
The answer is "no," and here's why.
  • OpenVPN runs as an ordinary user-land program on the host computer. It sends and receives its encrypted traffic through [any one of ...] the host's network adapters, therefore at the host's IP-address. It neither knows nor cares how that IP-address was established, by DHCP or otherwise.
    • For external routing purposes, the OpenVPN machine's own external IP-address always refers to "the OpenVPN process that is running on that machine," and the packets which depart and arrive there are encrypted.
    • Meanwhile, OpenVPN will assign addresses (usually ...) in the 10.8.0.x address-range for all connected servers and clients. These addresses are used for them to talk among themselves. DHCP has no part in this subnet: these IP-addresses are strictly virtual, are assigned by OpenVPN itself, and are always routed through a tunX (or tapX) virtual device.

And so:
  • If you connect directly to an OpenVPN server using an OpenVPN client on your computer, you will have an IP-address (or two) on the 10.8.0.x subnet, and the traffic that you send will appear to come from that IP-address, no matter where your packets wind up. (Your own external IP-address is being used by OpenVPN to send and receive encrypted packets.)
  • On the other hand, if you were a user on your local subnet, merely using another OpenVPN machine "as a router" and not running a client yourself, your traffic will carry your IP-address within that subnet – whatever it might be, and however it might be established ("DHCP or otherwise ... ditto"). This, of course, is the case when you are using any sort of "router."

- - - -

Most importantly (and this is unrelated to DHCP ...), remember that every subnet will encounter, at minimum, packets bearing the 10.8.0.x address range. It will also encounter packets bearing the IP-address ranges used by all accessible remote subnets. OpenVPN will handle this for any machine upon which it is running, but every subnet must contain sufficient routing provisions – either through route commands on individual machines or through static routes in the local router – to cause these address-ranges to be delivered to the local OpenVPN server "as a gateway" so that it can serve as a TCP/IP router for all of them.

(And, again, this is the case for any sort of "router," except for the additional presence of the 10.8.0.x subnet.)

- - - - -

The IP-address range "10.8.0.x" is established in the OpenVPN configuration files. This particular address-range, like the use of "UDP" port "#1192" for external communications, is merely customary.

Last edited by sundialsvcs; 03-26-2017 at 11:08 AM.
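
The routing requirement described in posts #6 and #14, as an added example that is not part of the original thread: it traces where a LAN host's reply to a tunnel address ends up, with and without the static routes. The node names (`host`, `router`, `vpn`, `isp`), the /24 reading of 10.8.0.x and the remote subnet 192.168.50.0/24 are assumptions made for the illustration; 192.168.2.0/24 follows the router address given in post #1.

```python
import ipaddress

def next_hop(routes, dst):
    """Longest-prefix match over (network, gateway) pairs, as an IP stack does."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(net), gw) for net, gw in routes
            if addr in ipaddress.ip_network(net)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def trace(tables, start, dst, max_hops=8):
    """Follow a packet hop by hop until it leaves the nodes we hold tables for."""
    path, node = [start], start
    for _ in range(max_hops):          # bounded, so a routing loop cannot hang us
        hop = next_hop(tables.get(node, []), dst)
        if hop is None:
            break
        path.append(hop)
        if hop not in tables:          # reached an endpoint (vpn, isp, on-link)
            break
        node = hop
    return path

def undelivered(tables, start, destinations, vpn="vpn"):
    """Destinations whose packets do NOT end up at the OpenVPN machine."""
    return [d for d in destinations if trace(tables, start, d)[-1] != vpn]

# Constructed routing tables (assumed topology, not taken from the thread).
LAN_HOST = [("0.0.0.0/0", "router"), ("192.168.2.0/24", "on-link")]
ROUTER_PLAIN = [("0.0.0.0/0", "isp"), ("192.168.2.0/24", "on-link")]
# Router with the two static routes pointing back at the OpenVPN machine.
ROUTER_STATIC = ROUTER_PLAIN + [("10.8.0.0/24", "vpn"),
                                ("192.168.50.0/24", "vpn")]
# Alternative from post #14: a route command on the individual machine.
HOST_WITH_ROUTE = LAN_HOST + [("10.8.0.0/24", "vpn")]
# One directly connected VPN client and one host on a remote subnet.
DESTS = ["10.8.0.6", "192.168.50.20"]

if __name__ == "__main__":
    cases = {
        "router without static routes": {"host": LAN_HOST, "router": ROUTER_PLAIN},
        "router with static routes": {"host": LAN_HOST, "router": ROUTER_STATIC},
        "host route only": {"host": HOST_WITH_ROUTE, "router": ROUTER_PLAIN},
    }
    for label, tables in cases.items():
        for dst in DESTS:
            print(f"{label}: {dst} -> {' > '.join(trace(tables, 'host', dst))}")
        print(f"  lost replies: {undelivered(tables, 'host', DESTS)}")
```

Without the static routes the replies follow the default route out to the ISP and never return to the tunnel, which is the symptom of a VPN that connects but cannot reach anything on the LAN.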
 
Old 03-27-2017, 05:03 AM   #15
JJJCR
Senior Member
 
Registered: Apr 2010
Posts: 2,141

Rep: Reputation: 447
What is the model of the router?

Have you checked the user manual?

What sort of router is it, if it doesn't support port forwarding? How are you able to browse the internet?

Port 80 by default in any router is open and if your network is behind NAT then port forwarding is being done by the router.
 
All times are GMT -5.