LinuxQuestions.org
Old 01-31-2012, 09:55 PM   #1
sysman
LQ Newbie
 
Registered: Dec 2005
Posts: 11

Rep: Reputation: 0
Setting up openVPN for a LAN


I am looking for a free/cheap vpn server for the LAN in our community.

Our setup is a bit more complex than most, I would say. All traffic to the outside wall passes through our firewall (made by Juniper), so we have one leg facing outwards. We have another leg for our web servers (dmz) and several internal legs for different parts of our network, e.g. one for homes, one for offices and one for a factory. I am interested in forming a vpn with the offices section.

WWW <---> FIREWALL |<---> DMZ [ fixed ip]
...................|<---> Homes [ dhcp ]
...................|<---> Offices [ fixed ip ]
...................|<---> Factories [ fixed ip ]

(sorry about the dots, but I couldn't format it any other way)
I also have at my command an array of external IP addresses and can use one of these to connect directly through the firewall (with/without a password) to any machine on the LAN.

As the administrator, I envisage being able to log into the LAN from anywhere outside the LAN via an IP address or URL like vpn.mycompany.com, receive an ip in the range of the offices and then, to all intents & purposes be part of the network.

I have other workers, who I would like to be able to connect up and only have limited services, e.g. being able to connect up to their account on the domain server or map a certain directory on a certain computer.

I prefer installing the vpn 'server' using Linux (preferably Slackware), but most of my clients are windows machines.

I have looked briefly at openVPN, but can't find a tutorial that I can follow easily - mainly they assume you know what you are doing & understand the terminology. Also, I haven't found any that explains the physical setup needed, for instance, where do I place the server in the above diagram? What hardware do I need? What ports do I need open in the firewall? I don't envisage heavy traffic & only a few clients connected at the same time.

If anyone can help me or just point me in the right direction, I would be most grateful.

SysMan
 
Old 02-01-2012, 08:25 AM   #2
eehmke
LQ Newbie
 
Registered: Aug 2011
Distribution: Debian, Gentoo
Posts: 24

Rep: Reputation: 0
Did you read this?
http://openvpn.net/index.php/open-so...ion/howto.html
Your vpn server should be reachable from all clients on UDP port 1194 (or another port that you configure). This port must be opened in your firewall. If this can be done, it should be working. I have a server running with a public reachable port 1194. All clients (behind DSL connections with NAT) can connect to the VPN in a 10.8.0.0/16 net.
 
Old 02-01-2012, 09:55 AM   #3
catkin
LQ 5k Club
 
Registered: Dec 2008
Location: Tamil Nadu, India
Distribution: Debian
Posts: 8,578
Blog Entries: 31

Rep: Reputation: 1208
Regards "sorry about the dots" you could use CODE tags. The easiest way to do that is to go into Advanced Mode and use the # button.

Presumably your Juniper firewall is also a NATting router, in which case you will have to port-forward UDP 1194 on it to the OpenVPN server.

AFAIK the page linked by eehmke is the best OpenVPN HOWTO. If you work through it systematically instead of trying to take it all in at once it is very good.

The scenario you describe requires bridged rather than routed mode (this is what makes client computers "to all intents & purposes be part of the network"). There's a security catch in that though. Client computers normally have a security key arrangement that works with the server to allow passwordless connection. That means that anybody in possession of a client computer can make a connection to your LAN. If the client computer is a portable device which could be stolen ... Adding passwords is possible but not trivial.

Regards the "other workers", if you use bridged mode then they are "to all intents & purposes be part of the network". You could set up two instances of OpenVPN, using different UDP ports, one routed and one bridged but the routed service users could only access the OpenVPN server itself.

The OpenVPN server should be on the Offices LAN.

OpenVPN hardware requirements are trivial.

EDIT: if this information makes you harden the systems on your LAN then that may be no bad thing!

Last edited by catkin; 02-01-2012 at 09:57 AM.
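
A configuration sketch of the two-instance layout and the added password check described in the post above; it is an added example, not part of the original post or taken from the OpenVPN HOWTO. The file names, the Offices subnet 192.168.10.0/24, the second port 1195 and the PAM plugin path are assumptions; both UDP ports would need forwarding on the firewall, and the tap0 interface still has to be bridged to the LAN interface on the host as the HOWTO describes.

```conf
# ---- bridged.conf (hypothetical name): administrator, joins the Offices LAN ----
port 1194
proto udp
dev tap0                     # tap = layer-2, bridged mode
# Assumed subnet: server bridge address, netmask, then the client address pool.
server-bridge 192.168.10.4 255.255.255.0 192.168.10.200 192.168.10.220
ca   ca.crt
cert server.crt
key  server.key
dh   dh.pem
tls-auth ta.key 0            # drop packets that lack the shared HMAC key
crl-verify crl.pem           # lets you revoke the cert of a lost or stolen laptop
# Require a username/password (checked through PAM) in addition to the client
# certificate. Plugin file name and path differ between distributions/versions.
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login
keepalive 10 120
persist-key
persist-tun
user nobody
group nobody

# ---- routed.conf (hypothetical name): other workers, second instance ----
port 1195                    # assumed second UDP port
proto udp
dev tun                      # tun = layer-3, routed mode
server 10.8.0.0 255.255.255.0
# No "push route" lines here, so these clients learn no route to the
# Offices LAN and reach only the OpenVPN server's tunnel address.
ca   ca.crt
cert server.crt
key  server.key
dh   dh.pem
tls-auth ta.key 0
crl-verify crl.pem
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login

# ---- client config for the bridged instance (Windows: a .ovpn file) ----
client
dev tap
proto udp
remote vpn.mycompany.com 1194
ca   ca.crt
cert client1.crt
key  client1.key
tls-auth ta.key 1
remote-cert-tls server       # refuse a peer that is not presenting a server cert
auth-user-pass               # prompt for the password on every connect
```

With `auth-user-pass` on the client and the PAM plugin on the server, possession of the laptop's key files alone no longer opens a tunnel, and `crl-verify` gives a way to cut off a specific device after the fact.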
 
Old 02-01-2012, 10:55 AM   #4
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,834
Blog Entries: 4

Rep: Reputation: 3984
Ummm, there's no denying it: VPN configuration and especially debugging is quite difficult, if only "due to the essential nature of the beast."

You quite frankly may need to open your search beyond simply this web site in order to find truly qualified recommendations about a network topology of this complex a nature. Because, what you want is not simply "a passage from the outside to the inside," but a limited passage to a portion of what is "inside," with the various components of the internal system also using VPN technology. And, you want the whole thing to be manageable, which probably means that some connection to internal security/infrastructure controls (e.g. LDAP, Kerberos) will be required.
 
Old 02-04-2012, 06:31 AM   #5
Larry James
Member
 
Registered: Jun 2000
Location: Buffalo, New York
Distribution: Ubuntu, Raspbian
Posts: 381

Rep: Reputation: 40
Hi, SysMan. I know you mentioned OpenVPN in your title. However, your message asks for an easy VPN solution and suggests you're having problems. The responses also appear to suggest complexity. You might consider PPTP VPN, for which I wrote a script that will get it up and running in seconds.

Take a look at: http://faq.apollo3.com/ljames/ubuntu/vpn/ for a quick and easy resolution.

So it has worked in every tested environment without problems.

-- L. James

--
L. D. James
ljames@apollo3.com
www.apollo3.com/~ljames
 
  

