LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Old 10-08-2019, 09:32 PM   #1
X1C
How to design/setup a VPN gateway?


I have some servers (mostly Centos and Ubuntu, but also a few Windows 2008) that are in a local LAN (non-routable IP). The WAN side of the router is connected to a segment that has global IP.

In the same "global" segment, I want to connect an OpenVPN server.
The users will connect to this VPN gateway, and enter userID and password.

Upon successful authentication from the VPN gateway, the users can then ssh into the servers in the local LAN, which is otherwise inaccessible from outside.

For the software side of a VPN server, I think I can install OpenVPN in a server, but it is the "network" side that I have no clue about.

For example, how does the VPN server "tell" the local servers that a particular user has been authenticated, and thus can connect to the local server?

Where do I set up those rules?
In the router?
Or in the VPN gateway server itself?

Also, will any router (that can do NAT) do? Or do I need a "VPN capable router"?


Will the following design work?


Code:
                          -----------------
                  |-------| OpenVPN server |
                  |       -----------------
(internet)        |
------------------|(global IP)
                  |
                  |       |----------------
                  |-------| (NAT) Router   |
                          |----------------
                            |     |     |
                            |     |     |   Local LAN (172.16.0.XXX)
                            |     |     |
                           (A)   (B)   (C)

A, B, C, etc. are servers that will be accessible only if a user has been authenticated by the VPN gateway server.

Any hint (and/or URL) would be appreciated.

Thank you.
 
Old 10-09-2019, 02:23 PM   #2
TB0ne
Quote:
Originally Posted by X1C
I have some servers (mostly Centos and Ubuntu, but also a few Windows 2008) that are in a local LAN (non-routable IP). The WAN side of the router is connected to a segment that has global IP.

In the same "global" segment, I want to connect an OpenVPN server. The users will connect to this VPN gateway, and enter userID and password. Upon successful authentication from the VPN gateway, the users can then ssh into the servers in the local LAN, which is otherwise inaccessible from outside.

For the software side of a VPN server, I think I can install OpenVPN in a server, but it is the "network" side that I have no clue about.
You are (mostly) correct. They won't connect to VPN with a user ID and password, but rather with a set of cryptographic keys that you generate on the VPN server, and give to each user. They should be user specific, so you can tell who's logging in.
Quote:
For example, how does the VPN server "tell" the local servers that a particular user has been authenticated, and thus can connect to the local server? Where do I set up those rules? In the router? Or in the VPN gateway server itself? Also, will any router (that can do NAT) do? Or do I need a "VPN capable router"?
You set up routing rules and other such things on the VPN server. And pretty much ANY router can do this, you will have to (as you say) NAT that connection from the outside address/port to the internal VPN server. How difficult or easy that is depends on your router and network topology. Big networks with DMZs, multiple firewalls, etc., can be daunting...but that's why you have network teams to do such things.
Quote:
Will the following design work?
Code:
                          -----------------
                  |-------| OpenVPN server |
                  |       -----------------
(internet)        |
------------------|(global IP)
                  |
                  |       |----------------
                  |-------| (NAT) Router   |
                          |----------------
                            |     |     |
                            |     |     |   Local LAN (172.16.0.XXX)
                            |     |     |
                           (A)   (B)   (C)

A, B, C, etc. are servers that will be accessible only if a user has been authenticated by the VPN gateway server.
Any hint (and/or URL) would be appreciated.
There are a TON of how-to guides on how to set up OpenVPN. Pretty much every distro has OpenVPN in their software repositories, so installing it should be a matter of something like "yum install openvpn" (for CentOS). A guide for CentOS: https://www.digitalocean.com/communi...er-on-centos-7

Seems like a ton of steps, but it's very explicit, and easy to follow. Should have no problems.
 
1 members found this post helpful.
Old 10-09-2019, 02:35 PM   #3
business_kid
Welcome to LQ, X1C. Think Clients & Servers

I'm confused by your question. To my mind, OpenVPN usually goes to the outside world, and is a way of encrypting internet traffic. You pay a VPN server a few $ monthly (some are free) and send the traffic to them; they send it on in plain text, so your origin and what you say is hidden.
 
Old 10-10-2019, 04:47 AM   #4
X1C
Quote:
Originally Posted by business_kid
Welcome to LQ, X1C. Think Clients & Servers

I'm confused by your question. To my mind, OpenVPN usually goes to the outside world, and is a way of encrypting internet traffic. You pay a VPN server a few $ monthly (some are free) and send the traffic to them; they send it on in plain text, so your origin and what you say is hidden.
Thanks for the comments.

You are probably thinking only the "client side". I know what you mean. People in certain countries regularly use VPN service to connect to servers/services that are blocked by their country for various reasons.

In this post, I only talked about server side.
As of now, I don't know how I will implement the client side.

In the past, I have used a VPN client software (by Cisco, called "AnyConnect") to connect to a publicly accessible gateway, get authenticated (which means, a virtual tunnel is created between the remote host server and the client, the terminal I am using) and then I could ssh into an IP that is entirely "local", having non-routable IP like 172.16.0.XXX.
 
Old 10-10-2019, 09:37 AM   #5
TB0ne
Quote:
Originally Posted by X1C
Thanks for the comments.

You are probably thinking only the "client side". I know what you mean. People in certain countries regularly use VPN service to connect to servers/services that are blocked by their country for various reasons.

In this post, I only talked about server side.
As of now, I don't know how I will implement the client side.

In the past, I have used a VPN client software (by Cisco, called "AnyConnect") to connect to a publicly accessible gateway, get authenticated (which means, a virtual tunnel is created between the remote host server and the client, the terminal I am using) and then I could ssh into an IP that is entirely "local", having non-routable IP like 172.16.0.XXX.
There are a ton of OpenVPN clients for any OS. Gnome and KDE network managers can import and use VPN keys and configs easily. The server is the hard part.
 
Old 10-15-2019, 01:37 AM   #6
X1C
Quote:
Originally Posted by TB0ne
There are a ton of OpenVPN clients for any OS. Gnome and KDE network managers can import and use VPN keys and configs easily. The server is the hard part.
TBOne:
Thank you for the comments.
I assumed that the routing rules need to be set up inside the router, so I didn't look inside the (VPN) server side...
I do not know yet how it works, but at least I learnt that I should not assume anything...

In the coming days, I will give it a try (the link you posted in the 1st reply) to set up a VPN server with OpenVPN in CentOS.
 
Old 10-15-2019, 07:01 AM   #7
TB0ne
Quote:
Originally Posted by X1C
TBOne:
Thank you for the comments.
I assumed that the routing rules need to be set up inside the router, so I didn't look inside the (VPN) server side...
I do not know yet how it works, but at least I learnt that I should not assume anything...

In the coming days, I will give it a try (the link you posted in the 1st reply) to set up a VPN server with OpenVPN in CentOS.
On the router, it should just be a simple NAT: anything coming to your outward-facing address on UDP port <whatever-you-choose> is to be sent to the internal VPN server on whatever-port-you-choose. But as said, it *CAN* be complicated, depending on your network.

Also think about what resources/routes you want to export to the clients, because those routes need to be defined in the VPN server, so they can be 'pushed' (which is the simplest way of doing things). You shouldn't have problems, though...things are fairly well documented.
 
1 members found this post helpful.
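TB0ne's replies #2 and #7 put the access rules and the pushed routes on the VPN server and leave the router with a single UDP port forward. The block below is an added example, not code from this thread or from the OpenVPN project, of what that looks like on the OpenVPN host. It generates a server.conf that uses one certificate per user and pushes the LAN route to clients, and an nftables ruleset (CentOS 8 and later; on CentOS 7 the same policy is written with iptables/firewalld) that answers the original "how does the VPN server tell the local servers" question the way it is answered in practice: it does not tell them anything; the VPN host simply forwards only what its rules allow, here SSH from the tunnel subnet to the LAN. The addresses, interface and file names (LAN 172.16.0.0/24, tunnel 10.8.0.0/24, eth0, tun0, UDP 1194, ca.crt and friends) are assumptions for the example, not values from the thread, and the VPN host is assumed to sit behind the NAT router with one leg on the LAN, as TB0ne's port-forward description implies.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenVPN project. Generates, but does
# not apply, the two files that carry the access policy on an OpenVPN gateway.
# Assumed layout (not fixed by the thread): VPN host behind the NAT router,
# LAN interface eth0 in 172.16.0.0/24, router forwards UDP 1194 to this host.

LAN_NET="172.16.0.0/24"
LAN_ROUTE="172.16.0.0 255.255.255.0"   # OpenVPN's route directive uses dotted netmask form
TUN_NET="10.8.0.0/24"
TUN_IF="tun0"
LAN_IF="eth0"
VPN_PORT="1194"

# /etc/openvpn/server.conf: one certificate per user (duplicate-cn deliberately
# absent, so a cert cannot be used from two places at once), a CRL so a lost
# key can be revoked, and the LAN route pushed to every client.
gen_server_conf() {
    cat <<EOF
port ${VPN_PORT}
proto udp
dev ${TUN_IF}
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
server 10.8.0.0 255.255.255.0
push "route ${LAN_ROUTE}"
crl-verify crl.pem
keepalive 10 120
persist-key
persist-tun
user nobody
group nobody
verb 3
EOF
}

# nftables ruleset for the VPN host. Default drop on both chains; the only
# forwarded traffic is new SSH sessions from the tunnel subnet into the LAN.
# Nothing on the LAN may initiate a connection toward a VPN client.
gen_nft_rules() {
    cat <<EOF
table inet vpngw {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        udp dport ${VPN_PORT} accept
        iifname "${LAN_IF}" tcp dport 22 accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iifname "${TUN_IF}" oifname "${LAN_IF}" ip saddr ${TUN_NET} ip daddr ${LAN_NET} tcp dport 22 ct state new accept
    }
}
EOF
}

# Forwarding between tun0 and eth0 also needs the kernel switch turned on.
gen_sysctl() {
    echo "net.ipv4.ip_forward = 1"
}

# Policy check: every forward rule that exits toward the LAN must be pinned to
# TCP/22. Returns 1 if any LAN-bound rule is broader than that.
lan_forwards_are_ssh_only() {
    gen_nft_rules | grep "oifname \"${LAN_IF}\"" | grep -v 'tcp dport 22' | grep -q . && return 1
    return 0
}

# Usage: sh vpngw.sh print   (review the output, then install it as root)
if [ "${1:-}" = "print" ]; then
    gen_server_conf
    echo
    gen_nft_rules
    gen_sysctl
fi
```

The servers A, B and C (or the router in front of them) still need a return route for 10.8.0.0/24 via the VPN host, otherwise their replies head for the default gateway. Masquerading on the VPN host's LAN side would remove that requirement, but then sshd logs on the servers show the VPN host's address instead of each user's tunnel address, which throws away exactly the per-user attribution that TB0ne's one-key-per-user advice is meant to provide.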