Learn Linux Series (#12) - Routing and LAN management using OpenVPN
What Will I Learn?
- What is OpenVPN
- Providing OpenVPN access to the local LAN network
- Access from local network to OpenVPN clients
- Correct routing setting
- OpenVPN addressing
- How to configure OpenVPN to make everything go well
Requirements
- Linux system installed
- Basic knowledge of terminal operation
- Average knowledge of linux commands
- Motivation when something goes wrong
Difficulty
- Intermediate
- What is OpenVPN
OpenVPN is a software package that implements techniques for creating secure point-to-point (VPN) connections or page-pages in routed or bridged networks. It enables creation of encrypted connections between hosts over the public Internet network (tunnel) - it uses the OpenSSL library and SSLv3 / TLSv1 protocols for this purpose. Unlike other solutions, VPN is not based on IPsec as a medium.
I will show you how to enable access from OpenVPN to LAN and LAN to OpenVPN. OpenVPN after configuration and startup without setting up on forward / routing server will allow only OpenVPN
[OpenVPN client - host]
and
[host - OpenVPN Client]
and
[OpenVPN client - OpenVPN client]
(if client-to-client is set on the OpenVPN server).
However, there is often a need that after connecting to the OpenVPN server, we want to have access to the remote local network (more often) and less frequently from the remote local network to the OpenVPN client. It must be remembered that our local network will have a different address (most often it is) than this OpenVPN and it may be that the local network has, for example, the subnet 192.168.0.0/24, and the OpenVPN subnet 10.5.0.0/24. Below is a description of what and how to do it.
- Providing OpenVPN access to the local LAN network
In order for OpenVPN to have access to our local network and to have access from our local network to OpenVPN clients, it is necessary to set forward and routing on the OpenVPN server. First, edit the file /etc/sysctl.conf and delete the comment next to the line net.ipv4.ip_forward = 1
nano /etc/sysctl.conf
before editing it looks like this:
# Uncomment the next line to enable packet forwarding for IPv4
#net.ipv4.ip_forward=1
after editing:
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
about this procedure, the system will always set this option after restart. Additionally, to set this option "on the fly", i.e. without restarting anything, enter:
sysctl -w net.ipv4.ip_forward=1
Then set iptables:
iptables -t nat -A POSTROUTING -s 10.5.0.0/24 -o eth0 -j MASQUERADE
Where 10.5.0.0 is our subnet, and eth0 is the network card to which the LAN cable is connected (it can be a different card, eg eth1, so enter the appropriate interface here. To check the interface you can use the ifconfig command, which will display the network cards).
We can add this rule at the very end of the /etc/network/interfaces file so that it will always be added as soon as the network adapters are run:
nano /etc/network/interfaces
then we add at the end of the file:
post-up iptables -t nat -A POSTROUTING -s 10.5.0.0/24 -o eth0 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s 10.5.0.0/24 -o eth0 -j MASQUERADE
At this point, these rules will always be entered into iptables when the network adapter is started.
Now, edit the OpenVPN server.conf file and add the push route command there, which will allow OpenVPN clients the appropriate routing, ie:
nano /etc/openvpn/server.conf
then we add a command at the end of the configuration file (or if you use my config in the section described with the # routing comment so that it is in order):
push "route 192.168.0.0 255.255.255.0"
Where 192.168.0.0 is the addressing of our local network (everyone has to check and enter their address, because it may be different)
We save changes and restart the OpenVPN server:
/etc/init.d/openvpn restart
That's all. Now, OpenVPN clients must re-connect to the server (if they are connected) and after reconnecting they will have access to the local network. So if the client issues a ping command to the address of any device in the remote local network, this should correspond to, for example:
Response from 192.168.0.1: bytes=32 time=25ms TTL=63
Response from 192.168.0.1: bytes=32 time=43ms TTL=63
Response from 192.168.0.1: bytes=32 time=53ms TTL=63
- Access from local network to OpenVPN clients
The other way is a bit harder, because you need (preferably on a router in the local network) to add entries to the static routing, and here the routers, etc. is a whole lot and I can not describe everything here. That's why I will limit myself to a few tips at the end.
At the beginning, by default, on the server, we set (if we have not set it before) forward ie how I described above and set IPTABLES. Only this time, as the source we give the addressing of our local network, and the output interface is the OpenVPN interface, i.e. tun0:
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o tun0 -j MASQUERADE
Addressing 192.168.0.0 is the addressing of the local network. If your local network 192.168.1.0, then you should type in instead of 192.168.0.0.
We can add this at the end of the /etc/network/interfaces file so that it will always be entered when the network card is started:
nano /etc/network/interfaces
Then add at the end of the file:
post-up iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o tun0 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s 192.168.0.0/24 -o tun0 -j MASQUERADE
Routing is best set up on the router so as not to configure it separately on each computer in the local network. So, unfortunately, I have to leave it to users, because in different brands of routers it sets up differently. I will suggest, however, that you must set routing / static routing with destination IP 10.5.0.0 (the address of the OpenVPN subnet), the mask 255.255.255.0 where gateway is the local IP address of the machine with the OpenVPN server, i.e. a machine with Linux Debian on which the OpenVPN server is running has an address 192.168.0.10 this is the gateway address 192.168.0.10).
If, however, we do not want to add routing on the router or we want to check if everything works before adding the routing on the router, we can do it only locally on the machine where, for example, we work at a given moment.
Linux users can use the following command and add the appropriate routing on their computer:
route add -net 10.5.0.0/24 gw 192.168.0.10
0.5.0.0/24 is the OpenVPN addressing, and 192.168.0.10 is the address of the server / machine on which the OpenVPN server is running. At this moment, clients connected to the OpenVPN server will be able to be pinged and be able to connect to them (eg remote desktop or whatever).
To delete an entry, issue the command:
route delete -net 10.5.0.0/24 gw 192.168.0.10
to check the Routing list, we must issue a command in the terminal:
route
Curriculum
- Part 1 - TCP/IP Computer Adaptation
- Part 2 - Proftpd management and configuration
- Part 3 - Introduction to programming
- Part 4 - e-mail server (Postfix)
- Part 5 - e-mail server (Exim)
- Part 6 - Attack Detection System Snort
- Part 7 - Defense against port scans PortSentry
- Part 8 - Intrusion detection system TripWire
- Part 9 - e-mail server (Dovecot)
- Part 10 - Multilingual IMAP client Roundcube
- Part 11 - Mechanism for disk space management LVM
Posted on Utopian.io - Rewarding Open Source Contributors
Rejected. Plagiarized content.
You can contact us on Discord.
[utopian-moderator]
Congratulations @vitusc! You received a personal award!
Click here to view your Board