HowTo: Setup a Virtual Private Network (VPN)

Small companies and homes are set up to use a dedicated Linux machine to act as a gateway, their bridge to the internet outside. Having a computer do this routing allows a lot more flexibility than using a dedicated hardware router - for instance the ability to join the network to another company or allow remote workers via a VPN solution. The picture below demonstrates what a VPN might typically look like:

[Image: VPN network diagram]

Application options for VPN:

  • pptpd
  • tinc
  • openvpn

I’ve decided to use openvpn for this demonstration: pptpd is historically preferred and tinc is very good, but neither is available for my OS, Debian.

OpenVPN is also relatively new and is considered stable, secure and simple. So I’m making all of our lives a bit easier here.

Common Operations for VPN

  • static connection between offices
  • static connection between companies
  • setting up servers that can be connected to remotely
  • improving security in a datacentre.

This setup will allow every machine on the internal network of the company to talk to every machine on the second company’s internal network. The only requirements are that the two gateway machines run Linux, and that you have root access on them both.

The two companies will be:

Name            Curious3.co.uk       Azio.org
-----------------------------------------------
Internal LAN    192.168.0.0/24       10.0.0.0/24
External IP     gw.curious3.co.uk    gw.azio.org

Here we can see that the gateways both have DNS entries for their external IP address (although IPs work just as well), and that the internal networks are different. You can have overlapping ranges if you like too, but then NAT is involved.

Both my gateway and curious3’s are running stable, and we will shortly discover that openvpn is now available on sarge. woot!


apt-get install openvpn

After you have the package installed, you may be prompted whether you wish to create a TUN/TAP device. This is the device that all the traffic will be routed across, so you need to say Yes.

Repeat the process on the other gateway box and you’re ready to configure the two halves to talk to each other and play friends.

First things first, install the tun module:

modprobe tun
echo 'tun' >> /etc/modules

Excellent. Now make sure we have a pair of addresses for the private tunnel devices; these should be private addresses specifically allocated for the VPN ONLY.

Name            Curious3.co.uk       Azio.org
-----------------------------------------------
Internal LAN    192.168.0.0/24       10.0.0.0/24
External IP     gw.curious3.co.uk    gw.azio.org
Tunnel Devices  10.99.99.1           10.99.99.2

Funnily enough, that’s all the configuration you need to do.

  1. My friend at curious3 will need to run:
     openvpn --remote gw.azio.org --dev tun1 --ifconfig 10.99.99.1 10.99.99.2 --verb 9
  2. I’ll need to run on my box:
     openvpn --remote gw.curious3.co.uk --dev tun1 --ifconfig 10.99.99.2 10.99.99.1 --verb 9
  3. All done.

This will show diagnostic information and then hopefully set up a tunnel with a private address, 10.99.99.1 on gw.curious3.co.uk and 10.99.99.2 on gw.azio.org. Uber mental.

Try running:

ifconfig -a


You should see the new address on each machine

What About Routing!? Let’s Set that Up then!

Each gateway machine only knows about its own internal LAN IPs (192.168.0.0/24 and 10.0.0.0/24 in this example); we still need to tell the gateways how to get to the internal machines on each other’s company infrastructure.

Curious3 Gateway:

route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.99.99.1

Azio.org Gateway:

route add -net 192.168.0.0 netmask 255.255.255.0 gw 10.99.99.2

Now each gateway will be able to ping the other’s internal network. We assume that IP forwarding is already enabled, as the gateway machines are already running as gateways, but if not you will need to run this too:


echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A FORWARD -i tun+ -j ACCEPT
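Putting the steps above together, here is an added helper script (mine, not from the original post) that prints the full bring-up sequence for one side, sanity-checks the addressing first, and closes one gap in the commands above: the openvpn line carries neither --secret nor TLS options, so OpenVPN tunnels everything as clear text with no authentication. The script adds a pre-shared static key via --secret, generated once with openvpn --genkey --secret and copied to the peer over an already-trusted channel such as scp. The key path /etc/openvpn/static.key, port 1194 (OpenVPN’s default), the keepalive values, --verb 3 and the reply-direction iptables rule are my assumptions, not the page’s; the addresses and hostnames are the ones from the tables.

```shell
#!/bin/sh
# Added example (not from the original post): generate the bring-up
# commands for one side of the site-to-site tunnel and check the
# addressing first. Addresses/hostnames come from the tables on the page;
# the key path and port are assumptions (1194 is OpenVPN's default).
#
# Generate the shared key once, then copy it to the other gateway:
#   openvpn --genkey --secret /etc/openvpn/static.key
KEY=/etc/openvpn/static.key   # assumed key location, same on both gateways
PORT=1194                     # assumed; OpenVPN's default UDP port

ip2int() {                    # dotted quad -> 32-bit integer
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
int2ip() {                    # 32-bit integer -> dotted quad
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}
plen2mask() {                 # prefix length -> integer netmask
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}
in_net() {                    # in_net ADDR NET/PLEN -> true if ADDR lies inside NET
    mask=$(plen2mask "${2#*/}")
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "${2%/*}") & mask )) ]
}
nets_overlap() {              # nets_overlap NET1 NET2 -> true if the ranges intersect
    if [ "${1#*/}" -le "${2#*/}" ]; then
        in_net "${2%/*}" "$1" && return 0
    else
        in_net "${1%/*}" "$2" && return 0
    fi
    return 1
}
# check_addressing LAN_A LAN_B TUN_A TUN_B
# Prints "ok", or why the plan is unsafe: overlapping LANs need NAT (as the
# post notes), and a tunnel address inside either LAN breaks the routing.
check_addressing() {
    if nets_overlap "$1" "$2"; then echo "lan-overlap"; return 1; fi
    for t in "$3" "$4"; do
        for n in "$1" "$2"; do
            if in_net "$t" "$n"; then echo "tunnel-in-lan:$t"; return 1; fi
        done
    done
    echo ok
}
# vpn_cmd PEER_HOST LOCAL_TUN REMOTE_TUN -> the openvpn invocation for this side
vpn_cmd() {
    opts="--secret $KEY --keepalive 10 60 --persist-tun --persist-key --daemon --verb 3"
    echo "openvpn --remote $1 --port $PORT --dev tun1 --ifconfig $2 $3 $opts"
}
# route_cmd REMOTE_LAN REMOTE_TUN -> route to the peer's LAN via the far end of the tunnel
route_cmd() {
    echo "route add -net ${1%/*} netmask $(int2ip "$(plen2mask "${1#*/}")") gw $2"
}
# bringup MY_LAN PEER_LAN MY_TUN PEER_TUN PEER_HOST -> full command sequence (dry run)
bringup() {
    reason=$(check_addressing "$1" "$2" "$3" "$4" || true)
    [ "$reason" = ok ] || { echo "refusing to continue: $reason" >&2; return 1; }
    echo "modprobe tun"
    vpn_cmd "$5" "$3" "$4"
    route_cmd "$2" "$4"
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    echo "iptables -A FORWARD -i tun+ -j ACCEPT"
    echo "iptables -A FORWARD -o tun+ -j ACCEPT"   # reply direction (my addition)
}
case "${1:-}" in
    curious3) bringup 192.168.0.0/24 10.0.0.0/24 10.99.99.1 10.99.99.2 gw.azio.org ;;
    azio)     bringup 10.0.0.0/24 192.168.0.0/24 10.99.99.2 10.99.99.1 gw.curious3.co.uk ;;
esac
```

Run sh vpn-setup.sh curious3 on one gateway and sh vpn-setup.sh azio on the other, read the output, then pipe it into sh as root. Two deliberate differences from the commands above: the route’s next hop is the far end of the tunnel (the peer’s tunnel address), and the script refuses to print anything if the two LANs overlap or a tunnel address falls inside a LAN, since the resulting routes would silently send traffic the wrong way.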

If all has worked out, a script should exist in /etc/init.d that contains the openvpn command and the route command; then all you need to do is make sure it runs at boot time. That’s up to you, I’m afraid, in this tutorial, but it’s really quite simple: you could just temporarily create a script on each machine that runs the openvpn start command above, make it executable, and run it with ./start.sh.

SO SIMPLE. SO GO DO IT! Good Luck!

1 Comment

  1. Gaming Devices And Other Computer said,

    February 22, 2008 @ 1:27 am

    Computer Games: The maximum entertainment one can endure…

    The world of entertainment is saturated with so many endless mind blowing items that is suitable for different circumstances that anyone can entertain themselves to their fill in their personal hour….
