ajaygautam (Apprentice) - Joined: 23 Jan 2003, Posts: 205, Location: London Below
Posted: Fri Nov 04, 2005 5:55 pm
Post subject: HOWTO: VPN chaining / forwarding / tunneling.
I ran into an issue recently that had me scrambling for information / a solution. I finally solved it, and here is what I did, in case someone else wants to do something similar. This email is more of a "case study" than a real howto... but still, I hope this benefits someone...
Issue:
Unable to connect to my work VPN through a network that blocks certain ports.
Facts (machine and network names are examples and just used for clarity):
- VPN at work: MS Windows VPN Server (MS-VPN-Server)
- Connectivity from home (machine GENTOO on network HOME): works from Linux using PPTP with kernel patch: https://forums.gentoo.org/viewtopic-t-298267-highlight-pptpconfig.html
- Connectivity from machine LAPTOP on network SECURE: not available, as network SECURE blocks required ports for direct connection to MS-VPN-Server
- Connectivity exists from LAPTOP to GENTOO, i.e. LAPTOP is able to ssh / http / etc. to GENTOO. In my case, LAPTOP is also a Linux box.
Assumptions / Requirements:
- "tun" driver is enabled in the kernel for both LAPTOP and GENTOO. Can be found at (for 2.6): Device Drivers -> Network device support -> Universal TUN/TAP device driver support
- iptables is installed on GENTOO and kernel is configured to support IP forwarding. There are tons of docs on how to do this.
- OpenVPN port (1194) is open on HOME network.
- Assumes you have a working knowledge of pptp and general networking
Solution:
The idea is to route VPN traffic that originates from LAPTOP through GENTOO/HOME to MS-VPN-Server. To implement this idea, I installed openvpn on GENTOO and LAPTOP, and used that openvpn pipeline to route all VPN traffic from LAPTOP to MS-VPN-Server.
Implementation:
Step 1: Install required software. Both LAPTOP and GENTOO are Gentoo boxes.
For GENTOO:
Code:
emerge openvpn
For LAPTOP (follow the pptp link above):
Code:
emerge openvpn
emerge pptpconfig
Step 2: Setup
The setup I used is based on a simple openvpn implementation so that one client and one server can talk to each other. More information on this is available at http://openvpn.net/static.html
For GENTOO:
Code:
# the name vpnchain is a randomly selected name. means nothing.
mkdir /etc/openvpn/vpnchain
cd /etc/openvpn/vpnchain
openvpn --genkey --secret static.key
# create local.conf with the following data
cat > local.conf <<'EOF'
dev tun
comp-lzo
ifconfig 10.8.0.1 10.8.0.2
secret static.key
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
user nobody
group nobody
daemon
EOF
# create an ipforwarding script (quoted heredoc, so $IPTABLES etc. are written literally)
cat > ipforwarding-tun0-eth0.sh <<'EOF'
#!/bin/sh
IPTABLES=/sbin/iptables
MODPROBE=/sbin/modprobe
EXTIF="eth0"
INTIF="tun0"
$MODPROBE ip_tables
$MODPROBE ip_conntrack
$MODPROBE ip_conntrack_ftp
$MODPROBE ip_conntrack_irc
$MODPROBE iptable_nat
$MODPROBE ip_nat_ftp
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
# replies from the internet back into the tunnel, only for existing connections
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
# anything coming out of the tunnel may go out eth0
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG
# hide tunnel addresses behind GENTOO's eth0 address
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
EOF
chmod +x ipforwarding-tun0-eth0.sh
# start vpn connection on GENTOO
modprobe tun
/etc/init.d/openvpn start
/etc/openvpn/vpnchain/ipforwarding-tun0-eth0.sh
For LAPTOP:
Code:
# the name vpnchain is a randomly selected name. means nothing.
mkdir /etc/openvpn/vpnchain
cd /etc/openvpn/vpnchain
# copy the shared static key generated on GENTOO
scp GENTOO:/etc/openvpn/vpnchain/static.key /etc/openvpn/vpnchain
# create local.conf with the following data
cat > local.conf <<'EOF'
remote GENTOO
dev tun
comp-lzo
ifconfig 10.8.0.2 10.8.0.1
# assuming your MS-VPN-Server ip is 64.233.161.99
# this will route MS-VPN-Server through openvpn link
route 64.233.161.0 255.255.255.0
secret static.key
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
EOF
# start vpn connection on LAPTOP
modprobe tun
/etc/init.d/openvpn start
Now set up PPTP to connect to MS-VPN-Server as you normally would if you were connecting from the HOME network. When you connect to the VPN, the initial connection will go through tun0. The only difference in configuration I made was to select "Client to LAN" in the Routing tab, as opposed to "All to tunnel". For "Client to LAN" I specified the "Routes to be added via tunnel" as "10.0.0.0/8", for machines behind the WORK network.
Start PPTP and ping a machine in your WORK network.
You should see all this routing information through:
Good luck.
Ajay
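An added example, not part of Ajay's post: a tighter version of the ipforwarding-tun0-eth0.sh idea for GENTOO. The script in the post forwards anything that arrives on tun0 to anywhere on eth0, so a compromised LAPTOP could use the HOME connection for arbitrary traffic. This one forwards and masquerades only what the PPTP session needs (TCP port 1723 and GRE) from the tunnel peer to the MS-VPN-Server network, and logs and drops the rest. The addresses are the post's examples (10.8.0.2 for LAPTOP's tunnel address, 64.233.161.0/24 for the server's network); the DRY_RUN / APPLY variables and the function names are this example's own. It does not touch INPUT / OUTPUT, which the post leaves at ACCEPT.

```shell
#!/bin/sh
# Restricted forwarding for the openvpn -> PPTP chain on GENTOO.
# Added example, not the script from the forum post.

EXTIF="${EXTIF:-eth0}"                 # interface towards the internet / MS-VPN-Server
INTIF="${INTIF:-tun0}"                 # openvpn link to LAPTOP
PEER="${PEER:-10.8.0.2}"               # LAPTOP's end of the openvpn link (post's example)
VPN_NET="${VPN_NET:-64.233.161.0/24}"  # network MS-VPN-Server lives in (post's example)
IPTABLES="${IPTABLES:-/sbin/iptables}"

# run: with DRY_RUN=1 print the command instead of executing it, so the
# rule set can be reviewed before it is applied to a live box.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# rules: the complete FORWARD / POSTROUTING rule set, least privilege:
# only the PPTP control channel (TCP/1723) and its GRE data channel,
# only from the tunnel peer, only to the VPN server's network.
rules() {
    run "$IPTABLES" -P FORWARD DROP
    run "$IPTABLES" -F FORWARD
    run "$IPTABLES" -t nat -F POSTROUTING
    # replies for connections the peer opened
    run "$IPTABLES" -A FORWARD -i "$EXTIF" -o "$INTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # PPTP control connection and GRE tunnel to the server network
    run "$IPTABLES" -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$PEER" -d "$VPN_NET" -p tcp --dport 1723 -j ACCEPT
    run "$IPTABLES" -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$PEER" -d "$VPN_NET" -p gre -j ACCEPT
    # everything else is logged (rate limited) and dropped
    run "$IPTABLES" -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "vpnchain-drop: "
    run "$IPTABLES" -A FORWARD -j DROP
    # masquerade only the permitted peer -> server traffic
    run "$IPTABLES" -t nat -A POSTROUTING -o "$EXTIF" -s "$PEER" -d "$VPN_NET" -j MASQUERADE
}

# count_peer_accepts: number of ACCEPT rules sourced from the tunnel peer;
# a quick sanity check that nothing broader slipped into the rule set.
count_peer_accepts() {
    DRY_RUN=1 rules | grep -c -- "-s $PEER .*-j ACCEPT"
}

apply_rules() {
    run sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
    rules
}

# Apply only when explicitly asked (APPLY=1); DRY_RUN=1 ./script.sh just prints.
if [ "${APPLY:-0}" = "1" ]; then
    apply_rules
fi
```

Run it once with DRY_RUN=1 to read the rules it would load, then with APPLY=1 as root in place of the post's ipforwarding script. If the PPTP connection fails after switching, the dropped packets show up in the kernel log with the vpnchain-drop: prefix, which tells you exactly which extra flow the session needed.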
ajaygautam (Apprentice) - Joined: 23 Jan 2003, Posts: 205, Location: London Below
Posted: Fri Nov 04, 2005 5:57 pm
tcpdump was a useful utility to determine what data is being exchanged between LAPTOP and GENTOO.
On GENTOO:
Ajay
ajaygautam (Apprentice) - Joined: 23 Jan 2003, Posts: 205, Location: London Below
Posted: Fri Nov 04, 2005 5:59 pm
Also added a few things to /etc/init.d/openvpn to start everything on startup.
Code:
vi /etc/init.d/openvpn
# add these functions
starttundevice() {
    modprobe tun
}
setupRouting() {
    /etc/openvpn/default/ipforwarding-tun0-wlan0.sh
}
# ... and call them from start()