Wednesday 19 December 2007

Setting up an OpenVPN server behind a router (NAT), with ALL client traffic passing through the server

Introduction

In some countries web pages get blocked because they do not conform to the rules (moral, ethical, religious) of that country.

But sometimes other sites that shouldn't be blocked are unavailable as well.

This can be circumvented: all traffic passes through your home OpenVPN server, and it is encrypted until it arrives home.
So there is no possibility of local eavesdropping (the traffic leaves your home server unencrypted, as it would from any home PC).

This also comes in handy to transfer files safely between computers or to secure any insecure UDP/TCP protocol.
You also DON'T NEED ANY EXTRA HARDWARE :) isn't that cool?

This howto shows how you do it.


Network Setup


OpenVPN can work in bridged (tap) mode or in routed (tun) mode. In this setup I use tun.
If you want to know the difference read these:
http://openvpn.net/faq.html#tunnel-principal
http://openvpn.net/faq.html#bridge
http://openvpn.net/faq.html#bridge1
http://openvpn.net/faq.html#bridge2
http://openvpn.net/faq.html#bridge3
http://openvpn.net/howto.html#vpntype

As you can see in the image, my setup is probably almost identical to yours.

The OpenVPN server is connected to the router like all other hosts.
NAT is applied to outgoing packets.
Incoming connections are not allowed by the router's default firewall configuration.

The OpenVPN server has FreeBSD 6.2 installed and the client Debian Lenny.



What to do
  1. Configure static IP for OpenVPN server
  2. Configure OpenVPN server and client (and generate authentication keys and certificates)
  3. Open firewall and forward port on router
  4. Test the basic VPN
  5. Configure NAT on the OpenVPN server

Configure static IP for OpenVPN server (FreeBSD)

First we have to configure the range of IP addresses the router hands out to hosts (DHCP).
I configured it from 192.168.33.10 to 192.168.33.20, so that the static address of the OpenVPN server (192.168.33.3, below) falls outside that range.
Look in the manual of your router to find where you can configure this.


Edit /etc/rc.conf and add a line like this:
Code:
ifconfig_re0="inet 192.168.33.3 netmask 255.255.255.0"
defaultrouter="192.168.33.1"

Correct "re0" to whatever the name of your network interface is.
For example, for interface vr0 the variable would be ifconfig_vr0.

To point to what DNS should be used execute the following:
Code:
echo "nameserver 192.168.33.1" > /etc/resolv.conf

This will only be applied after rebooting (or restarting your network service). I hate rebooting... so let's do it manually :p
Code:
ifconfig re0 192.168.33.3 netmask 255.255.255.0
route add default 192.168.33.1


Configure OpenVPN server and client


Add this to /etc/rc.conf to start the OpenVPN server automatically when the server boots:
Code:
openvpn_enable="YES"
Place this config (/usr/local/etc/openvpn/server.conf) on the server
(NOTE: ONLY use root and the wheel group for testing, when you suspect permissions are the problem! Normally you use nobody as user and group):
Code:
# This is the OpenVPN server, over UDP (better performance because of less overhead) with a tun device (routing).
proto udp
dev tun
mode server

# Authentication with OpenSSL
tls-server
tls-auth keys/ta.key 0
dh keys/dh1024.pem
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
duplicate-cn

# Configure the IP range of the VPN clients
server 192.168.100.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1" # this will make all traffic go through the VPN (web requests for example do not go directly to the internet, but the OpenVPN server sends them outside.)

user root
group wheel

ping 15
verb 5
log-append /var/log/openvpn/openvpn.log
status /var/log/openvpn/status.log


#comp-lzo # Compression to get better performance
#persist-key
#persist-tun
Create the log directory:
Code:
mkdir /var/log/openvpn
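As an added example (my code, not code from the original post), the following Python script parses a server.conf like the one above and reports the settings that OpenVPN itself warns about at startup with this configuration (the corresponding WARNING lines appear in the server log further down in this howto: root/wheel, no persist-key/persist-tun, ping without a restart option, ifconfig-pool-persist combined with duplicate-cn), plus the two things the post says you need, tls-auth and the redirect-gateway push. The two embedded configs are constructed: a copy of the server.conf above and a hardened variant that passes every check. The option names are real OpenVPN 2.0 options; the finding codes are my own.

```python
"""Lint an OpenVPN server config for the points this howto touches.

Added example, not code from the original post. It parses config text the
way OpenVPN does (one option per line, '#'/';' comments, quoted arguments)
and flags what OpenVPN itself warns about at startup with the post's
settings, plus the two items the post says you need: tls-auth and
push "redirect-gateway". Finding codes are my own; option names are real.
"""
import shlex


def _strip_inline_comment(line):
    """Drop a '#' or ';' comment that starts a new token, as OpenVPN does."""
    quote = None
    for i, ch in enumerate(line):
        if quote:
            if ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
        elif ch in "#;" and (i == 0 or line[i - 1].isspace()):
            return line[:i]
    return line


def parse_openvpn_config(text):
    """Return [(option, [args...]), ...] in file order, comments removed."""
    options = []
    for raw in text.splitlines():
        line = _strip_inline_comment(raw.strip())
        if line:
            tokens = shlex.split(line)
            options.append((tokens[0], tokens[1:]))
    return options


def lint_server_config(text):
    """Return a sorted list of (code, message); an empty list means clean."""
    opts = parse_openvpn_config(text)
    names = {name for name, _ in opts}

    def first_arg(option):
        return next((args[0] for name, args in opts if name == option and args), None)

    findings = []
    if first_arg("user") == "root" or first_arg("group") in ("wheel", "root"):
        findings.append(("PRIVILEGED_USER", "runs as root/wheel: use 'user nobody' and 'group nobody' once it works"))
    if names & {"user", "group", "chroot"} and not {"persist-key", "persist-tun"} <= names:
        findings.append(("NO_PERSIST", "user/group without persist-key/persist-tun: restarts fail after dropping privileges"))
    if "ping" in names and not names & {"ping-restart", "ping-exit", "keepalive"}:
        findings.append(("PING_WITHOUT_RESTART", "ping without ping-restart/ping-exit: a dead peer is never noticed"))
    if "keepalive" not in names:
        findings.append(("NO_KEEPALIVE", "add 'keepalive 10 60'; in server mode it is also pushed to clients"))
    if "ifconfig-pool-persist" in names and "duplicate-cn" in names:
        findings.append(("POOL_PERSIST_WITH_DUPLICATE_CN", "ifconfig-pool-persist is ignored with duplicate-cn: one certificate per client"))
    if "tls-auth" not in names:
        findings.append(("NO_TLS_AUTH", "tls-auth missing: control channel packets are not HMAC-protected"))
    if not any(args and args[0].startswith("redirect-gateway") for name, args in opts if name == "push"):
        findings.append(("NO_REDIRECT_GATEWAY", 'no push "redirect-gateway": client internet traffic stays outside the tunnel'))
    return sorted(findings)


# Constructed copy of the post's server.conf (log and verb lines left out).
POST_SERVER_CONF = """\
proto udp
dev tun
mode server
tls-server
tls-auth keys/ta.key 0
dh keys/dh1024.pem
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
duplicate-cn
server 192.168.100.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1" # all client traffic through the VPN
user root
group wheel
ping 15
"""

# Constructed hardened variant: unprivileged user, persistent key and tun,
# keepalive instead of a bare ping, one certificate per client, 2048-bit DH.
HARDENED_SERVER_CONF = """\
proto udp
dev tun
server 192.168.100.0 255.255.255.0
tls-auth keys/ta.key 0
dh keys/dh2048.pem
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"
keepalive 10 60
persist-key
persist-tun
user nobody
group nobody
"""

if __name__ == "__main__":
    for label, conf in (("post", POST_SERVER_CONF), ("hardened", HARDENED_SERVER_CONF)):
        print(label + ":", lint_server_config(conf) or "clean")
```

Run it directly to see the five findings for the post's config and "clean" for the hardened one; to check your own file, pass its contents to lint_server_config(). The hardened variant drops mode server and tls-server because the server directive already implies both.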
The config for the client (/etc/openvpn/client.conf) is almost the same:
Code:
proto udp
dev tun
remote 213.219.138.69 # host to connect to

tls-client
tls-auth keys/ta.key 1
ca keys/ca.crt
cert keys/client1.crt
key keys/client1.key

pull # this will execute the "push" options shown in the server config.

port 1194
user root
group root

ping 15
verb 5
log-append /var/log/openvpn/openvpn.log
status /var/log/openvpn/status.log

#persist-key
#persist-tun
#comp-lzo
Also create the log directory:
Code:
 mkdir /var/log/openvpn
OpenVPN ships with a handy tool called easy-rsa to create the necessary keys and certificates.
Code:
 cd /usr/local/share/doc/openvpn/easy-rsa/
Be sure you have openssl installed.

First edit the settings in the "vars" file to your liking (I recommend keeping the default settings, or only raising the Diffie-Hellman key size to 2048).

Execute:
Code:
. vars
./clean-all
./build-ca
./build-key-server server
./build-key client1
./build-dh
openvpn --genkey --secret keys/ta.key   # the tls-auth key both configs reference; easy-rsa does not create it

First the settings get read. Then clean-all creates the keys directory, the serial file and the index.txt file.
build-ca creates a Certificate Authority.
build-key-server creates a key and certificate for the server. For one OpenVPN server you only have to do this once.
After that, for each client you have, you execute build-key client1, build-key client2, ...
Make sure the Common Name is unique for every client.
build-dh creates the Diffie-Hellman parameters.

Copy the files dh1024.pem, ca.crt, server.crt, server.key and the tls-auth key ta.key to the /usr/local/etc/openvpn/keys directory on the server (create it).
Copy ca.crt, client1.crt, client1.key and ta.key to the /etc/openvpn/keys directory on the client side.
Keep the .key files readable by root only (chmod 600); ca.key stays on the machine where you ran easy-rsa and is never copied to server or client.


Open firewall and forward port on router

I have a Linux-based router (US Robotics). I configured the firewall over an SSH login (you can enable this in the graphical interface).

First allow packets that are arriving from the internet on the router to be forwarded to your OpenVPN server.
Code:
# OpenVPN runs over UDP here (proto udp in both configs), so match udp, not tcp
iptables -I FORWARD 1 -d 192.168.33.3 -p udp --dport 1194 -j ACCEPT
Forward the packets that have as destination port 1194 to your OpenVPN server:
Code:
 iptables -t nat -A PREROUTING -p udp --dport 1194 -j DNAT --to 192.168.33.3:1194
Enable packet forwarding in the kernel:
Code:
 echo 1 > /proc/sys/net/ipv4/ip_forward

Test the basic VPN


After all this configuration, let's check if it works.

Start openvpn on the server:
Code:
cd /usr/local/etc/openvpn
openvpn server.conf
Start openvpn on the client:
Code:
cd /etc/openvpn/
openvpn client.conf

Normally you should see text scrolling in the logs of both, ending with "Initialization Sequence Completed".
(It may be easier to remove the logging lines, log-append and status, from the configuration file; then the output is printed to the terminal.)
This is my log file after starting the server:
Code:

Thu Dec 20 07:59:01 2007 us=619831 Current Parameter Settings:
Thu Dec 20 07:59:01 2007 us=621081 config = 'server.conf'
Thu Dec 20 07:59:01 2007 us=621192 mode = 1
Thu Dec 20 07:59:01 2007 us=621255 show_ciphers = DISABLED
Thu Dec 20 07:59:01 2007 us=621314 show_digests = DISABLED
Thu Dec 20 07:59:01 2007 us=621373 show_engines = DISABLED
Thu Dec 20 07:59:01 2007 us=621431 genkey = DISABLED
Thu Dec 20 07:59:01 2007 us=621488 key_pass_file = '[UNDEF]'
Thu Dec 20 07:59:01 2007 us=621547 show_tls_ciphers = DISABLED
Thu Dec 20 07:59:01 2007 us=621605 proto = 0
Thu Dec 20 07:59:01 2007 us=621663 local = '[UNDEF]'
Thu Dec 20 07:59:01 2007 us=621721 remote_list = NULL
Thu Dec 20 07:59:01 2007 us=621782 remote_random = DISABLED
Thu Dec 20 07:59:01 2007 us=621840 local_port = 1194
Thu Dec 20 07:59:01 2007 us=621900 remote_port = 1194
Thu Dec 20 07:59:01 2007 us=621958 remote_float = DISABLED
Thu Dec 20 07:59:01 2007 us=622017 ipchange = '[UNDEF]'
Thu Dec 20 07:59:01 2007 us=622075 bind_local = ENABLED
Thu Dec 20 07:59:01 2007 us=622134 dev = 'tun'
Thu Dec 20 07:59:01 2007 us=622204 dev_type = '[UNDEF]'
Thu Dec 20 07:59:01 2007 us=622264 dev_node = '[UNDEF]'
Thu Dec 20 07:59:01 2007 us=622322 tun_ipv6 = DISABLED
Thu Dec 20 07:59:01 2007 us=622381 ifconfig_local = '192.168.100.1'
Thu Dec 20 07:59:01 2007 us=622441 ifconfig_remote_netmask = '192.168.100.2'
Thu Dec 20 07:59:01 2007 us=622499 ifconfig_noexec = DISABLED
Thu Dec 20 07:59:01 2007 us=622558 ifconfig_nowarn = DISABLED
Thu Dec 20 07:59:01 2007 us=622616 shaper = 0
Thu Dec 20 07:59:01 2007 us=622675 tun_mtu = 1500
Thu Dec 20 07:59:01 2007 us=622732 tun_mtu_defined = ENABLED
Thu Dec 20 07:59:01 2007 us=622791 link_mtu = 1500
Thu Dec 20 07:59:01 2007 us=622849 link_mtu_defined = DISABLED
Thu Dec 20 07:59:01 2007 us=622908 tun_mtu_extra = 0
Thu Dec 20 07:59:01 2007 us=622967 tun_mtu_extra_defined = DISABLED
Thu Dec 20 07:59:01 2007 us=623026 fragment = 0
Thu Dec 20 07:59:01 2007 us=623084 mtu_discover_type = -1
Thu Dec 20 07:59:01 2007 us=623262 mtu_test = 0
Thu Dec 20 07:59:01 2007 us=623331 mlock = DISABLED
Thu Dec 20 07:59:01 2007 us=623390 keepalive_ping = 0
Thu Dec 20 07:59:01 2007 us=623449 keepalive_timeout = 0
Thu Dec 20 07:59:01 2007 us=623508 inactivity_timeout = 0
Thu Dec 20 07:59:01 2007 us=623568 ping_send_timeout = 15
Thu Dec 20 07:59:01 2007 us=623627 ping_rec_timeout = 0
Thu Dec 20 07:59:01 2007 us=623686 ping_rec_timeout_action = 0
Thu Dec 20 07:59:01 2007 us=623745 ping_timer_remote = DISABLED
Thu Dec 20 07:59:01 2007 us=623804 remap_sigusr1 = 0
Thu Dec 20 07:59:01 2007 us=623863 explicit_exit_notification = 0
Thu Dec 20 07:59:01 2007 us=623921 persist_tun = DISABLED
Thu Dec 20 07:59:01 2007 us=623980 persist_local_ip = DISABLED
Thu Dec 20 07:59:01 2007 us=624039 persist_remote_ip = DISABLED
Thu Dec 20 07:59:01 2007 us=624097 persist_key = DISABLED
Thu Dec 20 07:59:01 2007 us=624156 mssfix = 1450
Thu Dec 20 07:59:01 2007 us=624229 passtos = DISABLED
Thu Dec 20 07:59:01 2007 us=624289 resolve_retry_seconds = 1000000000
Thu Dec 20 07:59:01 2007 us=624348 connect_retry_seconds = 5
Thu Dec 20 07:59:01 2007 us=624407 username = 'root'
Thu Dec 20 07:59:01 2007 us=624466 groupname = 'wheel'
Thu Dec 20 07:59:01 2007 us=624525 chroot_dir = '[UNDEF]'
Thu Dec 20 07:59:01 2007 us=624584 cd_dir = '[UNDEF]'
Thu Dec 20 07:59:01 2007 us=624670 writepid = '[UNDEF]'
Thu Dec 20 07:59:01 2007 us=624730 up_script = './server.up'
Thu Dec 20 07:59:01 2007 us=624789 down_script = '[UNDEF]'
Thu Dec 20 07:59:01 2007 us=624848 down_pre = DISABLED
Thu Dec 20 07:59:01 2007 us=624906 up_restart = DISABLED
Thu Dec 20 07:59:01 2007 us=624965 up_delay = DISABLED
Thu Dec 20 07:59:01 2007 us=625023 daemon = DISABLED
Thu Dec 20 07:59:01 2007 us=625082 inetd = 0
Thu Dec 20 07:59:01 2007 us=625140 log = ENABLED
Thu Dec 20 07:59:01 2007 us=625211 suppress_timestamps = DISABLED
Thu Dec 20 07:59:01 2007 us=625271 nice = 0
Thu Dec 20 07:59:01 2007 us=625331 verbosity = 5
Thu Dec 20 07:59:01 2007 us=625443 mute = 0
Thu Dec 20 07:59:01 2007 us=625512 gremlin = 0
Thu Dec 20 07:59:01 2007 us=625572 status_file = '/var/log/openvpn/status.log'
Thu Dec 20 07:59:01 2007 us=625632 status_file_version = 1
Thu Dec 20 07:59:01 2007 us=625691 status_file_update_freq = 60
Thu Dec 20 07:59:01 2007 us=625751 occ = ENABLED
Thu Dec 20 07:59:01 2007 us=625812 rcvbuf = 65536
Thu Dec 20 07:59:01 2007 us=625873 sndbuf = 65536
Thu Dec 20 07:59:01 2007 us=625934 socks_proxy_server = '[UNDEF]'
Thu Dec 20 07:59:01 2007 us=625996 socks_proxy_port = 0
Thu Dec 20 07:59:01 2007 us=626056 socks_proxy_retry = DISABLED
Thu Dec 20 07:59:01 2007 us=626116 fast_io = DISABLED
Thu Dec 20 07:59:01 2007 us=626226 comp_lzo = ENABLED
Thu Dec 20 07:59:01 2007 us=626294 comp_lzo_adaptive = ENABLED
Thu Dec 20 07:59:01 2007 us=626356 route_script = '[UNDEF]'
Thu Dec 20 07:59:01 2007 us=626416 route_default_gateway = '[UNDEF]'
Thu Dec 20 07:59:01 2007 us=626476 route_noexec = DISABLED
Thu Dec 20 07:59:01 2007 us=626536 route_delay = 0
Thu Dec 20 07:59:01 2007 us=626596 route_delay_window = 30
Thu Dec 20 07:59:01 2007 us=626656 route_delay_defined = DISABLED
Thu Dec 20 07:59:01 2007 us=626721 route 192.168.100.0/255.255.255.0/nil/nil
Thu Dec 20 07:59:01 2007 us=626783 management_addr = '[UNDEF]'
Thu Dec 20 07:59:01 2007 us=626845 management_port = 0
Thu Dec 20 07:59:01 2007 us=626904 management_user_pass = '[UNDEF]'
Thu Dec 20 07:59:01 2007 us=626967 management_log_history_cache = 250
Thu Dec 20 07:59:01 2007 us=627028 management_echo_buffer_size = 100
Thu Dec 20 07:59:01 2007 us=627089 management_query_passwords = DISABLED
Thu Dec 20 07:59:01 2007 us=627150 management_hold = DISABLED
Thu Dec 20 07:59:01 2007 us=627226 shared_secret_file = '[UNDEF]'
Thu Dec 20 07:59:01 2007 us=627287 key_direction = 1
Thu Dec 20 07:59:01 2007 us=627348 ciphername_defined = ENABLED
Thu Dec 20 07:59:01 2007 us=627409 ciphername = 'BF-CBC'
Thu Dec 20 07:59:01 2007 us=627469 authname_defined = ENABLED
Thu Dec 20 07:59:01 2007 us=627580 authname = 'SHA1'
Thu Dec 20 07:59:01 2007 us=627649 keysize = 0
Thu Dec 20 07:59:01 2007 us=627710 engine = DISABLED
Thu Dec 20 07:59:01 2007 us=627769 replay = ENABLED
Thu Dec 20 07:59:01 2007 us=627830 mute_replay_warnings = DISABLED
Thu Dec 20 07:59:01 2007 us=627890 replay_window = 64
Thu Dec 20 07:59:01 2007 us=627950 replay_time = 15
Thu Dec 20 07:59:01 2007 us=628011 packet_id_file = '[UNDEF]'
Thu Dec 20 07:59:01 2007 us=628071 use_iv = ENABLED
Thu Dec 20 07:59:01 2007 us=628132 test_crypto = DISABLED
Thu Dec 20 07:59:01 2007 us=628209 tls_server = ENABLED
Thu Dec 20 07:59:01 2007 us=628271 tls_client = DISABLED
Thu Dec 20 07:59:01 2007 us=628333 key_method = 2
Thu Dec 20 07:59:01 2007 us=628394 ca_file = 'keys/ca.crt'
Thu Dec 20 07:59:01 2007 us=628456 dh_file = 'keys/dh1024.pem'
Thu Dec 20 07:59:01 2007 us=628517 cert_file = 'keys/server.crt'
Thu Dec 20 07:59:01 2007 us=628578 priv_key_file = 'keys/server.key'
Thu Dec 20 07:59:01 2007 us=628640 pkcs12_file = '[UNDEF]'
Thu Dec 20 07:59:01 2007 us=628700 cipher_list = '[UNDEF]'
Thu Dec 20 07:59:01 2007 us=628761 tls_verify = '[UNDEF]'
Thu Dec 20 07:59:01 2007 us=628822 tls_remote = '[UNDEF]'
Thu Dec 20 07:59:01 2007 us=628884 crl_file = '[UNDEF]'
Thu Dec 20 07:59:01 2007 us=628945 ns_cert_type = 0
Thu Dec 20 07:59:01 2007 us=629006 tls_timeout = 2
Thu Dec 20 07:59:01 2007 us=629068 renegotiate_bytes = 0
Thu Dec 20 07:59:01 2007 us=629130 renegotiate_packets = 0
Thu Dec 20 07:59:01 2007 us=629206 renegotiate_seconds = 3600
Thu Dec 20 07:59:01 2007 us=629269 handshake_window = 60
Thu Dec 20 07:59:01 2007 us=629331 transition_window = 3600
Thu Dec 20 07:59:01 2007 us=629391 single_session = DISABLED
Thu Dec 20 07:59:01 2007 us=629453 tls_exit = DISABLED
Thu Dec 20 07:59:01 2007 us=629514 tls_auth_file = 'keys/ta.key'
Thu Dec 20 07:59:01 2007 us=629594 server_network = 192.168.100.0
Thu Dec 20 07:59:01 2007 us=629666 server_netmask = 255.255.255.0
Thu Dec 20 07:59:01 2007 us=629796 server_bridge_ip = 0.0.0.0
Thu Dec 20 07:59:01 2007 us=629876 server_bridge_netmask = 0.0.0.0
Thu Dec 20 07:59:01 2007 us=629947 server_bridge_pool_start = 0.0.0.0
Thu Dec 20 07:59:01 2007 us=630019 server_bridge_pool_end = 0.0.0.0
Thu Dec 20 07:59:01 2007 us=630083 push_list = 'redirect-gateway def1,route 192.168.100.1'
Thu Dec 20 07:59:01 2007 us=630144 ifconfig_pool_defined = ENABLED
Thu Dec 20 07:59:01 2007 us=630233 ifconfig_pool_start = 192.168.100.4
Thu Dec 20 07:59:01 2007 us=630306 ifconfig_pool_end = 192.168.100.251
Thu Dec 20 07:59:01 2007 us=630376 ifconfig_pool_netmask = 0.0.0.0
Thu Dec 20 07:59:01 2007 us=630439 ifconfig_pool_persist_filename = 'ipp.txt'
Thu Dec 20 07:59:01 2007 us=630502 ifconfig_pool_persist_refresh_freq = 600
Thu Dec 20 07:59:01 2007 us=630564 ifconfig_pool_linear = DISABLED
Thu Dec 20 07:59:01 2007 us=630625 n_bcast_buf = 256
Thu Dec 20 07:59:01 2007 us=630685 tcp_queue_limit = 64
Thu Dec 20 07:59:01 2007 us=630747 real_hash_size = 256
Thu Dec 20 07:59:01 2007 us=630807 virtual_hash_size = 256
Thu Dec 20 07:59:01 2007 us=630868 client_connect_script = '[UNDEF]'
Thu Dec 20 07:59:01 2007 us=630929 learn_address_script = '[UNDEF]'
Thu Dec 20 07:59:01 2007 us=630990 client_disconnect_script = '[UNDEF]'
Thu Dec 20 07:59:01 2007 us=631051 client_config_dir = '[UNDEF]'
Thu Dec 20 07:59:01 2007 us=631112 ccd_exclusive = DISABLED
Thu Dec 20 07:59:01 2007 us=631185 tmp_dir = '[UNDEF]'
Thu Dec 20 07:59:01 2007 us=631248 push_ifconfig_defined = DISABLED
Thu Dec 20 07:59:01 2007 us=631318 push_ifconfig_local = 0.0.0.0
Thu Dec 20 07:59:01 2007 us=631387 push_ifconfig_remote_netmask = 0.0.0.0
Thu Dec 20 07:59:01 2007 us=631449 enable_c2c = DISABLED
Thu Dec 20 07:59:01 2007 us=631508 duplicate_cn = ENABLED
Thu Dec 20 07:59:01 2007 us=631569 cf_max = 0
Thu Dec 20 07:59:01 2007 us=631628 cf_per = 0
Thu Dec 20 07:59:01 2007 us=631689 max_clients = 1024
Thu Dec 20 07:59:01 2007 us=631750 max_routes_per_client = 256
Thu Dec 20 07:59:01 2007 us=631858 client_cert_not_required = DISABLED
Thu Dec 20 07:59:01 2007 us=631925 username_as_common_name = DISABLED
Thu Dec 20 07:59:01 2007 us=631986 auth_user_pass_verify_script = '[UNDEF]'
Thu Dec 20 07:59:01 2007 us=632048 auth_user_pass_verify_script_via_file = DISABLED
Thu Dec 20 07:59:01 2007 us=632110 client = DISABLED
Thu Dec 20 07:59:01 2007 us=632183 pull = DISABLED
Thu Dec 20 07:59:01 2007 us=632247 auth_user_pass_file = '[UNDEF]'
Thu Dec 20 07:59:01 2007 us=632314 OpenVPN 2.0.6 i386-portbld-freebsd6.2 [SSL] [LZO] built on Oct 15 2006
Thu Dec 20 07:59:01 2007 us=632618 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Thu Dec 20 07:59:01 2007 us=632700 WARNING: --ping should normally be used with --ping-restart or --ping-exit
Thu Dec 20 07:59:01 2007 us=632754 WARNING: you are using user/group/chroot without persist-key/persist-tun -- this may cause restarts to fail
Thu Dec 20 07:59:01 2007 us=632807 WARNING: --ifconfig-pool-persist will not work with --duplicate-cn
Thu Dec 20 07:59:01 2007 us=632858 WARNING: --keepalive option is missing from server config
Thu Dec 20 07:59:01 2007 us=682193 Diffie-Hellman initialized with 1024 bit key
Thu Dec 20 07:59:01 2007 us=698533 Control Channel Authentication: using 'keys/ta.key' as a OpenVPN static key file
Thu Dec 20 07:59:01 2007 us=698745 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Dec 20 07:59:01 2007 us=698844 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Dec 20 07:59:01 2007 us=698937 TLS-Auth MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
Thu Dec 20 07:59:01 2007 us=699549 gw 192.168.1.1
Thu Dec 20 07:59:01 2007 us=700008 TUN/TAP device /dev/tun0 opened
Thu Dec 20 07:59:01 2007 us=700181 /sbin/ifconfig tun0 192.168.100.1 192.168.100.2 mtu 1500 netmask 255.255.255.255 up
Thu Dec 20 07:59:01 2007 us=720889 ./server.up tun0 1500 1542 192.168.100.1 192.168.100.2 init
Thu Dec 20 07:59:01 2007 us=742528 /sbin/route add -net 192.168.100.0 192.168.100.2 255.255.255.0
add net 192.168.100.0: gateway 192.168.100.2
Thu Dec 20 07:59:01 2007 us=759919 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Dec 20 07:59:01 2007 us=763642 GID set to wheel
Thu Dec 20 07:59:01 2007 us=763810 UID set to root
Thu Dec 20 07:59:01 2007 us=763942 Socket Buffers: R=[42080->65536] S=[9216->65536]
Thu Dec 20 07:59:01 2007 us=764033 UDPv4 link local (bound): [undef]:1194
Thu Dec 20 07:59:01 2007 us=764098 UDPv4 link remote: [undef]
Thu Dec 20 07:59:01 2007 us=764210 MULTI: multi_init called, r=256 v=256
Thu Dec 20 07:59:01 2007 us=764382 IFCONFIG POOL: base=192.168.100.4 size=62
Thu Dec 20 07:59:01 2007 us=764487 IFCONFIG POOL LIST
Thu Dec 20 07:59:01 2007 us=764683 Initialization Sequence Completed


And this gets added to it when I stop openvpn:
Code:

Thu Dec 20 07:59:36 2007 us=859158 event_wait : Interrupted system call (code=4)
Thu Dec 20 07:59:36 2007 us=860092 TCP/UDP: Closing socket
Thu Dec 20 07:59:36 2007 us=860316 /sbin/route delete -net 192.168.100.0 192.168.100.2 255.255.255.0
delete net 192.168.100.0: gateway 192.168.100.2
Thu Dec 20 07:59:36 2007 us=880020 Closing TUN/TAP interface
Thu Dec 20 07:59:36 2007 us=880585 SIGINT[hard,] received, process exiting



Look at the output of ifconfig to see whether there are extra interfaces:
Code:
 ifconfig

Code:
 tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:192.168.100.1 P-t-P:192.168.100.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

This is what you should see on the server (the number in tun0 could be different).
Notice the IP address: 192.168.100.1
The 192.168.100.2 address is of no use to you; it is just the other end of the point-to-point link OpenVPN creates.

On the client you will see almost the same,
for example 192.168.100.6 as IP (the first client always gets this one).

Now we can ping to see if transmission is possible:
From the client:
Code:
 ping 192.168.100.1

From the server:
Code:
 ping 192.168.100.6

Both should give you a reply. (If not, be sure your firewalls do not block ICMP echo requests)

Reply == You did it:D


Note that on Debian, OpenVPN is started automatically at boot. So if you can no longer get online when the OpenVPN server is not reachable, first stop the service:
Code:
/etc/init.d/openvpn stop
At this point you still can't reach the internet through your VPN. The next step shows how to do that.



Troubleshooting the OpenVPN tunnel

If you want more detailed information about your tunnel, raise the verb value in the config file (for example from "verb 3" to "verb 5").


Configure NAT on the OpenVPN server

The router's LAN is 192.168.33.0/24 (the router itself is 192.168.33.1), while the OpenVPN client is 192.168.100.6. Responses to the client's packets would never reach the OpenVPN server (192.168.33.3), because 192.168.100.6 cannot be routed in the local network (the network the OpenVPN server is on). This means you need NAT on the OpenVPN server.
Every packet coming from 192.168.100.6 will then look as if it comes from the OpenVPN server (192.168.33.3). When the response arrives at the OpenVPN server, NAT rewrites the destination IP address and port number back and sends the packet on to the OpenVPN client through the tunnel.

Because the router does NAT as well, this seems confusing. But in the end it is very logical. I also wondered whether my OpenVPN traffic itself would be NATed. It is not, because the rules only NAT traffic coming from 192.168.100.6 (the VPN subnet); the encrypted OpenVPN packets have the server's own address as source and never match.


Setting up NAT in this case is very easy. Load the IPFilter kernel module:
Code:
kldload ipl


Put these NAT rules into /etc/ipnat.rules
Code:
# TCP/UDP from the VPN subnet: rewrite the source to re0's address (0/32) and a port from 30001-40000
map re0 192.168.100.0/24 -> 0/32 portmap tcp/udp 30001:40000
# everything else from the VPN subnet (ICMP, ...): rewrite the source address only
map re0 192.168.100.0/24 -> 0/32

re0 is the interface through which the packets leave towards the internal network (192.168.1.0/24) or the internet.
Correct the range (192.168.100.0/24) if you used a different VPN subnet.
NOTE: I only used one physical NIC for this. OpenVPN creates its own virtual device, tun0. As long as the NAT rules are correct this shouldn't give you any problem.
NOTE: packets destined for 192.168.100.1 (the server end of the tunnel) are not NATed, because they are delivered locally and never leave through re0.
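To make the translation concrete, here is an added example (my code, not code from the original post) that models the two ipnat rules above as a small stateful source-NAT table in Python. It uses the post's addresses (VPN subnet 192.168.100.0/24, server 192.168.33.3 on re0, portmap range 30001:40000); the internet host 198.51.100.10 and the client's public address 203.0.113.7 are constructed for the demo. It shows a client packet getting the server's address and a port from the range, the reply being mapped back, and the two cases the notes above mention: packets for 192.168.100.1 are never translated, and the OpenVPN UDP/1194 traffic itself is left alone because it does not originate in the VPN subnet.

```python
"""Model of the two ipnat 'map' rules on the OpenVPN server.

Added example, not code from the original post: a toy stateful source-NAT
table that does what /etc/ipnat.rules does. Packets leaving re0 from
192.168.100.0/24 get the interface address ('0/32'), TCP/UDP source ports
are rewritten into the portmap range 30001:40000, and replies for those
ports are mapped back to the VPN client. Packets that do not leave via re0
(anything for the tunnel subnet, e.g. 192.168.100.1) and packets not from
the VPN subnet (the OpenVPN UDP/1194 traffic itself) pass untouched.
Addresses are the post's; 198.51.100.10 and 203.0.113.7 are constructed.
"""
from ipaddress import ip_address, ip_network

VPN_NET = ip_network("192.168.100.0/24")   # 'server 192.168.100.0 255.255.255.0'
RE0_IP = ip_address("192.168.33.3")        # what '0/32' resolves to on re0
PORTMAP = range(30001, 40001)              # 'portmap tcp/udp 30001:40000'


class IpnatTable:
    """Source NAT keyed on the 5-tuple, like ipnat's session table."""

    def __init__(self):
        self._ports = iter(PORTMAP)
        self._out = {}   # (proto, src, sport, dst, dport) -> mapped source port
        self._in = {}    # (proto, mapped port, remote, rport) -> (src, sport)

    def egress(self, pkt):
        """Apply the 'map re0 ...' rules to a packet about to leave via re0."""
        pkt = dict(pkt)
        if ip_address(pkt["src"]) not in VPN_NET or ip_address(pkt["dst"]) in VPN_NET:
            return pkt  # not from the VPN, or stays inside the tunnel: no rule matches
        key = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if pkt["proto"] in ("tcp", "udp"):
            # first rule: rewrite the address and take a port from the portmap range
            if key not in self._out:
                port = next(self._ports, None)
                if port is None:
                    raise RuntimeError("portmap range 30001:40000 exhausted")
                self._out[key] = port
                self._in[(pkt["proto"], port, pkt["dst"], pkt["dport"])] = (pkt["src"], pkt["sport"])
            pkt["sport"] = self._out[key]
        else:
            # second rule: address only (an ICMP echo to the internet, for instance)
            self._in[(pkt["proto"], None, pkt["dst"], None)] = (pkt["src"], None)
        pkt["src"] = str(RE0_IP)
        return pkt

    def ingress(self, pkt):
        """Undo the mapping for a reply that arrives on re0 addressed to the server."""
        pkt = dict(pkt)
        if ip_address(pkt["dst"]) != RE0_IP:
            return pkt
        orig = self._in.get((pkt["proto"], pkt["dport"], pkt["src"], pkt["sport"]))
        if orig is None:
            return pkt  # no session: the packet really is for the server itself (e.g. UDP/1194)
        pkt["dst"], pkt["dport"] = orig
        return pkt


def demo():
    """One DNS lookup from the VPN client: outbound rewrite, then the reply mapped back."""
    nat = IpnatTable()
    out = nat.egress({"proto": "udp", "src": "192.168.100.6", "sport": 40123,
                      "dst": "198.51.100.10", "dport": 53})
    back = nat.ingress({"proto": "udp", "src": "198.51.100.10", "sport": 53,
                        "dst": "192.168.33.3", "dport": out["sport"]})
    return out, back


if __name__ == "__main__":
    for step in demo():
        print(step)
```

Run it directly to see one DNS lookup leave as 192.168.33.3:30001 and the answer come back to 192.168.100.6:40123. The table raises once the 10000-port range is used up, which is the limit to keep in mind if many clients share one portmap range.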

Now start ipnat and load the rules:
Code:
/etc/rc.d/ipnat start
ipnat -f /etc/ipnat.rules   # loads the rules directly, so you do not have to wait for the rc.conf entries below


The last thing is allowing packets to be forwarded by the host:
Code:
sysctl net.inet.ip.forwarding=1


! Important: you need the following in the OpenVPN server config:
Code:
push "redirect-gateway def1"


Now try to ping an internet host from the client, Google for example.


You can troubleshoot with tcpdump:
Code:
tcpdump -tt -i re0

(you can do this on all hosts and interfaces, physical and virtual, re0 and tun0 in this example, to understand how the traffic flows)
or
Code:
ipnat -l

to look at the active ipnat mappings and the NAT rules.


Now let's automate it:
Add the following to /etc/rc.conf
Code:
gateway_enable="YES"

firewall_enable="YES"
firewall_type="open"

ipnat_enable="YES" # Set to YES to enable ipnat functionality
ipnat_program="/sbin/ipnat" # where the ipnat program lives
ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnat


