Tags: openvpn

Today I spent a large part of the day configuring a VPN to access our servers. Instead of leaving port 22 wide open, I prefer to use a VPN to reach the internal network and do ordinary administration tasks. This way I'll also be able to use graphical tools that I don't feel comfortable using over the internet.

The OpenVPN howto (http://openvpn.net/howto.html) already has all the details I needed. The only complication was that the server's public IP is part of the restricted subnet I wanted to access. Moreover, since I wanted a private subnet for my VPN, I also configured NAT between the VPN network and my LAN.

This is my server conf file:

port 1194
local xxx.xxx.xxx.xxx
dev tun
tls-server
server 192.168.100.0 255.255.255.0

dh keys/dh1024.pem
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
#duplicate-cn

mtu-test
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450

keepalive 10 120

#route to be established on the server
#openvpn keeps a single route-up command: a second route-up line overrides
#the first, so the flush and the MASQUERADE rule must go in one command.
#Note that "iptables -F" wipes every filter rule on the host, not only the vpn ones.
#(OpenVPN 2.1 and later also need "script-security 2" and run the command
#without a shell, so there the chain below belongs in a script file.)
route-up "iptables -F; iptables -t nat -F; iptables -t mangle -F; iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o eth0 -j MASQUERADE"
down "iptables -F; iptables -t nat -F; iptables -t mangle -F"

#route to push to clients
#we cannot push directly this route as the vpn server is on the same subnet.
#push "route xxx.xxx.xxx.0 255.255.255.0"
push "dhcp-option DOMAIN localnet.xen"
push "dhcp-option DNS xxx.xxx.xxx.1"

comp-lzo

persist-tun
persist-key

And this is the client side:

port 1194
dev tun
remote xxx.xxx.xxx.xxx

tls-client
ca keys/ca.crt
cert keys/client.crt
key keys/client.key

mtu-test
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450

pull
comp-lzo
verb 4

up ./up.sh
down ./down.sh

persist-tun
persist-key

The up and down scripts set up the routes to the LAN I want to access. This is up.sh:

#!/bin/sh
set -x

#openvpn calls the up script as:
#  ./up.sh tun_dev tun_mtu link_mtu local_ip remote_ip [init|restart]
#e.g. ./up.sh tun0 1500 1574 192.168.100.6 192.168.100.5 init
#so $5 is the server side of the tunnel, which is the gateway for the lan.

#the vpn server's public ip is inside the lan subnet below, so pin it to the
#physical interface first; otherwise the tunnel's own packets would be
#routed into the tunnel once the subnet route is in place.
route add -host vpn-server-ip eth1
route add -net xxx.xxx.xxx.0 netmask 255.255.255.240 gw "$5"
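The host-route trap above is easy to get wrong by hand, so here is an added helper (my own example, not code from this post) that plans the client's routes from the same inputs OpenVPN hands to an up script: it checks that the VPN subnet does not overlap the LAN, and only adds the host route for the server when its address really lies inside the subnet being routed. All addresses in it are constructed placeholders (RFC 5737 documentation space), and `phys_gateway` is an assumed extra parameter for the case where the server is not on-link.

```python
"""Plan the client-side routes for the OpenVPN setup described in this post.

The trap: the VPN server's public address sits inside the LAN subnet that
the client routes through the tunnel. Installing the subnet route without a
more specific host route for the server via the physical interface sends the
tunnel's own UDP packets into the tunnel, and the link dies.
"""
import ipaddress


def plan_routes(lan_cidr, server_ip, vpn_gateway, vpn_cidr, phys_dev, phys_gateway=None):
    """Return the ordered 'ip route' commands an up script should run.

    lan_cidr      LAN reachable through the tunnel, e.g. "203.0.113.0/28"
    server_ip     public address of the VPN server (OpenVPN exports it to
                  up scripts in the environment as trusted_ip)
    vpn_gateway   server side of the tunnel ($5 in the up script above)
    vpn_cidr      subnet handed to 'server' in the server config
    phys_dev      physical interface the tunnel's UDP traffic leaves on
    phys_gateway  next hop on phys_dev if the server is not on-link (assumed)
    """
    lan = ipaddress.ip_network(lan_cidr, strict=True)
    vpn = ipaddress.ip_network(vpn_cidr, strict=True)
    server = ipaddress.ip_address(server_ip)
    gw = ipaddress.ip_address(vpn_gateway)
    if lan.overlaps(vpn):
        raise ValueError(f"VPN subnet {vpn} overlaps LAN {lan}; choose another 'server' subnet")
    if gw not in vpn:
        raise ValueError(f"tunnel gateway {gw} is not inside VPN subnet {vpn}")

    cmds = []
    if server in lan:
        # Host route first, so the tunnel endpoint keeps its physical path
        # before the broader subnet route can swallow it.
        via = f" via {phys_gateway}" if phys_gateway else ""
        cmds.append(f"ip route add {server}/32{via} dev {phys_dev}")
    cmds.append(f"ip route add {lan} via {gw}")
    return cmds


if __name__ == "__main__":
    # Constructed example: a /28 LAN (the 255.255.255.240 mask from up.sh)
    # that contains the VPN server's own public address.
    for cmd in plan_routes("203.0.113.0/28", "203.0.113.5",
                           "192.168.100.5", "192.168.100.0/24", "eth1"):
        print(cmd)
```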

I like openvpn… :)