(Tutorials) tunnel vision

November 18, 2010

Two ways of tunneling described: openvpn and ssh

Tunneling is handy and fun. Here I’ll describe two ways of tunneling something…
One with openvpn which is very handy if you use a laptop to access services from diferent places (internet connections) like your are a so called “road warrior”.
The second “tunnel” is a little ssh trick to access an internal server without having to configure a modem and/or a firewall.

Tunnel 1: use openvpn to use your laptop everywhere

In this example I’ll create a Virtual Private Network (VPN) using openvn (http://openvpn.net/).
You need an openvpn server which is my colo-server at my provider and an openvpn client which is my laptop.
The server runs ubuntu server 10.04 and the client ubuntu desktop 10.04.
The idea is to create a point to point connection with private IP’s on both sides.
First the server install and config:
I used pretty much the install from: https://help.ubuntu.com/12.04/serverguide/openvpn.html so I won’t
repeat those steps here.

This is my /etc/openvpn/server.conf:

dev tun0
tls-server

# Certs and stuff
dh dh1024.pem
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret

comp-lzo
daemon
proto udp

# Detection of lost links and keeping NATted connections alive.
persist-tun
persist-key
keepalive 10 60

verb 3
# The subnet to use for dynamically assigned clients.
# The server will automatically take 10.1.0.1 for itself.
# I do not use this but the server needs an IP-address.
server 10.1.0.0 255.255.255.0
max-clients 10
port 1194
proto udp
ifconfig-pool-persist ipp.txt

push "dhcp-option DNS 217.149.196.6"
# /etc/openvpn/clients has the config for the clients where i.e. you can add
# routes for using the VPN.
client-config-dir clients
# allow the private net 10.1.2.0/24 to access the VPN
# in my setup the laptop has 10.1.2.3 and creates a Point to point connection with a virtual 10.1.2.4.
route 10.1.2.0 255.255.255.0

tls-auth ta.key 0 # This file is secret
status openvpn-status.log
log openvpn.log

You should now be able to start the openvpn daemon (/etc/init.d/openvpn start).

For my laptop I created the file /etc/openvpn/clients/laptop on the server with:

# laptop
ifconfig-push 10.1.2.3 10.1.2.4
# colo net
push "route 217.149.194.128 255.255.255.224"

The first line creates the virtual private tunnel between 10.1.2.3 (laptop) and 10.1.2.4 (server).
BTW: you do not see the IP-address 10.1.2.4 on the server side.
The route 217.149.194.128/27 is pushed over the VPN. The rest of my traffic on the client does not use the VPN.

Now it’s time to copy the four certificates (see above url) to the client and fill in the proper fields in your Network Manager on your client.

You should now be able to start the openvpn client and the clients ipconfig should have:

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.1.2.3  P-t-P:10.1.2.4  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          ....
          ....

This all is pretty well documented. The hard part was getting it working with my iptables firewall.
I use shorewall and I wanted my vpn-traffic to be NATted (of course, it’s private space…) by my
external interface (eth0).
To do this I created /etc/shorewall/masq with:

eth0 10.1.0.0/23 217.149.194.145

Define your vpn zone in /etc/shorewall/zones:

vpn	ipv4

Define your tun0 interface in /etc/shorewall/interfaces:

vpn     tun0

Define extra policies /etc/shorewall/policy

# allow traffice from vpn -> net (VERY important!!)
vpn		net		ACCEPT
# allow connections from vpn to fw and back
vpn		$FW		ACCEPT
$FW		vpn		ACCEPT

open the tunnel for my gateway in /etc/shorewall/tunnels

openvpn        vpn     217.149.194.129

Finally create rules for udp and tcp for port 1194 (openvpn) coming from the net:

ACCEPT         net                         $FW         tcp         1194
ACCEPT         net                         $FW         udp         1194

the generated iptables for NATting should look like:

# iptables -L -n -t nat
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
eth0_masq  all  --  0.0.0.0/0            0.0.0.0/0  
Chain eth0_masq (1 references)
target     prot opt source               destination         
SNAT       all  --  10.1.0.0/23          0.0.0.0/0           to:217.149.194.145

So you should now have a working openvpn setup!
Wherever which connection is made with my client (from any wifi or other internet connection) to 217.149.194.128/27 (see the “push route” earlier) my source IP-address will always be 10.1.2.3. This for example can be very handy to access your IMAP daemon with your IMAP-client like thunderbird. Also, if you run a mailserver you can relay mail for 10.1.2.3 for sending mail. You can push more routes or even route all your traffic over the VPN (using the option push "redirect-gateway def1 bypass-dhcp"). So, much more scenario’s are possible because you always, at any location, have a fixed IP-address over a private and secure connection, that’s the whole idea and fun of it!

Tunnel 2: use ssh to access your internal network without opening port 22 on your modem and/or firewall

Suppose you have an internal (linux) client. You can open an ssh connection with an external
server a follows:
internal~$ ssh -R8822:localhost:22 user@external
(Tip: run this command in a screen session so you can detach and logout, keeping the command running)

You can now use this connection to connect from the external server to your internal client (becasue the existing connection is used you do not need to open your modem (or any other device and/or firewall which controls your incoming data) for port 22 (ssh).
So at the external host you do:
exrternal~$ ssh -p 8822 localhost
Password:
internal~$ Voila! 🙂

tags:

 
"The early bird still has to eat worms."

Powered by Wordpress. Theme by Shlomi Noach, openark.org
© 1997 - 2024 KwaLinux Trainingen | Algemene voorwaarden | KvK: 10147727 | BTW-id: NL001873211B65 | Disclaimer