(Tutorials) tunnel vision

November 18, 2010

Two ways of tunneling described: openvpn and ssh

Tunneling is handy and fun. Here I’ll describe two ways of tunneling something.
The first uses openvpn, which is very handy if you use a laptop to access services from different places (internet connections), like when you are a so called “road warrior”.
The second “tunnel” is a little ssh trick to access an internal server without having to configure a modem and/or a firewall.

Tunnel 1: use openvpn to use your laptop everywhere

In this example I’ll create a Virtual Private Network (VPN) using openvpn (http://openvpn.net/).
You need an openvpn server which is my colo-server at my provider and an openvpn client which is my laptop.
The server runs ubuntu server 10.04 and the client ubuntu desktop 10.04.
The idea is to create a point to point connection with private IP’s on both sides.
First the server install and config:
I used pretty much the install from: https://help.ubuntu.com/12.04/serverguide/openvpn.html so I won’t
repeat those steps here.

This is my /etc/openvpn/server.conf:

dev tun0

# Certs and stuff
dh dh1024.pem
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret

proto udp

# Detection of lost links and keeping NATted connections alive.
keepalive 10 60

verb 3
# The subnet to use for dynamically assigned clients.
# The server will automatically take for itself.
# I do not use this but the server needs an IP-address.
max-clients 10
port 1194
ifconfig-pool-persist ipp.txt

push "dhcp-option DNS"
# /etc/openvpn/clients has the config for the clients where i.e. you can add
# routes for using the VPN.
client-config-dir clients
# allow the private net to access the VPN
# in my setup the laptop has and creates a Point to point connection with a virtual

tls-auth ta.key 0 # This file is secret; the client uses the same key with direction 1
status openvpn-status.log
log openvpn.log

You should now be able to start the openvpn daemon (/etc/init.d/openvpn start). One caveat: dh1024.pem is what the Ubuntu guide generated at the time; a 1024-bit DH group is no longer considered adequate, so generate a 2048-bit (or larger) group and point the dh line at that file instead.

For my laptop I created the file /etc/openvpn/clients/laptop on the server with:

# laptop
# colo net
push "route"

The first line creates the virtual private tunnel between (laptop) and (server).
BTW: you do not see the IP-address on the server side.
The route is pushed over the VPN. The rest of my traffic on the client does not use the VPN.

Now it’s time to copy the four certificates (see above url) to the client and fill in the proper fields in your Network Manager on your client.
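As an added example (not from the original post), here is the client side written as a plain OpenVPN config file instead of Network Manager fields: a small shell function writes it and a second function checks the two settings that must agree with the server config above (the tls-auth direction and the server-certificate check). The server name colo.example.org, the file names laptop.crt/laptop.key and the output path are assumptions; remote-cert-tls assumes the server certificate was made with easy-rsa's build-key-server, as the Ubuntu guide does (older setups used ns-cert-type server instead).

```shell
#!/bin/sh
# Added example, not part of the original post. Writes the laptop's OpenVPN
# client config matching the server.conf above and checks the security-
# relevant lines. Host name, file names and paths are assumptions.

# $1 = server host name or IP (assumption: colo.example.org),
# $2 = output file. ca.crt, laptop.crt, laptop.key and ta.key (the four files
# copied from the server) are assumed to sit next to the config file.
write_client_conf() {
    cat > "$2" <<EOF
client
dev tun
proto udp
remote $1 1194
nobind
persist-key
persist-tun

ca ca.crt
cert laptop.crt
key laptop.key

# Must be the *other* direction of the server's "tls-auth ta.key 0".
tls-auth ta.key 1

# Refuse to talk to a peer whose certificate is not a server certificate
# (easy-rsa's build-key-server sets that), so a stolen client cert cannot be
# used to impersonate the server against this laptop.
remote-cert-tls server

verb 3
EOF
}

# Sanity check on a client config: returns 1 if the tls-auth direction is not 1
# or remote-cert-tls server is missing, 0 when both are present.
check_client_conf() {
    grep -qxE 'tls-auth +ta\.key +1' "$1" || return 1
    grep -qxE 'remote-cert-tls +server' "$1" || return 1
    return 0
}

# Usage: sh client-conf.sh colo.example.org /etc/openvpn/laptop.conf
if [ "$#" -eq 2 ]; then
    write_client_conf "$1" "$2" && check_client_conf "$2" && echo "wrote $2"
fi
```

Start it with `openvpn --config /etc/openvpn/laptop.conf` (or drop it in /etc/openvpn and let the init script pick it up); if the tls-auth direction is wrong the handshake fails silently on the server side, which is exactly what the check above catches before you go hunting in openvpn.log.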

You should now be able to start the openvpn client, and the client’s ifconfig should show:

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:  P-t-P:  Mask:

This all is pretty well documented. The hard part was getting it working with my iptables firewall.
I use shorewall and I wanted my vpn-traffic to be NATted (of course, it’s private space…) by my
external interface (eth0).
To do this I created /etc/shorewall/masq with:


Define your vpn zone in /etc/shorewall/zones:

vpn	ipv4

Define your tun0 interface in /etc/shorewall/interfaces:

vpn     tun0

Define extra policies /etc/shorewall/policy

# allow traffic from vpn -> net (VERY important!!)
vpn		net		ACCEPT
# allow connections from vpn to fw and back
vpn		$FW		ACCEPT
$FW		vpn		ACCEPT

Open the tunnel for my gateway in /etc/shorewall/tunnels (note that the ZONE column of this file is the zone of the remote end of the tunnel; with net there instead of vpn the explicit port 1194 rules below would not be needed):

openvpn        vpn

Finally create rules for udp and tcp for port 1194 (openvpn) coming from the net (the server above speaks only proto udp, so the tcp rule can be left out to keep the exposed surface as small as possible):

ACCEPT         net                         $FW         tcp         1194
ACCEPT         net                         $FW         udp         1194

The generated iptables rules for NATting should look like:

# iptables -L -n -t nat
target     prot opt source               destination         
eth0_masq  all  --    
Chain eth0_masq (1 references)
target     prot opt source               destination         
SNAT       all  --           to: 

So you should now have a working openvpn setup!
Whichever connection my client is on (any wifi or other internet connection), for traffic to (see the “push route” earlier) my source IP-address will always be This for example can be very handy to access your IMAP daemon with an IMAP client like Thunderbird. Also, if you run a mailserver you can relay mail for for sending mail. You can push more routes or even route all your traffic over the VPN (using the option push "redirect-gateway def1 bypass-dhcp"); if you do that, the masq entry above has to cover the whole VPN subnet and the pushed DNS server must be reachable through the tunnel, otherwise DNS lookups still leave over the local network. So many more scenarios are possible, because you always, at any location, have a fixed IP-address over a private and secure connection; that’s the whole idea and fun of it!

Tunnel 2: use ssh to access your internal network without opening port 22 on your modem and/or firewall

Suppose you have an internal (linux) client. You can open an ssh connection to an external
server as follows:
internal~$ ssh -R8822:localhost:22 user@external
(Tip: run this command in a screen session so you can detach and logout, keeping the command running. Add -N if you only want the forward and no remote shell, and -o ServerAliveInterval=30 so a dead connection is noticed and ssh exits instead of hanging around.)

You can now use this connection to connect from the external server to your internal client. Because the existing, outbound connection is reused, you do not need to open your modem (or any other device and/or firewall which controls your incoming data) for port 22 (ssh). Note that sshd on the external server binds the forwarded port 8822 on its loopback address only (unless GatewayPorts is enabled there), so only users with a shell on the external server can reach it; those users can now reach your internal sshd, so use key authentication on the internal client and only do this on an external server you trust.
So at the external host you do:
external~$ ssh -p 8822 localhost
internal~$ Voila! 🙂
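As an added example (not from the original post), the same reverse tunnel wrapped in a small shell script that restarts ssh whenever the connection drops, plus a check you can run on the external host to confirm that the forwarded port is bound to loopback only and not reachable from the internet. user@external and port 8822 are taken from the post; the use of ss -ltn, the ServerAlive values and the 10-second retry delay are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: keep the Tunnel 2 reverse
# forward alive and verify on the external host that port 8822 is only
# reachable locally. user@external and 8822 follow the post; the rest is assumed.

EXTERNAL="user@external"
REMOTE_PORT=8822

# Loop that re-establishes the forward whenever ssh exits.
# -N: no remote shell, only the forward.
# ExitOnForwardFailure: if 8822 is already taken on the external host, ssh
#   exits instead of staying up without the forward, so the loop retries.
# ServerAlive*: notice a dead connection within ~90 s instead of hanging.
# Binding to 127.0.0.1 explicitly states the intent: only users on the
#   external host can reach it (sshd's GatewayPorts defaults to "no" anyway).
run_tunnel() {
    while :; do
        ssh -N -o ExitOnForwardFailure=yes \
            -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
            -R "127.0.0.1:$REMOTE_PORT:localhost:22" "$EXTERNAL"
        sleep 10
    done
}

# Reads "ss -ltn" output on stdin and prints every local address that
# listens on the given port (one per line).
listener_addr() {
    awk -v port="$1" '$1 == "LISTEN" {
        n = split($4, a, ":")          # the port is the part after the last ":"
        if (a[n] == port) print $4
    }'
}

# Exit status: 0 = listening on loopback only, 1 = at least one listener on a
# non-loopback address (exposed to the network), 2 = nothing listens on that port.
# Usage on the external host:  ss -ltn | forward_is_loopback_only 8822
forward_is_loopback_only() {
    addrs=$(listener_addr "$1")
    [ -n "$addrs" ] || return 2
    if printf '%s\n' "$addrs" | grep -qvE '^(127\.0\.0\.1|\[::1\]):'; then
        return 1
    fi
    return 0
}

# "sh tunnel.sh run" starts the keep-alive loop (inside screen, as in the tip).
if [ "${1:-}" = "run" ]; then
    run_tunnel
fi
```

If the check ever reports status 1, look for a GatewayPorts setting in sshd_config on the external server or a stray bind address in your own -R option: an exposed 8822 turns the trick into an internet-facing door to your internal sshd.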
