Two ways of tunneling described: openvpn and ssh
Tunneling is handy and fun. Here I’ll describe two ways of tunneling something…
One with openvpn which is very handy if you use a laptop to access services from diferent places (internet connections) like your are a so called “road warrior”.
The second “tunnel” is a little ssh trick to access an internal server without having to configure a modem and/or a firewall.
Tunnel 1: use openvpn to use your laptop everywhere
In this example I’ll create a Virtual Private Network (VPN) using openvn (http://openvpn.net/).
You need an openvpn server which is my colo-server at my provider and an openvpn client which is my laptop.
The server runs ubuntu server 10.04 and the client ubuntu desktop 10.04.
The idea is to create a point to point connection with private IP’s on both sides.
First the server install and config:
I used pretty much the install from: https://help.ubuntu.com/12.04/serverguide/openvpn.html so I won’t
repeat those steps here.
This is my /etc/openvpn/server.conf:
dev tun0 tls-server # Certs and stuff dh dh1024.pem ca ca.crt cert server.crt key server.key # This file should be kept secret comp-lzo daemon proto udp # Detection of lost links and keeping NATted connections alive. persist-tun persist-key keepalive 10 60 verb 3 # The subnet to use for dynamically assigned clients. # The server will automatically take 10.1.0.1 for itself. # I do not use this but the server needs an IP-address. server 10.1.0.0 255.255.255.0 max-clients 10 port 1194 proto udp ifconfig-pool-persist ipp.txt push "dhcp-option DNS 188.8.131.52" # /etc/openvpn/clients has the config for the clients where i.e. you can add # routes for using the VPN. client-config-dir clients # allow the private net 10.1.2.0/24 to access the VPN # in my setup the laptop has 10.1.2.3 and creates a Point to point connection with a virtual 10.1.2.4. route 10.1.2.0 255.255.255.0 tls-auth ta.key 0 # This file is secret status openvpn-status.log log openvpn.log
You should now be able to start the openvpn daemon (/etc/init.d/openvpn start).
For my laptop I created the file /etc/openvpn/clients/laptop on the server with:
# laptop ifconfig-push 10.1.2.3 10.1.2.4 # colo net push "route 184.108.40.206 255.255.255.224"
The first line creates the virtual private tunnel between 10.1.2.3 (laptop) and 10.1.2.4 (server).
BTW: you do not see the IP-address 10.1.2.4 on the server side.
The route 220.127.116.11/27 is pushed over the VPN. The rest of my traffic on the client does not use the VPN.
Now it’s time to copy the four certificates (see above url) to the client and fill in the proper fields in your Network Manager on your client.
You should now be able to start the openvpn client and the clients ipconfig should have:
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 inet addr:10.1.2.3 P-t-P:10.1.2.4 Mask:255.255.255.255 UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1 .... ....
This all is pretty well documented. The hard part was getting it working with my iptables firewall.
I use shorewall and I wanted my vpn-traffic to be NATted (of course, it’s private space…) by my
external interface (eth0).
To do this I created /etc/shorewall/masq with:
eth0 10.1.0.0/23 18.104.22.168
Define your vpn zone in /etc/shorewall/zones:
Define your tun0 interface in /etc/shorewall/interfaces:
Define extra policies /etc/shorewall/policy
# allow traffice from vpn -> net (VERY important!!) vpn net ACCEPT # allow connections from vpn to fw and back vpn $FW ACCEPT $FW vpn ACCEPT
open the tunnel for my gateway in /etc/shorewall/tunnels
openvpn vpn 22.214.171.124
Finally create rules for udp and tcp for port 1194 (openvpn) coming from the net:
ACCEPT net $FW tcp 1194 ACCEPT net $FW udp 1194
the generated iptables for NATting should look like:
# iptables -L -n -t nat Chain POSTROUTING (policy ACCEPT) target prot opt source destination eth0_masq all -- 0.0.0.0/0 0.0.0.0/0 Chain eth0_masq (1 references) target prot opt source destination SNAT all -- 10.1.0.0/23 0.0.0.0/0 to:126.96.36.199
So you should now have a working openvpn setup!
Wherever which connection is made with my client (from any wifi or other internet connection) to 188.8.131.52/27 (see the “push route” earlier) my source IP-address will always be 10.1.2.3. This for example can be very handy to access your IMAP daemon with your IMAP-client like thunderbird. Also, if you run a mailserver you can relay mail for 10.1.2.3 for sending mail. You can push more routes or even route all your traffic over the VPN (using the option
push "redirect-gateway def1 bypass-dhcp"). So, much more scenario’s are possible because you always, at any location, have a fixed IP-address over a private and secure connection, that’s the whole idea and fun of it!
Tunnel 2: use ssh to access your internal network without opening port 22 on your modem and/or firewall
Suppose you have an internal (linux) client. You can open an ssh connection with an external
server a follows:
internal~$ ssh -R8822:localhost:22 user@external
(Tip: run this command in a screen session so you can detach and logout, keeping the command running)
You can now use this connection to connect from the external server to your internal client (becasue the existing connection is used you do not need to open your modem (or any other device and/or firewall which controls your incoming data) for port 22 (ssh).
So at the external host you do:
exrternal~$ ssh -p 8822 localhost
internal~$ Voila! 🙂