I always get into a muddle when I try to set up VPN connections but I'm going to have another go...
What I have is lots of Linux "devices" (typically ARM boxes running Debian) which will be plugged into networks giving them Internet access.
What I want to achieve is to have them auto-connect to a VPN, such that I am able to access all of them, but also that the end user can connect to their own devices but nobody else's. Ideally I'd also like other VPN capable devices, such as Draytek routers, to be able to join in the party.
My starting point - which may well be wrong - is to assume that I want a server running OpenVPN somewhere on t' Internet. (Is that the right place to start?) I find the OpenVPN documentation to be very detailed but hard to narrow it down to any particular usage case unless it's a standard config (eg "road warrior").
What I don't want at my end is to *have* to connect separately to each VPN. Doing so optionally would be good (but would be possible in the same way an extra device could), but it could be I end up with dozens or hundreds of separate segregated VPNs. Furthermore, it's likely that I will want all of the VPNs to have access to certain facilities (eg databases, FTP) on other servers without having to make the other servers join multiple VPNs.
On 2012-06-01 10:09, Mark Rogers wrote:
I always get into a muddle when I try to set up VPN connections but I'm going to have another go...
What I have is lots of Linux "devices" (typically ARM boxes running Debian) which will be plugged into networks giving them Internet access.
What I want to achieve is to have them auto-connect to a VPN, such that I am able to access all of them, but also that the end user can connect to their own devices but nobody else's. Ideally I'd also like other VPN capable devices, such as Draytek routers, to be able to join in the party.
I don't know whether Draytek routers will connect to an OpenVPN server - you may have to be a little more clever to make this work. In the past I have had my openvpn server establish vpns directly out to vpn-capable devices (I would connect to openvpn on a VPS server for "roadwarrior" type remote access, and that server itself would establish IPSec VPN connections to my DSL router at home)
My starting point - which may well be wrong - is to assume that I want a server running OpenVPN somewhere on t' Internet. (Is that the right place to start?) I find the OpenVPN documentation to be very detailed but hard to narrow it down to any particular usage case unless it's a standard config (eg "road warrior").
I do something similar with my various internet-connected devices and connect back to a "hub" OpenVPN server running on a small VPS out there in the interwebs.
This works well for me, I install the relevant key files on each of my devices (linux/windows laptops and desktops, android devices etc) and configure openvpn to start automatically at boot and connect to the server.
What I don't want at my end is to *have* to connect separately to each VPN. Doing so optionally would be good (but would be possible in the same way an extra device could), but it could be I end up with dozens or hundreds of separate segregated VPNs. Furthermore, it's likely that I will want all of the VPNs to have access to certain facilities (eg databases, FTP) on other servers without having to make the other servers join multiple VPNs.
The server config is set to permit connectivity between client machines, and I reserve individual addresses for those devices which I might need to connect to remotely.
Hope this helps,
Jim
========== config file follows =========
# server.conf openvpn configuration file
#
#
# This will become our network interface
dev tap10

# We want to use tcp on port 8200
proto tcp
port 8200

# Bind to eth0
local server.public.fqdn.org.uk

# Set ourselves up as a server
mode server
server 10.10.10.0 255.255.255.0

# here will live our status information
status /tmp/openvpn-server.status

# These are our settings for authentication and connectivity
keepalive 10 30
client-to-client
max-clients 5
log-append /var/log/openvpn/server.local
verb 3
ifconfig-pool-persist server-ipp.txt
client-config-dir /etc/openvpn/server/ccd
client-connect /etc/openvpn/server/client-connect.sh

# Push routes
push "route 192.168.0.0 255.255.255.0"
push "route 192.168.1.0 255.255.255.0"

# here we configure our PKI
tls-auth /etc/openvpn/server/ta.key 0
tls-server
dh /etc/openvpn/server/dh1024.pem
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/public.crt
key /etc/openvpn/server/private.key
comp-lzo

# User and group settings
user openvpn
group openvpn

# Keep alive stuff
persist-key
persist-tun
On 01/06/12 11:11, Jim Rippon wrote:
I don't know whether Draytek routers will connect to an OpenVPN server - you may have to be a little more clever to make this work. In the past I have had my openvpn server establish vpns directly out to vpn-capable devices (I would connect to openvpn on a VPS server for "roadwarrior" type remote access, and that server itself would establish IPSec VPN connections to my DSL router at home)
From your experience (hindsight), I assume OpenVPN remains the best solution (rather than using something IPSec based at the server to do the whole job?)
I do something similar with my various internet-connected devices and connect back to a "hub" OpenVPN server running on a small VPS out there in the interwebs.
That's pretty much the model I'm going for.
This works well for me, I install the relevant key files on each of my devices (linux/windows laptops and desktops, android devices etc) and configure openvpn to start automatically at boot and connect to the server.
How do you manage the key file and configuration creation? (Is it sufficiently small numbers that you just do it manually?) Ie, what steps do you have to go through when you need to add a new device to the system?
The server config is set to permit connectivity between client machines, and I reserve individual addresses for those devices which I might need to connect to remotely.
I'm not sure I quite understand this bit. I need to control access between different client machines - groups of devices from the same end user should talk to each other, but others shouldn't. Actually that's not quite true: there's no benefit to the individual devices talking to each other, what I need is to be able to create a client connection for a human to access all their own devices web interfaces. Is this what you do or are you able to just allow all of the devices to connect to each other?
Looking at your config I think you do have multiple groups on different subnets, is that right?
Hope this helps,
It certainly does, thanks.
On 01/06/12 11:11, Jim Rippon wrote:
I don't know whether Draytek routers will connect to an OpenVPN server - you may have to be a little more clever to make this work. In the past I have had my openvpn server establish vpns directly out to vpn-capable devices (I would connect to openvpn on a VPS server for "roadwarrior" type remote access, and that server itself would establish IPSec VPN connections to my DSL router at home)
From your experience (hindsight), I assume OpenVPN remains the best solution (rather than using something IPSec based at the server to do the whole job?)
For what I do I would stick with OpenVPN: it works well, I can connect to it from behind NAT firewalls, and I have the flexibility to enable it on port numbers that mean I can make use of it from places with restrictive access control such as hotel wifi etc.
I do something similar with my various internet-connected devices and connect back to a "hub" OpenVPN server running on a small VPS out there in the interwebs.
That's pretty much the model I'm going for.
This works well for me, I install the relevant key files on each of my devices (linux/windows laptops and desktops, android devices etc) and configure openvpn to start automatically at boot and connect to the server.
How do you manage the key file and configuration creation? (Is it sufficiently small numbers that you just do it manually?) Ie, what steps do you have to go through when you need to add a new device to the system?
In my case (I only have 5 remote devices, hence the "max-clients 5" option) I do this by hand using the scripts included with OpenVPN to create a signing CA and generate signed certificates, which I then pull across a trusted SSH session and distribute using encrypted USB keys to the relevant client systems where appropriate.
The server config is set to permit connectivity between client machines, and I reserve individual addresses for those devices which I might need to connect to remotely.
I'm not sure I quite understand this bit. I need to control access between different client machines - groups of devices from the same end user should talk to each other, but others shouldn't. Actually that's not quite true: there's no benefit to the individual devices talking to each other, what I need is to be able to create a client connection for a human to access all their own devices' web interfaces. Is this what you do or are you able to just allow all of the devices to connect to each other?
My client machines are allocated an IP address on the 10.10.10.0/24 subnet (the "mode server" and "server 10.10.10.0 255.255.255.0" config lines), and are permitted to connect to each other on that network (the "client-to-client" config line) through the OpenVPN tunnel. When a client connects, it also gets a static route added to its local routing table to the "192.168.0.0/24" and "192.168.1.0/24" networks via the OpenVPN server itself. Traffic to these networks then traverses IPSec VPN tunnels to remote networks from the OpenVPN server, which in my configuration is simply forwarding the packets, but could be configured to NAT or do further interesting things.
Looking at your config I think you do have multiple groups on different subnets, is that right?
I presume this is because of the "push" options that are providing routes to the clients? No, OpenVPN has a single subnet from which clients are assigned IP addresses (with reservations being stored in the "ifconfig-pool-persist" file, "/etc/openvpn/server-ipp.txt" in my case).
HTH,
Jim
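Added example, not part of Jim's config or anything posted in the thread: one way to get the segregation Mark asked about (each tenant's human client reaches only that tenant's devices, the operator reaches everything, every client reaches a shared services network) on a single hub. It assumes a server running "dev tun" with "topology subnet" (Jim's config uses tap10; with a routed tun interface inter-client packets are plain IP the kernel can filter), the posted "server 10.10.10.0 255.255.255.0" pool, net.ipv4.ip_forward=1, and, crucially, that "client-to-client" is removed from server.conf: with that option OpenVPN switches client-to-client traffic internally and the host firewall never sees it, which is exactly what the OpenVPN manual warns about for per-client rules. The tenant inventory, the CNs, the admin CN and the interface name are constructed for the example; the script only writes ccd files and emits iptables rule text, it does not load anything.

```python
"""
Added example: per-tenant segregation on one OpenVPN hub, generated as
client-config-dir (ccd) files plus iptables FORWARD rules.  Not code from
the thread.  Assumptions: the server runs 'dev tun' + 'topology subnet'
(Jim's config uses tap10), 'server 10.10.10.0 255.255.255.0' as posted,
'client-to-client' is REMOVED so client-to-client packets go through the
kernel where iptables sees them, and net.ipv4.ip_forward=1.
"""
import ipaddress
import os

TUN_IF = "tun10"                                     # assumed interface name
TUNNEL_NET = ipaddress.ip_network("10.10.10.0/24")   # from the posted server.conf
ADMIN_CN = "admin-laptop"                            # assumed CN of the operator's client
SHARED_NETS = ["192.168.0.0/24"]                     # one of the 'push route' networks in the posted config

# Constructed inventory: tenant -> (human user's client CN, [device CNs]).
# CNs are the certificate common names the CA (i.e. you) signed.
TENANTS = {
    "acme":   ("acme-user",   ["acme-dev-01", "acme-dev-02"]),
    "globex": ("globex-user", ["globex-dev-01"]),
}


def allocate_addresses(tenants, net=TUNNEL_NET, admin_cn=ADMIN_CN):
    """Pin one fixed tunnel address per CN (.1 is the server).  A fixed address
    is what makes a per-client firewall rule meaningful; a ccd ifconfig-push
    takes precedence over whatever ifconfig-pool-persist would have handed out."""
    hosts = net.hosts()
    next(hosts)                        # skip .1, the server's own address
    alloc = {admin_cn: next(hosts)}
    for tenant in sorted(tenants):     # sorted -> deterministic, reproducible ccd files
        user_cn, devices = tenants[tenant]
        alloc[user_cn] = next(hosts)
        for cn in devices:
            alloc[cn] = next(hosts)
    return alloc


def ccd_entry(ip, net=TUNNEL_NET):
    """Contents of ccd/<CN>.  With 'topology subnet' the second argument of
    ifconfig-push is the netmask, not a peer address."""
    return f"ifconfig-push {ip} {net.netmask}\n"


def write_ccd(alloc, ccd_dir):
    """Write one file per CN into the client-config-dir."""
    os.makedirs(ccd_dir, exist_ok=True)
    for cn, ip in alloc.items():
        with open(os.path.join(ccd_dir, cn), "w") as fh:
            fh.write(ccd_entry(ip))


def forward_rules(tenants, alloc, iface=TUN_IF, admin_cn=ADMIN_CN, shared=SHARED_NETS):
    """iptables FORWARD rules, in evaluation order.  Only the listed pairs are
    accepted; the final DROP catches device->device, tenant->other tenant and
    anything aimed at the Internet through the tunnel."""
    rules = [
        f"-A FORWARD -i {iface} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        f"-A FORWARD -o {iface} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        f"-A FORWARD -i {iface} -s {alloc[admin_cn]} -j ACCEPT",   # operator reaches everything
    ]
    for tenant in sorted(tenants):
        user_cn, devices = tenants[tenant]
        for cn in devices:             # a tenant's human client -> that tenant's devices only
            rules.append(f"-A FORWARD -i {iface} -o {iface} -s {alloc[user_cn]} -d {alloc[cn]} -j ACCEPT")
    for net in shared:                 # every client may reach the shared services network(s)
        rules.append(f"-A FORWARD -i {iface} -s {TUNNEL_NET} -d {net} -j ACCEPT")
    rules.append(f"-A FORWARD -i {iface} -j DROP")
    return rules


def first_match(rules, src, dst):
    """Tiny first-match evaluator for the generated rules (new flows only, so
    the conntrack rules are skipped).  Returns the -j target, so the policy can
    be checked before anything is loaded with iptables-restore."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        tok = rule.split()
        if "--ctstate" in tok:
            continue
        if "-s" in tok and src not in ipaddress.ip_network(tok[tok.index("-s") + 1]):
            continue
        if "-d" in tok and dst not in ipaddress.ip_network(tok[tok.index("-d") + 1]):
            continue
        return tok[tok.index("-j") + 1]
    return "POLICY"                    # fell through to the chain policy


if __name__ == "__main__":
    import tempfile
    alloc = allocate_addresses(TENANTS)
    write_ccd(alloc, tempfile.mkdtemp(prefix="ccd-"))
    for r in forward_rules(TENANTS, alloc):
        print("iptables", r)
```

The CN that selects the ccd file comes from the client certificate, so the CA is the real policy root: a device can only claim an address you signed for it. Adding "ccd-exclusive" to server.conf makes the server refuse any client that has no ccd file, so a freshly signed certificate with no allocation cannot connect at all until it is placed in a tenant. Because the user-to-device rules are the only inter-client ACCEPTs, the devices themselves cannot see each other, which matches Mark's remark that device-to-device traffic has no benefit.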
If you're looking at running a server or virtual server as the central VPN endpoint, you might want to look at running something like Vyatta on it. Vyatta is a Debian based router distro with a nice CLI that lets you configure everything in one place (routing, VPNs, NAT, etc)
Matt
-----Original Message-----
From: main-bounces@lists.alug.org.uk [mailto:main-bounces@lists.alug.org.uk] On Behalf Of Mark Rogers
Sent: 01 June 2012 10:09
To: ALUG - mailing list
Subject: [ALUG] Multi-VPN configuration
On 2 June 2012 14:48, Matthew Green matthew.j.green@ntlworld.com wrote:
If you're looking at running a server or virtual server as the central VPN endpoint, you might want to look at running something like Vyatta on it. Vyatta is a Debian based router distro with a nice CLI that lets you configure everything in one place (routing, VPNs, NAT, etc)
Thanks for that, I'll take a look.