Sebastian Mogilowskis Blog

Just another blog about administration, linux and other stuff

Debian Router Installation – Part 3 (VPN)

This article describes how to install an OpenVPN server with 2 subnets and pre-shared key authentication on Debian Etch:

The base for the VPN server is the Debian Router.

The router already has 2 networks, so I don’t want to create another one for the VPN. With bridging mode you can connect the clients into an existing network. This works over an ethernet tunnel.

Installation:

aptitude install openvpn bridge-utils iproute openssl

The first step is to create the pre-shared key with openssl:

cd /usr/share/doc/openvpn/examples/easy-rsa/2.0

. ./vars 
./clean-all 
./build-ca 

./build-key-server server 
./build-key vpnclient 
./build-dh 

mv keys /etc/openvpn/

You have to copy the files ca.crt, vpnclient.key and vpnclient.crt to the VPN client.

The next step is to create the bridge interface for the ethernet bridge. You have to insert these lines in /etc/network/interfaces.

# # # # # # # # # # # # # # # # # # # # # # # # # # # # 
# VPN Bridge 
auto br0 
iface br0 inet static 
        address 192.168.0.1 
        netmask 255.255.255.0 
        pre-up /usr/sbin/openvpn --mktun --dev tap0 
        pre-up /sbin/ip link set tap0 up 
        pre-up /sbin/ip link set eth1 up 
        pre-up /usr/sbin/brctl addbr br0 
        pre-up /usr/sbin/brctl addif br0 eth1 
        pre-up /usr/sbin/brctl addif br0 tap0 
        pre-up /sbin/ifconfig eth1 0.0.0.0 promisc up 
        pre-down /usr/sbin/brctl delif br0 eth1 
        pre-down /sbin/ip link set eth1 down 
        pre-down /usr/sbin/brctl delif br0 tap0 
        pre-down /sbin/ip link set tap0 down 
        post-down /usr/sbin/brctl delbr br0 
        post-down /usr/sbin/openvpn --rmtun --dev tap0

192.168.0.1 is the address of the interface whose subnet you want to connect your VPN clients to. The bridge interface takes the network address from eth1, and a tap0 device for OpenVPN is created. Depending on your own configuration, you have to change the interface (eth1), the network address and the netmask.

Note: You have to configure your firewall for the new interfaces.

iptables -A INPUT   -i tap0 -j ACCEPT
iptables -A INPUT   -i br0  -j ACCEPT
iptables -A OUTPUT  -o tap0 -j ACCEPT
iptables -A OUTPUT  -o br0  -j ACCEPT
iptables -A FORWARD -i tap0 -j ACCEPT
iptables -A FORWARD -i br0  -j ACCEPT

Now you can configure the VPN server. You can use the default configuration file and copy it into the OpenVPN folder.

cd /usr/share/doc/openvpn/examples/sample-config-files
gzip -d server.conf.gz
cp server.conf /etc/openvpn/networkVPN.conf

Now you can modify the configuration file:

dev tap0
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh1024.pem
server-bridge 192.168.0.1 255.255.255.0 192.168.0.201 192.168.0.250
client-to-client
push "redirect-gateway"
push "route 192.168.0.0 255.255.255.0"
push "dhcp-option DEFAULT_GATEWAY 192.168.0.1"
push "dhcp-option DNS 192.168.0.1"
push "dhcp-option DOMAIN network.lan"
push "dhcp-option WINS 192.168.0.1"

You have to replace “dev tun” with “dev tap0” (the tap device that was created and bridged in /etc/network/interfaces; a plain “dev tap” would make OpenVPN allocate a new, unbridged device) and the “server” line with the “server-bridge” line, and you have to allow the OpenVPN port 1194 UDP in your firewall.

Restart the OpenVPN server:

/etc/init.d/openvpn start

Now your VPN server is ready. You can set up the VPN client on Ubuntu with a NetworkManager plugin.
Note: If you don’t want to create keys for every client, you have to enable “duplicate-cn” in the server configuration.
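As an added example that is not part of the original post (and not OpenVPN’s own tooling), the following Python script lints a networkVPN.conf for the pitfalls this page surfaces: the device name must be the pre-created tap0 that is bridged in /etc/network/interfaces, the dh file name must match what build-dh writes, the server-bridge pool must lie inside the subnet without handing out the gateway address, and duplicate-cn is flagged because one shared certificate cannot be revoked for a single client. The sample config is constructed from the lines above; the function names and message texts are my own.

```python
import ipaddress

# Constructed sample: the networkVPN.conf lines from the post, with the device
# name and dh file name as they must read for the bridge set up above.
SAMPLE_CONF = """\
dev tap0
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh1024.pem
server-bridge 192.168.0.1 255.255.255.0 192.168.0.201 192.168.0.250
"""

def parse_conf(text):
    """Map each directive to its argument list; '#'/';' comments are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", ";")):
            name, *args = line.split()
            conf.setdefault(name, args)  # first occurrence wins
    return conf

def lint_bridge_conf(text, bridged_tap="tap0"):
    """Return the problems found in a server-bridge config; [] means clean."""
    conf, problems = parse_conf(text), []
    dev = conf.get("dev", [""])[0]
    if dev != bridged_tap:  # plain 'dev tap' makes OpenVPN allocate a new tap1
        problems.append(f"dev {dev!r}: not the bridged device {bridged_tap}")
    if "server" in conf:
        problems.append("'server' (tun mode) must become 'server-bridge'")
    if not conf.get("dh", [""])[0].endswith(".pem"):
        problems.append("dh: easy-rsa build-dh writes keys/dh<bits>.pem")
    sb = conf.get("server-bridge", [])
    if len(sb) != 4:
        problems.append("server-bridge needs: gateway netmask pool-start pool-end")
    else:
        gw, mask, start, end = sb
        net = ipaddress.ip_network(f"{gw}/{mask}", strict=False)
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if lo not in net or hi not in net or lo > hi:
            problems.append(f"server-bridge pool {start}-{end} is not inside {net}")
        elif lo <= ipaddress.ip_address(gw) <= hi:
            problems.append("server-bridge pool would hand out the gateway address")
    if "duplicate-cn" in conf:  # one shared cert: no per-client revocation
        problems.append("duplicate-cn: a leaked client key cannot be revoked alone")
    return problems

if __name__ == "__main__":
    print(lint_bridge_conf(SAMPLE_CONF) or ["config looks consistent"])
```

Run it against the real file with `lint_bridge_conf(open("/etc/openvpn/networkVPN.conf").read())` before starting the daemon; an empty list means the config is consistent with the bridge.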


One thought on “Debian Router Installation – Part 3 (VPN)”

  • Noby says:

    I think you don’t have the OpenVPN configuration like this on the router. In the networkVPN.conf file it should say “dev tap0” instead of “dev tap”, because otherwise a new device (tap1) is created when the OpenVPN daemon starts.
