I'm going to use an OpenVPN based Ethernet bridge to allow me to connect to my home LAN via the Internet when I'm away from home.
First, install the openvpn, bridge-utils (for the Ethernet bridge) and openssl (to generate certificates) packages:
fileserver:~# apt-get install openvpn bridge-utils openssl
The /etc/init.d/openvpn script that comes with the package is far too complicated for me to understand or need, so I replaced it with a simpler one (I copied the original to /etc/init.d/openvpn.orig):
#! /bin/sh
# /etc/init.d/openvpn
## Carry out specific functions when asked to by the system
case "$1" in
    start)
        echo "Starting openvpn server"
        # start the daemon with the bridged configuration below
        openvpn --config /etc/openvpn/simple.conf
        ;;
    stop)
        echo "Stopping openvpn server"
        # terminates every running openvpn process
        killall openvpn
        ;;
    *)
        echo "Usage: /etc/init.d/openvpn {start|stop}"
        exit 1
        ;;
esac
exit 0
To use the killall command, I had to install the psutils package.
To make the bridge between the tap device and the physical Ethernet port, I edited /etc/network/interfaces to -
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface (brought up without an address; it is a bridge port)
#allow-hotplug eth0
auto eth0
iface eth0 inet static
    address 0.0.0.0
    netmask 255.255.255.0

# Persistent tap device, created before the interface comes up so the bridge can enslave it
auto tap0
iface tap0 inet static
    address 0.0.0.0
    netmask 255.255.255.0
    pre-up /usr/sbin/openvpn --mktun --dev tap0

# The bridge takes the LAN address by DHCP; eth0 and tap0 are its ports
auto br0
iface br0 inet dhcp
    hostname fileserver
    bridge_ports eth0 tap0
Generating the required certificates is as described in the OpenVPN HOWTOs. The easy-rsa directory was at /usr/share/doc/openvpn/examples/easy-rsa/2.0. I copied this to /etc/openvpn and worked there. At the end of the process I copied the files needed on the server to /etc/openvpn -
/etc/openvpn/ca.crt
/etc/openvpn/server.crt
/etc/openvpn/server.key
/etc/openvpn/dh1024.pem
The files needed on the client are -
ca.crt
client.crt
client.key
The OpenVPN server configuration file /etc/openvpn/simple.conf is -
dev tap0
server-bridge 192.168.2.1 255.255.255.0 192.168.2.101 192.168.2.110
user nobody
persist-key
persist-tun
proto udp
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh1024.pem
daemon
This allows up to 10 clients to connect, each given an IP address from 192.168.2.101 to 192.168.2.110 on the home LAN. Note that 192.168.2.1 is the IP address of the home LAN router.
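A sanity check I would run over a simple.conf like the one above before starting the server (my own Python, not part of the post or of OpenVPN): it parses the file, confirms the CA, certificate, key and DH directives are all present, and validates the server-bridge pool, which must lie inside the bridged LAN subnet, must not swallow the router's own address, and must sit on a tap device. The config text is embedded as constructed input so the check runs offline.

```python
import ipaddress

# Constructed sample: the simple.conf from the post, embedded so the
# checker runs offline.
SIMPLE_CONF = """\
dev tap0
server-bridge 192.168.2.1 255.255.255.0 192.168.2.101 192.168.2.110
user nobody
persist-key
persist-tun
proto udp
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh1024.pem
daemon
"""

REQUIRED = ("ca", "cert", "key", "dh", "dev", "server-bridge")

def parse_conf(text):
    """Return {directive: [args]} for non-comment lines (first occurrence wins)."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, *args = line.split()
        conf.setdefault(name, args)
    return conf

def check_server_bridge(conf):
    """Validate the bridged client pool; returns (problems, pool_size)."""
    problems = [f"missing directive: {d}" for d in REQUIRED if d not in conf]
    args = conf.get("server-bridge")
    if not args or len(args) != 4:
        return problems + ["server-bridge needs gateway netmask start end"], 0
    gw, mask, start, end = args
    net = ipaddress.IPv4Network(f"{gw}/{mask}", strict=False)
    gw_ip, start_ip, end_ip = (ipaddress.IPv4Address(a) for a in (gw, start, end))
    if start_ip > end_ip:
        problems.append("pool start is after pool end")
    if start_ip not in net or end_ip not in net:
        problems.append("pool is outside the bridged LAN subnet")
    if start_ip <= gw_ip <= end_ip:
        problems.append("gateway address lies inside the client pool")
    if not conf.get("dev", [""])[0].startswith("tap"):
        problems.append("server-bridge requires a tap device")
    size = max(0, int(end_ip) - int(start_ip) + 1)   # 10 for the post's pool
    return problems, size
```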
Finally, I needed to forward TCP and UDP port 1194 on the WAN side of my Internet firewall to the fileserver IP address 192.168.1.18.
My first client is my Windows laptop running OpenVPN GUI for Windows. The client config file is -
client
dev tap
proto udp
remote flabby.is-a-geek.com 1194
nobind
persist-key
persist-tun
mute-replay-warnings
# only accept a server certificate carrying the nsCertType=server extension
# (set by easy-rsa's build-key-server), so another client's cert cannot pose as the server
ns-cert-type server
verb 3
ca "ca.crt"
key "client.key"
cert "client.crt"
float