Connecting two networks with OpenVPN on Ubuntu

Either the IPsec client I've been using to connect to the Zenoss colo or the VPN server on the other end kills my connection every twenty-five minutes. We've got an OpenVPN server running at the colo as well, and that connection has been much more stable. Since I have multiple boxes here that I'd like to give colo access, I decided to try to connect the two networks semi-permanently, as a fun weekend project. It actually turned out to take around two hours.

  1. Set up the VPN connection. This ended up being very, very easy. My nameserver VM (IP: 10.42.1.2) was hardly overtaxed, so I decided to use that as the VPN gateway. First, I installed OpenVPN:
    ian@tryphon$ sudo apt-get install openvpn

    I already had an OpenVPN config, which I'd been using (via TunnelBlick) to connect to the OpenVPN server at the colo. I dumped that, along with the necessary keys and whatnot, into /etc/openvpn, and fired up the connection:
    ian@tryphon$ sudo /etc/init.d/openvpn start zenoss
    * Starting virtual private network daemon.
    * zenoss (OK)
    ...done.

    Then I verified connectivity by pinging a server at the colo:
    ian@tryphon:/etc/openvpn$ ping 10.175.211.10
    PING 10.175.211.10 (10.175.211.10) 56(84) bytes of data.
    64 bytes from 10.175.211.10: icmp_seq=1 ttl=62 time=52.5 ms
    64 bytes from 10.175.211.10: icmp_seq=2 ttl=62 time=48.1 ms

    --- 10.175.211.10 ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 1001ms
    rtt min/avg/max/mdev = 48.150/50.338/52.527/2.199 ms


  2. Route colo traffic through the gateway. This was the only tricky part, mostly (I think) because my understanding of IP routing ranges from nonexistent to limited, which is why I thought this would be a fun project in the first place.

    I should mention here that the zenoss.conf file I had sets routes appropriately (obviously, or step 1 wouldn't have worked):
    ian@tryphon$ netstat -rn
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
    10.254.0.1      10.254.0.9      255.255.255.255 UGH       0 0          0 tun0
    10.254.0.9      0.0.0.0         255.255.255.255 UH        0 0          0 tun0
    10.175.211.0    10.254.0.9      255.255.255.0   UG        0 0          0 tun0
    10.42.1.0       0.0.0.0         255.255.255.0   U         0 0          0 eth0
    0.0.0.0         10.42.1.1       0.0.0.0         UG        0 0          0 eth0

    So I just needed to get the rest of the network to use that connection.

    First, I added a static route on my router, sending 10.175.211.0/24 traffic to my VPN box at 10.42.1.2 (user interfaces will vary, of course; mine's a Linksys with the default firmware. dd-wrt won't work on my router, which causes me no end of annoyance, but that's another story).

    That gets me to the box but not out through the VPN. Next I needed to enable IP forwarding on the VPN box:
    ian@tryphon$ sudo su -
    root@tryphon# echo 1 > /proc/sys/net/ipv4/ip_forward
    root@tryphon# echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
    root@tryphon# sysctl net.ipv4.ip_forward=1

    The first and third lines do the same thing: both set the running kernel value immediately, so either one on its own is enough. The line written to /etc/sysctl.conf is what makes the setting survive a reboot. Note the >> there: a single > would replace the whole file with that one line, throwing away every other sysctl setting on the box.

    I got to this point, and it wasn't working. I don't fully understand why, but comments from a co-worker led me to investigate how to tell the box which interface it should forward things to. Googling around led me to try installing iptables and adding a rule:
    ian@tryphon$ sudo apt-get install iptables
    ...
    ian@tryphon$ sudo /sbin/iptables -A FORWARD -i tun0 -j ACCEPT

    This worked! From anywhere on my network, I was able to ping the colo. Hooray! In order to get it to work on boot, I added the above command to /etc/rc.local.

    Two caveats on that rule. It only covers packets arriving on tun0, i.e. traffic coming from the colo toward my LAN, and it lets all of it through: every host at the colo can now reach every host here. A tighter version sets the FORWARD policy to DROP, accepts eth0-to-tun0 traffic destined for 10.175.211.0/24, and accepts only ESTABLISHED,RELATED replies in the tun0-to-eth0 direction. Also, replies from the colo can only come back if the colo side knows where 10.42.1.0/24 lives: either the OpenVPN server routes that network toward this client (a route line in the server config plus an iroute line in this client's ccd file), or the gateway NATs LAN traffic behind its own tun0 address with a MASQUERADE rule in the POSTROUTING chain.

  3. Use the remote nameserver. This was simple. Since I'm already running BIND locally, I just added a forwarder to /etc/bind/named.conf.local:
    zone "zenoss.loc" IN {
        type forward;
        forwarders { 10.175.211.10; };
    };

    Restarted BIND, and all was well.

    Oh, I had to add zenoss.loc to the search line of /etc/resolv.conf. I have yet to find a good way around that, though I'm certain one exists. I may move DHCP from my router to that box, so I can specify more search domains.
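    Pulling the gateway-side plumbing of step 2 together, here is a small POSIX sh script. It is an added example, not code from the original post: it persists ip_forward without clobbering /etc/sysctl.conf (and is safe to run more than once), installs directional, stateful FORWARD rules instead of the blanket tun0 ACCEPT, and masquerades LAN traffic behind the tunnel address so the colo side needs no route back. The addresses and interface names match the post (LAN 10.42.1.0/24 on eth0, colo 10.175.211.0/24 over tun0); the DRY_RUN variable, the apply argument and the function names are my own conventions for this script.

```shell
#!/bin/sh
# Added example for the OpenVPN gateway above (not from the original post).
# Assumed layout: LAN 10.42.1.0/24 on eth0, colo 10.175.211.0/24 over tun0.
# Set DRY_RUN=1 to print the iptables commands instead of running them.

LAN_NET="${LAN_NET:-10.42.1.0/24}"
COLO_NET="${COLO_NET:-10.175.211.0/24}"
LAN_IF="${LAN_IF:-eth0}"
VPN_IF="${VPN_IF:-tun0}"
SYSCTL_CONF="${SYSCTL_CONF:-/etc/sysctl.conf}"

# run CMD...: execute CMD, or just print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# persist_forwarding FILE: make sure FILE carries exactly one
# "net.ipv4.ip_forward=1" line. An existing line (commented out, as
# Ubuntu ships it, or set to 0) is rewritten in place; otherwise the
# setting is appended. The file is never truncated, so other settings
# survive. Prints the number of matching lines afterwards (always 1).
persist_forwarding() {
    f="$1"
    [ -e "$f" ] || : > "$f"
    if grep -q '^#\{0,1\}net\.ipv4\.ip_forward' "$f"; then
        sed 's/^#\{0,1\}net\.ipv4\.ip_forward *=.*/net.ipv4.ip_forward=1/' "$f" > "$f.tmp" \
            && mv "$f.tmp" "$f"
    else
        echo 'net.ipv4.ip_forward=1' >> "$f"
    fi
    grep -c '^net\.ipv4\.ip_forward=1$' "$f"
}

# forward_rules: fail-closed, directional forwarding. The LAN may open
# connections to the colo network only; the colo side only gets replies
# to connections the LAN started.
forward_rules() {
    run iptables -P FORWARD DROP
    run iptables -F FORWARD
    run iptables -A FORWARD -i "$LAN_IF" -o "$VPN_IF" \
        -s "$LAN_NET" -d "$COLO_NET" -j ACCEPT
    run iptables -A FORWARD -i "$VPN_IF" -o "$LAN_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# masquerade: hide the LAN behind the gateway's tunnel address, so the
# OpenVPN server needs no route (or iroute) back to the LAN. Use this
# OR a server-side route for the LAN, not both.
masquerade() {
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$VPN_IF" -j MASQUERADE
}

# Usage: sh vpn-gateway.sh apply      (DRY_RUN=1 sh vpn-gateway.sh apply to preview)
if [ "${1:-}" = "apply" ]; then
    persist_forwarding "$SYSCTL_CONF" > /dev/null
    run sysctl -w net.ipv4.ip_forward=1
    forward_rules
    masquerade
fi
```

    Run it with apply from /etc/rc.local (or, on a newer box, from a systemd unit) instead of the single iptables line; with DRY_RUN=1 it just shows the rules it would load, which is a convenient way to review them before the colo gets access to the LAN.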

1 comment

  • alex smith  
    February 15, 2009 at 11:31 AM

    I actually heard about logs kept by ISPs and I didn't want to be under the eye of "Big Brother", so I searched on Google and found you. Happy that I did. Using a VPN has put my mind at ease. Your server has gone down once or twice, but that was just a temporary hardware glitch, as you put it.