Connecting two networks with OpenVPN on Ubuntu
Either the IPsec client I've been using to connect to the Zenoss colo or the VPN server on the other end kills my connection every twenty-five minutes. We've got an OpenVPN server running at the colo as well, and that connection's been much more stable. Since I have multiple boxes here that I'd like to have colo access, I decided to try to connect the two networks semi-permanently, as a fun weekend project. It actually turned out to take around two hours.
ian@tryphon$ sudo apt-get install openvpn
I already had an OpenVPN config, which I'd been using (via TunnelBlick) to connect to the OpenVPN server at the colo. I dumped that, along with the necessary keys and whatnot, into /etc/openvpn, and fired up the connection:
ian@tryphon$ sudo /etc/init.d/openvpn start zenoss
* Starting virtual private network daemon.
* zenoss (OK)
...done.
Then I verified connectivity by pinging a server at the colo:
ian@tryphon:/etc/openvpn$ ping 10.175.211.10
PING 10.175.211.10 (10.175.211.10) 56(84) bytes of data.
64 bytes from 10.175.211.10: icmp_seq=1 ttl=62 time=52.5 ms
64 bytes from 10.175.211.10: icmp_seq=2 ttl=62 time=48.1 ms
--- 10.175.211.10 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 48.150/50.338/52.527/2.199 ms
I should mention here that the <code>zenoss.conf</code> file I had sets routes appropriately (obviously, or step 1 wouldn't have worked):
ian@tryphon$ netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
10.254.0.1 10.254.0.9 255.255.255.255 UGH 0 0 0 tun0
10.254.0.9 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
10.175.211.0 10.254.0.9 255.255.255.0 UG 0 0 0 tun0
10.42.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 10.42.1.1 0.0.0.0 UG 0 0 0 eth0
So I just needed to get the rest of the network to use that connection.
First, I added a static route on my router, sending 10.175.211.0/24 traffic to my VPN box (user interfaces will vary, of course; mine's a Linksys with the default firmware. dd-wrt won't work on my router, which causes me no end of annoyance, but that's another story):
That gets me to the box but not out through the VPN. Next I needed to enable IP forwarding on the VPN box:
ian@tryphon$ sudo su -
root@tryphon# echo 1 > /proc/sys/net/ipv4/ip_forward
root@tryphon# echo "net.ipv4.ip_forward=1" > /etc/sysctl.conf
root@tryphon# sysctl net.ipv4.ip_forward=1
I don't know if the first line is necessary given the sysctl stuff, but The Web seemed to think it was the way to go, and it didn't break anything. People who understand this stuff better may educate me if they so wish.
I got to this point, and it wasn't working. I don't fully understand why, but comments from a co-worker led me to investigate how to tell the box to which interface it should forward things. Googling around led me to try installing iptables and adding a rule:
ian@tryphon$ sudo apt-get install iptables
...
ian@tryphon$ sudo /sbin/iptables -A FORWARD -i tun0 -j ACCEPT
This worked! From anywhere on my network, I was able to ping the colo. Hooray! In order to get it to work on boot, I added the above command to /etc/rc.local.
To resolve colo hostnames, I added a forward zone to /etc/bind/named.conf.local:
zone "zenoss.loc" IN {
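A tighter version of the forwarding setup, added here as an example (these are not the post's own commands): it keeps the post's subnets and interfaces but forwards only between the two known networks, accepts traffic arriving from the tunnel only for connections the LAN started, and persists ip_forward in a sysctl.d drop-in instead of overwriting /etc/sysctl.conf. The drop-in file name and the assumption that the colo side already routes 10.42.1.0/24 back through the tunnel (which the working pings above imply) are mine.

```shell
#!/bin/sh
# Added example, not the post's commands: scoped forwarding for the OpenVPN
# gateway box. Subnets and interface names come from the routing table in
# the post; the colo side is assumed to route 10.42.1.0/24 back over tun0.
LAN_NET="10.42.1.0/24"      # home LAN, behind eth0
COLO_NET="10.175.211.0/24"  # colo network, reached over tun0
LAN_IF="eth0"
VPN_IF="tun0"

# Emit iptables commands that forward only between the two known subnets.
# Unlike a bare "-A FORWARD -i tun0 -j ACCEPT", packets arriving from the
# tunnel are forwarded only when they belong to a connection the LAN
# started; the default policy drops anything else that would be forwarded.
forward_rules() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -A FORWARD -i $LAN_IF -o $VPN_IF -s $LAN_NET -d $COLO_NET -j ACCEPT
iptables -A FORWARD -i $VPN_IF -o $LAN_IF -s $COLO_NET -d $LAN_NET -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Emit the sysctl drop-in that makes forwarding survive a reboot without
# clobbering the rest of /etc/sysctl.conf.
forward_sysctl() {
    printf 'net.ipv4.ip_forward=1\n'
}

# Report the kernel's current forwarding state: 0, 1, or "unknown" when
# /proc is not available (e.g. when run somewhere other than Linux).
forwarding_state() {
    if [ -r /proc/sys/net/ipv4/ip_forward ]; then
        cat /proc/sys/net/ipv4/ip_forward
    else
        echo unknown
    fi
}

# Apply everything (needs root). The drop-in name is an assumption.
# Usage: sudo sh forward.sh apply
apply_rules() {
    forward_sysctl > /etc/sysctl.d/30-openvpn-forward.conf
    sysctl -w net.ipv4.ip_forward=1
    forward_rules | sh -e
}

if [ "${1:-}" = apply ]; then
    apply_rules
fi
```

Put the apply step in /etc/rc.local (or wherever the box runs boot-time commands) in place of the single ACCEPT rule.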
type forward;
forwarders {10.175.211.10;};
};
Restarted BIND, and all was well.
Oh, I had to add zenoss.loc to the search line of /etc/resolv.conf. I have yet to find a good way around that, though I'm certain one exists. I may move DHCP from my router to that box, so I can specify more search domains.
February 15, 2009 at 11:31 AM
I actually heard about logs kept by ISPs and I didn't want to be under the eye of "Big Brother", so I searched on Google and found you. Happy that I did. Using a VPN has put my mind at ease. Your server has gone down once or twice, but that was just a temporary hardware glitch, as you put it.