OpenVPN configuration


This topic contains 0 replies, has 0 voices, and was last updated by  level323 11 years, 9 months ago.

  • #40592

    level323
    Member

    Hi there,

    I was wondering if I could get some help setting up LAN-LAN VPN via the OpenVPN server built into ZeroShell. I’ve been able to get it *mostly* working, but there’s some critical things I’m missing in order to get it working *right*.

    I’ve spent hours reading the ZeroShell and OpenVPN websites to try and work out how to solve these remaining issues, but I’ve hit a bit of a brick wall.

    The contributions from the ZeroShell website (“How to secure my private network” by Cristian Colombini and “HOWTO: WPA/WPA2 Enterprise Authentication” by Paul Taylor) were very helpful for general setup of ZeroShell but are not concerned with OpenVPN tunnels so are of no help either.

    I would be willing to collate the results of this thread into a mini-HOWTO for setting up OpenVPN that could be posted on the website for the general assistance of ZeroShell users.

    I wish to setup an OpenVPN link between my linux laptop (Ubuntu Edgy) and the ZeroShell firewall/router at my office, in order to gain access to the entire LAN behind the firewall at my office.

    Let’s say my Zeroshell office firewall is accessible on the internet at 91.91.91.91 (not the real address), which is on the Zeroshell interface PPP0 through ETH01.
    The office LAN subnet is 10.0.1.0/255.255.255.0. The ZeroShell firewall is on internal IP of 10.0.1.1 through ETH00.
    The remote location where I’m currently using my linux laptop is also behind a firewall in the 192.168.1.0/255.255.255.0 subnet.

    I’m using ZeroShell 1.0.beta4 (latest)

    The Zeroshell OpenVPN config is as below:
    Description: LPGMT VPN 1 UDP
    Remote Host: {blank}
    Remote X509 CN: {blank}
    Tunnel type: UDP
    Compression: Enabled
    Crypto: Enabled
    Connection: Server
    Parameters: --float --server-bridge 10.9.0.1 255.255.255.0 10.9.0.241 10.9.0.249
    ZeroShell assigned this VPN to network device ‘VPN00’. I presume that this device is a TAP device (from reading the ZeroShell website).

    Note: The --float parameter was put there merely to allow clients to connect from any IP (even dynamic IPs)
    Note2: I’ll explain the need for the --server-bridge param later… see below.

    I have been able to successfully setup an OpenVPN tunnel between my linux laptop (running OpenVPN client) and my office firewall (running OpenVPN under ZeroShell). I know the link is working because:
    (1) The OpenVPN client on my linux laptop reports successful connection and stays up indefinitely, and the ZeroShell router (note that I do not need to specify the --server-bridge param on the server side for the link to be successful).
    (2) If I assign an IP of 10.9.0.1 to VPN00 (i.e. on the server side) and config the ZeroShell OpenVPN server with the --server-bridge param as mentioned above (and restart the OpenVPN client) I find that the tunnel is established and OpenVPN associates the tap0 device (on the client aka linux laptop) with IP 10.9.0.241 and brings up the tap0 interface. Then I can successfully ping 10.9.0.1 (the Zeroshell VPN server side) from my linux laptop (the client side) and get a response.

    Furthermore, if I instruct my linux laptop on how to reach the office LAN subnet via the Zeroshell VPN00 interface by adding a manual route on the client (linux laptop) side as follows:
    route add -net 10.0.1.0 gw 10.9.0.1 netmask 255.255.255.0
    then I can ping all the machines on my office LAN from my linux laptop successfully and even ssh into them as desired.

    “Great! Wonderful!” I hear you say… so what’s my problem?

    Well, what I have just explained is how I can get it *to* work, but as I understand it this is not how it *should* work.

    I’m pretty new to the intricacies of VPNs, but my understanding is that the ZeroShell OpenVPN allows me to construct a *bridged* connection. My understanding of a bridged connection is that I should be able to set up an OpenVPN tunnel which should result in my client (linux laptop) being allocated an address in the 10.0.1.0/24 subnet, and that once this VPN connection is established my remotely connected linux laptop should appear to be connected to my office LAN just as if it were physically connected to a physical switch in the office.

    My example above works, but it is effectively a *routed* connection, not a *bridged* connection. This has limitations, including:
    * My remote linux client won’t receive broadcasts initiated on the office LAN
    * My remote linux client can’t interact with non-IP protocols (NetBios etc) initiated from the office LAN.

    My understanding is that ZeroShell’s OpenVPN subsystem is designed (and configured) for bridged connections, but so far the only way I can get a working connection is to use the routed approach as mentioned above, which has the disadvantages I just listed.

    I have tried many different approaches to get a bridged connection working, as described below:

    1. Configure the ZeroShell OpenVPN server with params:
    * --float --server-bridge 10.0.1.1 255.255.255.0 10.0.1.241 10.0.1.249
    and on the ZeroShell (server side):
    * Do not assign any IP address to VPN00
    This successfully allocates and brings up tap0 on the linux laptop (client side) with an IP address in the same subnet as the office LAN, however with this configuration I can’t reach any machines on the office LAN (presumably because the VPN00 device on the ZeroShell (server) side is not configured as to where to send these packets). I can see my ping requests going down the VPN tunnel, but nothing coming back.

    2. Configure the ZeroShell OpenVPN server with params:
    * --float --server-bridge 10.0.1.1 255.255.255.0 10.0.1.241 10.0.1.249
    and on the ZeroShell (server side):
    * Do not assign any IP address to VPN00
    * Create a BRIDGE between VPN00 and ETH00 on the ZeroShell via the ZeroShell web-based admin interface.
    To my understanding, this should be the correct recipe, as it will cause ethernet packets moving through the tunnel to be connected to the LAN side of the ZeroShell firewall.
    This configuration, however, seems to have dramatic consequences – it causes a major problem with the routing mechanisms on the Zeroshell firewall:
    * Users on the office LAN can no longer access the internet through the firewall
    * Although I can still access the Zeroshell web admin console from my remote linux laptop, I can’t access any virtual servers (such as an SSH server behind the firewall, which was previously setup and reachable before setting up the bridge).

    So my request to you, dear readers, is for assistance in getting this (largely undocumented but extremely powerful) aspect of Zeroshell working properly as a VPN bridge.

    Apologies in advance for my lack of understanding of VPNs and networking principles, but bear with me – I’m a fast learner (and an Engineer).

    As already mentioned, I am willing to compile the results of this thread in a mini-howto for setting up OpenVPN connections under Zeroshell, in return for getting a bridged VPN working through the interchanges on this thread.

    Finally, many thanks to Fulvio et al for a fantastic piece of software. Once I can get this part working I will be 100% happy with ZeroShell.

    Many thanks,

    John

    #45267

    imported_fulvio
    Participant

    @level323 wrote:

    2. Configure the ZeroShell OpenVPN server with params:
    * --float --server-bridge 10.0.1.1 255.255.255.0 10.0.1.241 10.0.1.249
    and on the ZeroShell (server side):
    * Do not assign any IP address to VPN00
    * Create a BRIDGE between VPN00 and ETH00 on the ZeroShell via the ZeroShell web-based admin interface.
    To my understanding, this should be the correct recipe, as it will cause ethernet packets moving through the tunnel to be connected to the LAN side of the ZeroShell firewall……

    This is the right approach, but there is only one problem:
    when you include the ETH00 in the BRIDGE00 interface, the IP address 10.0.1.1 does not automatically migrate from the ETH00 to the BRIDGE00 and hence you lose the connectivity. You can solve the issue by using the console to create the bridge (read the FAQ http://www.zeroshell.net/eng/faq/network/#net.faq4) or adding the IP 10.0.1.1 to the BRIDGE00 interface if you are able to contact the web GUI of Zeroshell from another interface. In any case, you don’t need to use the OpenVPN parameter
    --server-bridge 10.0.1.1 255.255.255.0 10.0.1.241 10.0.1.249

    Regards
    Fulvio
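The console recipe Fulvio points at, as an added example (this is not ZeroShell's own script nor the text of the linked FAQ): it assumes iproute2 interface names eth0, vpn00 and br0 standing in for ETH00, VPN00 and BRIDGE00, and it is meant for the router's console, because deleting 10.0.1.1 from ETH00 drops any web GUI session reached over that interface. By default it only prints the commands; DRY_RUN=0 executes them as root.

```shell
#!/bin/sh
# Added example, not ZeroShell's own code: build the LAN/TAP bridge from the console,
# including the step the GUI does not perform (moving the LAN address onto the bridge).
# Assumed names: LAN NIC eth0 (ETH00), OpenVPN TAP vpn00 (VPN00), bridge br0 (BRIDGE00).
# DRY_RUN=1 (the default here) prints the commands; DRY_RUN=0 runs them (needs root).
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# bridge_lan_and_tap LAN_IF TAP_IF BRIDGE_IF ADDR/PREFIX
# Both member interfaces are expected to be up already (eth0 as the LAN NIC,
# vpn00 brought up by the running OpenVPN server).
bridge_lan_and_tap() {
    lan_if=$1 tap_if=$2 br_if=$3 addr=$4
    run ip link add name "$br_if" type bridge
    run ip link set "$lan_if" master "$br_if"
    run ip link set "$tap_if" master "$br_if"
    # Enslaving the NIC does not carry its address over: delete it from eth0 and
    # re-add it on the bridge. Skipping this leaves the router with no address on
    # the LAN, so LAN hosts lose their gateway (the symptom reported in the thread).
    run ip addr del "$addr" dev "$lan_if"
    run ip addr add "$addr" dev "$br_if"
    run ip link set "$br_if" up
}

# The thread's addressing: the router keeps 10.0.1.1/24, now on the bridge.
bridge_lan_and_tap eth0 vpn00 br0 10.0.1.1/24
```

Once the address sits on br0, OpenVPN clients on the TAP side share the 10.0.1.0/24 segment directly, which is why the --server-bridge parameter is no longer needed.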
