EGOPOLY

Topics include: programming, Apple, Unix, gadgets, large-scale web sites and other nerdy stuff.

OpenVPN setup; many clients to one server and LAN

2006-05-23 00:30:18

I used OpenVPN about 2 years ago to connect our US development office with our engineering lab in Bangalore, India. Unfortunately, the dual-site development thing didn't work out, and I haven't used OpenVPN since. But recently I was faced with creating a secure yet inexpensive (read: free) remote access solution for my wife's medical practice. The doctors are, shall we say, not major computer geeks. So an ssh tunneling system, while it would work, would be too difficult to explain, and be too prone to human error.

I remembered OpenVPN, and thought it might work well. I was heartened to see that OpenVPN now has a bunch of GUI clients, which will make setup a lot easier.

First, I had to set up port forwarding from the Linksys router to the Linux server where I would run the OpenVPN server. This was a simple matter of setting port 1194 to forward from the internet to the internal IP address of the Linux server. Ideally, I would have made the internal network of the office something that would not collide with common home routers (usually 192.168.0.x or 192.168.1.x), since a client whose home LAN uses the same range ends up with two competing routes for it. But the office net was already set up as 192.168.1.x, so I'm going to have to work around that by changing people's home routers to be something else.

Once that was done, I built OpenVPN from source, installed it on the Linux machine and created a local certificate authority. The OpenVPN documentation and scripting in this area have greatly improved in the last two years.

In the server.conf, I enabled the TUN device only, since I'm only dealing with IP protocols. Aside from that, the interesting parts of the server.conf were:

# I picked 10.68.0.0/24 as my VPN subnet, since it is unlikely to collide
# with anything.  
server 10.68.0.0 255.255.255.0
# allow clients to see the rest of the office subnet
push "route 192.168.1.0 255.255.255.0"

Then I created client config files that match. Interesting parts of the client.conf:

# this is the outside address of the office
remote office.example.com 1194
# these are the key files. I call them the same thing on all
# client machines; I then give each doc a different client key and cert
ca ca.crt
cert client.crt
key client.key
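For reference, here are complete server and client files built around the fragments above, written out by a small script. This is an added example, not the post's own configuration: the certificate, key, DH and tls-auth file names, the /etc/openvpn location and the Debian-style nobody/nogroup account are assumptions, and remote-cert-tls needs OpenVPN 2.1 or later (on the 2.0 release that was current when this was written, ns-cert-type server does the same job). The pushed route only helps a client whose home LAN is not itself 192.168.1.0/24; with two equal-length routes, which one wins depends on the client OS, which is why the home routers have to move off that range.

```shell
#!/bin/sh
# Added example, not from the original post: full server.conf and client.conf
# extending the fragments in the post. Assumed (not in the post): file names
# for the certs/keys, ta.key for tls-auth, dh2048.pem, the nobody/nogroup
# account pair, and the directory the files are written to.

VPN_NET="10.68.0.0"
VPN_MASK="255.255.255.0"
LAN_NET="192.168.1.0"
LAN_MASK="255.255.255.0"
OFFICE_HOST="office.example.com"

write_server_conf() {
    dir="$1"
    cat > "$dir/server.conf" <<EOF
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
# VPN subnet, chosen so it is unlikely to collide with office or home LANs
server $VPN_NET $VPN_MASK
# Hand the same VPN address back to the same client across restarts
ifconfig-pool-persist ipp.txt
# Let clients reach the office LAN (the server also needs ip_forward=1 and
# the office router needs a route for $VPN_NET/$VPN_MASK back to this box)
push "route $LAN_NET $LAN_MASK"
# Clients do not need to see each other, so client-to-client stays off.
# Extra HMAC on every control packet: probes from anyone without ta.key are
# dropped before any TLS work is done
tls-auth ta.key 0
keepalive 10 120
# Drop root after the tunnel is up; persist-* keep it working afterwards
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
EOF
}

write_client_conf() {
    dir="$1"
    cat > "$dir/client.conf" <<EOF
client
dev tun
proto udp
remote $OFFICE_HOST 1194
resolv-retry infinite
nobind
# Same file names on every client; each doctor gets a distinct cert/key pair
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
# Refuse to talk to a peer that presents a client certificate as the server
# (OpenVPN 2.1+; on 2.0 use: ns-cert-type server)
remote-cert-tls server
persist-key
persist-tun
verb 3
EOF
}

# Usage: sh openvpn-confs.sh /etc/openvpn
main() {
    dir="$1"
    mkdir -p "$dir"
    write_server_conf "$dir"
    write_client_conf "$dir"
    echo "wrote $dir/server.conf and $dir/client.conf"
}

if [ -n "${1:-}" ]; then
    main "$@"
fi
```

Generate the shared HMAC key once on the server with `openvpn --genkey --secret ta.key` and copy it to every client along with ca.crt; a client that lacks it cannot even start a handshake, which is the cheapest protection a port exposed to the whole internet can get.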

I used the OpenVPN GUIs for both Macintosh and Windows. They worked great except for one problem: the clients could only see the OpenVPN server machine and nothing else on the office subnet. I knew it was a routing problem, but I couldn't figure out what.

First I had to put a route on the office Linksys router, so that machines on the subnet would route packets for 10.68/24 to the openvpn server, instead of out the internet. I figured I was home free once I saw that you could actually do this on the linksys.

But no! Packets dropped into the void somewhere between the clients and the LAN machines. I did some more reading of the doc, and found the missing link. And a little light flicked on in my dim noggin. This was the same (and final) problem I had struggled with two years ago. To wit, on the server I needed:

echo 1 > /proc/sys/net/ipv4/ip_forward

Once IP forwarding was enabled, everything worked like a charm.
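Two caveats a practitioner will want. The echo into /proc only lasts until the next reboot, so the setting belongs in /etc/sysctl.conf as well. And once forwarding is on, the server forwards anything that reaches it, not just tunnel traffic bound for the LAN, so it should carry a FORWARD policy that permits exactly that. The script below is an added example, not anything from the post: it prints (or, with `apply`, runs) the commands that make ip_forward persistent and install a default-deny policy that lets VPN clients initiate connections into the office LAN and lets only the replies come back. It assumes the tunnel interface is tun0, the office LAN is on eth0 and the host uses iptables. It also covers the case where the office router cannot take a static route for the VPN subnet (the Linksys step above): in `nat` mode the server masquerades tunnel traffic behind its own LAN address, so LAN hosts reply to it without any route.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed (not in the post): tun0
# for the tunnel, eth0 for the office LAN, iptables on the server. The
# subnets are the post's VPN subnet and office LAN.

VPN_NET="10.68.0.0/24"
LAN_NET="192.168.1.0/24"
TUN_IF="tun0"
LAN_IF="eth0"

# The post's 'echo 1 > /proc/sys/net/ipv4/ip_forward' is lost on reboot;
# set it now and record it in sysctl.conf so it comes back at boot.
ip_forward_commands() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "grep -q '^net.ipv4.ip_forward' /etc/sysctl.conf || echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf"
}

# Forwarding policy. MODE "route": the office router has a static route for
# VPN_NET pointing at this server (the post's setup). MODE "nat": it does not,
# so VPN traffic is masqueraded behind the server's LAN address instead.
forward_commands() {
    mode="$1"
    # Forward nothing by default; the tunnel only reaches what we allow.
    echo "iptables -P FORWARD DROP"
    # VPN clients may open connections into the office LAN...
    echo "iptables -A FORWARD -i $TUN_IF -o $LAN_IF -s $VPN_NET -d $LAN_NET -j ACCEPT"
    # ...and replies may flow back. The LAN cannot initiate toward clients,
    # and nothing from the tunnel is forwarded anywhere but LAN_NET.
    echo "iptables -A FORWARD -i $LAN_IF -o $TUN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
    if [ "$mode" = "nat" ]; then
        echo "iptables -t nat -A POSTROUTING -s $VPN_NET -o $LAN_IF -j MASQUERADE"
    fi
}

# Usage: sh vpn-forward.sh show [route|nat]   (print the plan)
#        sh vpn-forward.sh apply [route|nat]  (run it, as root)
main() {
    action="$1"
    mode="${2:-route}"
    { ip_forward_commands; forward_commands "$mode"; } | while IFS= read -r cmd; do
        if [ "$action" = "apply" ]; then
            sh -c "$cmd"
        else
            echo "$cmd"
        fi
    done
}

case "${1:-}" in
    show|apply) main "$@" ;;
esac
```

Masquerading trades a one-line router route for losing the client's real VPN address in the LAN hosts' logs, so when the router can take the route, as the Linksys here could, `route` mode is the better choice: every connection a doctor makes shows up on the office machines as coming from that doctor's own 10.68.0.x address.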