OpenVPN for (almost) dummies
I had the fun of learning and implementing an OpenVPN solution recently, and it was much simpler than you would probably have guessed. Since I was using SuSE 10 as my remote server I followed the fairly comprehensive OpenVPN on SuSE 10.0 guide. Instead of the config files from that guide's examples I used the ones from the OpenVPN distribution (tls-office.conf and tls-home.conf) with my own tweaks.
Here are the options I changed in tls-office.conf:
local your.interface.ip.here ; The IP of the interface that you will be accepting OpenVPN connection on
ifconfig 192.168.0.1 192.168.0.2 ; You can define your own range, I just chose this private one
server 192.168.0.0 255.255.255.0 ; Use a pool of IPs so you can connect with multiple clients
push "redirect-gateway def1" ; Handy if you need to keep access to your local network, splits the default route definition instead of overriding it
push "dhcp-option DNS dns.server1.ip.here" ; Define these unless your local system can already reach working DNS servers
push “dhcp-option DNS dns.server2.ip.here”
comp-lzo ; Add compression
link-mtu 1542 ; Lower the MTU for the encapsulation overhead
And the changes made to tls-home.conf (renamed to tls-home.ovpn for the OpenVPN for Windows client):
remote openvpn.server.ip.here ; The same IP as you defined in tls-office.conf as local
nobind ; Use this unless you need a specific outbound port
proto udp ; Default, if you need to use tcp then define proto tcp-client instead
pull ; A mistake I made, those push commands don’t work without it.
comp-lzo ; Has to be defined on both sides
ping 15 ; And these since you can’t rely on your connection
ping-restart 45
ping-timer-rem
persist-tun
persist-key
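The two pitfalls called out above (pushes that are silently ignored because the client has no pull, and comp-lzo on one side only) are easy to catch before a connection attempt. The script below is an added example, not part of the original post: it compares a server config against a client config for those two mismatches and for a tcp/udp mismatch (a tcp-server needs a tcp-client, as the proto note above says). The two configs embedded in it are constructed samples with documentation addresses, not the author's files; the client sample deliberately lacks pull so the check has something to report.

```shell
#!/bin/sh
# Added example (not the post's own code): sanity-check an OpenVPN
# server config against its client config for the mismatches the
# post warns about. Both configs below are constructed samples.

SERVER_CONF='
local 203.0.113.10
server 192.168.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 198.51.100.53"
comp-lzo
proto udp
'

# The client below is missing "pull", the mistake described in the post.
CLIENT_CONF='
remote 203.0.113.10
nobind
proto udp
comp-lzo
ping 15
ping-restart 45
persist-tun
persist-key
'

# The same client with pull added, for comparison.
FIXED_CLIENT_CONF="$CLIENT_CONF
pull"

# has_directive CONF NAME: true if NAME starts a non-comment line in CONF
has_directive() {
    printf '%s\n' "$1" | grep -Eq "^[[:space:]]*$2([[:space:]]|$)"
}

# proto_of CONF: value of the proto directive, or udp (OpenVPN's default)
proto_of() {
    p=$(printf '%s\n' "$1" | awk '$1=="proto"{print $2}' | tail -n 1)
    printf '%s' "${p:-udp}"
}

# check_pair SERVER_CONF CLIENT_CONF: prints one line per problem found,
# returns 0 when the pair looks consistent and 1 otherwise.
check_pair() {
    problems=0
    # "client" implies "pull", so either directive satisfies a pushing server.
    if has_directive "$1" push && ! has_directive "$2" pull \
        && ! has_directive "$2" client; then
        echo "client lacks 'pull': pushed routes and DNS options will be ignored"
        problems=1
    fi
    if has_directive "$1" comp-lzo && ! has_directive "$2" comp-lzo; then
        echo "comp-lzo set on the server but not on the client"
        problems=1
    fi
    if has_directive "$2" comp-lzo && ! has_directive "$1" comp-lzo; then
        echo "comp-lzo set on the client but not on the server"
        problems=1
    fi
    sp=$(proto_of "$1")
    cp=$(proto_of "$2")
    case "$sp:$cp" in
        udp:udp|tcp:tcp|tcp-server:tcp-client|tcp:tcp-client|tcp-server:tcp) ;;
        *)
            echo "proto mismatch: server uses '$sp' but client uses '$cp'"
            problems=1
            ;;
    esac
    return $problems
}

# Usage: report on the broken pair, then confirm the fixed pair is clean.
echo "== client without pull =="
check_pair "$SERVER_CONF" "$CLIENT_CONF" || echo "(problems found)"
echo "== client with pull =="
check_pair "$SERVER_CONF" "$FIXED_CLIENT_CONF" && echo "(no problems)"
```

To use it on real files, replace the embedded samples with `SERVER_CONF=$(cat tls-office.conf)` and `CLIENT_CONF=$(cat tls-home.ovpn)`; the checks only look at directive names and the proto value, so they are unaffected by the key and certificate paths in a real config.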
Following the guide and the modifications above you can connect to your OpenVPN server easily. Now we have to add some masquerading to our remote server. I took most of the details from the Masquerading Made Simple HOWTO. The configuration below is for a system with two Ethernet interfaces, one on a private network and the other on a public network.
modprobe ipt_MASQUERADE # If the module isn't already loaded
iptables -F; iptables -t nat -F; iptables -t mangle -F # flush the tables and prep NAT support
echo 1 > /proc/sys/net/ipv4/ip_forward # To switch ip forwarding on
iptables -A FORWARD -i tun0 -j ACCEPT
iptables -A INPUT -i tun0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE # substitute the IP and interface as needed for your situation, only MASQ packets from your OpenVPN virtual network IPs.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # They should be packets we already know about
Similarly you can do this on a system with a single public interface:
iptables -A INPUT --protocol tcp --dport 22 -j ACCEPT
iptables -A INPUT --protocol tcp --dport 443 -j ACCEPT
# Only allowing SSH and my OpenVPN port, using the HTTPS tcp port in this configuration
# (running OpenVPN on 443/tcp needs proto tcp-server in tls-office.conf and proto tcp-client in tls-home.ovpn)
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Same as previous configuration above
iptables -A INPUT -m state --state NEW ! -i eth1 -j ACCEPT # "! -i eth1" is the current syntax; older iptables wrote this as "-i ! eth1"
iptables -P INPUT DROP
iptables -A FORWARD -i eth1 -o eth1 -j REJECT
# We don't forward packets coming in from eth1, all our masquerading packets only come from tun0
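As a worked version of the single-interface ruleset above, here is an added example script that is not the post's own: it wraps the same rules in a function, tightens a few points the post leaves open (the masquerade is limited to the VPN subnet as in the two-interface variant, the FORWARD policy is also DROP with an explicit ESTABLISHED,RELATED rule so return traffic still flows, and the public interface only gets NEW connections on the two allowed ports), and runs in dry-run mode by default so the generated commands can be reviewed without root. The interface names, ports and subnet in the usage line are constructed sample values, not taken from the author's setup.

```shell
#!/bin/sh
# Added example (not the post's own script): the single-public-interface
# OpenVPN gateway firewall as a parameterised function with a dry-run mode.
# Defaults to DRY_RUN=1 (print only); run as root with DRY_RUN=0 to apply.
: "${DRY_RUN:=1}"

# run CMD ARGS...: print the command in dry-run mode, otherwise execute it
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# ipt ARGS...: shorthand for run iptables ARGS...
ipt() {
    run iptables "$@"
}

# vpn_gateway_rules PUBIF VPNIF VPNNET SSHPORT VPNPORT VPNPROTO
#   PUBIF    public interface, e.g. eth1
#   VPNIF    tunnel interface, e.g. tun0
#   VPNNET   the pool handed out by the "server" directive, e.g. 192.168.0.0/24
#   VPNPROTO tcp or udp, matching the proto directive in tls-office.conf
vpn_gateway_rules() {
    pubif=$1 vpnif=$2 vpnnet=$3 sshport=$4 vpnport=$5 vpnproto=$6

    run modprobe ipt_MASQUERADE
    run sysctl -w net.ipv4.ip_forward=1

    # Flush first so re-running the script is idempotent, then set the
    # policies before adding rules so there is no accept-everything window.
    ipt -F; ipt -t nat -F; ipt -t mangle -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP

    # Loopback and replies to connections we already know about.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The only new connections accepted on the public side: SSH and OpenVPN.
    ipt -A INPUT -i "$pubif" -p tcp --dport "$sshport" -m state --state NEW -j ACCEPT
    ipt -A INPUT -i "$pubif" -p "$vpnproto" --dport "$vpnport" -m state --state NEW -j ACCEPT

    # Anything arriving on the tunnel is an authenticated VPN client.
    ipt -A INPUT -i "$vpnif" -j ACCEPT

    # Forward only tunnel -> public, and only from the VPN pool;
    # public -> public is rejected as in the post.
    ipt -A FORWARD -i "$vpnif" -o "$pubif" -s "$vpnnet" -j ACCEPT
    ipt -A FORWARD -i "$pubif" -o "$pubif" -j REJECT

    # Masquerade only the VPN pool behind the public address.
    ipt -t nat -A POSTROUTING -s "$vpnnet" -o "$pubif" -j MASQUERADE
}

# Usage with constructed sample values (OpenVPN on 443/tcp as in the post).
vpn_gateway_rules eth1 tun0 192.168.0.0/24 22 443 tcp
```

With `DRY_RUN=1` (the default) the script just prints the sixteen commands it would run; `iptables-save` after a real run should show the same rules in the same order.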
Please feel free to point out any extra precautions or missing rules.
familiar layout ^^
don't forget to turn off the ability to leave comments on posts older than 14 days or so, otherwise you'll be spammed to death