# Gentoo Firewall/Router and VPN

## Eightpock

Hello Everyone, 

   I have 2 locations, both with a Gentoo (iptables) firewall, and for ease I was wanting to set up a VPN so that all machines, regardless of location, can access each other with an internal address. I know speed-wise I'd still be bottlenecked by the internet, but doing backups and stuff would be easier over a VPN, I believe.

Example

Home Network:

IP Range: 192.168.0.x

Remote Network:

192.168.1.x

I've done some googling, but I don't know enough about VPNs to decide what to use. I'm pretty familiar with Gentoo.

Any advice would be great.

Thanks,

Pock

----------

## Januszzz

Use OpenVPN - setup is easy; there are plenty of howtos over here (this forum), but you may also take the "native" one from here: http://openvpn.net/howto.html

It just works after install and I must say this is the most reliable server I ever used.

Janusz.

----------

## Eightpock

Januszzz,

 Thanks for the reply! So this would mean that the only software installs would be on the 2 Gentoo routers?

Thanks again.

----------

## Januszzz

Yes, you don't need anything else. Just configure the service, start it and enjoy your new secure tunnel.

Janusz.

----------

## Eightpock

Hello Again

  What about client machines connecting to the Gentoo router at the remote site? Will they need to use any special VPN software to utilize the VPN created between the 2 Gentoo routers?

Forgive me if these questions seem repetitive. I've been doing some reading and I constantly hear about VPN client software.

Thanks

----------

## think4urs11

On both sides an OpenVPN server is needed; no additional instances.

Now, to get 192.168.0.x<-->OpenVPN-Server<==>VPN-Tunnel<==>OpenVPN-Server<-->192.168.1.y working, you need to set up

1) a (routed) VPN between the two servers

2) read http://openvpn.net/howto.html#scope

you need the paragraphs

a) Including multiple machines on the server side when using a routed VPN

b) Including multiple machines on the client side when using a routed VPN

----------
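As an added example (not from the thread or the OpenVPN howto), here is a small shell script that writes the three files the routed setup above needs: the server config with its `route` line, the ccd entry carrying the `iroute` for the far LAN, and the client config. It assumes the 192.168.0.x router is the OpenVPN server and the 192.168.1.x router the client, a 10.8.0.0/24 tunnel (OpenVPN's default), a client certificate common name `site2-gw`, and a server public hostname `vpn.example.org`; the certificate, key and dh file names are placeholders as well.

```shell
#!/bin/sh
# Added example: generate the OpenVPN config files for a routed site-to-site
# tunnel between two Gentoo routers.  Not the original poster's files.
# Assumptions: site 1 LAN 192.168.0.0/24 behind the OpenVPN *server*; site 2
# LAN 192.168.1.0/24 behind the OpenVPN *client*; tunnel 10.8.0.0/24.
# "site2-gw", "vpn.example.org" and the cert/key names are placeholders.
set -e

SITE1_LAN="192.168.0.0"; SITE2_LAN="192.168.1.0"; MASK="255.255.255.0"
CLIENT_CN="site2-gw"

# Write server.conf, ccd/<client CN> and client.conf into directory $1.
write_site_configs() {
    dir="$1"
    mkdir -p "$dir/ccd"

    # --- site 1 (server) ---------------------------------------------------
    cat > "$dir/server.conf" <<EOF
port 1194
proto udp
dev tun0
ca ca.crt
cert site1-gw.crt
key site1-gw.key
dh dh.pem
# Tunnel subnet; the server takes 10.8.0.1
server 10.8.0.0 $MASK
# Kernel route on the server: send site 2's LAN into the tunnel
route $SITE2_LAN $MASK
# Per-client directory holding the iroute below
client-config-dir ccd
# Tell site 2 how to reach site 1's LAN through the tunnel
push "route $SITE1_LAN $MASK"
keepalive 10 120
persist-key
persist-tun
EOF

    # --- ccd entry for the site 2 gateway ----------------------------------
    # iroute tells OpenVPN's own routing table that $SITE2_LAN sits behind this
    # particular client.  Without it the kernel route above pushes packets into
    # tun0, but OpenVPN does not know which connected client should get them.
    cat > "$dir/ccd/$CLIENT_CN" <<EOF
iroute $SITE2_LAN $MASK
EOF

    # --- site 2 (client) ---------------------------------------------------
    cat > "$dir/client.conf" <<EOF
client
proto udp
dev tun0
remote vpn.example.org 1194
ca ca.crt
cert $CLIENT_CN.crt
key $CLIENT_CN.key
# Only accept a peer whose certificate is a server certificate, so a stolen
# client cert cannot be used to impersonate the server.
remote-cert-tls server
persist-key
persist-tun
EOF
}

# The server's kernel route and the ccd iroute must name the same subnet.
check_routes_agree() {
    dir="$1"
    grep -q "^route $SITE2_LAN $MASK\$" "$dir/server.conf" &&
    grep -q "^iroute $SITE2_LAN $MASK\$" "$dir/ccd/$CLIENT_CN"
}

# Usage: sh thisfile.sh /tmp/ovpn   (then copy the files into /etc/openvpn)
if [ "${1:-}" ]; then
    write_site_configs "$1"
    check_routes_agree "$1" && echo "configs written to $1"
fi
```

The `route` line and the `iroute` line are both required and must agree: the first is the kernel's view (send 192.168.1.0/24 into tun0), the second is OpenVPN's view (which client owns that subnet). `client-to-client` only matters when more than one client connects and changes nothing for a two-router tunnel.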

## Hu

 *Eightpock wrote:*   

> Been doing some reading and I constantly hear about VPN Client software..
> 
> 

 

These references are probably assuming that a single system is joining the VPN, in which case that lone system could be considered a "client" since it is joining only for the benefit of itself.  In your case, you are joining one system at each end, but they are joined for the benefit of servicing many other machines, rather than only for themselves.

----------

## Eightpock

Hey All. 

Thanks for all the great replies. I appreciate it greatly. I am still struggling, although I've had a lot of progress.

Network 1

192.168.0.x 255.255.255.0   (Firewall and VPN Server 192.168.0.1)

Network 2

192.168.1.x 255.255.255.0   (Firewall and VPN Server 192.168.1.1)

The Virtual Private Network created with tun between the two servers is 10.8.0.x.

My goal when starting this whole thing was to be able to get a workstation on Network 1 to access a workstation on Network 2 by an internal address, and vice versa. I did the scope thing on the VPN howto site, but it didn't produce this result. 

192.168.1.1 (server/firewall) can access Apache running on 192.168.0.6, but a workstation running behind 192.168.1.1 can't access it. 

From 192.168.1.1 I can ping all workstations behind 192.168.0.1.

But from 192.168.0.1 I can't ping workstations behind 192.168.1.1.

Workstations behind these servers cannot ping workstations on the opposite end. 

Hopefully I was able to explain this. I can paste any conf files needed to determine the problem.

And Thanks again for the replies. 

Pock

----------

## Hu

Please run ip addr ; ip route ; iptables-save -c ; echo ; cat /proc/sys/net/ipv4/ip_forward on both VPN servers and post the output here.  Use separate code blocks so we can identify which set of output corresponds to which server.  Also, please post any non-sensitive parts of the OpenVPN configuration file for each side.

----------

## Eightpock

Network 1

 *Quote:*   

>  ip addr ; ip route ; iptables-save -c ; echo ; cat /proc/sys/net/ipv4/ip_forward
> 
> 1: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
> 
>     link/ether 00:03:47:f8:55:a8 brd ff:ff:ff:ff:ff:ff
> ...

 

Network 2

 *Quote:*   

> ip addr ; ip route ; iptables-save -c ; echo ; cat /proc/sys/net/ipv4/ip_forward
> 
> -bash: ip: command not found
> 
> -bash: ip: command not found
> ...

 

The only things I have added to the conf files that vary from the samples are the ccd directory (which I renamed) for the iroute thing, and the client-to-client thing on the server side. 

network 1 Server side

 *Quote:*   

> # EXAMPLE: Suppose the client
> 
> # having the certificate common name "Thelonious"
> 
> # also has a small subnet behind his connecting
> ...

 

Thanks for your time, Hu.

----------

## Hu

You missed some output.  Each of those servers should have had a single decimal digit on the last line of the output, which was the output of cat /proc/sys/net/ipv4/ip_forward.  That digit tells me whether you have enabled IP forwarding, which is required for systems other than the VPN servers themselves to have access to the far end of the tunnel.

Your routing table on VPN server 1 looks very wrong.  You have five entries for 192.168.1.0/24.  A normal routing table should have at most 1.  Even worse, the entries have different gateways and devices.

Also, you do not have sys-apps/iproute2 installed on VPN server 2.  Please emerge it, re-run the commands, and provide the revised output.

----------
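An added check (not from the thread) that automates the two things Hu reads off that output: the `ip_forward` digit and destination prefixes that appear more than once in `ip route`. The routing table below is constructed to resemble the broken one and is not the poster's.

```shell
#!/bin/sh
# Added example: sanity checks on a VPN router's forwarding state and routing
# table.  The sample routing table is constructed, not taken from the thread.
set -e

# Print 'enabled' or 'disabled' from a copy of /proc/sys/net/ipv4/ip_forward.
# On a router: forwarding_state /proc/sys/net/ipv4/ip_forward
forwarding_state() {
    case "$(cat "$1")" in
        1) echo enabled ;;
        *) echo disabled ;;
    esac
}

# Read `ip route` output on stdin; print "<count> <prefix>" for every
# destination listed more than once.  A healthy table prints nothing.
duplicate_routes() {
    awk '{ n[$1]++ } END { for (p in n) if (n[p] > 1) print n[p], p }' | sort -k2
}

# Constructed sample resembling the broken table in the thread: the far LAN
# 192.168.1.0/24 is listed three times via different gateways and devices.
SAMPLE_ROUTES='10.8.0.2 dev tun0  proto kernel  scope link  src 10.8.0.1
192.168.1.0/24 via 10.8.0.2 dev tun0
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.1
192.168.1.0/24 via 192.168.0.254 dev eth1
192.168.0.0/24 dev eth1  proto kernel  scope link  src 192.168.0.1
default via 203.0.113.1 dev eth0'

sample_duplicates() { printf '%s\n' "$SAMPLE_ROUTES" | duplicate_routes; }

# Live use on a router:
#   ip route | duplicate_routes
#   forwarding_state /proc/sys/net/ipv4/ip_forward
```

On the constructed table `sample_duplicates` reports `3 192.168.1.0/24`; a router with a clean table and forwarding enabled prints nothing from the first check and `enabled` from the second.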

## Eightpock

Thanks Hu!!!!

 This is my first attempt at VPN with Linux, so it's a learning process. Thanks for the advice!!!!!!!!!!!!

Pock

----------

## Eightpock

Network 2

192.168.1.x

 *Quote:*   

>  ip addr ; ip route ; iptables-save -c ; echo ; cat /proc/sys/net/ipv4/ip_forward
> 
> 1: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
> 
>     link/ether 00:d0:b7:e1:96:64 brd ff:ff:ff:ff:ff:ff
> ...

 

I looked at the routing table, and I see what you mean. What a mess. Thanks again for your time.

Pock

----------

## Hu

 *Eightpock wrote:*   

> Network 2
> 
>  *Quote:*    ip addr ; ip route ; iptables-save -c ; echo ; cat /proc/sys/net/ipv4/ip_forward
> 
> [30932:6345371] -A FORWARD -s 192.168.1.0/255.255.255.0 -i eth1 -j ACCEPT
> ...

 

That is not correct.  Traffic destined for this subnet which arrives over the VPN will have an input interface of tun0, not eth0.  Traffic would have an input interface of eth0 if it came in unencrypted on the eth0 interface.  There may be other problems, but this one will definitely break bidirectional connectivity.  Traffic coming over the VPN to network 2 would fail to match any rule, and therefore be handled by the default policy of DROP.

----------

## Eightpock

Hu

Thanks for the reply.

 I've been playing with this for a week or so, no progress though. Network 2 can access resources on Network 1, but Network 1 can't ping or access Network 2 (192.168.1.x). I understand what you are saying about the tun0 interface, it makes sense; I just don't know how to make the changes, or the sequence of changes. The virtual address between the 2 tun devices is 10.8.0.x.

Would this fix my problem? 


iptables -A FORWARD -i tun0 -s 10.8.0.0/255.255.0.0 -j ACCEPT

iptables -A FORWARD -i tun0 -d 10.8.0.0/255.255.0.0 -j ACCEPT  (should the -s be 192.168.1.x   ??)

Forgive me if these sound like dumb questions; my knowledge of this stuff is limited, and I'm learning as I go. 

Thanks for any additional information you can provide.

----------

## Hu

It might fix it.  You are correct to use the IP address of tun0 in both lines.  From a firewall perspective, you should forget about how the traffic reaches the system.  Consider only that you have a packet received (or sent) on tun0 and the address of tun0 and its peer.

If that does not help, please post a packet capture showing the traffic that you want to allow.

----------
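As an added example (not the rules posted in the thread), here is a script that prints a complete FORWARD ruleset for one of the two routers, so it can be reviewed before being applied. It assumes the LAN is on eth1, the tunnel is tun0, the two LANs are 192.168.0.0/24 and 192.168.1.0/24 as in the thread, and the FORWARD policy is DROP. The point it makes about the rules quoted above: forwarded LAN-to-LAN packets arrive on tun0 already decrypted and still carry the LAN addresses, so a rule that matches `-d 10.8.0.0/255.255.0.0` on tun0 never sees them; the 10.8.0.x addresses belong to the tun endpoints and appear only on traffic the routers themselves originate.

```shell
#!/bin/sh
# Added example, not the rules from the thread: FORWARD-chain rules for ONE
# Gentoo router on a routed OpenVPN site-to-site tunnel, printed for review
# (pipe into sh as root to apply).  Assumptions: LAN on eth1, tunnel on tun0,
# site 1 LAN 192.168.0.0/24, site 2 LAN 192.168.1.0/24, FORWARD policy DROP.
set -e

# Print the rules for one router.
#   $1 this site's LAN   $2 the far site's LAN   $3 LAN iface   $4 tunnel iface
vpn_forward_rules() {
    local_lan="$1"; remote_lan="$2"; lan_if="$3"; tun_if="$4"

    # Without forwarding nothing crosses the router, tunnel or not.
    echo "sysctl -w net.ipv4.ip_forward=1"

    # Packets from the far LAN arrive *decrypted* on $tun_if with their
    # original addresses: source = far LAN, destination = our LAN.  The
    # 10.8.0.x tunnel addresses only appear on packets the routers themselves
    # send, so a rule with -d 10.8.0.0/16 never matches LAN-to-LAN traffic.
    echo "iptables -A FORWARD -i $tun_if -o $lan_if -s $remote_lan -d $local_lan -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
    # Our LAN to the far LAN leaves via $tun_if.
    echo "iptables -A FORWARD -i $lan_if -o $tun_if -s $local_lan -d $remote_lan -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"

    # Anti-spoofing: anything on $tun_if not sourced from the far LAN (including
    # a forged packet claiming our own LAN as source) is logged, then dropped,
    # instead of being left to the default policy silently.
    echo "iptables -A FORWARD -i $tun_if ! -s $remote_lan -j LOG --log-prefix 'vpn-spoof: '"
    echo "iptables -A FORWARD -i $tun_if ! -s $remote_lan -j DROP"
}

# Wrappers for the two routers in the thread.
site1_rules() { vpn_forward_rules 192.168.0.0/24 192.168.1.0/24 eth1 tun0; }
site2_rules() { vpn_forward_rules 192.168.1.0/24 192.168.0.0/24 eth1 tun0; }

# Usage on the site 2 router (192.168.1.1), after reading the output once:
#   sh thisfile.sh site2 | sh
case "${1:-}" in
    site1) site1_rules ;;
    site2) site2_rules ;;
esac
```

The rules are deliberately written with both interfaces and both subnets, so that a packet injected on the far side with a spoofed source cannot reach the LAN merely because it came through the tunnel; the tunnel authenticates the far router, not every host behind it.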

