OpenVPN client connection to the company network
To connect my home network to our company network, I have set up an OpenVPN tunnel in which my side acts as the client. On the company side a corresponding OpenVPN server has to be set up, and routing and firewall settings have to be adjusted accordingly.
The directory /var/ipfire/ovpn/ contains:
- karls.conf: the configuration file of the tunnel
- bfi-ca.crt: the root certificate of my company
- karls.crt: my certificate (public key)
- karls.key: my private key
My configuration file karls.conf looks like this (comments removed):
filename = /var/ipfire/ovpn/karls.conf
dev tun
remote test.firma.at
ifconfig 192.168.250.38 192.168.250.37
tls-client
tls-remote /C=AT/ST=Land/O=Firma/OU=edv/CN=Office
ca /var/ipfire/ovpn/firma-ca.crt
cert /var/ipfire/ovpn/karls.crt
key /var/ipfire/ovpn/karls.key
port 5010
comp-lzo
ping 15
ping-restart 45
verb 3
# since there are multiple subnets 192.168.x.0/24 in the main office
route 192.168.0.0 255.255.0.0 192.168.250.37
Since I don't use my IPFire as an OpenVPN server, I have to start the tunnel with a script. To get it executed at system startup, add the following to the end of /etc/sysconfig/rc.local:
# start openvpn-tunnel to main-office
modprobe tun
openvpn --config /var/ipfire/ovpn/karls.conf --daemon
Since my tunnel stopped during the night from time to time, I wrote a (not very beautiful) script that checks the connection every 30 minutes and restarts the tunnel if necessary.
fcrontab -e
opens the table of cron jobs for editing. To run the test every 30 minutes, add a line like:
10,40 * * * * /var/ipfire/ovpn/tunneltest
The contents of the script are:
#!/bin/bash
# this script tests a tunnel-connection and restarts the tunnel when down
T=192.168.250.37                      # address of the remote tunnel end (peer address from "ifconfig" in karls.conf)
config="/var/ipfire/ovpn/karls.conf"

# first check: does the tunnel device exist at all?
ifconfig | grep tun0 > /dev/null
t=$?
if [ "$t" != 0 ]; then
    echo "no tunnel-device available"
    logger -t TUNTEST "no tunnel-device available"
    modprobe tun
    openvpn --config "$config" --daemon
    logger -t TUNTEST "tunnel started"
    # give the TLS handshake a moment, otherwise the ping below fails on every fresh start
    sleep 20
fi

# second check: is the remote end reachable through the tunnel?
echo "pinging now"
logger -t TUNTEST "pinging now"
ping -c 1 "$T" > /dev/null
if [ "$?" != 0 ]; then
    # stop the hung instance of this tunnel before starting a new one; otherwise
    # every failed check leaves one more stale openvpn process behind
    pkill -f "openvpn --config $config"
    sleep 2
    openvpn --config "$config" --daemon
    echo "tunnel restarted"
    logger -t TUNTEST "tunnel restarted"
else
    echo "tunnel OK"
    logger -t TUNTEST "tunnel OK"
fi
exit 0
VPN to multiple subnets
To configure OpenVPN to route to more than one subnet, you have to edit /var/ipfire/ovpn/server.conf.
Connect to IPFire via ssh as root first. Open the .conf file with your editor of choice (vi, vim, nano, ...).
nano /var/ipfire/ovpn/server.conf
You will see a file much like this (the details depend on your settings):
filename = /var/ipfire/ovpn/server.conf
#OpenVPN Server conf
daemon openvpnserver
writepid /var/run/openvpn.pid
#DAN prepare OpenVPN for listening on blue and orange
;local localdomain
dev tun
tun-mtu 1400
proto udp
port 1194
tls-server
ca /var/ipfire/ovpn/ca/cacert.pem
cert /var/ipfire/ovpn/certs/servercert.pem
key /var/ipfire/ovpn/certs/serverkey.pem
dh /var/ipfire/ovpn/ca/dh1024.pem
server 10.207.39.0 255.255.255.0
push "route 192.168.0.0 255.255.255.0"
keepalive 10 60
status-version 1
status /var/log/ovpnserver.log 30
cipher DESX-CBC
comp-lzo
max-clients 100
tls-verify /var/ipfire/ovpn/verify
crl-verify /var/ipfire/ovpn/crls/cacrl.pem
user nobody
group nobody
persist-key
persist-tun
verb 3
The important line here is:
push "route 192.168.0.0 255.255.255.0"
It tells the client PC to send packets destined for 192.168.0.x over the VPN. To add the subnet 192.168.1.x, add the following line to the .conf file:
push "route 192.168.1.0 255.255.255.0"
After the modification, server.conf could look like this:
filename = /var/ipfire/ovpn/server.conf
#OpenVPN Server conf
daemon openvpnserver
writepid /var/run/openvpn.pid
#DAN prepare OpenVPN for listening on blue and orange
;local localdomain
dev tun
tun-mtu 1400
proto udp
port 1194
tls-server
ca /var/ipfire/ovpn/ca/cacert.pem
cert /var/ipfire/ovpn/certs/servercert.pem
key /var/ipfire/ovpn/certs/serverkey.pem
dh /var/ipfire/ovpn/ca/dh1024.pem
server 10.207.39.0 255.255.255.0
push "route 192.168.0.0 255.255.255.0"
push "route 192.168.1.0 255.255.255.0"
keepalive 10 60
status-version 1
status /var/log/ovpnserver.log 30
cipher DESX-CBC
comp-lzo
max-clients 100
tls-verify /var/ipfire/ovpn/verify
crl-verify /var/ipfire/ovpn/crls/cacrl.pem
user nobody
group nobody
persist-key
persist-tun
verb 3
Now you can communicate with the computers in subnet 192.168.1.0/24 too!
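As an added shell example (not part of the original page or of IPFire), the script below reads the push "route ..." lines of a server.conf and tells whether a given destination address falls inside one of the pushed subnets, i.e. whether a connected client would send that traffic over the tunnel. The server.conf content it writes to a temporary file is a constructed sample; it also shows that a route commented out with ";" is not pushed.

```shell
#!/bin/sh
# Added example: decide from the server's push "route" lines whether a destination
# would be routed over the VPN. The config below is a constructed sample, not the
# real /var/ipfire/ovpn/server.conf.
OVPN_CONF="${TMPDIR:-/tmp}/server.conf.example"
cat > "$OVPN_CONF" <<'EOF'
server 10.207.39.0 255.255.255.0
push "route 192.168.0.0 255.255.255.0"
push "route 192.168.1.0 255.255.255.0"
;push "route 192.168.2.0 255.255.255.0"
EOF

# ip_to_int A.B.C.D -> unsigned 32-bit value, so netmask tests can use & arithmetic
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# list_pushed_routes FILE -> one "network netmask" pair per active push "route" line
# (lines disabled with ; or # do not start with the word push and are skipped)
list_pushed_routes() {
    awk '$1 == "push" && $2 == "\"route" { gsub(/"/, "", $4); print $3, $4 }' "$1"
}

# matching_route FILE IP -> prints the pushed route that covers IP, nothing otherwise
matching_route() {
    ip=$(ip_to_int "$2")
    list_pushed_routes "$1" | while read -r net mask; do
        m=$(ip_to_int "$mask")
        if [ $(( ip & m )) -eq $(( $(ip_to_int "$net") & m )) ]; then
            echo "$net $mask"
        fi
    done
}

# vpn_covers FILE IP -> "yes" when a client would route IP through the VPN, else "no"
vpn_covers() {
    if [ -n "$(matching_route "$1" "$2")" ]; then echo yes; else echo no; fi
}

for dst in 192.168.0.10 192.168.1.5 192.168.2.5; do
    printf '%-14s routed over VPN: %s\n' "$dst" "$(vpn_covers "$OVPN_CONF" "$dst")"
done
```

Running it against the real server.conf after an edit is a quick way to confirm that the subnet you just added is actually among the pushed routes before testing from a client.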