LAN Tunneling – Linux to the rescue

The problem

I had a problem – perhaps a luxury one: a customer of mine hired me to do some administrative work at his site. Since his facilities are about 600 km away, remote access was agreed upon.

Usually you would think of a customer-provided laptop with some Cisco VPN client on it. Not exactly. Yes, he sent me a laptop... together with a consumer router configured for VPN access. All rrrright.

Usually I separate customer devices from my home installation by putting them in a separate VLAN with its own accompanying Wi-Fi and firewall rules. Not possible with that thing.

The solution

How did I solve that? By putting an OrangePi (nifty little machines, btw) between my firewall and the external router, and another one in a separate Wi-Fi with its Ethernet interface connected to the customer's router. Then I set up an Ethernet bridge between those two machines via OpenVPN. This means that I now have direct access to the transfer network (which physically sits in the basement) from my desk (which is on the 2nd floor), DHCP and all. Nice, eh?

So how did I do it, and what does it all have to do with Linux? Both OrangePi machines run Armbian, a specialized Linux distro for this kind of machine, similar to Raspbian for the Raspberry Pi.

Schematic:

[image: opi_bridge (schematic of the two-OrangePi bridge setup)]

As a starting point I used the following description: https://www.aaflalo.me/2015/01/openvpn-tap-bridge-mode/

I leave things like SSL certificate creation as an exercise for the reader.

Apart from Armbian, at least OpenVPN and bridge-utils have to be installed, as well as any troubleshooting tools you may fancy.

Some addresses and stuff (not the real ones, of course):

Address              Description
1.1.1.0/24           Transfer subnet
1.1.1.1              Gateway
1.1.1.2              VPN server
1.1.1.19             VPN client, bridge address
1.1.1.20-1.1.1.30    DHCP range for clients in the transfer net; has to match the values in your internet router's DHCP

Config, server side

server.conf:

# OpenVPN server in bridged (tap) mode
dev tap0
tls-server
proto udp
port 1194
ca /etc/openvpn/root.pem
cert /etc/openvpn/openvpn.pem
key /etc/openvpn/openvpn.key
# 1024-bit DH parameters are weak by today's standards; 2048 bits or more is the usual minimum
dh /etc/openvpn/dh1024.pem
# topology only applies to dev tun; it is ignored in tap mode
topology subnet
user nobody
group nogroup
# bridge gateway address and netmask, followed by the address pool handed to VPN clients
server-bridge 1.1.1.2 255.255.255.0 1.1.1.20 1.1.1.30
mssfix
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
client-to-client
keepalive 10 120
mute 50
push "dhcp-option DNS 8.8.8.8"
log-append /var/log/openvpn
# compression inside a VPN is deprecated (it enables VORACLE-style attacks); drop it if the client can live without it
comp-lzo
bridge-conf (server):

#!/bin/bash
# Variables sourced by the bridge start script on the server-side OrangePi
eth="eth0"
eth_ip="1.1.1.2"
eth_netmask="255.255.255.0"
eth_broadcast="1.1.1.255"
eth_gateway="1.1.1.1"
eth_mac="aa:bb:cc:dd:ee:ff"
br="br0"
tap="tap0"

Config, client side

client.conf:

client
dev tap0
proto udp
remote 1.1.1.2 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca root.pem
cert client.pem
key client.key
# ns-cert-type is deprecated (removed in OpenVPN 2.5); remote-cert-tls server is the replacement
ns-cert-type server
comp-lzo
verb 3
bridge-conf (client):

#!/bin/bash
# Variables sourced by the bridge start script on the client-side OrangePi
eth="eth0"
eth_ip="1.1.1.19"
eth_netmask="255.255.255.0"
eth_broadcast="1.1.1.255"
eth_gateway="1.1.1.1"
eth_mac="ff:ee:dd:cc:bb:aa"
br="br0"
tap="tap0"
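A bridge start script that consumes either of the two bridge-conf fragments above, as an added example; it is not the script from this post or from the linked article. The fragment path /etc/openvpn/bridge-conf and the DRY_RUN switch are this example's own assumptions. It follows the usual brctl/ifconfig sequence: create the persistent tap, enslave the NIC and the tap to the bridge, move the address and default route from the NIC onto the bridge.

```shell
#!/bin/bash
# Added example, not the post's own script: brings up the Ethernet bridge from a
# bridge-conf fragment (the file name and DRY_RUN switch are this example's
# assumptions). Needs bridge-utils, net-tools and openvpn; run as root.
set -eu

CONF="${1:-/etc/openvpn/bridge-conf}"   # assumed location of the sourced fragment
DRY_RUN="${DRY_RUN:-0}"                 # DRY_RUN=1 prints the commands instead of running them

# run CMD...: execute the command, or only print it when dry-running
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# bridge_up: source the fragment and join the NIC and the tap into the bridge
bridge_up() {
    # shellcheck disable=SC1090
    . "$CONF"
    # every variable the fragment is expected to define (eth_mac is optional)
    : "${eth:?}" "${eth_ip:?}" "${eth_netmask:?}" "${eth_broadcast:?}" \
      "${eth_gateway:?}" "${br:?}" "${tap:?}"

    run openvpn --mktun --dev "$tap"          # persistent tap that OpenVPN attaches to
    run brctl addbr "$br"
    run brctl addif "$br" "$eth"
    run brctl addif "$br" "$tap"
    if [ -n "${eth_mac:-}" ]; then
        # give the bridge the NIC's MAC so the router's DHCP/ARP view of the box does not change
        run ifconfig "$br" hw ether "$eth_mac"
    fi
    # the physical NIC and the tap carry no address of their own any more
    run ifconfig "$tap" 0.0.0.0 promisc up
    run ifconfig "$eth" 0.0.0.0 promisc up
    # the address from the table moves onto the bridge, as does the default route
    run ifconfig "$br" "$eth_ip" netmask "$eth_netmask" broadcast "$eth_broadcast"
    run route add default gw "$eth_gateway"
}

# usage: DRY_RUN=1 ./bridge-start /etc/openvpn/bridge-conf   (preview the commands)
#        ./bridge-start /etc/openvpn/bridge-conf             (apply)
if [ "$#" -gt 0 ]; then
    bridge_up
fi
```

Run it on each box with that box's own fragment before OpenVPN starts, since both configs use a persistent tap0. Because eth0 loses its address halfway through, a typo in the fragment locks you out of a headless OrangePi; previewing with DRY_RUN=1 and comparing the printed lines against the address table is the cheap way to avoid a trip to the basement.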

Conclusion

With some quick googling and some scripts I was able to set up an Ethernet bridge which solves my problem. However, since we are dealing with an insecure net by definition (and NO, your DSL or broadband router is not to be trusted), some consideration has to be put into securing both devices network-wise. I am talking iptables, limiting the number of services on the boxes, securing OpenSSH and the like. Those would be out of scope for this article, so look them up.
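As an added example for the iptables part (not from the post), here is a minimal host firewall for either OrangePi, printed in iptables-restore format so it can be reviewed before it is loaded. The management subnet 192.0.2.0/24 is a constructed placeholder for the network the desk sits on, and the port variables are assumptions of the example; only the OpenVPN port 1194 comes from server.conf.

```shell
#!/bin/bash
# Added example, not from the post: a minimal host firewall for either OrangePi,
# printed in iptables-restore format. MGMT_NET (constructed as 192.0.2.0/24, the
# subnet the desk sits on) and the port variables are assumptions.
set -eu

MGMT_NET="${MGMT_NET:-192.0.2.0/24}"
SSH_PORT="${SSH_PORT:-22}"
VPN_PORT="${VPN_PORT:-1194}"   # matches "port 1194" in server.conf

# host_rules ROLE: ROLE is "server" (accepts the tunnel on udp/1194) or
# "client" (only initiates the tunnel, so nothing but SSH is reachable).
# Frames the bridge forwards between eth0 and tap0 never pass INPUT; if
# br_netfilter is loaded they pass FORWARD instead, which is why FORWARD
# stays ACCEPT here instead of silently breaking the bridge.
host_rules() {
    role="${1:-}"
    case "$role" in
        server|client) ;;
        *) echo "usage: host_rules server|client" >&2; return 1 ;;
    esac
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p tcp --dport ${SSH_PORT} -s ${MGMT_NET} -m conntrack --ctstate NEW -j ACCEPT
EOF
    if [ "$role" = "server" ]; then
        echo "-A INPUT -p udp --dport ${VPN_PORT} -j ACCEPT"
    fi
    echo "COMMIT"
}

# usage: ./opi-fw.sh server | iptables-restore   (read the output first)
if [ "$#" -gt 0 ]; then
    host_rules "$1"
fi
```

The rules only protect the OrangePi itself; traffic crossing the bridge is the transfer net's business and is left alone. On the server box the udp/1194 rule can additionally take a -s restriction once the client's source address is fixed, and SSH is reachable only from the management subnet, which is the "limit the services" part of the conclusion in practice.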
