User Tools

Site Tools


inbox:howto:vpn.server.openvpn.tun.vpnrerouter

Openvpn using tun devices, create a vpn rerouter

There are a lot of English errors and maybe some vpn concepts confusion, so please contribute and refine the page!

Required knowledge

Scenario

There are some networks, equipped with a vpn server accessible from the internet, that provide network services to the vpn clients.

For example one network is providing video files, the other network is providing audio files.

The problem is that not every potential client could reach the vpn servers of those networks from the internet, for example due to port blocking (the servers uses ports that are blocked). Therefore we have some potential clients unhappy.

Solution: a vpn rerouter

Diagram

With asciiflow (online)

                         internal ip address space 'A/24'                      internal ip address space 'B/24'                                 
                                        +                                                           +                                           
                                        |                                                           |                                           
                                        |                                                           |                                           
                    +-------------------+-----------------+                  +----------------------+----------+                                
                    |                                     |                  |                                 |                                
                    |    Vpn address space 'vpnA/24'      |                  |  Vpn address space 'vpnB/24'    |                                
                    |                            +        |                  |                           +     |                                
                    |                            |        |                  |                           |     |                                
                    |                            |        |                  |                           |     |                                
                    |    'publicA/32' o'fqdnA'   |        |                  |  'publicB/32' or 'fqdnB'  |     |                                
                    |                            +        |                  |                           +     |                                
                    |                     vpn port A      |                  |                   vpn port B    |                                
                    |                                     |                  |                                 |                                
                    +-----------------+-------------------+                  +-------------------------+-------+                                
                                      |                                                                |                                        
                                      |                                                                |                                        
                                      |                                                                |                                        
                                      |                                                                |                                        
                                      |                                                                |                                        
                                      |                                                                |                                        
                                      |                                                                |                                        
                                      |                                                                |                                        
                                      |                                                                |                                        
                                      +---------------------+  Internet  +-----------------------------+                                        
                                                                     +                                                                          
                                                                     |                                                                          
             +-----------------------------------------------------+ | +----------------------------------------------------------+             
             |                                                       |                                                            |             
             |                                                       | +----------------------------------+                       |             
             |                                                       |                                    |                       |             
             |                          +----------------------------+---------------------------+        |                       |             
             |                          |                                                        |        |                       |             
             |                          |             'publicC/32' o'fqdnC'    {VPN REROUTER}    |        |                       |             
             |                          |                                                        |        |                       |             
             |                          |                                                        |        |                       |             
             |                          |   vpn client to vpnA      vpn client to vpnB           |        |                       |             
             |                          |                                                        |        |                       |             
             |                          |   Vpn address space 'vpnC/24'                          |        |                       |             
             |                          |                           +                            |        |                       |             
             |                          |                           +-- vpn port C               |        |                       |             
             |                          |                                                        |        |                       |             
             |                          +--------------------------------------------------------+        |                       |             
             |                                                                                            |                       |             
             |                                                                                            |                       |             
             |                                                      +-------------------------------------+                       |             
             |                                                      |                                                             |             
             |                                                      |                                                             |             
             |                                                      |                                                             |             
             |                                                      |                                                             |             
             |                                                      |                                                             |             
             |                                                      |                                                             |             
             |                                                      |                                                             |             
             |                                                      |                                                             |             
+------------+-----------------------------+      +-----------------+----------------------+           +--------------------------+------------+
|  vpn client to vpnC                      |      | vpn client to vpnC                     |           | vpn client to vpnC                    |
|                                          |      |                                        |           |                                       |
|  Internal ip address space 'Client1/24'  |      | Internal ip address space 'Client2/24' |           | Internal ip address space 'Client3/24'|
|                                          |      |                                        |           |                                       |
+------------------------------------------+      +----------------------------------------+           +---------------------------------------+

Now, the devices in the networks ClientX/24 wants to communicate with devices in the networks A/24 or B/24, this is achieved as described below. Note: The VPNREROUTER has no internal network, only vpn clients and servers.

Definitions of vpn servers

The vpn server A has the following definition in /etc/config/openvpn

config 'openvpn' 'vpnA'
        option 'dev' 'tun0'
        option 'comp_lzo' '1'
        option 'keepalive' '10 60'
        option 'verb' '3'
        option 'port' '1194'
        option 'enable' '1'
        ...lines...
        option 'proto' 'udp'
        option 'server' 'vpnA/24'
        list 'push' 'route A/24'
        ...lines....

Related there is the following configuration in /etc/config/network

...lines...

config interface vpn0
  option ifname  tun0
  option proto none
and /etc/config/firewall
...lines...

config zone 
  option name vpn
  option network vpn0
  option input ACCEPT
  option output ACCEPT
  option forward REJECT
  
config forwarding
  option src vpn
  option dest lan
  
config forwarding
  option src lan
  option dest vpn
  
...lines...

The vpn server B has the following definition in /etc/config/openvpn

config 'openvpn' 'vpnB'
        option 'dev' 'tun0'
        option 'comp_lzo' '1'
        option 'keepalive' '10 60'
        option 'verb' '3'
        option 'port' '1194'
        option 'enable' '1'
        ...lines...
        option 'proto' 'udp'
        option 'server' 'vpnB/24'
        list 'push' 'route B/24'
        ...lines....
To this configuration are related identical configurations as seen for the vpn server A in /etc/config/network and /etc/config/firewall

Similar is the definition (and the related config) of the vpn server C, it proceeds as follows.

config 'openvpn' 'vpnC'
        option 'dev' 'tun0'
        option 'comp_lzo' '1'
        option 'keepalive' '10 60'
        option 'verb' '3'
        option 'port' '443'
        option 'enable' '1'
        ...lines...
        option 'proto' 'udp'
        option 'server' 'vpnC/24'
        list 'push' 'route A/24'
        list 'push' 'route B/24'
        # here we push the internal networks A and B
        ...lines....
        
config 'openvpn' 'vpnA'
     ...lines about vpn client config...
     # the device C is client of the vpn server A

config 'openvpn' 'vpnB'
     ...lines about vpn client config...
     # the device C is client of the vpn server B

Related there is the following configuration in /etc/config/network

...lines...

config interface vpn0
  option ifname  tun0
  option proto none
  
config interface vpn1
  option ifname  tun1
  option proto none
  # for the vpn A client 
  
config interface vpn2
  option ifname  tun2
  option proto none  
  # for the vpn B client
and /etc/config/firewall
...lines...

config zone 
  option name vpn0
  option network vpn0
  option input ACCEPT
  option output ACCEPT
  option forward REJECT
  

config zone 
  option name vpn12
  option network 'vpn1 vpn2'
  option input ACCEPT
  option output ACCEPT
  option forward REJECT
  
config forwarding
  option src vpn0
  option dest vpn12
  # forwarding between vpn networks
  # no internal networks is involved
  
config forwarding
  option src vpn12
  option dest vpn0
  # forwarding between vpn networks
  # no internal networks is involved
    
...lines...

Status of the vpn servers and client devices

Since the firewall rules allows the needed forwarding, we should look only to the routing table that is crucial to properly route packets between address spaces. The routing table is modified also due to the vpn connections that set or pull route rules.

The routing table of the vpn device A is something like:

# simplified routing table
target/netmask - gw - interface
internet - wan
  # internet network
A/24 - A.1 - lan
  #the internal network
vpnA/24 - vpnA.1 - tun0
  # the vpn address space

The routing table of the vpn device B is something like:

# simplified routing table
target/netmask - gw - interface
internet - wan
  # internet network
B/24 - B.1 - lan
  #the internal network
vpnB/24 - vpnB.1 - tun0
  # the vpn address space

The routing table of the vpn device C is something like:

# simplified routing table
target/netmask - gw - interface
internet - wan
  # internet network
vpnC/24 - vpnC.1 - tun0
  # the vpn address space
vpnA/24 - vpnA.1 - tun1
A/24 - vpnA.1 - tun1
vpnB/24 - vpnB.1 - tun2
B/24 - vpnB.1 - tun2
  # the pushed routes by the definition of vpnA and vpnB

The routing table of the gateway in Client1/24 (client of vpn server C) is something like:

# simplified routing table
target/netmask - gw - interface
internet - wan
  # internet network
client1/24 - client1.1 - lan
  # internal network (client1.1 is this gateway itself)
vpnC/24 - vpnC.1 - tun0
A/24 - vpnC.1 - tun0
B/24 - vpnC.1 - tun0
  # the pushed routes by the definition of vpnC

This actual status won't work, fix are needed

(hint: make a schema while reading this section, it will help) The actual situation does not allow communications between an ip in vpnC/24 (a network with netmask /24) or client1/24 and an ip in vpnA/24 or A/24. Why? ( :!: actually i did not check the source code of openvpn i inferred this from the behaviour but is seems solid :!: )

Let's imagine that a device in the Client1/24 wants to reach an ip in A/24, say A.50/24.

Since a client in Client1/24, say Client1.10/24, does not know any direct way to reach A/24 it will ask its gateway, say Client1.1/32. The gateway of the network Client1/24 is connected by vpn to the vpnC and therefore has the route

 (network - gw - interface)
 A/24 - vpnC.1 - tun0
 

Then the gateway selects its IP related to the interace tun0 (that is an ip in vpnC/24), say vpnC.5/32, and sends a request to the vpnC server (vpnC.1/32) to deliver this packet (the source of the packet is enclosed in the vpn tunneling, so effectively the packet source is the ip related to the interface tun0).

The vpnC.1 receives the packet, unpack it from the tunneling envelope and, due to openvpn learning mechanism, starts to observe:
1. The sender of this package, vpnC.5, is able to route packets from the network Client1/24, therefore the vpn software associate the network client1/24 with the ip vpnC.5.

Why vpn does this? Because vpn was designed to connect different networks between each other through an intermediate transferring network. And since clients could connect/disconnect and therefore change ip, it is needed a dynamic learning machanism that just analyze the source of the 'unpacked' (from the vpn tunneling envelope) packet received from a vpn client to assign which networks are behind that vpn client. This of course can lead to problems if more than one vpn client is associated to the same network address space. To avoid this we can assume that the global network administration never let two vpn clients manage similar address spaces.

2. The unpacked packet wants to reach the A.50 ip, the gateway knows a route that is helpful to send this:

 (network - gw - interface)
 A/24 - vpnA.1 - tun0
 

There are no problems with forwardings, so the packet goes, and the vpnC.1 uses the best ip to reach the gateway vpnA.1, its ip in vpnA/24 say vpnA.7/32.

The packet arrives to vpnA.1 that is the vpnA server, and gets upacket. For the same learning mechanism of before, vpna.7 gets associated to the network Client1/24 that is the source of the unpacked packet. Then the packet gets delivered to A.50, using the ip A.1/32 that is the ip address in A/32 of the vpn A server.

A.50 replies back, sending the packet to its gateway, A.1. But the gateway does not know any route to the network Client1/24. Openvpn knows, but the knowledge of the kernel (that manages the routing) does not. Therefore we need to add an option in the vpnA definition that adds proper 'static routes' when the vpnA server is running.

# /etc/config/openvpn on the device of the vpnA server
config 'openvpn' 'vpnA'
        option 'dev' 'tun0'
        option 'comp_lzo' '1'
        option 'keepalive' '10 60'
        option 'verb' '3'
        option 'port' '1194'
        option 'enable' '1'
        ...lines...
        option 'proto' 'udp'
        option 'server' 'vpnA/24'
        list route 'Client1/24 vpnA.1'
          # client1/24 is the ip address space, vpnA.1 is the gateway
          #added options, refer to --route and --iroute in the openvpn manual.
        list 'push' 'route A/24'
        ...lines....

With this option defined, now the vpnA device has the following routing table (when the vpnA service starts):

# simplified routing table
target/netmask - gw - interface
internet - wan
  # internet network
A/24 - A.1 - lan
  #the internal network
vpnA/24 - vpnA.1 - tun0
  # the vpn address space
Client1/24 - vpnA.1 - tun0

So the response from A.50 this time can be routed through the routing rule

Client1/24 - vpnA.1 - tun0

The response packet can be packed in a vpn envelop and routed, thanks to the learning of the openvpn software, to vpnA.7 that is the vpn client of vpnA that has associated the Client1/24 network.

The packet the reaches the vpnC server, gets unpacked and we have the same problem of before, the kernel does not know how to route a packet to the network Client1/24 and so we have to modify also the vpnC configuration.

# /etc/config/openvpn on the device of the vpnC server
config 'openvpn' 'vpnC'
        option 'dev' 'tun0'
        option 'comp_lzo' '1'
        option 'keepalive' '10 60'
        option 'verb' '3'
        option 'port' '443'
        option 'enable' '1'
        ...lines...
        option 'proto' 'udp'
        option 'server' 'vpnC/24'
        list route 'Client1/24 vpnC.1'
          # client1/24 is the ip address space, vpnC.1 is the gateway
        list 'push' 'route A/24'
        list 'push' 'route B/24'
        # here we push the internal networks A and B
        ...lines....
        
config 'openvpn' 'vpnA'
     ...lines about vpn client config...
     # the device C is client of the vpn server A

config 'openvpn' 'vpnB'
     ...lines about vpn client config...
     # the device C is client of the vpn server B

With this option defined, now the vpnC device has the following routing table (when the vpnC service starts):

# simplified routing table
target/netmask - gw - interface
internet - wan
  # internet network
vpnC/24 - vpnC.1 - tun0
  # the vpn address space
Client1/24 - vpnC.1 - tun0
vpnA/24 - vpnA.1 - tun1
A/24 - vpnA.1 - tun1
vpnB/24 - vpnB.1 - tun2
B/24 - vpnB.1 - tun2
  # the pushed routes by the definition of vpnA and vpnB

In this case the vpnC device knows how to route a packet and will do it, then the packet will arrive to vpnC.5 that is also Client1.1 and will be delivered without further trouble.

That is it, no? No.

What happend if, just for testing or by chance, vpnA.1 wants to communicate with vpnC.5 ? The vpnA device does not know how to route to vpnC/24 (while openvpn software will learn it). The same happens if vpnC.5 wants to communcate to vpnA.1. Therefore routes should be added to vpnA and vpnB sever configurations, to mention the vpnC/24 network, and pushing routes should be added to the vpnC sever configuration mentioning the vpnA/24 and vpnB/24 networks.

So let's write the final solution.

Final definitions of vpn servers

The vpn server A has the following definition in /etc/config/openvpn

config 'openvpn' 'vpnA'
        option 'dev' 'tun0'
        option 'comp_lzo' '1'
        option 'keepalive' '10 60'
        option 'verb' '3'
        option 'port' '1194'
        option 'enable' '1'
        ...lines...
        option 'proto' 'udp'
        option 'server' 'vpnA/24'
        list route 'Client1/24 vpnA.1'
          # client1/24 is the ip address space, vpnA.1 is the gateway
        list route 'vpnC/24 vpnA.1'
          #added options, refer to --route and --iroute in the openvpn manual.
        list 'push' 'route A/24'
        ...lines....

Related there is the following configuration in /etc/config/network

...lines...

config interface vpn0
  option ifname  tun0
  option proto none
and /etc/config/firewall
...lines...

config zone 
  option name vpn
  option network vpn0
  option input ACCEPT
  option output ACCEPT
  option forward REJECT
  
config forwarding
  option src vpn
  option dest lan
  
config forwarding
  option src lan
  option dest vpn
  
...lines...

The vpn server B has the following definition in /etc/config/openvpn

config 'openvpn' 'vpnB'
        option 'dev' 'tun0'
        option 'comp_lzo' '1'
        option 'keepalive' '10 60'
        option 'verb' '3'
        option 'port' '1194'
        option 'enable' '1'
        ...lines...
        option 'proto' 'udp'
        option 'server' 'vpnB/24'
        list route 'Client1/24 vpnB.1'
          # client1/24 is the ip address space, vpnB.1 is the gateway
        list route 'vpnC/24 vpnB.1'
          #added options, refer to --route and --iroute in the openvpn manual.
        list 'push' 'route B/24'
        ...lines....
To this configuration are related identical configurations as seen for the vpn server A in /etc/config/network and /etc/config/firewall

Similar is the definition (and the related config) of the vpn server C, it proceeds as follows.

config 'openvpn' 'vpnC'
        option 'dev' 'tun0'
        option 'comp_lzo' '1'
        option 'keepalive' '10 60'
        option 'verb' '3'
        option 'port' '443'
        option 'enable' '1'
        ...lines...
        option 'proto' 'udp'
        option 'server' 'vpnC/24'
        list route 'Client1/24 vpnC.1'
          # client1/24 is the ip address space, vpnB.1 is the gateway
        list 'push' 'route A/24'
        list 'push' 'route B/24'
        # here we push the internal networks A and B
        list 'push' 'route vpnA/24'
        list 'push' 'route vpnB/24'
        # and also vpn address spaces
        ...lines....
        
config 'openvpn' 'vpnA'
     ...lines about vpn client config...
     # the device C is client of the vpn server A

config 'openvpn' 'vpnB'
     ...lines about vpn client config...
     # the device C is client of the vpn server B

Related there is the following configuration in /etc/config/network

...lines...

config interface vpn0
  option ifname  tun0
  option proto none
  
config interface vpn1
  option ifname  tun1
  option proto none
  # for the vpn A client 
  
config interface vpn2
  option ifname  tun2
  option proto none  
  # for the vpn B client
and /etc/config/firewall
...lines...

config zone 
  option name vpn0
  option network vpn0
  option input ACCEPT
  option output ACCEPT
  option forward REJECT
  

config zone 
  option name vpn12
  option network 'vpn1 vpn2'
  option input ACCEPT
  option output ACCEPT
  option forward REJECT
  
config forwarding
  option src vpn0
  option dest vpn12
  # forwarding between vpn networks
  # no internal networks is involved
  
config forwarding
  option src vpn12
  option dest vpn0
  # forwarding between vpn networks
  # no internal networks is involved
    
...lines...

Final status of the vpn servers and client devices

Since the firewall rules allows the needed forwarding, we should look only to the routing table that is crucial to properly route packets between address spaces. The routing table is modified also due to the vpn connections that set or pull route rules.

The routing table of the vpn device A is something like:

# simplified routing table
target/netmask - gw - interface
internet - wan
  # internet network
A/24 - A.1 - lan
  #the internal network
vpnA/24 - vpnA.1 - tun0
  # the vpn address space
Client1/24 - vpnA.1 - tun0
vpnC/24 - vpnA.1 - tun0

The routing table of the vpn device B is something like:

# simplified routing table
target/netmask - gw - interface
internet - wan
  # internet network
B/24 - B.1 - lan
  #the internal network
vpnB/24 - vpnB.1 - tun0
  # the vpn address space
Client1/24 - vpnB.1 - tun0
vpnC/24 - vpnB.1 - tun0

The routing table of the vpn device C is something like:

# simplified routing table
target/netmask - gw - interface
internet - wan
  # internet network
vpnC/24 - vpnC.1 - tun0
  # the vpn address space
Client1/24 - vpnC.1 - tun0
vpnA/24 - vpnA.1 - tun1
A/24 - vpnA.1 - tun1
vpnB/24 - vpnB.1 - tun2
B/24 - vpnB.1 - tun2
  # the pushed routes by the definition of vpnA and vpnB

The routing table of the gateway in Client1/24 (client of vpn server C) is something like:

# simplified routing table
target/netmask - gw - interface
internet - wan
  # internet network
client1/24 - client1.1 - lan
  # internal network (client1.1 is this gateway itself)
vpnC/24 - vpnC.1 - tun0
A/24 - vpnC.1 - tun0
vpnA/24 - vpnC.1 - tun0
B/24 - vpnC.1 - tun0
vpnB/24 - vpnC.1 - tun0
  # the pushed routes by the definition of vpnC

inbox/howto/vpn.server.openvpn.tun.vpnrerouter.txt · Last modified: 2015/08/14 14:26 by pier4r