July 21, 2014

Using OpenVPN as a Home Gateway + Internet Gateway

Well, first of all I need to explain my headline: up to now I have operated my OpenVPN server at home as a gateway into my home network. When I connect a mobile device to the OpenVPN, I can use the services I run inside the private home network from remote. All other traffic (surfing the web, mailing, etc.) does not flow over the tunnel. In most cases this is what I want, as tunneling EVERYTHING through my home server would be quite s l o w.

Some days ago I was reminded that I always wanted to experiment with OpenVPN as an Internet Gateway. Meaning: all traffic of my mobile device flows nicely encrypted through the home server. This is handy if you are in a not so trustworthy network (Internet cafe, etc.) and want to protect your communication from eavesdropping by somebody in that network. I found a quite good tutorial for the "Internet Gateway configuration" on this webpage. But it seems that there are some slight errors in the server configuration, which I fixed. Furthermore, I wanted to be able to select whether I want a simple Home Gateway (access home services) OR an Internet Gateway (access home services + tunnel ALL traffic via my home). I came up with this solution:

You need two configurations each for the OpenVPN server and the client: one for the Home Gateway mode, the second for the Internet Gateway mode. The following server configurations tell your OpenVPN server to listen on two different ports. So when you connect a device to port X, you get the Home Gateway; when you connect it to port Y, you get the Internet Gateway. You also get an address from a different pool in 10.8.x.y: 10.8.0.y for the Home Gateway, 10.8.1.y for the Internet Gateway. If you connect two devices to the two different OpenVPN instances, they can reach each other, as the needed routes are pushed by both configurations. So here are the server configs:

## server_home_gateway.conf

server 10.8.0.0 255.255.255.0
port X
proto udp
dev tun

ca server/ca.crt
cert server/openvpnserver.crt
key server/openvpnserver.key
dh server/dh1024.pem

ifconfig-pool-persist ipp.txt

push "route 192.168.178.0 255.255.255.0"
push "route 10.8.0.0 255.255.255.0"
push "route 10.8.1.0 255.255.255.0"

cipher AES-128-CBC
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3

## server_internet_gateway.conf

server 10.8.1.0 255.255.255.0
port Y
proto udp
dev tun

ca server/ca.crt
cert server/openvpnserver.crt
key server/openvpnserver.key
dh server/dh1024.pem

ifconfig-pool-persist ipp.txt
push "redirect-gateway"
push "route 192.168.178.0 255.255.255.0"
push "route 10.8.0.0 255.255.255.0"
push "route 10.8.1.0 255.255.255.0"

cipher AES-128-CBC
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3

I do not explain how the keys are generated. You can get this info from the website mentioned earlier. Besides these server configurations you need to enable forwarding and NATting on your server:

sysctl -w net.ipv4.ip_forward=1
iptables -A FORWARD -o eth0 -i tun0 -s 10.8.0.0/24 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

(Just copied from the website mentioned above! Read there in case you do not know how to make these settings persistent.) For your mobile devices you also need two different configurations. One points to your server’s port X, the other to your server’s port Y. The second config also has a new line, redirect-gateway def1 bypass-dhcp, which seems to be important when you’re on a Mac. Interestingly, the config works nicely without this line on my iOS devices.
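The forwarding and NAT commands above only name tun0 and the 10.8.0.0/24 pool, but with two server instances the internet gateway clients arrive on a second tun device with 10.8.1.x addresses, so they only get forwarded if the FORWARD chain's policy happens to be ACCEPT. The script below is an added example, not code from the original post or the tutorial it cites: it installs the rules for both instances, masquerades only the VPN pools rather than everything leaving eth0, and can be re-run without stacking duplicate rules. The WAN interface eth0 and the two pools follow the post; that the second `dev tun` instance lands on tun1 is an assumption (OpenVPN takes the next free tun device, so pin `dev tun0` and `dev tun1` in the server configs if start order is not fixed).

```shell
#!/bin/sh
# Added example, not from the original post: forwarding and NAT rules for
# both OpenVPN instances, re-runnable without duplicating rules. WAN
# interface eth0 and the pools 10.8.0.0/24 (home gateway) and 10.8.1.0/24
# (internet gateway) are the post's; that the second "dev tun" instance
# ends up on tun1 is an assumption (OpenVPN takes the next free tun device).
# Without --apply the script only prints the rules it would install.

WAN=eth0

# vpn_rules -> one iptables command per line, for each "TUN SUBNET" pair
vpn_rules() {
    while read -r tun net; do
        # new connections may only leave the VPN pool towards the WAN side
        echo "iptables -A FORWARD -i $tun -o $WAN -s $net -m conntrack --ctstate NEW -j ACCEPT"
        # masquerade only the VPN pool, not every packet that leaves $WAN
        echo "iptables -t nat -A POSTROUTING -s $net -o $WAN -j MASQUERADE"
    done <<EOF
tun0 10.8.0.0/24
tun1 10.8.1.0/24
EOF
    # replies for connections the firewall already tracks, in either direction
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# to_check CMD -> the same iptables command with -A turned into -C (check)
to_check() { printf '%s\n' "$1" | sed 's/ -A / -C /'; }

# apply_rule CMD -> append the rule only if iptables -C says it is missing
apply_rule() {
    # unquoted on purpose: the command strings are split into arguments
    $(to_check "$1") 2>/dev/null || $1
}

if [ "${1:-}" = "--apply" ]; then
    sysctl -w net.ipv4.ip_forward=1
    vpn_rules | while read -r rule; do apply_rule "$rule"; done
else
    vpn_rules
fi
```

Running the script without arguments prints the five rules; `sh vpn-nat.sh --apply` as root installs them, checking each with `iptables -C` first so a second run changes nothing. Persistence (iptables-persistent or equivalent) is still needed across reboots, as the post notes.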

## client_home_gateway.conf

client
proto udp
dev tun
remote SERVER X
resolv-retry infinite
nobind
persist-key
persist-tun

ca ca.crt
cert mac11.crt
key mac11.key

cipher AES-128-CBC
comp-lzo
verb 3

## client_internet_gateway.conf

client
proto udp
dev tun
remote SERVER Y
resolv-retry infinite
nobind
persist-key
persist-tun

ca ca.crt
cert mac11.crt
key mac11.key

redirect-gateway def1 bypass-dhcp
cipher AES-128-CBC
comp-lzo
verb 3

That should work…

(Tested with Ubuntu server 14.04 LTS + iOS and MacOS clients)

© holger 2015 - 2020