Using OpenVPN to tunnel all traffic through my home server

I want to be able to send all my internet traffic to the Linux machine I have running in my apartment, and I am not a networking expert. My motivation for this post is threefold: to document my process for future reference, to share my info, and to see if people have suggestions for how to do this better. I am not going to go through every option, just what I did and what worked for me.
The next step was to figure out what I needed to do. I decided on using OpenVPN because I already use it for work and because it’s open source. I found the how-to document on the OpenVPN site to be really useful. I am using Fedora, so I skipped the section on installing OpenVPN from source and ran “sudo yum install openvpn”. My next step was to copy the PKI support files into a directory by running “cp -r /usr/share/openvpn/easy-rsa/2.0/* .”. I then followed the directions for generating the PKI infrastructure.
For this to work you need an open port on your server. I used the OpenVPN default of 1194. I tested that the port was open with netcat by running “nc -l 1194” on my server and “nc server.name 1194” on the client. Whatever you type in either terminal appears on the other once you press Enter. (Plain nc tests TCP; the sample OpenVPN config uses UDP, so add -u to both commands to test the protocol OpenVPN will actually use.)
At this point, I needed to set up the server configuration. I copied the sample config file to my directory by running “cp /usr/share/doc/openvpn-2.1.4/sample-config-files/server.conf server.conf”. I found that the sample server config file worked great for me with the following changes:
diff -U0 sample-config-files/server.conf config/server.conf --- sample-config-files/server.conf 2011-12-12 21:43:31.000000000 -0800 +++ config/server.conf 2011-12-12 22:16:46.000000000 -0800 @@ -196,0 +197,2 @@ +push "dhcp-option DNS 0.0.0.0" +push "dhcp-option DNS 0.0.0.0" @@ -204 +206 @@ -;client-to-client +client-to-client
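Review bot: the hunk at +197 pushes DNS servers but no default route, so whether a client sends all of its traffic through the tunnel is left to each client's own setting (the post later relies on Viscosity and Network Manager defaults for this); add `push "redirect-gateway def1"` next to the dhcp-option lines so the tunnel-everything policy is set once on the server and applies to every client that connects.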
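Review bot: enabling `client-to-client` at +206 means packets between two VPN clients are switched inside the openvpn process and never reach the kernel, so the iptables FORWARD rules added later do not filter them; since the post says the inter-client link may not be needed, keep `;client-to-client` commented until there is a use for it, and if it is enabled, accept that every holder of a client certificate can reach every other connected machine directly.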
The first change pushes DNS servers to my client (fake IPs, obviously), and the second allows different clients to talk to each other. I am not sure how useful the inter-client link will end up being.
I am using the Viscosity client because that’s the only sane way to do this on OS X and Windows. Sending all traffic over the VPN link is the default behaviour for Network Manager (Linux). I started with the sample by running “cp /usr/share/doc/openvpn-2.1.4/sample-config-files/client.conf .”. My changes were pretty basic:
diff -U0 sample-client.conf client.conf --- sample-client.conf 2011-12-12 22:43:11.000000000 -0800 +++ client.conf 2011-12-12 21:49:17.000000000 -0800 @@ -42 +42 @@ -remote my-server-1 1194 +remote server.name 1194 @@ -89,2 +89,2 @@ -cert client.crt -key client.key +cert laptop.crt +key laptop.key
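Review bot: the hunk at +89 switches the client to laptop.crt/laptop.key, but nothing in the client config checks that the peer presenting a certificate is actually the server; add `remote-cert-tls server` so that another client certificate issued by the same CA cannot be used to impersonate server.name, and consider `tls-auth ta.key 1` (paired with `tls-auth ta.key 0` on the server) so port 1194 drops handshake packets that do not carry the shared HMAC key.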
At this point, the client side configuration was ready to transfer, so I tarred up the needed files with:
mkdir ovpn-configs
cp keys/ca.crt keys/laptop.crt keys/laptop.key client.conf ovpn-configs/
tar jcf laptop-openvpn-config.tar.bz2 ovpn-configs
and used scp to transfer the files over to my laptop.
Once on my laptop, I untarred the files and imported the configuration into Viscosity. I did this by:
- clicking on the Viscosity menu icon, then selecting Preferences
- clicking on the plus button with the down arrow, selecting “Import Connection”, then selecting “From File”
- selecting the client.conf file from the tarball
At this stage, I wanted to test that my laptop was able to connect to my OpenVPN server. I gathered the various files needed for the server into a single directory:
mkdir ~/openvpn-server/
cp keys/* ~/openvpn-server   # lazy: copies every key, not just the server's
cp server.conf ~/openvpn-server
and started the server with “cd ~/openvpn-server && sudo openvpn server.conf”. I connected to the server using Viscosity. The client connected properly, but I was unable to resolve anything via DNS or reach anything other than my OpenVPN server. Reading the OpenVPN how-to suggested setting up NAT. I did some searching and found a page with information on setting up the NAT. I did:
echo 1 > /proc/sys/net/ipv4/ip_forward   # let the kernel route between tun0 and eth0 (not persistent across reboots)
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE   # rewrite VPN clients' source addresses to the server's eth0 address
/sbin/iptables -A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT   # replies from the internet back to clients
/sbin/iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT   # new connections from clients out to the internet
At this point, everything worked! I ran traceroute, and the first hop was my VPN server’s tunnel address (10.8.0.1). I also used some websites to check my public IP, and it was showing as my server’s IP.
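A small checker for the two configs this walkthrough ends up with, added here as an example and not from the original post: it parses server.conf and client.conf the way OpenVPN reads them (one directive per line, lines starting with ';' or '#' as comments, quoted push arguments) and flags the trust and routing settings worth reviewing before exposing port 1194. The embedded configs are constructed from the post's diffs; the 0.0.0.0 DNS entries are the post's placeholders.

```python
import shlex
# Constructed samples mirroring the post's diffs; file names and the 0.0.0.0
# DNS placeholders come from the post, not from a real deployment.
SERVER_CONF = """\
ca ca.crt
cert server.crt
key server.key
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 0.0.0.0"
push "dhcp-option DNS 0.0.0.0"
client-to-client
;tls-auth ta.key 0
"""
CLIENT_CONF = """\
client
remote server.name 1194
ca ca.crt
cert laptop.crt
key laptop.key
"""

def parse(text):
    """Map each directive to its argument lists; lines starting ';' or '#' are comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#;":
            args = shlex.split(line)  # keeps push "dhcp-option DNS x" as one argument
            conf.setdefault(args[0], []).append(args[1:])
    return conf

def lint(conf):
    """Findings about trust and tunnel-all-traffic settings, for either side of the link."""
    out = []
    pushed = [shlex.split(a[0]) for a in conf.get("push", []) if a]
    if "tls-auth" not in conf:
        out.append("tls-auth absent: the daemon processes TLS handshakes from any source")
    if "client" in conf:
        if not any(k in conf for k in ("remote-cert-tls", "ns-cert-type")):
            out.append("client: no remote-cert-tls server, so any cert from this CA can pose as the server")
        if "redirect-gateway" not in conf:
            out.append("client: redirect-gateway not set; full tunnelling relies on the GUI default or a push")
    else:
        if not any(p[:1] == ["redirect-gateway"] for p in pushed):
            out.append("server: redirect-gateway not pushed; each client decides whether all traffic enters the tunnel")
        if any(p[:3] == ["dhcp-option", "DNS", "0.0.0.0"] for p in pushed):
            out.append("server: pushed DNS 0.0.0.0 is a placeholder; clients will have no resolver")
        if "client-to-client" in conf:
            out.append("server: client-to-client switches peer traffic inside OpenVPN, bypassing iptables FORWARD")
    return out
```

Run against the post's configs, lint(parse(...)) reports the missing remote-cert-tls, the un-pushed default route, the placeholder resolvers and the client-to-client side effect; a client config with remote-cert-tls server, redirect-gateway def1 and tls-auth added reports nothing.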
I hope this is useful to others. If I’ve done something really dumb, I’d appreciate any suggestions for how to do it better! I have left out information about how to start the OpenVPN service on boot. This isn’t really important to me right now, but if I ever bother with it, I’ll update this blog post.