How do I use a VLAN as a private VPC with OpenVPN?
Hello guys,
New to Linode.
I am setting up two servers which will be connected to a single VLAN so that they can communicate with each other.
Suppose:
A) X public IP and 10.0.0.1 VLAN IP
B) X public IP and 10.0.0.2 VLAN IP
Now I am setting up a firewall rule so that no one except Linode B can connect or SSH to Linode A.
I am setting up Linode B as an OpenVPN server so that all my mates can connect to OpenVPN and then use Linode A.
But I am unable to complete this setup, as there is no connectivity to A via B with OpenVPN, although B can directly do all connectivity to A.
2 Replies
✓ Best Answer
Note: Guests' home network addresses will likely conflict with 10.0.0.0/24 (they will need to address their home router to get to the VPN). For the sake of this discussion, let's swap the roles of servers A and B and put them on vLAN 10.0.16.0/24.
| Server | vLAN IP | Role |
|---|---|---|
| Server A | 10.0.16.1 | OpenVPN |
| Server B | 10.0.16.2 | Top Secret Stuff |
Let's designate 10.0.127.0/24 as our Guest Network.
Server A will have address 10.0.127.1 on interface as0t1.
Here is what our network looks like:
Scenario 1 - Server A is an SSH Jump Box
There is not much additional to set up. Guests will just need accounts on Server A to which they can SSH. From there they can SSH into Server B. If we were going this route, we could skip the whole VPN.
Scenario 2 - Server A is a Router to vLAN
Server A (forwarding) needs to have the following routes:

```
203.0.113.0/24 dev eth0
0.0.0.0/0 default via 203.0.113.1 dev eth0
10.0.127.0/24 dev as0t1
10.0.16.0/24 dev eth1
```

Server B (non-forwarding) needs to have the following routes:

```
192.0.2.0/24 dev eth0
0.0.0.0/0 default via 192.0.2.1 dev eth0
10.0.16.0/24 dev eth1
10.0.127.0/24 dev eth1 via 10.0.127.1
```

Client 1 will need to have the following routes upon connection:

```
0.0.0.0 default via 192.168.1.1 dev wlan0
192.168.1.0/24 dev wlan0
10.0.127.0/24 dev tun0
10.0.16.0/24 via 10.0.127.1 dev tun0
```

Client 2 will need to have the following routes upon connection:

```
0.0.0.0 default via 10.0.0.1 dev eth0
10.0.0.0/24 dev eth0
10.0.127.0/24 dev tun0
10.0.16.0/24 via 10.0.127.1 dev tun0
```
The good news is that OpenVPN will take care of setting up the clients and itself. We only need to configure Server B, where the top secret stuff will happen. On a Debian/Ubuntu server, to configure routing, we would do the following:
Any additional servers you add to the Linode vLAN might benefit from the same treatment as below if they are to talk to your VPN clients. Putting the route configuration in a separate file allows us to keep Network Helper on in case public IPs need to change.
- In /etc/network/if-up.d/ create a file, openvpn:

```sh
#!/bin/sh
# ifupdown hook: when the vLAN interface (eth1) comes up, add the return route
# to the VPN client subnet via Server A's vLAN address.
if [ "$IFACE" = "eth1" ]; then
    ip route add 10.0.127.0/24 via 10.0.16.1
fi
```

```sh
chmod 751 /etc/network/if-up.d/openvpn
```
- In /etc/network/if-down.d/ create another file, openvpn:

```sh
#!/bin/sh
# ifupdown hook: remove the same route again when the vLAN interface goes down.
if [ "$IFACE" = "eth1" ]; then
    ip route del 10.0.127.0/24 via 10.0.16.1
fi
```

```sh
chmod 751 /etc/network/if-down.d/openvpn
```
We will leave the configuration of Firewalls, Moats, Honey Pots, Dragons, and SSH on Server B as an exercise for the reader.
The following assumes that you have deployed an OpenVPN server as described here:
If you have not done so, go ahead and complete the Marketplace App installation.
Configure OpenVPN
In the web interface, under Configuration > VPN Settings:
Here is where we give the clients a place to live when they are connected.
- Static IP Address Network:
  - Network Address = 10.0.127.0
  - Netmask Bits = 24

We will turn this on since we need our clients to be able to reach Server A.
- Routing: Select Yes, Using Routing
- Private subnets clients should be given access to:
  - 10.0.16.0/24
- Allow access from these private subnets to all VPN client IP addresses and subnets: Yes
- Should client Internet traffic be routed through the VPN?: Your choice
- Should clients be allowed to access network services on the VPN gateway IP address?: Yes
- Save Settings
Now we get to create our users. We apparently get two for free. Repeat the following steps as desired for more users. Give each one a different static IP. 10.0.127.1 is the gateway, so let's not give them that one.
- Under User Management, create a user with Allow Auto Login
- Click on More Settings
- Assign a password
- IP Addressing: Static 10.0.127.2

Here is where the clients get access to the Linode vLAN:
- Access Control: Use Routing 10.0.16.0/24
- Save Settings
- Reboot the server

You should now be able to connect using the user ID and password you just configured.
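To see why the extra route on Server B matters, here is an added example (not part of the original answer, and not Linode or OpenVPN tooling) that loads the routing tables listed in the answer into a small longest-prefix-match simulator and traces a packet from a VPN client to Server B and the reply back. It assumes the client is the 10.0.127.2 user created above, that Server A has net.ipv4.ip_forward enabled and Server B does not (as the answer says), and that Server B's return route is the one the if-up.d hook installs (10.0.127.0/24 via 10.0.16.1). Public addresses are left out because they play no part in the private path; the "link delivery" rule is an idealisation.

```python
"""Route-table simulation for the VPN-to-vLAN setup described above.

Added example, not code from the original forum answer. The tables are the
ones listed in the answer; the VPN client is the 10.0.127.2 user created under
User Management. Link delivery is idealised: a packet handed to a next hop (or
to an on-link destination) is delivered if that address belongs to a modelled
host, otherwise it leaves the model and is reported as such.
"""
from ipaddress import ip_address, ip_network

# Routes as (prefix, next hop or None for on-link, interface).
SERVER_A_ROUTES = [
    ("203.0.113.0/24", None, "eth0"),
    ("0.0.0.0/0", "203.0.113.1", "eth0"),
    ("10.0.127.0/24", None, "as0t1"),   # VPN clients
    ("10.0.16.0/24", None, "eth1"),     # Linode vLAN
]
# Server B with only what Network Helper gives it (the questioner's broken state).
SERVER_B_WITHOUT_RETURN = [
    ("192.0.2.0/24", None, "eth0"),
    ("0.0.0.0/0", "192.0.2.1", "eth0"),
    ("10.0.16.0/24", None, "eth1"),
]
# Server B after the if-up.d hook has run: VPN clients are reached via Server A.
SERVER_B_ROUTES = SERVER_B_WITHOUT_RETURN + [("10.0.127.0/24", "10.0.16.1", "eth1")]
CLIENT_ROUTES = [
    ("0.0.0.0/0", "192.168.1.1", "wlan0"),
    ("192.168.1.0/24", None, "wlan0"),
    ("10.0.127.0/24", None, "tun0"),
    ("10.0.16.0/24", "10.0.127.1", "tun0"),  # pushed by OpenVPN
]


class Host:
    def __init__(self, name, addrs, routes, forwards=False):
        self.name = name
        self.addrs = {ip_address(a) for a in addrs}
        self.routes = [(ip_network(p), ip_address(nh) if nh else None, dev)
                       for p, nh, dev in routes]
        self.forwards = forwards  # models net.ipv4.ip_forward


def lookup(host, dst):
    """Longest-prefix match, as the kernel does it. Returns (next_hop, dev)."""
    matches = [r for r in host.routes if dst in r[0]]
    if not matches:
        raise LookupError(f"{host.name}: no route to {dst}")
    net, nh, dev = max(matches, key=lambda r: r[0].prefixlen)
    return nh, dev


def build(server_b_routes, a_forwards=True):
    """The three hosts from the answer (assumed addresses; public IPs omitted)."""
    return [
        Host("client", ["10.0.127.2"], CLIENT_ROUTES),
        Host("A", ["10.0.127.1", "10.0.16.1"], SERVER_A_ROUTES, forwards=a_forwards),
        Host("B", ["10.0.16.2"], server_b_routes),
    ]


def trace(hosts, src_name, dst, max_hops=6):
    """Follow a packet from host src_name to dst. Returns (path, outcome)."""
    by_addr = {a: h for h in hosts for a in h.addrs}
    cur = next(h for h in hosts if h.name == src_name)
    dst = ip_address(dst)
    path = [cur.name]
    for _ in range(max_hops):
        if dst in cur.addrs:
            return path, "delivered"
        if cur.name != src_name and not cur.forwards:
            return path, "dropped (ip_forward=0)"
        nh, dev = lookup(cur, dst)
        target = nh if nh is not None else dst
        nxt = by_addr.get(target)
        if nxt is None:  # handed to a gateway outside the model, e.g. the public default
            return path, f"left the model on {dev} toward {target}"
        cur = nxt
        path.append(cur.name)
    return path, "hop limit exceeded"


if __name__ == "__main__":
    for label, routes in (("without return route", SERVER_B_WITHOUT_RETURN),
                          ("with return route", SERVER_B_ROUTES)):
        hosts = build(routes)
        print(f"Server B {label}:")
        print("  request client -> B:", trace(hosts, "client", "10.0.16.2"))
        print("  reply   B -> client:", trace(hosts, "B", "10.0.127.2"))
```

Without the return route the request still reaches Server B (Server A forwards it onto the vLAN), but B's reply to 10.0.127.2 matches only the default route and is sent to the public gateway, which is exactly the one-way connectivity the question describes. With the hook's route the reply goes back through Server A and out as0t1 to the client; turning off forwarding on Server A breaks both directions.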