✓ Solved

How do I use a VLAN as a private VPC with OpenVPN?

Hello guys,
New to Linode.
I am setting up two servers which will be connected to a single VLAN so that they can communicate with each other.
Suppose
A) X pub IP and 10.0.0.1 VLAN IP
B) X pub IP and 10.0.0.2 VLAN IP

Now I am setting up a firewall rule that no one except the B Linode can connect or SSH to the A Linode.
I am setting up the B Linode as an OpenVPN server so that all my mates can connect to OpenVPN and then use the A Linode.

But I am unable to complete this setup as there is no connectivity to A via B with OpenVPN, but B can directly do all connectivity to A.

2 Replies

✓ Best Answer

Note: Guests' home network addresses will likely conflict with 10.0.0.0/24 (They will need to address their home router to get to the VPN). For the sake of this discussion, let's swap the roles of servers A and B and put them on vLAN 10.0.16.0/24.

| Server   | vLAN IP   | Role             |
|----------|-----------|------------------|
| Server A | 10.0.16.1 | OpenVPN          |
| Server B | 10.0.16.2 | Top Secret Stuff |

Let's designate 10.0.127.0/24 as our Guest Network
Server A will have address 10.0.127.1 on interface as0t1.

Here is what our network looks like

network diagram

Scenario 1 - Server A is a SSH Jump Box

There is not much additional to set up. Guests will just need accounts on Server A that they can SSH into. From there they can SSH into Server B. If we were going this route, we could skip the whole VPN.

Scenario 2 - Server A is a Router to vLAN

Server A (forwarding) needs to have the following routes
203.0.113.0/24 dev eth0
0.0.0.0/0 default via 203.0.113.1 dev eth0
10.0.127.0/24 dev as0t1
10.0.16.0/24 dev eth1

Server B (non-forwarding) needs to have the following routes:
192.0.2.0/24 dev eth0
0.0.0.0/0 default via 192.0.2.1 dev eth0
10.0.16.0/24 dev eth1
10.0.127.0/24 dev eth1 via 10.0.127.1

Client 1 will need to have the following routes upon connection:
0.0.0.0 default via 192.168.1.1 dev wlan0
192.168.1.0/24 dev wlan0
10.0.127.0/24 dev tun0
10.0.16.0/24 via 10.0.127.1 dev tun0

Client 2 will need to have the following routes upon connection:
0.0.0.0 default via 10.0.0.1 dev eth0
10.0.0.0/24 dev eth0
10.0.127.0/24 dev tun0
10.0.16.0/24 via 10.0.127.1 dev tun0

The Good News is that OpenVPN will take care of setting up the clients and itself. We only need to configure Server B, where top secret stuff will happen. On a Debian/Ubuntu server, to configure routing, we would do the following:

Any additional servers you add to the Linode vLAN might benefit from the same treatment as below if they are to talk to your VPN clients. Putting route configuration in a separate file allows us to keep Network Helper on in case public IPs need to change.

  • In /etc/network/if-up.d/ create a file, openvpn:
#!/bin/sh
# Run for every interface that comes up; only act on the vLAN interface (eth1),
# adding the return route to the VPN client subnet via Server A's vLAN address.
if [ "$IFACE" = "eth1" ]; then
   ip route add 10.0.127.0/24 via 10.0.16.1
fi
  • chmod 751 /etc/network/if-up.d/openvpn

  • In /etc/network/if-down.d/ create another file, openvpn:

#!/bin/sh
# Mirror of the if-up script: remove the return route when eth1 goes down.
if [ "$IFACE" = "eth1" ]; then
   ip route del 10.0.127.0/24 via 10.0.16.1
fi
  • chmod 751 /etc/network/if-down.d/openvpn

We will leave the configuration of Firewalls, Moats, Honey Pots, Dragons, and SSH on Server B as an exercise for the reader.

The following assumes that you have deployed an OpenVPN server as described here:

If you have not done so, go ahead and complete the Marketplace App installation

Configure OpenVPN

In the web interface, under Configuration > VPN Settings:

Here is where we give the clients a place to live when they are connected.

  • Static IP Address Network:
    • Network Address = 10.0.127.0
    • Netmask Bits = 24

We will turn this on since we need our clients to be able to reach Server A

  • Routing: Select Yes, Using Routing
    • Private Subnets clients should be given access:
    • 10.0.16.0/24
    • Allow access from these private subnets to all VPN client IP addresses and subnets: Yes
    • Should client Internet traffic be routed through the VPN?: Your Choice
    • Should clients be allowed to access network services on the VPN gateway IP address? Yes
    • Save Settings

Now we get to create our users. We apparently get two for free. Repeat the following steps as desired for more users. Give each one a different static IP. 10.0.127.1 is the gateway, so let's not give them that one.

  • Under User Management, create a user with Allow Auto Login
    • Click on More Settings
    • Assign a password
    • IP Addressing: Static 10.0.127.2
      Here is where the Clients get access to the Linode vLAN
    • Access Control: Use Routing 10.0.16.0/24
  • Save Settings
  • Reboot the server

You should now be able to connect using the userid and password you just configured.
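To see why the asker's first attempt could not reach the secret server, here is an added example (not from the original thread) that simulates longest-prefix routing over the tables the answer lists in Scenario 2 and follows a packet hop by hop in both directions. The public addresses and the client address 10.0.127.2 are constructed, and Server B starts without its return route, as in the question; `add_return_route()` is the assumed equivalent of the answer's if-up.d script.

```python
import ipaddress

# Constructed route tables transcribed from the answer's Scenario 2. Assumption:
# Server B starts WITHOUT the 10.0.127.0/24 return route, as in the question.
ROUTES = {
    "client1": [("0.0.0.0/0", "192.168.1.1"), ("192.168.1.0/24", None),
                ("10.0.127.0/24", None), ("10.0.16.0/24", "10.0.127.1")],
    "serverA": [("0.0.0.0/0", "203.0.113.1"), ("203.0.113.0/24", None),
                ("10.0.127.0/24", None), ("10.0.16.0/24", None)],
    "serverB": [("0.0.0.0/0", "192.0.2.1"), ("192.0.2.0/24", None),
                ("10.0.16.0/24", None)],
}
# Addresses each host owns (public ones are constructed), so a next hop can be
# mapped back to a host name. Only Server A has net.ipv4.ip_forward=1.
ADDRS = {"client1": {"192.168.1.50", "10.0.127.2"},
         "serverA": {"203.0.113.10", "10.0.127.1", "10.0.16.1"},
         "serverB": {"192.0.2.20", "10.0.16.2"}}
FORWARDING = {"serverA"}

def next_hop(host, dst):
    """Longest-prefix match over a host's table; returns the next-hop IP."""
    best = None
    for prefix, via in ROUTES[host]:
        net = ipaddress.ip_network(prefix)
        in_net = ipaddress.ip_address(dst) in net
        if in_net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via or dst)  # on-link route: deliver straight to dst
    return best[1] if best else None

def owner(ip):
    return next((h for h, addrs in ADDRS.items() if ip in addrs), None)

def trace(src_host, dst, max_hops=8):
    """Follow a packet hop by hop. Returns the hosts it crosses, ending with the
    destination, or with 'internet'/'dropped' when the path is broken."""
    path, host = [src_host], src_host
    for _ in range(max_hops):
        nxt = owner(next_hop(host, dst))
        if nxt is None:
            return path + ["internet"]  # default route: packet leaves the vLAN
        path.append(nxt)
        if nxt == owner(dst):
            return path
        if nxt not in FORWARDING:
            return path + ["dropped"]  # a non-router host will not relay it
        host = nxt
    return path + ["loop"]

def add_return_route():
    """Equivalent of the answer's if-up.d/openvpn script on Server B."""
    ROUTES["serverB"].append(("10.0.127.0/24", "10.0.16.1"))
```

The forward path client1 -> serverA -> serverB works from the start; the reply from Server B follows its default route to the public internet until the return route is added, which is exactly the one-way symptom the question describes.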

Thanks,
I get it now, but we used a simple solution as I didn't read this solution at that time.
We converted our OVPN to use layer 2, meaning we changed our OVPN configs from TUN to TAP, and bingo, that worked simply.
