Index.
- Introduction.
- Update network plan.
- Install OpenVPN.
- Starting the link.
- Download.
Introduction.
This article is about creating a Point-to-Point network between two home networks. This could be used to connect two family homes or two small business networks; everyone has their own reasons for a Point-to-Point network. The Point-to-Point network is created using OpenVPN, which gives you a virtual Ethernet connection that behaves as if the two networks were joined by a network card and a very long crossover cable. The connection is encrypted and authenticated with a shared static key.
Currently OpenVPN 2.2.x has no support for configuring IPv6 on the Point-to-Point connection from the .conf file. But because we are using tap devices on the endpoints, any Ethernet frame can be transferred over the link, so IPv4 and IPv6 both work; the limitation is purely in the configuration. In the .conf file only IPv4 interface parameters can be set, so to use IPv6 you must do all the interface configuration in the up and down scripts. It sounds more complicated than it really is. (The upcoming 2.3 series is expected to support IPv6 configuration natively.)
Update network plan.
First, update the network plan. Here we have added the 10.126.163.0/24 subnet with its corresponding IPv6 subnet. We use 10.126.163.1 and 2001:1af8:fecf:7ea3::1 for our local address. For the remote side we use 10.126.163.2 and 2001:1af8:fecf:7ea3::2. You can use a totally different range if you like, but then routing will be a little more complicated. Picking an address block from our existing space still leaves us 4 address blocks free.
| IPv4 | IPv6 | Remark |
|---|---|---|
| 10.126.160.0/24 | 2001:1af8:fecf:7ea0::/64 | Workstations LAN |
| 10.126.161.0/24 | 2001:1af8:fecf:7ea1::/64 | Server/Gateway LAN |
| 10.126.162.0/24 | 2001:1af8:fecf:7ea2::/64 | DMZ Network |
| 10.126.163.0/24 | 2001:1af8:fecf:7ea3::/64 | VPN trunk |
| 10.126.164.0/24 | 2001:1af8:fecf:7ea4::/64 | Spare |
| 10.126.165.0/24 | 2001:1af8:fecf:7ea5::/64 | Spare |
| 10.126.166.0/24 | 2001:1af8:fecf:7ea6::/64 | Spare |
| 10.126.167.0/24 | 2001:1af8:fecf:7ea7::/64 | Spare |
Install OpenVPN.
Install OpenVPN on our local machine, create a working directory for the configuration, and generate a static key.
[root@gateway ~]# pacman -S openvpn
resolving dependencies...
looking for inter-conflicts...
Targets (2): lzo2-2.05-1 openvpn-2.2.0-1
Total Download Size: 0.38 MB
Total Installed Size: 1.50 MB
Proceed with installation? [Y/n]
:: Retrieving packages from core...
lzo2-2.05-1-i686 105.0K 419.7K/s 00:00:00 [######################] 100%
openvpn-2.2.0-1-i686 287.3K 713.8K/s 00:00:00 [######################] 100%
(2/2) checking package integrity [######################] 100%
(2/2) checking for file conflicts [######################] 100%
(1/2) installing lzo2 [######################] 100%
(2/2) installing openvpn [######################] 100%
[root@gateway ~]# mkdir -p /etc/openvpn/wpl_mbse
[root@gateway ~]# cd /etc/openvpn/wpl_mbse/
[root@gateway wpl_mbse]# openvpn --genkey --secret static.key
[root@gateway wpl_mbse]# chmod 400 static.key
[root@gateway wpl_mbse]#
Then in /etc/openvpn/wpl_mbse create wpl_mbse.up:
#!/bin/sh
# $1 is the tap device name passed in by OpenVPN (tap0 here).
# Our IPv4 and IPv6 address on the link:
ifconfig $1 10.126.163.1 netmask 255.255.255.0 broadcast 10.126.163.255 \
add 2001:1af8:fecf:7ea3::1/64
# Route the remote IPv4 networks over the link (fill in the remote ranges):
route add -net 10.xxx.xxx.x netmask 255.255.248.0 gw 10.xxx.xxx.x
# Route the remote IPv6 /48 via the remote end of the link:
route -A inet6 add 2001:1af8:feb8::/48 gw 2001:1af8:fecf:7ea3::2 $1
Then in /etc/openvpn/wpl_mbse create wpl_mbse.down:
#!/bin/sh
# Undo the up script in reverse order; $1 is the tap device name.
/sbin/route -A inet6 del 2001:1af8:feb8::/48 gw 2001:1af8:fecf:7ea3::2 $1
/sbin/route del -net 10.xxx.xxx.x netmask 255.255.248.0 gw 10.xxx.xxx.x
ifconfig $1 del 2001:1af8:fecf:7ea3::1/64
ifconfig $1 down
Make both scripts mode 0755 and create /etc/openvpn/wpl_mbse.conf:
cd /etc/openvpn/wpl_mbse
remote 192.168.xxx.xxx
port 1195
dev tap0
keepalive 10 120
proto udp
persist-key
persist-tun
verb 1
comp-lzo
cipher DES-EDE3-CBC # Triple-DES
script-security 3
up wpl_mbse.up
down wpl_mbse.down
secret static.key
A few remarks:
- The remote address should be a FQDN (Fully Qualified Domain Name) if possible. If the remote is on a dynamic IP that changes and the name is kept up to date by a dynamic DNS updater, you have a much better chance of reconnecting.
- We use UDP port 1195 instead of 1194; leave 1194 (the standard port) for ad-hoc road warriors connecting to the LAN. That is a different story.
- The directory and scripts are named after the second-level domain names of the two ends. Do what you think fits best, but keep in mind that you can have more than one point-to-point connection.
- The persist-key, persist-tun and keepalive parameters make sure the connection reconnects automatically after a problem on the Internet or with the other side of the link.
- With a static key there is no client/server role: both sides are peers and both try to (re)start the connection at regular intervals.
- So the firewall needs to allow UDP port 1195 both out and in.
- script-security 2 is all that up/down scripts need; level 3 additionally passes passwords to scripts through the environment, which this setup never uses.
- Triple-DES is a 64-bit block cipher and is the weakest choice OpenVPN 2.2 offers besides the default Blowfish; cipher AES-256-CBC works on the same version and is the better choice. Whatever you pick, both sides must use the same cipher.
On the remote you need the opposite configuration (local and remote addresses and routes swapped), but you don't create a second static.key. Instead copy the key generated here to the remote over a trusted channel such as scp, and give it mode 400 there as well. This key file is the weak point of the setup: anyone who holds it can decrypt and inject traffic on the link, so if you ever suspect it has been stolen, generate a new key and install it on both sides.
In the file /etc/conf.d/openvpn-tapdev you need to set the name of the tap device; if it's the first one, use tap0.
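Before starting a peer it is worth checking the things that most often go wrong with a static-key setup. The following POSIX shell script is an added example, not code from the original article or from the OpenVPN project: it reads a .conf laid out as above (a cd line naming the directory that holds static.key and the up/down scripts) and reports a key that is not root-only, scripts that are missing, not executable or writable by others, a script-security level higher than needed, and a 64-bit-block cipher. It assumes GNU coreutils for stat -c, and the file names check_p2p.sh, peer.conf, peer.up and peer.down are my own; the sample peer it builds in a temporary directory is constructed for the demo and uses placeholder key bytes, not a real OpenVPN key.

```shell
#!/bin/sh
# check_p2p.sh: pre-flight check for a static-key OpenVPN point-to-point peer.
# Added example, not part of the original article or of OpenVPN itself.
# Assumes GNU coreutils (stat -c) and the .conf layout used in the article.

# conf_get FILE DIRECTIVE: print the first argument of DIRECTIVE in FILE,
# ignoring comments; prints nothing when the directive is absent.
conf_get() {
    sed -e 's/#.*//' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# resolve DIR PATH: make PATH absolute relative to the .conf's cd directory.
resolve() {
    case $2 in /*) printf '%s\n' "$2" ;; *) printf '%s/%s\n' "$1" "$2" ;; esac
}

# check_p2p_conf FILE: print one line per finding and return the number
# of findings (0 means the peer configuration passed every check).
check_p2p_conf() {
    conf=$1
    n=0
    [ -r "$conf" ] || { echo "ERROR: cannot read $conf"; return 1; }
    dir=$(conf_get "$conf" cd)
    [ -n "$dir" ] || dir=$(dirname "$conf")

    # 1. The shared secret is the only credential on the link: it must exist
    #    and be readable by root only (the article uses chmod 400).
    key=$(resolve "$dir" "$(conf_get "$conf" secret)")
    if [ ! -f "$key" ]; then
        echo "ERROR: secret $key is missing"; n=$((n + 1))
    else
        mode=$(stat -c '%a' "$key")
        case $mode in
            400|600) ;;
            *) echo "ERROR: $key is mode $mode, expected 400 or 600"; n=$((n + 1)) ;;
        esac
    fi

    # 2. up/down scripts run as root: they must exist, be executable and
    #    not be writable by group or others.
    for d in up down; do
        s=$(conf_get "$conf" $d)
        [ -n "$s" ] || continue
        s=$(resolve "$dir" "$s")
        if [ ! -x "$s" ]; then
            echo "ERROR: $d script $s is missing or not executable"; n=$((n + 1))
            continue
        fi
        perm=$(stat -c '%a' "$s"); perm=${perm#"${perm%???}"}   # last three digits
        case $perm in
            ?[2367]?|??[2367]) echo "WARN: $s is mode $perm, writable by group or others"; n=$((n + 1)) ;;
        esac
    done

    # 3. script-security 2 is what up/down scripts need; level 3 additionally
    #    passes passwords to scripts through the environment.
    case $(conf_get "$conf" script-security) in
        "") echo "ERROR: script-security is not set, up/down scripts will not run"; n=$((n + 1)) ;;
        3)  echo "WARN: script-security 3 is more than up/down scripts need, use 2"; n=$((n + 1)) ;;
    esac

    # 4. Triple-DES and the default Blowfish have a 64-bit block; prefer AES-256-CBC.
    cipher=$(conf_get "$conf" cipher)
    [ -n "$cipher" ] || cipher="BF-CBC"   # OpenVPN 2.2 default when no cipher is given
    case $cipher in
        DES-*|BF-*) echo "WARN: cipher $cipher has a 64-bit block, use AES-256-CBC"; n=$((n + 1)) ;;
    esac

    return $n
}

# make_sample_peer: build a constructed peer directory in a temp location
# (placeholder key bytes, not a real OpenVPN key) and print its .conf path.
make_sample_peer() {
    d=$(mktemp -d)
    mkdir "$d/peer"
    printf '%s\n' '-----BEGIN OpenVPN Static key V1-----' 'deadbeef' \
        '-----END OpenVPN Static key V1-----' > "$d/peer/static.key"
    chmod 644 "$d/peer/static.key"                      # too permissive on purpose
    printf '#!/bin/sh\nexit 0\n' > "$d/peer/peer.up";   chmod 755 "$d/peer/peer.up"
    printf '#!/bin/sh\nexit 0\n' > "$d/peer/peer.down"; chmod 775 "$d/peer/peer.down"   # group-writable on purpose
    cat > "$d/peer.conf" <<EOF
cd $d/peer
remote vpn.example.net
port 1195
dev tap0
keepalive 10 120
proto udp
persist-key
persist-tun
comp-lzo
cipher DES-EDE3-CBC # Triple-DES
script-security 3
up peer.up
down peer.down
secret static.key
EOF
    printf '%s\n' "$d/peer.conf"
}

# Stand-alone run: sh check_p2p.sh --demo checks the constructed sample
# (four findings: key mode, down script mode, script-security, cipher).
if [ "${1:-}" = "--demo" ]; then
    check_p2p_conf "$(make_sample_peer)"
    echo "findings: $?"
fi
```

Run it against a real peer with check_p2p_conf /etc/openvpn/wpl_mbse.conf from a shell that has sourced the file; a clean configuration returns 0, so the call can be placed in front of the OpenVPN start in a deploy script. The checks are deliberately conservative: a mode 644 key or a group-writable up script is reported even though OpenVPN will happily start with them, because that is exactly when the static key leaks unnoticed.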
Starting the link.
If both sides of the link are configured, start them:
[root@gateway openvpn]# /etc/rc.d/openvpn-tapdev start
:: Creating tap devices for OpenVPN ... tap0 [DONE]
[root@gateway openvpn]# /etc/rc.d/openvpn start
:: Starting OpenVPN ... wpl_mbse [DONE]
[root@gateway openvpn]# ifconfig tap0
tap0      Link encap:Ethernet  HWaddr 9E:6E:6A:AC:8F:CD
          inet addr:10.126.163.1  Bcast:10.126.163.255  Mask:255.255.255.0
          inet6 addr: fe80::9c6e:6aff:feac:8fcd/64 Scope:Link
          inet6 addr: 2001:1af8:fecf:7ea3::1/64 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3050 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3339 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:267907 (261.6 Kb)  TX bytes:2777678 (2.6 Mb)
[root@gateway openvpn]#
In your firewall you need to add this new network interface, including its IPv4 and IPv6 addresses. Then add a policy rule to allow traffic on that interface. Allowing everything on tap0 means you trust the remote LAN as much as your own; if the other side is less trusted, restrict the rule to the hosts and ports that really need to cross the link. You can check the link with some ping commands:
mbroek@mgmtws:~$ ping -c1 10.126.163.2
PING 10.126.163.2 (10.126.163.2) 56(84) bytes of data.
64 bytes from 10.126.163.2: icmp_req=1 ttl=62 time=4.83 ms
--- 10.126.163.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 4.831/4.831/4.831/0.000 ms
mbroek@mgmtws:~$ ping6 -c1 2001:1af8:fecf:7ea3::2
PING 2001:1af8:fecf:7ea3::2(2001:1af8:fecf:7ea3::2) 56 data bytes
64 bytes from 2001:1af8:fecf:7ea3::2: icmp_seq=1 ttl=62 time=5.40 ms
--- 2001:1af8:fecf:7ea3::2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 5.404/5.404/5.404/0.000 ms
mbroek@mgmtws:~$
Download.
In the usual place you can find the updated scripts and configuration files:
