Home Server Point-to-Point VPN Network

Index.

06-Jul-2011: initial release.
23-Aug-2012: configuration changed to netcfg.
06-Jan-2013: adjusted for Slackware.
29-Aug-2013: changed port from 1195 to 1196.

 

Introduction.

This article is about creating a point-to-point network between two home networks. It could be used to connect two family homes or two small business networks; everyone has his own reasons for wanting such a link. The link is built with OpenVPN, which gives you a virtual Ethernet connection, as if the two networks were joined by a network card and a very long cross cable. The connection is encrypted and authenticated.

OpenVPN 2.2.x cannot configure IPv6 on the point-to-point connection from the .conf file. But because we use tap devices on both endpoints, any Ethernet frame can be carried over the link, so both IPv4 and IPv6 work. The problem is only the configuration: the .conf file accepts IPv4 parameters only, so for IPv6 you must do all the interface configuration in the up and down scripts. It sounds more complicated than it really is. (The 2.3 series adds IPv6 directives such as ifconfig-ipv6 and route-ipv6.)

 

Update network plan.

First, update the network plan. Here we have added the 10.126.163.0 subnet with its corresponding IPv6 subnet. We use 10.126.163.1 and 2001:1af8:fecf:7ea3::1 for our local address; the remote side uses 10.126.163.2 and 2001:1af8:fecf:7ea3::2. You can use a totally different range if you like, but then routing will be a little more complicated. Picking a block from our own address space still leaves us four blocks free.

 

Home Server network plan.
IPv4              IPv6                        Remark
10.126.160.0/24   2001:1af8:fecf:7ea0::/64    Workstations LAN
10.126.161.0/24   2001:1af8:fecf:7ea1::/64    Server/Gateway LAN
10.126.162.0/24   2001:1af8:fecf:7ea2::/64    DMZ Network
10.126.163.0/24   2001:1af8:fecf:7ea3::/64    VPN trunk
10.126.164.0/24   2001:1af8:fecf:7ea4::/64    Spare
10.126.165.0/24   2001:1af8:fecf:7ea5::/64    Spare
10.126.166.0/24   2001:1af8:fecf:7ea6::/64    Spare
10.126.167.0/24   2001:1af8:fecf:7ea7::/64    Spare

 

Install OpenVPN.

Install OpenVPN on our local machine, create a working directory for the configuration, and generate a static key. The key is random key material that both ends will share, so make it readable by root only:

root@gateway:~# mkdir -p /etc/openvpn/wpl_mbse
root@gateway:/etc/openvpn/wpl_mbse# cd /etc/openvpn/wpl_mbse/
root@gateway:/etc/openvpn/wpl_mbse# openvpn --genkey --secret static.key
root@gateway:/etc/openvpn/wpl_mbse# chmod 400 static.key
root@gateway:/etc/openvpn/wpl_mbse#

 

Then in /etc/openvpn/wpl_mbse create wpl_mbse.up:

#!/bin/sh

/sbin/ifconfig $1 10.126.163.1 netmask 255.255.255.0 broadcast 10.126.163.255 \
         add 2001:1af8:fecf:7ea3::1/64
/sbin/route add -net 10.xxx.xxx.x netmask 255.255.248.0 gw 10.126.163.2
/sbin/route -A inet6 add 2001:1af8:feb8::/48 gw 2001:1af8:fecf:7ea3::2 $1

 

Then in /etc/openvpn/wpl_mbse create wpl_mbse.down:

#!/bin/sh

/sbin/route -A inet6 del 2001:1af8:feb8::/48 gw 2001:1af8:fecf:7ea3::2 $1
/sbin/route del -net 10.xxx.xxx.x netmask 255.255.248.0 gw 10.126.163.2
/sbin/ifconfig $1 del 2001:1af8:fecf:7ea3::1/64
/sbin/ifconfig $1 down
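
The two scripts above do the same work in opposite order. As an added example (not code from the original page), here is a single script that can be used as both the up and the down script of the link, using iproute2 instead of ifconfig/route. OpenVPN passes the device name as $1 and sets script_type to up or down in the environment before running the script. The remote IPv4 prefix, which the page elides, is read from the variable REMOTE_NET4; exporting it from the .conf with "setenv REMOTE_NET4 <prefix>" is an assumed usage, and DRY_RUN is an assumed switch that prints the commands instead of running them:

```sh
#!/bin/sh
# Added example, not from the original page: one script that serves as both
# the "up" and the "down" script of the wpl_mbse link, using iproute2 rather
# than ifconfig/route. OpenVPN passes the device name as $1 and sets
# script_type=up|down in the environment; when run by hand, pass up|down as $2.
# The remote IPv4 prefix is taken from REMOTE_NET4, which the .conf can export
# with "setenv REMOTE_NET4 <prefix>" (assumed usage; the page elides the value).
# DRY_RUN=1 prints the commands instead of executing them.

LOCAL4="10.126.163.1/24"
LOCAL6="2001:1af8:fecf:7ea3::1/64"
PEER4="10.126.163.2"
PEER6="2001:1af8:fecf:7ea3::2"
REMOTE_NET6="${REMOTE_NET6:-2001:1af8:feb8::/48}"   # from the page's route -A inet6 add

run() {
    if [ -n "$DRY_RUN" ]; then
        echo "$*"
    else
        "$@"
    fi
}

link_up() {
    dev="$1"
    run ip link set dev "$dev" up
    run ip -4 addr add "$LOCAL4" brd + dev "$dev"
    run ip -6 addr add "$LOCAL6" dev "$dev"
    if [ -n "$REMOTE_NET4" ]; then
        run ip -4 route add "$REMOTE_NET4" via "$PEER4" dev "$dev"
    fi
    run ip -6 route add "$REMOTE_NET6" via "$PEER6" dev "$dev"
}

# Tear down in reverse order, routes first, so nothing is routed into a
# half-configured interface.
link_down() {
    dev="$1"
    run ip -6 route del "$REMOTE_NET6" via "$PEER6" dev "$dev"
    if [ -n "$REMOTE_NET4" ]; then
        run ip -4 route del "$REMOTE_NET4" via "$PEER4" dev "$dev"
    fi
    run ip -6 addr del "$LOCAL6" dev "$dev"
    run ip -4 addr del "$LOCAL4" dev "$dev"
    run ip link set dev "$dev" down
}

vpn_script() {
    dev="$1"
    action="${script_type:-$2}"     # script_type is set by OpenVPN itself
    case "$action" in
        up)   link_up "$dev" ;;
        down) link_down "$dev" ;;
        *)    echo "usage: $0 <dev> {up|down}" >&2; return 2 ;;
    esac
}

[ $# -eq 0 ] || vpn_script "$@"
```

With this script both the up and the down directive in the .conf point at the same file. Run it by hand as "DRY_RUN=1 ./wpl_mbse.sh tap0 up" to see exactly which commands OpenVPN would execute before trusting it with a live link.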

 

Make both scripts mode 0755 (they run as root, so they must be writable by root only) and create /etc/openvpn/wpl_mbse.conf:

cd /etc/openvpn/wpl_mbse
remote 192.168.xxx.xxx
port 1196
dev tap0
keepalive 10 120
proto udp
persist-key
persist-tun
verb 1
comp-lzo
cipher DES-EDE3-CBC  # Triple-DES
script-security 3
up wpl_mbse.up
down wpl_mbse.down
secret static.key

 

A few remarks:

  • The remote address should be a FQDN (Fully Qualified Domain Name) if possible. If the remote is on a dynamic IP that changes and is kept up to date by a dynamic DNS updater, the link has a much better chance of reconnecting on its own.
  • We use UDP port 1196 instead of 1194; leave 1194 (the standard port) and 1195 for ad-hoc road warriors that connect to the LAN. That is a different story.
  • The directory and scripts are named after the from and to second-level domain names. Do what fits best, but keep in mind that you can have more than one point-to-point connection.
  • The persist-key, persist-tun and keepalive parameters make sure the connection automatically reconnects after a problem on the Internet or on the other side of the link.
  • In static key mode there is no client or server role: both ends are peers and both try to (re)start the connection at regular intervals.
  • So the firewall needs to allow UDP port 1196 out and in. If the remote has a fixed address, restrict that rule to the remote's address.
  • script-security 3 also lets OpenVPN hand passwords to scripts through the environment; level 2 is all that up and down scripts need.
  • DES-EDE3-CBC (Triple-DES), like the Blowfish default used when no cipher is given, has a 64-bit block size. When both ends support it, cipher AES-256-CBC is the better choice. There is no cipher negotiation in static key mode, so the cipher must be set identically on both sides.

On the remote you need the opposite configuration, but you don't need to generate a static.key there. Instead install our locally generated key on the remote, mode 0400, and copy it over an authenticated channel (scp over ssh, not mail). This key file is the weak point: whoever holds it can read and inject traffic on the link, and because a static key is never renegotiated there is no forward secrecy, so recorded traffic stays readable for as long as the key is known. If you ever think it has been stolen, generate a new key and install it on both ends. Optionally give the two directions separate keys by writing "secret static.key 0" on one side and "secret static.key 1" on the other.
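
Since the remarks above boil down to a handful of settings to check, here is an added example (not from the original page) that audits a static-key point-to-point .conf such as wpl_mbse.conf: a group- or world-readable secret, a 64-bit-block cipher (including the Blowfish default when no cipher is set), script-security 3, comp-lzo, and a remote given as a bare IPv4 address. The check function, its messages and its exit status convention are all mine; the config keywords are OpenVPN's:

```sh
#!/bin/sh
# Added example, not from the original page: a small audit of an OpenVPN
# static-key point-to-point .conf such as wpl_mbse.conf above. It flags the
# settings a reviewer would question: a world-readable secret, a 64-bit-block
# cipher, script-security 3, compression, and a remote given as a bare IP.
# Usage: check_conf /etc/openvpn/wpl_mbse.conf   (exit status = number of findings)

finding() { echo "WARN: $*"; findings=$((findings + 1)); }

# First value of a directive, with "# ..." comments stripped.
conf_get() { sed 's/#.*//' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'; }

check_conf() {
    conf="$1"; findings=0
    # relative paths in the .conf are resolved against its "cd" directory
    dir=$(conf_get "$conf" cd)
    [ -n "$dir" ] || dir=$(dirname "$conf")

    key=$(conf_get "$conf" secret)
    if [ -n "$key" ]; then
        case "$key" in /*) ;; *) key="$dir/$key" ;; esac
        if [ ! -f "$key" ]; then
            finding "secret file $key not found"
        elif ls -l "$key" | cut -c5-10 | grep -q '[rwx]'; then
            finding "secret file $key is readable by group/other; chmod 400 it"
        fi
        echo "NOTE: static key mode has no forward secrecy; rotate the key on any suspicion of theft"
    fi

    # Without "cipher", pre-2.4 OpenVPN defaults to BF-CBC; Blowfish and 3DES
    # both have 64-bit blocks. Static key mode cannot use AEAD ciphers, so CBC.
    cipher=$(conf_get "$conf" cipher)
    case "${cipher:-BF-CBC}" in
        DES*|BF-*) finding "cipher ${cipher:-BF-CBC (default)} has a 64-bit block; use AES-256-CBC on both ends" ;;
    esac

    if [ "$(conf_get "$conf" script-security)" = 3 ]; then
        finding "script-security 3 also passes passwords to scripts; 2 is enough for up/down"
    fi

    if grep -q '^comp-lzo' "$conf"; then
        finding "comp-lzo: compressing attacker-influenced traffic leaks information; drop it unless needed"
    fi

    remote=$(conf_get "$conf" remote)
    case "$remote" in
        "")        finding "no remote configured" ;;
        *[!0-9.]*) ;;   # contains a non-digit: a hostname, as recommended
        *)         finding "remote $remote is a bare IPv4 address; a FQDN survives address changes" ;;
    esac

    [ "$findings" -eq 0 ] && echo "OK: $conf has no findings"
    return "$findings"
}

[ $# -eq 0 ] || check_conf "$1"
```

Run it against the wpl_mbse.conf shown above and it reports the 3DES cipher, script-security 3 and comp-lzo; fix those and make sure static.key is mode 0400 and it reports nothing. The same check is worth running on the remote's copy, since nothing forces the two configurations to stay in step.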

 

Starting the link.

I have written a sysv init script, /etc/rc.d/init.d/openvpn, with the following contents:

#!/bin/sh
#
# sysv init script to start and stop openvpn connections on Slackware.
#
# Copyright 2012 Michiel Broek, The Netherlands.

CFGDIR="/etc/openvpn"
STATEDIR="/var/run/openvpn"

case "$1" in
  start)
    echo -n "Starting openvpn connections: "
    success=0
    mkdir -p "${STATEDIR}"
    for cfg in "${CFGDIR}"/*.conf; do
      [ -f "${cfg}" ] || continue    # no .conf files: the glob stays literal
      echo -n "$(basename "${cfg}" .conf) "
      /usr/sbin/openvpn --daemon --writepid "${STATEDIR}"/"$(basename "${cfg}" .conf)".pid \
        --cd "${CFGDIR}" --config "${cfg}" || success=$?
    done
    echo ""
    ;;
  stop)
    echo -n "Stopping openvpn connections: "
    for pidfile in "${STATEDIR}"/*.pid; do
      echo -n "$(basename "${pidfile}" .pid) "
      kill $(cat "${pidfile}" 2>/dev/null) 2>/dev/null
      rm -f "${pidfile}"
    done
    echo ""
    ;;
  restart)
    $0 stop
    sleep 1
    $0 start
    ;;
  status)
    echo -n "Openvpn connections: "
    mkdir -p "${STATEDIR}"
    for cfg in "${CFGDIR}"/*.conf; do
      if [ -f "${STATEDIR}"/"$(basename "${cfg}" .conf)".pid ]; then
        echo -n "$(basename "${cfg}" .conf)=up "
      else
        echo -n "$(basename "${cfg}" .conf)=down "
      fi
    done
    echo ""
    ;;
  *)
    echo "usage: $0 {start|stop|restart|status}"
esac

 

Now create the symlinks for runlevels 3 and 4 and start openvpn:

root@gateway:/etc/rc.d/rc3.d# ln -s ../init.d/openvpn S01openvpn
root@gateway:/etc/rc.d/rc3.d# ln -s ../init.d/openvpn K99openvpn
root@gateway:/etc/rc.d/rc3.d# cd ../rc4.d
root@gateway:/etc/rc.d/rc4.d# ln -s ../init.d/openvpn S01openvpn
root@gateway:/etc/rc.d/rc4.d# ln -s ../init.d/openvpn K99openvpn
root@gateway:/etc/rc.d/rc4.d# /etc/rc.d/init.d/openvpn start
Starting openvpn connections: wpl_mbse
root@gateway:/etc/rc.d/rc4.d#

 

In your firewall you need to add this new network interface, including its IPv4 and IPv6 addresses, and add rules for it. The simplest is a policy rule that allows all traffic on the interface; keep in mind that this trusts the remote LAN completely, so if only a few services are needed across the link, allow just those. You can check the link with some ping commands:

mbroek@mgmtws:~$ ping -c1 10.126.163.2
PING 10.126.163.2 (10.126.163.2) 56(84) bytes of data.
64 bytes from 10.126.163.2: icmp_req=1 ttl=62 time=4.83 ms

--- 10.126.163.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 4.831/4.831/4.831/0.000 ms
mbroek@mgmtws:~$ ping6 -c1 2001:1af8:fecf:7ea3::2
PING 2001:1af8:fecf:7ea3::2(2001:1af8:fecf:7ea3::2) 56 data bytes
64 bytes from 2001:1af8:fecf:7ea3::2: icmp_seq=1 ttl=62 time=5.40 ms

--- 2001:1af8:fecf:7ea3::2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 5.404/5.404/5.404/0.000 ms
mbroek@mgmtws:~$
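
For a firewall that does not simply allow everything on the tunnel interface, here is an added example (not from the original page) that emits iptables-restore and ip6tables-restore fragments for the trunk. The tunnel's UDP port is opened only to and from the peer's public address, and on tap0 only traffic between the remote LAN prefix (or the peer's trunk address) and our own aggregates 10.126.160.0/21 and 2001:1af8:fecf:7ea0::/61, which cover the eight blocks of the network plan; anything else arriving on tap0 is logged and dropped. The outer interface name eth0 is an assumption, and the peer address and the remote prefix, which the page elides, are supplied by the caller:

```sh
#!/bin/sh
# Added example, not from the original page: emit iptables-restore and
# ip6tables-restore fragments for the VPN trunk instead of a blanket
# "allow everything on tap0". The tunnel's UDP port is opened only to and
# from the peer's public address, and on tap0 only traffic between the
# remote LAN prefix (or the peer's trunk address) and our own aggregate
# 10.126.160.0/21 / 2001:1af8:fecf:7ea0::/61, the eight blocks of the
# network plan. The outer interface name eth0 is an assumption; the peer
# address and remote prefix (elided on the page) are passed in by the caller.
#
# Usage: vpn_rules4 <peer-public-ipv4> <remote-lan-ipv4-prefix> | iptables-restore -n
#        vpn_rules6 <peer-public-ipv6> <remote-lan-ipv6-prefix> | ip6tables-restore -n

WAN_IF="eth0"
VPN_IF="tap0"
VPN_PORT="1196"

# $1 peer address, $2 remote LAN prefix, $3 our aggregate, $4 trunk subnet, $5 family
emit_rules() {
    peer="$1"; remote="$2"; ours="$3"; trunk="$4"; family="$5"
    echo "*filter"
    echo "# tunnel transport: both ends use port $VPN_PORT as source and destination"
    echo "-A INPUT  -i $WAN_IF -p udp -s $peer --sport $VPN_PORT --dport $VPN_PORT -j ACCEPT"
    echo "-A OUTPUT -o $WAN_IF -p udp -d $peer --sport $VPN_PORT --dport $VPN_PORT -j ACCEPT"
    if [ "$family" = 6 ]; then
        echo "# neighbour discovery on the link uses link-local and multicast addresses"
        echo "-A INPUT  -i $VPN_IF -p icmpv6 -j ACCEPT"
        echo "-A OUTPUT -o $VPN_IF -p icmpv6 -j ACCEPT"
    fi
    echo "# inside the tunnel: remote LAN or the peer's trunk address <-> our prefixes only"
    for src in "$remote" "$trunk"; do
        echo "-A INPUT   -i $VPN_IF -s $src -d $ours -j ACCEPT"
        echo "-A FORWARD -i $VPN_IF -s $src -d $ours -j ACCEPT"
    done
    for dst in "$remote" "$trunk"; do
        echo "-A OUTPUT  -o $VPN_IF -s $ours -d $dst -j ACCEPT"
        echo "-A FORWARD -o $VPN_IF -s $ours -d $dst -j ACCEPT"
    done
    echo "# anything else on the tunnel interface is logged and dropped"
    echo "-A INPUT   -i $VPN_IF -j LOG --log-prefix \"vpn-trunk drop: \""
    echo "-A INPUT   -i $VPN_IF -j DROP"
    echo "-A FORWARD -i $VPN_IF -j DROP"
    echo "COMMIT"
}

vpn_rules4() { emit_rules "$1" "$2" 10.126.160.0/21 10.126.163.0/24 4; }
vpn_rules6() { emit_rules "$1" "$2" 2001:1af8:fecf:7ea0::/61 2001:1af8:fecf:7ea3::/64 6; }

case "$1" in
    4) shift; vpn_rules4 "$@" ;;
    6) shift; vpn_rules6 "$@" ;;
esac
```

The trunk subnet is allowed separately because the peer's tunnel address 10.126.163.2 lies in our plan, not in the remote LAN prefix; without that rule the ping test above would be dropped. Because tap carries whole Ethernet frames, IPv4 broadcasts from the remote LAN (DHCP, NetBIOS and the like) also arrive on tap0; they end up in the LOG/DROP rules, which is the intended place for them. ICMPv6 is accepted wholesale on the link because neighbour discovery needs it; narrow it to the ND types if you prefer.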

 

Download.

See the download page for the script and configuration files.