I want to tell you how, with a VPS on the Internet, you can bring up a tunnel into your home network, so that you neither pay your provider for a static IP nor let its NAT stop you from making your home services reachable from the Internet. What we have:
- a VPS on Debian with a static public IP
- a router running OpenWRT, sitting behind the provider's NAT
- a home network of computers and virtual machines in 192.168.1.0/24
First, install and configure the OpenVPN server on the VPS:
apt-get update
apt-get install openvpn
Then create a configuration file for it in /etc/openvpn (the Debian init script starts one instance for every *.conf file found there):
dev tun0
ifconfig 10.9.8.1 10.9.8.2
secret /etc/openvpn/static.key
Here 10.9.8.x is our VPN network: the address 10.9.8.1 goes to the VPN server and 10.9.8.2 to the VPN client. Note that with a static key there is no certificate and no login; whoever holds the key file can bring up the tunnel, so treat it like a password.
We also need to generate the key that the router will use to connect to the server (the path matches the secret line in the config; openvpn creates the file with mode 0600):
openvpn --genkey --secret /etc/openvpn/static.key
After that the daemon can be started:
service openvpn start
Now install OpenVPN on the router, which will be the side that initiates the VPN connection (on current OpenWRT releases the package is named openvpn-openssl or openvpn-mbedtls):
opkg update
opkg install openvpn
Copy the key to the router with scp, into /etc/openvpn/static.key.
Then create the client configuration, /etc/openvpn/tun0.conf:
remote your-server.org
dev tun0
ifconfig 10.9.8.2 10.9.8.1
secret /etc/openvpn/static.key
Now check whether everything works by starting the client in the foreground:
openvpn --config /etc/openvpn/tun0.conf
If all is OK, start the OpenVPN daemon and enable it at boot:
/etc/init.d/openvpn start
/etc/init.d/openvpn enable
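As an added example, not code from the original post, here is a small script that writes both ends' configuration with a few directives the minimal files above leave out: an explicit proto and port, keepalive so OpenVPN itself pings the peer every 10 seconds and restarts the tunnel after 60 silent seconds (which also keeps the provider's NAT mapping alive), persist-key and persist-tun so those restarts neither re-read the key nor tear down tun0, the direction argument to secret (0 on the server, 1 on the client) so each direction of traffic uses a different half of the static key, and a route line on the server that does the job of a manual static route to 192.168.1.0/24. The hostname your-server.org and the addresses are those of the post; the script name, the function names and the port are my own choices.

```sh
#!/bin/sh
# Added example (not from the original post): write the two static-key
# OpenVPN configurations for the tunnel described above.
#   ./vpnconf.sh server   on the VPS
#   ./vpnconf.sh client   on the OpenWRT router
# Hostname and addresses follow the post; the rest is this example's choice.
set -eu

SERVER_NAME="your-server.org"      # public name of the VPS (from the post)
SERVER_VPN_IP="10.9.8.1"
CLIENT_VPN_IP="10.9.8.2"
HOME_NET="192.168.1.0"
HOME_MASK="255.255.255.0"
KEY_FILE="/etc/openvpn/static.key"
CONF_FILE="/etc/openvpn/tun0.conf"
VPN_PORT="1194"                    # OpenVPN default; chosen here, not in the post

# Directives shared by both ends.  $1 is the key direction: 0 on the
# server, 1 on the client, so each traffic direction uses its own half
# of the static key.
common_conf() {
    cat <<EOF
dev tun0
proto udp
port $VPN_PORT
secret $KEY_FILE $1
# ping the peer every 10 s, restart the tunnel after 60 s of silence;
# the pings also keep the provider's NAT mapping for the UDP flow alive
keepalive 10 60
# on those restarts keep the key in memory and keep tun0 (and its routes)
persist-key
persist-tun
verb 3
EOF
}

server_conf() {
    common_conf 0
    cat <<EOF
ifconfig $SERVER_VPN_IP $CLIENT_VPN_IP
# the home LAN is behind the client; OpenVPN adds this route when tun0 is up
route $HOME_NET $HOME_MASK
EOF
}

client_conf() {
    echo "remote $SERVER_NAME"
    common_conf 1
    echo "ifconfig $CLIENT_VPN_IP $SERVER_VPN_IP"
}

# Generate the key once; openvpn creates it with mode 0600.
# (OpenVPN 2.5+ prefers "openvpn --genkey secret FILE" and warns about the old spelling.)
ensure_key() {
    [ -f "$KEY_FILE" ] || openvpn --genkey --secret "$KEY_FILE"
}

install_conf() {   # $1 = server | client
    "${1}_conf" > "$CONF_FILE"
}

case "${1:-}" in
    server) ensure_key; install_conf server ;;
    client) install_conf client ;;
esac
```

Run it with the server argument on the VPS, copy the key to the router, run it with the client argument there, then ping 10.9.8.2 from the VPS; with persist-tun the route to the home network survives the keepalive-driven restarts.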
A few words about NAT
Because my router is behind the provider's NAT, after the tunnel came up and then went idle for a while, the connection simply stopped working for me until at least one packet was sent from the client side to the server.
So I decided to send a ping to my VPN server's address every 30 seconds. That turned out to be enough, but since the ping command on my OpenWRT router does not understand the -i option, I had to write a small script:
#!/bin/sh
# keep the NAT mapping alive: one ping to the VPN server every 30 seconds
while true; do
    ping -c 1 10.9.8.1 > /dev/null 2>&1
    sleep 30
done
Then I made it executable
and added a line to /etc/rc.local so that it starts at boot:
It has to go before exit 0, and don't forget the & at the end of the line: it stops the router from waiting for our script to finish at startup, since the script loops forever.
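As an added example, not from the original post, here is the same ping loop extended into a watchdog: besides refreshing the NAT mapping it counts consecutive missed replies and restarts OpenVPN once too many are missed, so a tunnel that the provider's NAT has silently dropped comes back without a hand on the router. (OpenVPN's own ping and ping-restart directives do this from inside the daemon; the script is the approach the post takes, and it additionally logs what happened.) The address and the 30 second interval are from the post; the threshold, the script name and the log tag are my own.

```sh
#!/bin/sh
# Added example (not from the original post): keepalive watchdog for the
# router side.  Like the post's loop it pings the VPN server every
# INTERVAL seconds so the provider's NAT keeps the tunnel's UDP mapping,
# and in addition it restarts OpenVPN after MAX_FAILS missed replies in a
# row.  Start it as "/usr/bin/vpn-keepalive.sh run &" from /etc/rc.local.
# Thresholds, names and the log tag are this example's own choices.
set -u

PEER="${PEER:-10.9.8.1}"        # VPN address of the VPS (from the post)
INTERVAL="${INTERVAL:-30}"      # seconds between probes (from the post)
MAX_FAILS="${MAX_FAILS:-5}"     # consecutive misses before a restart
INIT_SCRIPT="/etc/init.d/openvpn"

# One probe: a single ICMP echo, giving up after 5 seconds.
probe() {
    ping -c 1 -W 5 "$PEER" >/dev/null 2>&1
}

# Bookkeeping kept free of side effects so it can be tested without a
# network: $1 = current miss count, $2 = exit status of the last probe.
next_count() {
    if [ "$2" -eq 0 ]; then echo 0; else echo $(( $1 + 1 )); fi
}

# Exit status 0 when the miss count has reached the restart threshold.
should_restart() {
    [ "$1" -ge "$MAX_FAILS" ]
}

watchdog() {
    fails=0
    while :; do
        if probe; then status=0; else status=1; fi
        fails=$(next_count "$fails" "$status")
        if should_restart "$fails"; then
            logger -t vpn-keepalive "no reply from $PEER $fails times, restarting openvpn"
            "$INIT_SCRIPT" restart || logger -t vpn-keepalive "openvpn restart failed"
            fails=0
        fi
        sleep "$INTERVAL"
    done
}

# Only loop when invoked with "run", so the file can also be sourced.
case "${1:-}" in
    run) watchdog ;;
esac
```

The counting and the threshold test are separate functions on purpose: they can be checked on a machine with no tunnel at all, and the only parts that touch the system are probe and the restart call.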
Now let's set up routing.
So that the VPS knows that the way to our home network lies through the router (the VPN client), we need to add a static route:
route add -net 192.168.1.0 netmask 255.255.255.0 tun0
This can be put in the same /etc/rc.local on the VPS, with one caveat: tun0 has to exist when the command runs, so at boot it only works if OpenVPN has already been started by then.
For the router to let our server into the home network, and for machines on the home network to reach the server, the following rules need to be added on the router.
Let's create a file and put these rules in it:
#!/bin/sh
# Allow forwarding via the tunnel (tun+ matches every tun interface)
iptables -I INPUT -i tun+ -j ACCEPT
iptables -I FORWARD -i tun+ -j ACCEPT
iptables -I OUTPUT -o tun+ -j ACCEPT
iptables -I FORWARD -o tun+ -j ACCEPT
Make it executable
and add it to /etc/rc.local for startup. Keep in mind that a firewall restart on OpenWRT flushes these rules; on releases that still use fw3 with iptables, /etc/firewall.user is re-run on every firewall reload and is the better place for them.
That's basically it.
Our networks are connected: all the machines see each other and exchange packets.
Now, if you want, you can set up forwarding of ports from the outside to an address inside the network.
Here, for example, is how forwarding of the SSH port to one of the machines on my home network looks:
# Forward port 666 on the VPS to ssh on the home machine
iptables -t nat -A PREROUTING -d XX.XX.XX.XXX -p tcp --dport 666 -j DNAT --to-destination 192.168.1.200:22
iptables -t nat -A POSTROUTING -d 192.168.1.200 -p tcp --dport 22 -j SNAT --to-source 10.9.8.1
Where XX.XX.XX.XXX is the external IP of the server, 192.168.1.200 is the IP of my machine on the home network, and 666 is the port I connect to in order to reach that machine.
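Here is an added example, not from the original post, of the VPS side of that forwarding as a re-runnable script. Two things the two rules above rely on are made explicit: forwarding has to be enabled in the kernel (net.ipv4.ip_forward), and each rule is checked with iptables -C before being appended, so running the script again from /etc/rc.local does not stack duplicates. The SNAT to 10.9.8.1 is there because the home machine's default route points at the router and on to the provider, not into the tunnel; rewriting the source to the VPS's tunnel address makes the replies come back through tun0, at the price that sshd on 192.168.1.200 sees every connection as coming from 10.9.8.1. 203.0.113.10 stands in for the VPS's public address (the XX.XX.XX.XXX above) and the function names are mine; port 666 and 192.168.1.200:22 are from the post.

```sh
#!/bin/sh
# Added example (not from the original post): publish ssh on a home
# machine through the VPS.  Run "./publish.sh apply" on the VPS as root.
# 203.0.113.10 is a placeholder for the VPS's public address; the port
# and the home machine are the ones used in the post.
set -eu

EXT_IP="${EXT_IP:-203.0.113.10}"   # public address of the VPS (placeholder)
VPN_IP="10.9.8.1"                  # VPS end of the tunnel, used as SNAT source
IPT="${IPT:-iptables}"             # set IPT=echo for a dry run

# Rule bodies as text, so the same text is used for -C (check) and -A (append).
dnat_rule() {   # $1 public port, $2 home host, $3 home port
    echo "PREROUTING -d $EXT_IP -p tcp --dport $1 -j DNAT --to-destination $2:$3"
}
snat_rule() {   # $1 home host, $2 home port
    echo "POSTROUTING -d $1 -p tcp --dport $2 -j SNAT --to-source $VPN_IP"
}
fwd_rule() {    # $1 home host, $2 home port
    echo "FORWARD -o tun0 -d $1 -p tcp --dport $2 -j ACCEPT"
}

# Append a rule only when an identical one is not already in the table,
# so the script is safe to run again at every boot.
ipt_add() {     # $1 table, remaining args = the rule
    table=$1; shift
    $IPT -t "$table" -C "$@" 2>/dev/null || $IPT -t "$table" -A "$@"
}

# Without this the kernel drops the DNATed packets instead of forwarding
# them; put net.ipv4.ip_forward=1 in /etc/sysctl.conf to keep it across reboots.
enable_forwarding() {
    sysctl -q -w net.ipv4.ip_forward=1
}

publish() {     # $1 public port, $2 home host, $3 home port
    ipt_add nat $(dnat_rule "$1" "$2" "$3")
    ipt_add nat $(snat_rule "$2" "$3")
    # only needed when the FORWARD chain's policy is DROP
    ipt_add filter $(fwd_rule "$2" "$3")
    ipt_add filter FORWARD -i tun0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

case "${1:-}" in
    apply)
        enable_forwarding
        publish 666 192.168.1.200 22    # public port 666 -> ssh on the home machine
        ;;
esac
```

Add one publish line per service; because ipt_add checks before it appends, the script can simply be called from /etc/rc.local on every boot.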
PS: If something doesn't work for you, make sure your VPS has iptables and all the kernel modules it needs; on container-based VPSes (OpenVZ and the like) the tun device and the NAT modules are often missing, and forwarding must be enabled with net.ipv4.ip_forward=1.
While writing this article I used information from the following sources:
This article is a translation of the original post at habrahabr.ru/post/216101/