Developers Club geek daily blog

3 years, 6 months ago
Bringing up a VPN tunnel from the outside world into a home network behind NAT

I want to show how, with a VPS on the Internet, you can bring up a tunnel into your home network and make your home services reachable from the Internet without paying the provider for a static IP, even while sitting behind the provider's NAT.

Starting point


  • a VPS on Debian with a static public IP
  • a router running OpenWRT, sitting behind the provider's NAT
  • a home network of computers and virtual machines in 192.168.1.0/24


Setting up the tunnel


First, install and configure the OpenVPN server on the VPS:
  apt-get update
  apt-get install openvpn
 

Now edit the configuration file:
  vi /etc/openvpn/tun0.conf

  dev tun0
  ifconfig 10.9.8.1 10.9.8.2
  secret /etc/openvpn/static.key
 

Here 10.9.8.x is our VPN network: 10.9.8.1 is assigned to the VPN server and 10.9.8.2 to the VPN client. This static-key mode is the simplest way to connect exactly two endpoints, but it has no forward secrecy: anyone who gets hold of static.key can join the tunnel and decrypt any traffic captured on it, so the key file must stay readable by root only.

We also need to generate the key the router will use to connect to the server (written straight to the path the config refers to):
  openvpn --genkey --secret /etc/openvpn/static.key
 

Now the daemon can be started:
  service openvpn start
 


Now install OpenVPN on the router, which will initiate the VPN connection:
  opkg update
  opkg install openvpn
 

Copy the key to the router using scp (it travels over SSH, so not in the clear), then chmod it to 600 on the router, since scp only keeps the file mode when run with -p:
  scp root@your-server.org:/etc/openvpn/static.key /etc/openvpn/static.key
 

Edit the tunnel configuration on the router:
  vi /etc/openvpn/tun0.conf

  remote your-server.org
  dev tun0
  ifconfig 10.9.8.2 10.9.8.1
  secret /etc/openvpn/static.key
 

Now check that everything works by running the client in the foreground; it should end up printing Initialization Sequence Completed:
  openvpn --config /etc/openvpn/tun0.conf
 

If everything is OK, start the daemon and add it to startup:
  /etc/init.d/openvpn start
  /etc/init.d/openvpn enable
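Before starting the daemons on both ends it is worth checking that the two config files really describe the same tunnel and that the key has not been left world-readable. The checker below is an added example, not code from the original post. It assumes the config layout used above (an ifconfig line with local and remote addresses, a secret line with the key path, and a remote line on the client) and a key produced by openvpn --genkey; the sample configs and key text that demo() builds are constructed for the example and are not real key material.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check an OpenVPN
# static-key point-to-point pair before starting the daemons.
# Assumes the layout used above: "ifconfig <local> <remote>", "secret <path>"
# and, on the client, "remote <host>"; the key comes from "openvpn --genkey".

# Print what follows DIRECTIVE in FILE (first match only).
conf_get() {                     # conf_get FILE DIRECTIVE
    awk -v d="$2" '$1 == d { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# The key file must exist, look like an OpenVPN static key and be
# unreadable by group and others: whoever has it can join the tunnel
# and decrypt captured traffic (static-key mode has no forward secrecy).
check_key() {                    # check_key KEYFILE
    [ -f "$1" ] || { echo "missing key: $1" >&2; return 1; }
    grep -q '^-----BEGIN OpenVPN Static key V1-----' "$1" \
        || { echo "not a static key: $1" >&2; return 1; }
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ] \
        || { echo "key $1 is readable by group/others, chmod 600 it" >&2; return 1; }
}

# Two configs describe one tunnel only if the server's local address is the
# client's remote address and vice versa, the client knows where to connect,
# and both reference a key.
check_pair() {                   # check_pair SERVER.CONF CLIENT.CONF
    s_if=$(conf_get "$1" ifconfig); c_if=$(conf_get "$2" ifconfig)
    [ -n "$s_if" ] && [ -n "$c_if" ] \
        || { echo "ifconfig line missing" >&2; return 1; }
    s_local=${s_if%% *}; s_remote=${s_if##* }
    c_local=${c_if%% *}; c_remote=${c_if##* }
    [ "$s_local" != "$s_remote" ] \
        || { echo "server: local and remote address are equal" >&2; return 1; }
    [ "$s_local" = "$c_remote" ] && [ "$s_remote" = "$c_local" ] \
        || { echo "ifconfig mismatch: server '$s_if' vs client '$c_if'" >&2; return 1; }
    [ -n "$(conf_get "$2" remote)" ] \
        || { echo "client has no remote directive" >&2; return 1; }
    for f in "$1" "$2"; do
        [ -n "$(conf_get "$f" secret)" ] \
            || { echo "$f: no secret directive" >&2; return 1; }
    done
}

# Build a constructed server/client pair in a temp dir (fake key, not real
# key material) and run both checks on it; returns 0 when everything passes.
demo() {
    d=$(mktemp -d)
    printf 'dev tun0\nifconfig 10.9.8.1 10.9.8.2\nsecret %s/static.key\n' "$d" > "$d/server.conf"
    printf 'remote your-server.org\ndev tun0\nifconfig 10.9.8.2 10.9.8.1\nsecret %s/static.key\n' "$d" > "$d/client.conf"
    printf -- '-----BEGIN OpenVPN Static key V1-----\n00112233\n-----END OpenVPN Static key V1-----\n' > "$d/static.key"
    chmod 600 "$d/static.key"
    check_key "$d/static.key" && check_pair "$d/server.conf" "$d/client.conf"
    rc=$?
    rm -rf "$d"
    return $rc
}

demo && echo "tunnel pair looks consistent"
```

On the real hosts, run check_key /etc/openvpn/static.key on each end and check_pair with the server's and the router's tun0.conf side by side (the router's copy fetched with scp); a mismatch in the ifconfig pair is the most common reason a static-key tunnel comes up but passes no traffic.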
 


A few words about NAT


Because my router sits behind the provider's NAT, once the tunnel was up and there had been no traffic for a while, the connection simply stopped working until at least one packet was sent from the client side to the server: the provider's NAT forgets the UDP mapping of the OpenVPN session when it sees no traffic, and after that the server can no longer reach the router.

So I decided to ping the VPN server's address every 30 seconds. That turned out to be enough, but since the ping on my OpenWRT router did not understand the -i option, I had to write a small script. (OpenVPN can do this itself: ping 30 in the client's tun0.conf sends a keepalive over the control channel whenever the tunnel has been idle for 30 seconds, and keepalive 30 120 additionally restarts the tunnel if nothing arrives for 120 seconds; the script below does the same thing from outside the daemon.)
  vi /bin/ping-vps.sh

  #!/bin/sh
  # Send one ping through the tunnel every 30 seconds so the provider's
  # NAT keeps the UDP mapping of the OpenVPN session alive.
  while true; do
          ping -c 1 10.9.8.1 > /dev/null 2>&1
          sleep 30
  done
 

Then make it executable:
  chmod +x /bin/ping-vps.sh
 

And add a line to /etc/rc.local so it starts at boot:
  /bin/ping-vps.sh &

Add it before exit 0, and do not forget the & at the end of the line: it tells the router not to wait for the script to finish at startup, since the script loops forever.

Routing


Now let's set up routing.

For the VPS to know that the way to the home network goes through the router (the VPN client), a static route is needed:
  route add -net 192.168.1.0 netmask 255.255.255.0 tun0

It can be put into the same /etc/rc.local on the VPS. Alternatively, add the line route 192.168.1.0 255.255.255.0 to the server's /etc/openvpn/tun0.conf: then OpenVPN installs the route itself when the tunnel comes up and removes it when the tunnel goes down.

For the router to let the server into the home network, and for the home machines to reach the server, add the following rules on the router.

Create a file and write the rules into it:
  vi /etc/iptables.up.rules

  #!/bin/sh

  # Allow forwarding via the tunnel
  iptables -I INPUT -i tun+ -j ACCEPT
  iptables -I FORWARD -i tun+ -j ACCEPT
  iptables -I OUTPUT -o tun+ -j ACCEPT
  iptables -I FORWARD -o tun+ -j ACCEPT

Note that these rules accept everything that arrives through the tunnel, so the VPS becomes a fully trusted host with direct access to 192.168.1.0/24: if it is ever compromised, so is the home network. Also, the OpenWRT firewall rebuilds the iptables rule set whenever it reloads, which can drop anything inserted from rc.local; its /etc/firewall.user include is the usual place for custom rules, or tun0 can be put into a zone in /etc/config/firewall.
 

Make it executable as well:
  chmod +x /etc/iptables.up.rules
 

And add it to /etc/rc.local for startup:
  /etc/iptables.up.rules
 


That is basically it.
The networks are connected; all the machines see each other and exchange packets.
Now, if you like, you can forward ports from the outside to addresses inside the home network.

For example, this is how forwarding of the SSH port of one of the machines on my home network looks:
  # Forward SSH port to server
  iptables -t nat -A PREROUTING -d XX.XX.XX.XXX -p tcp --dport 666 -j DNAT --to-destination 192.168.1.200:22
  iptables -t nat -A POSTROUTING -d 192.168.1.200 -p tcp --dport 22 -j SNAT --to-source 10.9.8.1

Where XX.XX.XX.XXX is the external IP of the server, 192.168.1.200 is the IP of my machine in the home network, and 666 is the port I connect to in order to reach that machine.

These rules run on the VPS, and the SNAT rule is not optional. Without it the home machine would see the real client address and answer via its default gateway, the router would send that reply out through the provider's NAT, and it would arrive at the client from the wrong source address and be dropped; rewriting the source to 10.9.8.1 makes the reply go back through tun0 instead. The price is that sshd on 192.168.1.200 logs every connection as coming from 10.9.8.1.
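Rather than hand-editing one DNAT/SNAT pair per service, the rules for the VPS side can be generated from a list of forwards. The script below is an added example, not the post's own code; it covers both the tunnel accept rules from the previous section and the port forwarding shown here. It assumes the 10.9.8.1 tunnel address from this setup, uses 203.0.113.10 as a placeholder for the server's public IP (the post's XX.XX.XX.XXX), validates addresses and ports before they reach an iptables command line, and only prints the rules so they can be reviewed before being piped into sh.

```shell
#!/bin/sh
# Added example, not from the original post: print the iptables rules for
# this setup from a list of port forwards instead of editing them by hand.
# Assumptions (mine, not the post's): 203.0.113.10 stands in for the VPS
# public address; 10.9.8.1 is the server's tunnel address as configured above.

# Accept everything entering or leaving via the tunnel interface(s).
# This trusts the VPN peer completely: on the router it gives the VPS direct
# access to the whole home network, on the VPS it gives the router the same.
tunnel_accept_rules() {          # tunnel_accept_rules IFACE (e.g. tun+)
    printf 'iptables -I INPUT -i %s -j ACCEPT\n' "$1"
    printf 'iptables -I FORWARD -i %s -j ACCEPT\n' "$1"
    printf 'iptables -I FORWARD -o %s -j ACCEPT\n' "$1"
    printf 'iptables -I OUTPUT -o %s -j ACCEPT\n' "$1"
}

# A port is 1..65535 and digits only; reject anything else before it ends
# up inside an iptables command line.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# A plain dotted-quad IPv4 address, each octet 0..255 (no names, no CIDR).
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }
        { exit 1 }'
}

# Emit DNAT + SNAT for each EXTPORT:HOST:PORT. DNAT rewrites the destination
# on the way in. SNAT rewrites the source to the VPS's tunnel address so the
# home machine replies to 10.9.8.1, which the router routes back through tun0;
# without it the reply would leave through the provider's NAT from the wrong
# address and the client would drop it.
forward_rules() {                # forward_rules EXT_IP VPN_LOCAL PROTO SPEC...
    ext=$1; vpn=$2; proto=$3; shift 3
    valid_ipv4 "$ext" && valid_ipv4 "$vpn" \
        || { echo "bad address: $ext / $vpn" >&2; return 1; }
    case "$proto" in tcp|udp) ;; *) echo "bad proto: $proto" >&2; return 1 ;; esac
    for spec in "$@"; do
        extport=${spec%%:*}; rest=${spec#*:}
        host=${rest%%:*}; port=${rest##*:}
        valid_port "$extport" && valid_ipv4 "$host" && valid_port "$port" \
            || { echo "bad forward spec: $spec (want EXTPORT:HOST:PORT)" >&2; return 1; }
        printf 'iptables -t nat -A PREROUTING -d %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
            "$ext" "$proto" "$extport" "$host" "$port"
        printf 'iptables -t nat -A POSTROUTING -d %s -p %s --dport %s -j SNAT --to-source %s\n' \
            "$host" "$proto" "$port" "$vpn"
    done
}

# Constructed example: the post's SSH forward plus a second service.
tunnel_accept_rules 'tun+'
forward_rules 203.0.113.10 10.9.8.1 tcp 666:192.168.1.200:22 8443:192.168.1.201:443
```

Running it prints the four accept rules followed by a DNAT/SNAT pair per forward; once the output looks right, apply it with sh or paste it into /etc/rc.local (or /etc/firewall.user on the OpenWRT side). Any malformed entry aborts with a message on stderr and no partial rules are applied.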

PS: If something does not work, make sure that your VPS has all the kernel modules it needs loaded (iptables NAT and connection tracking) and that packet forwarding is enabled (net.ipv4.ip_forward = 1), otherwise the forwarded packets never leave the VPS.

Sources


While writing this article I used information from the following sources:

This article is a translation of the original post at habrahabr.ru/post/216101/
If you have any questions regarding the material covered in the article above, please, contact the original author of the post.
If you have any complaints about this article or you want this article to be deleted, please, drop an email here: sysmagazine.com@gmail.com.

We believe that the knowledge, which is available at the most popular Russian IT blog habrahabr.ru, should be accessed by everyone, even though it is poorly translated.
Shared knowledge makes the world better.
Best wishes.
