Mast Kalandar

bandar's colander of random jamun aur aam

Thu, 03 May 2007

< Saying "No" to Windows Vista | · | A response to a response >

Setting up IMSc's VPN


Tags: , , [link] [comments (0)] [raw]

The remote access mechanism at IMSc has been described earlier.

That access mechanism allows one to use SOCKS to create a network tunnel and so create the feeling of working from within the IMSc LAN. However,

The IMSc VPN was setup to resolve these problems.

It required a lot of configuration as outlined below. So it felt like this was a worthwhile time to introduce bandwidth reduction for un-registered users of campus Wi-Fi. Legitimate users could "register" via an internal VPN!

This also resulted in an article in the Linux Gazette.

Details of changes

Changes on "agni"
a. Traffic shaping to reduce bandwidth for DHCP address.

b. Two POSTROUTING rules so that:

    i. When LAN machines connect to `access.imsc.res.in`
       it uses the `users.imsc.res.in` address.
    ii. The above rule is skipped for `neem.imsc.res.in`
       which uses its own address.

Openvpn server on "neem".
a. The address range for the VPN was chosen "randomly" out
   of the 10.x.x.x address range with a mask of 255.255.255.0.

b. Addition of a MASQUERADE rule and FORWARD
   rules and "neem" as follows:

    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -i tun+ -j ACCEPT
    -P FORWARD DROP
    -A POSTROUTING -o eth0 -j MASQUERADE

c. Forwarding enabled in /etc/network/options on neem.

d. The CA for this openvpn is in peepul:/root/openvpn/CA. The
README there gives instructions on how to add/sign SSL keys.

Static-key tunnel VPN server on "neem" which connects to "access".
a. The static key needs to be in /etc/openvpn on "neem" and "access".

b. The config file for the "neem" side is the client the VPN
   tunnel so that the connection is opened and closed from inside
   the firewall.

c. The config files for the "access" side are access-lan.conf
   and access.up. The latter is a script (see d-iv).

d. This has required some changes on "access".
    i. There is now a static route to "neem" via the
    external interface to agni.
    ii. We allow incoming packets from "neem" for the 1195 port
    that is used for the VPN.
        -A INPUT -s 172.16.1.28 -p udp -m udp --dport 1195 -j ACCEPT
    iii. We allow arbitrary connections going out towards
    the LAN addresses.
        -A OUTPUT -d 172.16.0.0/255.255.240.0 -j ACCEPT
    iv. Once the tunnel is up the script access.up sets a
        static route to the LAN via the tunnel.

e. We can eventually drop the entire "access" iptables entry
   on "agni".

An "external" VPN server on "access".

The CA is the same as that on "neem". Those who connect with CA signed SSL keys to this VPN server will get direct access to the LAN. The relevant configuration files are at neem:/root/openvpn/access_server.

a. Forwarding is enabled on "access".

b. The following additional rules for FORWARD

    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -i tun0 -o tun1 -j ACCEPT
    -A FORWARD -j DROP
    -P FORWARD DROP


Name
E-mail (will not be displayed)
OpenID (required)
Simple HTML and wiki markup are allowed.

Archives

< May 2007 >
SuMoTuWeThFrSa
   1 2 3 4 5
6 7 8 9101112
13141516171819
20212223242526
2728293031  

2014, 2013, 2012, 2011, 2010, 2009, 2008, 2007, 2006, 2005, 2004, 2003, 2002, 2001, 2000, 1999, 1997, 1995,