The remote access mechanism at IMSc has been described earlier.
That access mechanism allows one to use SOCKS to create a network tunnel and so create the feeling of working from within the IMSc LAN. However,
- It is quite cumbersome to setup and bring down.
- A number of clients do not support SOCKS so one needs to "socksify".
The IMSc VPN was setup to resolve these problems.
It required a lot of configuration as outlined below. So it felt like this was a worthwhile time to introduce bandwidth reduction for un-registered users of campus Wi-Fi. Legitimate users could "register" via an internal VPN!
This also resulted in an article in the Linux Gazette.
Details of changes
Changes on "agni"
a. Traffic shaping to reduce bandwidth for DHCP address.
b. Two POSTROUTING rules so that:
i. When LAN machines connect to `access.imsc.res.in`
it uses the `users.imsc.res.in` address.
ii. The above rule is skipped for `neem.imsc.res.in`
which uses its own address.
Openvpn server on "neem".
a. The address range for the VPN was chosen "randomly" out
of the 10.x.x.x address range with a mask of 255.255.255.0.
b. Addition of a MASQUERADE rule and FORWARD
rules and "neem" as follows:
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-P FORWARD DROP
-A POSTROUTING -o eth0 -j MASQUERADE
c. Forwarding enabled in /etc/network/options on neem.
d. The CA for this openvpn is in peepul:/root/openvpn/CA. The
README there gives instructions on how to add/sign SSL keys.
Static-key tunnel VPN server on "neem" which connects to "access".
a. The static key needs to be in /etc/openvpn on "neem" and "access".
b. The config file for the "neem" side is the client the VPN
tunnel so that the connection is opened and closed from inside
the firewall.
c. The config files for the "access" side are access-lan.conf
and access.up. The latter is a script (see d-iv).
d. This has required some changes on "access".
i. There is now a static route to "neem" via the
external interface to agni.
ii. We allow incoming packets from "neem" for the 1195 port
that is used for the VPN.
-A INPUT -s 172.16.1.28 -p udp -m udp --dport 1195 -j ACCEPT
iii. We allow arbitrary connections going out towards
the LAN addresses.
-A OUTPUT -d 172.16.0.0/255.255.240.0 -j ACCEPT
iv. Once the tunnel is up the script access.up sets a
static route to the LAN via the tunnel.
e. We can eventually drop the entire "access" iptables entry
on "agni".
An "external" VPN server on "access".
The CA is the same as that on "neem". Those who connect with CA signed SSL keys to this VPN server will get direct access to the LAN. The relevant configuration files are at neem:/root/openvpn/access_server.
a. Forwarding is enabled on "access".
b. The following additional rules for FORWARD
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun0 -o tun1 -j ACCEPT
-A FORWARD -j DROP
-P FORWARD DROP