Simple single user VPN with OpenVPN as NAT Gateway
Posted on Thu 24 April 2014 in misc
Here's a quick brain-dump on setting up a single user VPN as a NAT gateway for use when i'm out and about.
I used the openvpn package from epel.
Note that in these examples the: tunnel endpoint = tun0
server tunnel address = 10.99.66.2
client tunnel address = 10.99.66.1
public interface = eth0
Create a user and group "openvpn" (the Epel rpm does this for you) e.g.
groupadd -r openvpn
useradd -r -g openvpn -s /sbin/nologin -c OpenVPN -d /etc/openvpn openvpn
Create a static key file which we use on server and on the client and set some secure perms (should be done already)
openvpn --genkey --secret /etc/openvpn/secret.key
sudo chown root:root /etc/openvpn/secret.key
sudo chmod 600 /etc/openvpn/secret.key
Create /etc/openvpn/server.conf
(I've annotated the options)
# Run in single user tunnel mode
mode p2p
# Run only on the right address / interface
local (host or ip)
# Always setup and use tun0
dev tun0
# set addresses for local and remote tunnel endpoints
# ifconfig local remote
ifconfig 10.99.66.2 10.99.66.1
# Use UDP on port x
proto udp
port 1194
# Drop to openvpn:openvpn after starting
user openvpn
group openvpn
# use a static key
#(gen with openvpn --genkey --secret /etc/openvpn/secret.key)
secret secret.key
# Use separate keys for each traffic direction
# see https://openvpn.net/index.php/download/60-open-source/faq.html
key-direction 0
# Don't re-read key on ping restart as we won't have enough perms
persist-key
# Don't restart tun0 on ping restart as we won't have enough perms
persist-tun
# Keep alive (openvpn ping every 10s, ping restart if no traffic for 120s)
keepalive 10 120
#Use compression
comp-lzo
# Logging and log level
log-append /var/log/openvpn.log
verb 3
Client Config file e.g. client.ovpn
Notice here how we include the secret key all in one file - this works really well for easy deployment on android vpn client and tunnelblick
remote (ip or host of VPN server)
dev tun
ifconfig 10.99.66.1 10.99.66.2
proto udpport 1194
comp-lzo
ping 10
key-direction 1
<secret>
-----BEGIN OpenVPN Static key V1-----
a4a4d5d7d9d8d7d7d424242......
-----END OpenVPN Static key V1-----
</secret>
Should now be able to ping across the tunnel may need to add a rule to iptables if you are blocking all inbound traffic
i.e.
-A INPUT -i tun0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
Finally enable routing at the kernel level, routing through iptables and NAT
sysctl -w net.ipv4.ip_forward=1
iptables -A FORWARD -s 10.99.66.1/32 -i tun0 -o eth0 -j ACCEPT
iptables -A FORWARD -d 10.99.66.1/32 -i eth0 -o tun0 -j ACCEPT ]
iptables -t nat -A POSTROUTING -s 10.99.66.1 -o eth0 -j MASQUERADE]
For reference here is my /etc/sysconfig/iptables
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# NAT traffic coming from the remote VPN endpoint to the internet
-A POSTROUTING -s 10.99.66.1/32 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Allow all inbound traffic on lo
-A INPUT -i lo -j ACCEPT
# Allow vpn and ssh on public interface
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 1194 -j ACCEPT
# Allow outbound related traffic back in
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow ping inbound on the vpn - useful for testing
-A INPUT -i tun0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
# Allow NATed traffic which has to be routed across the interfaces
-A FORWARD -s 10.99.66.1/32 -i tun0 -o eth0 -j ACCEPT
-A FORWARD -d 10.99.66.1/32 -i eth0 -o tun0 -j ACCEPT
COMMIT