VPN tunnel from DO to private network

July 21, 2016 16.3k views
Security Ubuntu 16.04 VPN Networking

Hello,

I’m running a local network, with a few web servers and what not. For some of my web servers, I use a DO server as a reverse proxy and cache.

As of right now it is just connecting through the public IPs, but I wish to create a private VPN (or SOCKS) tunnel between the DO server and my private network. I’ve searched this DO site and Google, but they mostly come up with a normal VPN client, which is not what I need. The VPN doesn’t need to forward any traffic, just simply provide a private (secure) network between the two networks.

The server which I use on DO is Ubuntu 16.04, and the load balancer on my private network is a Raspberry Pi running Raspbian.

Anyone able to help me out, or at least point me in the right direction?

10 comments
  • “The VPN doesn’t need to forward any traffic, just simply provide a private (secure) network between the two networks.”

    VPNs accomplish this by routing traffic.

    Just keep googling and use the tutorials you thought wouldn’t work, they’re probably perfectly appropriate. Check out OpenVPN.

  • As I wrote, I’ve already tried that, and also tried the tuts I could find, but nothing worked out. Hence I created this.

  • @Geekologist - Can you just set up an SSH session from your Raspberry Pi to your droplet, with pre-selected tunnels to specific ports?

  • @gndo I’ve been thinking about that, since I already have one SSH session from my workstation to my DO server. I just wasn’t sure how to make it the other way around, so that the connection is from the server to my network?

  • @Geekologist - I think what you want is port forwarding using iptables. Check out that DO tutorial if that fits your needs. Note: I haven’t set that up, so I can’t help you much past the tutorial.
    [Edit: that might not have been the link you wanted, since that one was between two droplets. Try this tunneling tutorial instead:]

    “In this article, you'll learn how to create a safe, encrypted tunnel between your computer and your VPS along with how to bypass limits in a corporate network, how to bypass NAT, etc.”
3 Answers

This question was answered by @sierracircle:

“The option you describe could be done server-to-server, instead of server-to-router?”

Yes. The DD-WRT router is basically a small Linux server with some router stuff built in. You could totally set up another Linux server as a client, and even configure that server to be a router for other computers behind it.

“Another problem is that now I can only ping one way, from my network to DO, not from DO to my network.”

Are you pinging the tun0 address or the network addresses?

If I remember correctly, the trick was you have to kind of tell the server where the clients are so it can send replies to them

On the OpenVPN server, in /etc/openvpn, create a folder called ccd.
Then, in the server.conf file, add a line like this:

client-config-dir ccd

Then, in the ccd folder, create a file for each client (name it whatever you called the client when creating the .ovpn file) and add something like this to the file:

ifconfig-push 10.8.0.11 10.8.0.12
iroute 10.1.3.0 255.255.255.0

The first line is the static tun0 IP address for that particular client. Note how it has the next address above it reserved as well, so that line will be different for each client, so you are not assigning the same address to each client.
The second line is the subnet you are using for that particular client.

I seem to remember something else that needs to be added to the server.conf, but try that and let me know if it works for you.

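The ccd mechanism above, carried through as a small generator script. This is an added example, not code from the thread, from @sierracircle's setup or from the Nyr script; the client names, tun addresses and LAN subnets in it are made up. It assumes the default net30 topology, where the client end of each /30 must have a last octet of 1, 5, 9, 13, ... and the second ifconfig-push argument is the server-side peer address of that /30 (if your server.conf sets `topology subnet`, the second argument is the netmask instead). It also emits the server.conf `route` line that an `iroute` depends on: `iroute` only tells OpenVPN which client owns a subnet, while `route` makes the server's kernel send that subnet's packets into the tun interface at all, and `push "route"` lets the other VPN clients reach it.

```bash
#!/usr/bin/env bash
# Added example (not from the thread or from the Nyr script): build OpenVPN
# client-config-dir entries for site-to-site clients plus the server.conf lines
# they depend on. Hypothetical assumptions: VPN subnet 10.8.0.0/24, default
# net30 topology, and the two made-up clients in CLIENTS below.
set -euo pipefail

# Client table: "<common-name> <client tun ip> <lan network> <lan netmask>".
# The common name must equal the CN in the client's certificate, because the
# server reads ccd/<CN> when that client connects.
CLIENTS='
home-pi   10.8.0.9     10.1.3.0      255.255.255.0
office-rt 10.8.0.13    192.168.50.0  255.255.255.0
'

# net30 topology gives every client its own /30. Only last octets with
# n % 4 == 1 (1, 5, 9, 13, ...) can be the client end; the server-side peer
# address is the next one up. Prints the peer address or fails.
net30_peer() {
  local ip=$1 last=${1##*.} prefix=${1%.*}
  if (( last % 4 != 1 || last > 253 )); then
    echo "bad net30 client address: $ip" >&2
    return 1
  fi
  echo "$prefix.$((last + 1))"
}

# The two lines that go into ccd/<CN>: fixed tun address and owned LAN subnet.
ccd_entry() {                      # cn tun_ip lan_net lan_mask
  local peer
  peer=$(net30_peer "$2") || return 1
  printf 'ifconfig-push %s %s\n' "$2" "$peer"
  printf 'iroute %s %s\n' "$3" "$4"
}

# server.conf additions: enable ccd, a kernel route per client LAN so the
# server forwards that subnet into tun0 (iroute alone does not do this), and
# a pushed route so the other VPN clients know the LAN lives behind the VPN.
server_lines() {
  echo 'client-config-dir ccd'
  while read -r cn ip net mask; do
    [ -n "$cn" ] || continue
    printf 'route %s %s\n' "$net" "$mask"
    printf 'push "route %s %s"\n' "$net" "$mask"
  done <<< "$CLIENTS"
}

# Write ccd/<CN> for every client into the directory given as $1.
write_ccd() {
  local dir=$1
  mkdir -p "$dir"
  while read -r cn ip net mask; do
    [ -n "$cn" ] || continue
    ccd_entry "$cn" "$ip" "$net" "$mask" > "$dir/$cn"
  done <<< "$CLIENTS"
}

# Usage: ./ccdgen.sh --demo   (writes into a temp dir and prints everything)
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d)
  write_ccd "$tmp/ccd"
  for f in "$tmp"/ccd/*; do echo "== $f"; cat "$f"; done
  echo "== server.conf additions"; server_lines
  rm -r "$tmp"
fi
```

After writing the files, restart the server and check with `ip route` on the droplet that each LAN subnet points at tun0; if the ccd file name does not match the certificate CN exactly, the client silently gets a dynamic address and no iroute, which reproduces the one-way ping symptom described in the answer.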

This question was answered by @sierracircle:

I have a setup that will do what you want:

  • DO Droplet runs an OpenVPN Server (I used this script to set up the server and generate my client-connect files: https://github.com/Nyr/openvpn-install )
  • My private network uses a DD-WRT router with the OpenVPN client installed. All computers on the private network can access the OpenVPN server and vice versa, since they use the DD-WRT router as the gateway.
  • I also have a couple of other DO Droplets connected as clients to the OpenVPN server, and those Droplets can also access all the computers on the private network and vice versa.

You can use iptables to further lock everything down. For example, one of the DO droplets runs a database server. I have that locked down so only specific computers/droplets can access that DB server via the VPN.

The DD-WRT router cost me about $30.00 from Amazon.

Furthermore, you can install the same router on other private networks and have them join your VPN as well.

My setup has 3 different home networks joined (each with a DD-WRT router as the client). I can access all 3 home networks. One of the home networks has a Plex server, the other runs some office printers.

Works great. Took a lot of tinkering, but once I got it all set up I was able to duplicate it easily for someone else. It has been rock solid for several months now.

  • Encrypted private network
  • Access to other small networks
  • Shared media server
  • Central database only accessible from the VPN

Lots of other use-cases

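The iptables lockdown the answer mentions for the database droplet, as an added example that is not @sierracircle's actual rule set. It assumes (hypothetically) PostgreSQL on tcp/5432, the VPN interface tun0 and two made-up allowed tun0 addresses. The point it makes that the sentence alone does not: each ACCEPT is bound to the VPN interface as well as to the source address, so a packet arriving on the public interface with a spoofed 10.8.0.x source still hits the final DROP, and the DROP is appended last so ordering keeps it from shadowing the allows.

```bash
#!/usr/bin/env bash
# Added example, not the thread's own rules: allow a database port only from
# named VPN peers, by their tun0 address, and drop it from everywhere else.
# Hypothetical assumptions: PostgreSQL on tcp/5432, VPN interface tun0.
# Set IPT=echo to print the rules instead of applying them (needs root otherwise).
set -euo pipefail

DB_PORT=${DB_PORT:-5432}
VPN_IF=${VPN_IF:-tun0}
IPT=${IPT:-iptables}

# One ACCEPT per allowed peer, matched on the VPN interface *and* the source
# address, then a DROP for the port from any interface. Rules are appended in
# that order, so the DROP is evaluated last; a packet from eth0 claiming a
# 10.8.0.x source never matches an ACCEPT because of the -i test.
db_lockdown() {                    # arguments: allowed tun0 addresses
  local src
  for src in "$@"; do
    $IPT -A INPUT -i "$VPN_IF" -s "$src" -p tcp --dport "$DB_PORT" -j ACCEPT
  done
  $IPT -A INPUT -p tcp --dport "$DB_PORT" -j DROP
}

# Usage (dry run):  IPT=echo ./db_lockdown.sh 10.8.0.9 10.8.0.13
if [ "$#" -gt 0 ]; then
  db_lockdown "$@"
fi
```

Because the drop is an INPUT rule on the destination port only, the database's own replies are unaffected, and a client behind the DD-WRT router that is source-NATed to the router's tun0 address is covered by allowing that one address. Whether LAN hosts arrive with their own 10.1.3.x addresses or the router's tun0 address depends on the router's NAT setting, so check with `tcpdump -ni tun0 port 5432` on the droplet before choosing which sources to list.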
