VPN tunnel from DO to private network

July 21, 2016 2.7k views
Networking VPN Security Ubuntu 16.04

Hello,

I'm running a local network, with a few web servers and what not. For some of my web servers, I use a DO server as a reverse proxy and cache.

As of right now it is just connecting through the public IPs, but I wish to create a private VPN (or SOCKS) tunnel between the DO server and my private network. I've searched this DO site and Google, but they mostly come up with a normal VPN client which is not what I need. The VPN doesn't need to forward any traffic, just simply provide a private (secure) network between the two networks.

The server which I use on DO is Ubuntu 16.04, and the load balancer on my private network is a Raspberry Pi running Raspbian.

Anyone able to help me out? Or at least point me in the right direction?

10 comments
  • "The VPN doesn't need to forward any traffic, just simply provide a private (secure) network between the two networks."

    VPNs accomplish this by routing traffic.

    Just keep googling and use the tutorials you thought wouldn't work, they're probably perfectly appropriate. Check out OpenVPN.

  • As I wrote, I've already tried that, and also tried the tuts I could find, but nothing worked out. Hence I created this.

  • @Geekologist - Can you just set up an SSH session from your Raspberry Pi to your droplet, with pre-selected tunnels to specific ports?

  • @gndo I've been thinking about that, since I already have one SSH session from my workstation to my DO server. Just wasn't sure how to make it the other way around, so that the connection is from the server to my network?

  • @Geekologist - I think what you want is port forwarding using iptables. Check out that DO tutorial if that fits your needs. Note: I haven't set that up, so I can't help you much past the tutorial.
    {Edit: that might not have been the link you wanted, since that was between 2 droplets. Try instead this tunneling tutorial.}

    In this article, you'll learn how to create a safe, encrypted tunnel between your computer and your VPS along with how to bypass limits in a corporate network, how to bypass NAT, etc.

  • I have a setup that will do what you want:

    • DO Droplet runs an OpenVPN Server (I used this script to set up the server and generate my client-connect files: https://github.com/Nyr/openvpn-install )
    • My Private Network uses a DDWRT Router with OpenVPN Client installed. All computers on the private network can access the OpenVPN server and vice-versa since they use the DDWRT Router as the gateway.
    • I also have a couple of other DO Droplets connected as clients to the OpenVPN server and those Droplets can also access all the computers on the private network and vice-versa.

    You can use iptables to further lock everything down. For example, one of the DO droplets runs a database server. I have that locked down so only specific computers/droplets can access that db server via the VPN.

    The DDWRT Router cost me about $30.00 from Amazon.

    Furthermore, you can install the same router on other private networks and have them join your VPN as well.

    My setup has 3 different home networks joined (each with a DDWRT router as the client). I can access all 3 home networks. One of the home networks has a Plex Server, the other runs some office printers.

    Works great. Took a lot of tinkering, but once I got it all set up I was able to duplicate it easily for someone else. It has been rock-solid for several months now.

    - Encrypted Private Network
    - Access to other small networks
    - Shared Media Server
    - Central Database only accessible from the VPN

    Lots of other use-cases

  • @gndo, the first link was correct, the second link is how I already do it from my Workstation.
    Was unable to get Nginx to listen on the new private IP; I could ping both IPs.

    @sierracircle, Thank you for your answer, very useful!
    The option you describe, could it be done with server-server instead of server-router? I'll take a look at the link you sent.

  • @sierracircle, I've been successful using your link to set up the server / client.

    Another problem is now that I can only ping one way, from my network to DO, not from DO to my network. I've opened up the port I chose during the install, and also opened the port stated when doing a netstat -pln.

    Anyone knows of a port that I need to open?

  • "The option you describe, could it be done with server-server instead of server-router?"

    Yes, the DDWRT router is basically a small Linux server with some router stuff built in. You could totally set up another Linux server as a client, and even configure that server to be a router for other computers behind it.

    "Another problem is now that I can only ping one way, from my network to DO, not from DO to my network."

    Are you pinging the tun0 address or the network addresses?

    If I remember correctly, the trick was you have to kind of tell the server where the clients are so it can send replies to them.

    On the OpenVPN server, in /etc/openvpn create a folder called ccd. Then, in the server.conf file, add a line like this:

        client-config-dir ccd

    Then, in the ccd folder, create a file for each client (name it whatever you called the client when creating the ovpn file) and add something like this to the file:

        ifconfig-push 10.8.0.11 10.8.0.12
        iroute 10.1.3.0 255.255.255.0

    The first line is the static tun0 IP address for that particular client. Note how it has the next address above it reserved as well, so that line will be different for each client so you are not assigning the same address to each client.
    The second line is the subnet you are using for that particular client.

    I seem to remember something else that needs to be added to the server.conf, but try that and let me know if it works for you.
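The piece the comment above could not recall is the server-side kernel route: OpenVPN's documented site-to-site pattern needs `iroute` in the ccd file (so OpenVPN knows which client owns the LAN) and a matching `route` in server.conf (so the server's kernel sends packets for that LAN into the tun device); without the second one, pings from the droplet never reach the tunnel, which is exactly the one-way symptom reported. The script below is an added example, not code from the thread or from the Nyr installer. It writes both files into a directory and checks that every `iroute` has its matching `route`. Everything it assumes is labelled: `topology subnet` on 10.8.0.0/24 (which is what the Nyr script configures, so `ifconfig-push` takes an address and a netmask rather than the /30 pair shown above), a client named `pi-lb`, and a site LAN of 10.1.3.0/24.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Nyr script. Writes the
# server-side pieces of a site-to-site OpenVPN setup and checks the one thing
# that is easy to forget: every "iroute" in a ccd file needs a matching kernel
# "route" in server.conf, or the server's own packets never enter the tunnel.
#
# Assumed (not from the thread): "topology subnet" with VPN net 10.8.0.0/24,
# client name "pi-lb", site LAN 10.1.3.0/24.
set -eu

# write_site_config DIR CLIENT TUN_IP LAN_NET LAN_MASK
# Writes DIR/server.conf.site (lines to append to server.conf) and DIR/ccd/CLIENT.
write_site_config() {
    dir=$1 client=$2 tun_ip=$3 lan_net=$4 lan_mask=$5
    mkdir -p "$dir/ccd"
    {
        echo "client-config-dir ccd"
        # kernel route on the server: packets for the LAN go into the tun device
        echo "route $lan_net $lan_mask"
        # other VPN clients (e.g. a second droplet) learn the same route
        echo "push \"route $lan_net $lan_mask\""
    } >"$dir/server.conf.site"
    {
        # with "topology subnet" the second argument is the netmask,
        # not a /30 peer address as in the net30-style example above
        echo "ifconfig-push $tun_ip 255.255.255.0"
        # OpenVPN-internal route: this client is the gateway for that LAN
        echo "iroute $lan_net $lan_mask"
    } >"$dir/ccd/$client"
}

# check_iroutes DIR
# Prints "ok" when every ccd iroute has a matching route line; otherwise
# prints the missing route and returns 1.
check_iroutes() {
    dir=$1
    for f in "$dir"/ccd/*; do
        [ -f "$f" ] || continue
        while read -r kw net mask; do
            [ "$kw" = iroute ] || continue
            if ! grep -qx "route $net $mask" "$dir/server.conf.site"; then
                echo "missing in server.conf: route $net $mask (from ccd/$(basename "$f"))"
                return 1
            fi
        done <"$f"
    done
    echo ok
}

# Stand-alone demo: build the config in a temp dir, run the check, show the files.
demo() {
    d=$(mktemp -d)
    write_site_config "$d" pi-lb 10.8.0.11 10.1.3.0 255.255.255.0
    check_iroutes "$d"
    cat "$d/server.conf.site" "$d/ccd/pi-lb"
    rm -r "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it with `sh site-config.sh demo` and append the printed `server.conf.site` lines to `/etc/openvpn/server.conf`, restart OpenVPN, then ping a LAN host from the droplet. Two things on the Pi side are also needed for the return path and are not covered by this script: `net.ipv4.ip_forward=1` on the Pi, and a route on the LAN hosts (or on their default gateway) sending 10.8.0.0/24 back to the Pi, since otherwise they receive the droplet's ping but reply toward their own default gateway.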

  • Also, I remembered that there are some iptables things to do on your OpenVPN server:

    Allow TUN interface connections to the OpenVPN server:

        sudo iptables -A INPUT -i tun+ -j ACCEPT

    Allow TUN interface connections to be forwarded through other interfaces:

        sudo iptables -A FORWARD -i tun+ -j ACCEPT
        sudo iptables -A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
        sudo iptables -A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT

    NAT the VPN client traffic to the Internet:

        # -s must be your VPN subnet (the ccd example above uses 10.8.0.0/24)
        sudo iptables -t nat -A POSTROUTING -s 10.8.1.0/24 -o eth0 -j MASQUERADE

    If your default iptables OUTPUT policy is not ACCEPT, you will also need to do this:

        sudo iptables -A OUTPUT -o tun+ -j ACCEPT

    Of course, test, and if that works then save your iptables rules.

    To keep the rules after a reboot, you can install this:

        sudo apt-get update && sudo apt-get install iptables-persistent

    If it is already installed, save your firewall rules with this command:

    For 14.04:

        sudo invoke-rc.d iptables-persistent save

    For 16.04:

        sudo netfilter-persistent save

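The rules above let any VPN client forward anywhere, because `-A FORWARD -i tun+ -j ACCEPT` is unconditional and the chain's policy is left at its default. The script below is an added example, not the thread's own rules: it renders a tightened set for the OpenVPN server (FORWARD policy DROP, only tunnel-to-tunnel and tunnel-to-uplink paths allowed) and a two-line set for the droplet that runs the database, implementing the "db server only reachable via the VPN" case from the earlier comment. It prints the commands rather than running them so they can be reviewed first. Assumed values, all constructed for the example: VPN subnet 10.8.0.0/24, site LAN 10.1.3.0/24, uplink `eth0`, database on TCP 5432; `-m conntrack --ctstate` is used in place of the older `-m state --state` above, with the same meaning.

```shell
#!/bin/sh
# Added example, not the thread's own rules. Renders iptables commands instead
# of running them so the set can be reviewed before being applied as root.
# Hardening versus the list above: FORWARD policy DROP so only listed paths
# pass, and a database port reachable only over the tunnel.
#
# Assumed values (constructed, not from the thread):
set -eu
VPN_NET=${VPN_NET:-10.8.0.0/24}    # OpenVPN tunnel subnet
SITE_NET=${SITE_NET:-10.1.3.0/24}  # LAN behind the Raspberry Pi client
WAN_IF=${WAN_IF:-eth0}             # droplet's public interface
DB_PORT=${DB_PORT:-5432}           # database listener on the db droplet

# server_rules: for the OpenVPN server droplet. One iptables command per line.
server_rules() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i tun+ -o tun+ -s $VPN_NET -j ACCEPT
iptables -A FORWARD -i tun+ -o tun+ -s $SITE_NET -j ACCEPT
iptables -A FORWARD -i tun+ -o $WAN_IF -s $VPN_NET -j ACCEPT
iptables -t nat -A POSTROUTING -s $VPN_NET -o $WAN_IF -j MASQUERADE
EOF
}

# db_rules: for the droplet that runs the database and is itself a VPN client.
# Accept new connections to the DB port only when they arrive on the tunnel
# from the VPN subnet; drop the port from everywhere else, including eth0.
db_rules() {
    cat <<EOF
iptables -A INPUT -i tun+ -s $VPN_NET -p tcp --dport $DB_PORT -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p tcp --dport $DB_PORT -j DROP
EOF
}

# count_rules NAME: number of commands in the named rule set.
count_rules() { "$1" | wc -l | tr -d ' '; }

# has_rule NAME PATTERN: succeeds if the rendered set contains a line matching PATTERN.
has_rule() { "$1" | grep -q -- "$2"; }

# apply_rules NAME: run the named set; refuses unless root. Afterwards persist
# with "sudo netfilter-persistent save" on 16.04, as the comment above describes.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root to apply $1" >&2; return 1; }
    "$1" | sh -e
}

# Stand-alone use: print both sets for review.
if [ "${1:-}" = show ]; then server_rules; echo; db_rules; fi
```

Review the output with `sh vpn-rules.sh show`, then run `apply_rules server_rules` on the OpenVPN droplet and `apply_rules db_rules` on the database droplet. The DROP policy means a path you did not list, such as a LAN host reaching the public Internet through the droplet, is blocked rather than silently allowed, which matches the requirement in the question that the tunnel carry only traffic between the two networks.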
3 Answers
BrookDO July 22, 2016
Accepted Answer

This question was answered by @sierracircle in the comments above (the reply on server-to-server setup and the ccd / iroute configuration).

This question was also answered by @sierracircle's earlier comment above describing the OpenVPN server with DDWRT router clients.
