Set up a VPN, route samba over it
- install openvpn on your server and your client
generate the certificates as in the official HOWTO:
    root@server:/etc/openvpn/easy-rsa# cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/easy-rsa
    root@server:/etc/openvpn/easy-rsa# cd /etc/openvpn/easy-rsa
Edit /etc/openvpn/easy-rsa/vars and fill in the appropriate values
    root@server:/etc/openvpn/easy-rsa# . ./vars
    NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
    root@server:/etc/openvpn/easy-rsa# ./clean-all
    root@server:/etc/openvpn/easy-rsa# ./build-ca
    Generating a 1024 bit RSA private key
    ......................++++++
    ........++++++
    writing new private key to 'ca.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [HK]:
    State or Province Name (full name) [New Territories]:
    Locality Name (eg, city) [Tuen Mun]:
    Organization Name (eg, company) [Home]:
    Organizational Unit Name (eg, section) [changeme]:
    Common Name (eg, your name or your server's hostname) [OpenVPN-CA]:
    Name [OpenVPN-CA]:
    Email Address [[email protected]]:
    root@server:/etc/openvpn/easy-rsa# ./build-key-server server
    Generating a 1024 bit RSA private key
    ...............++++++
    ..........++++++
    writing new private key to 'server.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [HK]:
    State or Province Name (full name) [New Territories]:
    Locality Name (eg, city) [Tuen Mun]:
    Organization Name (eg, company) [Home]:
    Organizational Unit Name (eg, section) [changeme]:
    Common Name (eg, your name or your server's hostname) [server]:
    Name [OpenVPN-CA]:
    Email Address [[email protected]]:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName           :PRINTABLE:'HK'
    stateOrProvinceName   :PRINTABLE:'New Territories'
    localityName          :PRINTABLE:'Tuen Mun'
    organizationName      :PRINTABLE:'Home'
    organizationalUnitName:PRINTABLE:'changeme'
    commonName            :PRINTABLE:'server'
    name                  :PRINTABLE:'OpenVPN-CA'
    emailAddress          :IA5STRING:'[email protected]'
    Certificate is to be certified until Mar 18 13:18:09 2022 GMT (3650 days)
    Sign the certificate? [y/n]:y
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    root@server:/etc/openvpn/easy-rsa# ./build-key client
    Generating a 1024 bit RSA private key
    ..........++++++
    ...................................................++++++
    writing new private key to 'client.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [HK]:
    State or Province Name (full name) [New Territories]:
    Locality Name (eg, city) [Tuen Mun]:
    Organization Name (eg, company) [Home]:
    Organizational Unit Name (eg, section) [changeme]:
    Common Name (eg, your name or your server's hostname) [client]:
    Name [OpenVPN-CA]:
    Email Address [[email protected]]:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName           :PRINTABLE:'HK'
    stateOrProvinceName   :PRINTABLE:'New Territories'
    localityName          :PRINTABLE:'Tuen Mun'
    organizationName      :PRINTABLE:'Home'
    organizationalUnitName:PRINTABLE:'changeme'
    commonName            :PRINTABLE:'client'
    name                  :PRINTABLE:'OpenVPN-CA'
    emailAddress          :IA5STRING:'[email protected]'
    Certificate is to be certified until Mar 18 13:20:00 2022 GMT (3650 days)
    Sign the certificate? [y/n]:y
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    root@server:/etc/openvpn/easy-rsa# ./build-dh
    Generating DH parameters, 1024 bit long safe prime, generator 2
    This is going to take a long time
    ............................+..................+...........+  [progress dots trimmed]  ...++*++*++*
copy the needed files from /etc/openvpn/easy-rsa/keys on the server to /etc/openvpn
for server: ca.crt dh1024.pem server.crt server.key
for client: ca.crt client.crt client.key
copy the appropriate sample configuration files from /usr/share/doc/openvpn/examples/sample-config-files/ to /etc/openvpn and decompress them
server: server.conf.gz
client: client.conf
- The server configuration file should be workable by default
edit the "remote" entry on the client /etc/openvpn/client.conf
Input the server name / IP address. No other changes need to be made.
- Open up UDP 1194 on the server's firewall
The service is ready to start now; the server is at 10.8.0.1.
I assume you only need to access the server; additional work needs to be done if you want to access other internal networks.
configure samba to listen on 10.8.0.0/24
Everything should be done now; leave a comment here if something goes wrong.
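The easy-rsa run above does three things worth seeing without the wrapper scripts: it builds a CA, issues a server certificate that OpenVPN clients can tell apart from client certificates, and issues client certificates. The transcript also shows the defaults of easy-rsa 2.0 ("Generating a 1024 bit RSA private key", "1024 bit long safe prime"), which are below today's 2048-bit floor. The script below is an added example, not part of the answer above or of the OpenVPN project: it reproduces the same CA/server/client PKI with plain openssl, 2048-bit keys and explicit extendedKeyUsage, and then checks the properties the VPN relies on. The directory PKI_DIR, the common names and the 3650-day lifetime are assumptions chosen to match the transcript.

```shell
#!/bin/sh
# Added example, not from the original answer: plain-openssl equivalent of the
# easy-rsa steps above (build-ca, build-key-server, build-key), with checks.
# PKI_DIR, the CN values and DAYS are assumptions for this demonstration.
set -eu

PKI_DIR="${PKI_DIR:-$(mktemp -d)}"
DAYS=3650        # same lifetime the transcript shows
BITS=2048        # easy-rsa 2.0 defaulted to 1024; do not go below 2048

# Minimal openssl config: an empty DN section (subjects are passed with -subj)
# plus one extension profile per role. The server profile carries
# extendedKeyUsage=serverAuth, the client profile clientAuth only.
write_cnf() {
  cat > "$PKI_DIR/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[v3_client]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# ./build-ca: self-signed CA; umask 077 keeps the key readable by root only.
build_ca() {
  (umask 077; openssl genrsa -out "$PKI_DIR/ca.key" "$BITS" 2>/dev/null)
  openssl req -new -x509 -key "$PKI_DIR/ca.key" -out "$PKI_DIR/ca.crt" \
    -days "$DAYS" -subj "/CN=OpenVPN-CA" \
    -config "$PKI_DIR/pki.cnf" -extensions v3_ca
}

# ./build-key-server (role=server) and ./build-key (role=client):
# key, CSR, then a CA signature with the role's extension profile.
issue_cert() {
  role="$1"; cn="$2"
  (umask 077; openssl genrsa -out "$PKI_DIR/$role.key" "$BITS" 2>/dev/null)
  openssl req -new -key "$PKI_DIR/$role.key" -out "$PKI_DIR/$role.csr" \
    -subj "/CN=$cn" -config "$PKI_DIR/pki.cnf"
  openssl x509 -req -in "$PKI_DIR/$role.csr" -CA "$PKI_DIR/ca.crt" \
    -CAkey "$PKI_DIR/ca.key" -CAcreateserial -days "$DAYS" \
    -out "$PKI_DIR/$role.crt" -extfile "$PKI_DIR/pki.cnf" \
    -extensions "v3_$role" 2>/dev/null
}

# Does the certificate chain to our CA at all?
chains_to_ca() {
  openssl verify -CAfile "$PKI_DIR/ca.crt" "$PKI_DIR/$1.crt" >/dev/null 2>&1
}

# Is the certificate acceptable as a TLS *server*? This is the EKU check
# behind the client-side "remote-cert-tls server" option; it is what stops
# one VPN client from presenting its own cert and impersonating the server.
usable_as_server() {
  openssl verify -purpose sslserver -CAfile "$PKI_DIR/ca.crt" \
    "$PKI_DIR/$1.crt" >/dev/null 2>&1
}

# Private keys must be mode 600 (no group/other bits).
key_is_private() {
  [ "$(ls -l "$PKI_DIR/$1.key" | cut -c5-10)" = "------" ]
}

# RSA modulus size actually embedded in the certificate.
key_bits() {
  openssl x509 -in "$PKI_DIR/$1.crt" -noout -text |
    sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

build_pki() {
  write_cnf
  build_ca
  issue_cert server server
  issue_cert client client
}

if [ "${1:-}" = "run" ]; then
  build_pki
  printf 'PKI written to %s\n' "$PKI_DIR"
  chains_to_ca server && usable_as_server server && echo "server cert: OK as server"
  chains_to_ca client && ! usable_as_server client && echo "client cert: valid, but refused as server"
fi
```

Run it as `sh pki.sh run` and copy ca.crt, server.crt and server.key into the server's /etc/openvpn, and ca.crt, client.crt and client.key to the client, exactly as the answer describes. Two follow-ups are deliberately left out of the script: the DH parameters (the equivalent of ./build-dh is `openssl dhparam -out dh2048.pem 2048`, after which the `dh` line in server.conf must name dh2048.pem rather than dh1024.pem), and the client-side check that makes the serverAuth distinction matter, which is the `remote-cert-tls server` line in client.conf. For the Samba step, binding smbd only to the tunnel (`interfaces = lo tun0` with `bind interfaces only = yes`, plus `hosts allow = 127. 10.8.0.0/24`) is what keeps the shares off the public interface; opening UDP 1194 is the only firewall hole the design needs.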
Huckle
Updated on September 18, 2022

Question (Huckle, almost 2 years ago):
I get 3 IP addresses from my ISP, so after my modem I have a switch with three things. Two are servers, one is a router. All my personal computers are behind the router. My old server used to have two ethernet ports, so I would put one on the switch and one on the router so that I could keep server traffic off the router and still be able to have samba shares for media.
My new lower-power server only has one LAN. I will eventually get a USB ethernet plug for it, but until then I'd like to still have my samba shares. I thought to myself, there must be some way to achieve this via VPN.
So what I'd like to do is this, set up a VPN server on the server, allow clients behind the router to connect to it. That seemed simple enough, except that all the guides I've seen assume you can allocate addresses on the server's LAN. Since my server's LAN is the public internet I can't really do that. Is there any way I can make up some 'imaginary' LAN that exists only in the mind of the server and put my VPN clients on that?
To clarify, if the server is 68.232.SSS.SSS and if the router is 68.232.RRR.RRR and if computers behind the router are 10.0.0.1-255 then can I make VPN clients use addresses like 192.168.0.VPN?
   OOoOoOOOooOOo
  OoO  Public  OoOOo-----Server  eth0 (Real)     68.232.SSS.SSS
   OoO Internet OoO              eth1 (Virtual)  192.168.0.1
   OoOoOOoOOoOOOo
         |
         \--Router  eth0 (WAN)  68.232.RRR.RRR
              |     eth1 (LAN)  10.0.0.1
              |
              \-----Client  eth1 (Virtual)  192.168.0.2
                            eth0 (Real)     10.0.0.2

Huckle, over 12 years ago: That would work if I were using *nix based clients, but although the server is *nix based, the clients are of various OSes (Win, Mac, *nix).