Tutorials and How-tos/Connect Two Bubba Servers via VPN

From BubbaWiki
Revision as of 14:13, 11 January 2011 by Rasmus (talk | contribs) (Minor typo in first line, changed second "home" to "work")


OpenVPN

If you have two Bubba servers (for example, one at home and another one at work) you can connect them together via a virtual private network. For this to work you need two Bubba servers, an Internet connection available at both home and work, and at least one of those connections must be externally accessible; for most people this is usually home, since the corporate firewall at work might not comply so happily. So, with the basic assumption that home is our central location, we will host the "server" there. First we SSH into the two Bubbas and issue the following command as root:

apt-get install openvpn

At your home Bubba, copy the folder /usr/share/doc/openvpn/examples/easy-rsa/ to /root. Also copy /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz to /etc/openvpn and gunzip it. At the office Bubba, copy /usr/share/doc/openvpn/examples/sample-config-files/client.conf to /etc/openvpn. At the home Bubba, cd to /root/easy-rsa and edit the file vars, entering the required values at the bottom (KEY_COUNTRY is the two-letter country code). Now issue the following commands:

. ./vars
./clean-all
./build-ca

The Common Name field must be filled in during build-ca. Now issue:

./build-key-server server

As above, fill in a common name (for example "server"), and answer yes to all questions. And again:

./build-key client

And again, fill in a common name (for example "client"), and answer yes to everything. We continue by creating Diffie-Hellman parameters:

./build-dh

This might take a while. Now copy ca.crt, server.crt, server.key and dh1024.pem from the keys directory to /etc/openvpn. Copy ca.crt, client.crt and client.key (by whatever means you have at hand) to /etc/openvpn on the office Bubba. Now enter /etc/network, edit firewall.conf and add the following:


-A INPUT -i tun+ -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 1194 -j ACCEPT

And on the client side, add:

-A INPUT -i tun+ -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT

On both, issue:

iptables-restore < firewall.conf

Now that this is done, we need to make a decision: the networks must be unique everywhere. Since the BubbaTwo defaults to 192.168.10.0, we first need to change that on one machine, for example to 192.168.37.0 on the office machine; also remember that the networks must be unique with respect to adjacent networks at the other sites. On the server, edit /etc/openvpn/server.conf at the line starting with "server" and set a network that is unique with respect to both sites. In the client.conf file at the office, set remote to your home IP address or DNS name. Now, on both, issue:

/etc/init.d/openvpn restart

Now, at your office, ping 10.8.0.1: your home Bubba should answer. That is basically it; more information can be found at http://openvpn.net/index.php/documentation/howto.html
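As an added check (not part of the original wiki page), the POSIX shell script below verifies the "unique networks" requirement above: it reads the tunnel network from a line in server.conf syntax and reports any overlap between the home LAN, the office LAN and the tunnel. The function names and all sample addresses are my own constructions, not anything from the Bubba software.

```shell
# Added check (not from BubbaWiki): verify that the home LAN, the office LAN and
# the OpenVPN tunnel network (the "server" line in server.conf) are pairwise
# distinct; routing between the two Bubbas breaks if any two collide.
# All addresses below are constructed sample values.

# Dotted quad -> 32-bit integer.
ip2int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Netmask such as 255.255.255.0 -> prefix length (24).
mask2prefix() {
    m=$(ip2int "$1"); n=0
    while [ "$m" -ne 0 ]; do n=$(( n + (m & 1) )); m=$(( m >> 1 )); done
    echo "$n"
}

# "server 10.8.0.0 255.255.255.0" (server.conf syntax) -> "10.8.0.0/24".
server_line_to_cidr() {
    set -- $1
    echo "$2/$(mask2prefix "$3")"
}

# Network address (as integer) of "a.b.c.d/prefix".
net_of() {
    prefix=${1#*/}
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    echo $(( $(ip2int "${1%/*}") & mask ))
}

# Returns 0 (true) if two CIDR networks overlap: the longer-prefix network,
# masked to the shorter prefix, lands on the shorter network's address.
subnets_overlap() {
    if [ "${1#*/}" -le "${2#*/}" ]; then short=$1; long=$2; else short=$2; long=$1; fi
    [ "$(net_of "$short")" -eq "$(net_of "${long%/*}/${short#*/}")" ]
}

# Prints each conflict; returns 0 only when all three networks are distinct.
check_vpn_plan() {
    home=$1; office=$2; tunnel=$3; rc=0
    for pair in "$home $office" "$home $tunnel" "$office $tunnel"; do
        set -- $pair
        if subnets_overlap "$1" "$2"; then echo "conflict: $1 overlaps $2"; rc=1; fi
    done
    return $rc
}

TUNNEL=$(server_line_to_cidr "server 10.8.0.0 255.255.255.0")  # as in the sample server.conf
# Both sites on the BubbaTwo default 192.168.10.0 -> conflict; office moved to 192.168.37.0 -> ok.
check_vpn_plan 192.168.10.0/24 192.168.10.0/24 "$TUNNEL" || echo "change one LAN first"
check_vpn_plan 192.168.10.0/24 192.168.37.0/24 "$TUNNEL" && echo "plan ok"
```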

PPTP

This howto is preliminary.

PPTP is a protocol used by Microsoft for VPN solutions; it can be used to connect to a VPN on the Bubba. First install pptpd by issuing the following:

apt-get install pptpd

Now edit /etc/pptpd.conf and enable the following:

bcrelay eth1
localip 192.168.10.220
remoteip 192.168.10.221-240

Edit /etc/ppp/pptpd-options:

name bubba
ms-dns 192.168.10.1
ms-wins 192.168.10.1
proxyarp

Add credentials to /etc/ppp/chap-secrets in the format:

<username>  bubba <password>  *

Update /etc/dnsmasq.conf: remove the interface row and add

except-interface=eth0

or add

ppp0,ppp1,ppp2,...,pppN 

to the interface line.

Edit /etc/network/firewall and, under OUTPUT, add:

-A INPUT -i eth0 -p gre -j ACCEPT
-A INPUT -i ppp+ -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 1723 -j ACCEPT 
-A FORWARD -i ppp+ -j ACCEPT
-A OUTPUT -o eth0 -p gre -j ACCEPT

Run:

iptables-restore /etc/network/firewall
/etc/init.d/pptpd restart
/etc/init.d/dnsmasq restart