Wed, April 13, 2022, 7:22:59

I get 3 IP addresses from my ISP, so after my modem I have a switch with three things. Two are servers, one is a router. All my personal computers are behind the router. My old server used to have two ethernet ports, so I would put one on the switch and one on the router so that I could keep server traffic off the router and still be able to have samba shares for media.



My new lower-power server only has one LAN. I will eventually get a USB ethernet plug for it, but until then I'd like to still have my samba shares. I thought to myself, there must be some way to achieve this via VPN.



So what I'd like to do is this: set up a VPN server on the server and allow clients behind the router to connect to it. That seemed simple enough, except that all the guides I've seen assume you can allocate addresses on the server's LAN. Since my server's LAN is the public internet, I can't really do that. Is there any way I can make up some 'imaginary' LAN that exists only in the mind of the server and put my VPN clients on that?



To clarify, if the server is 68.232.SSS.SSS and if the router is 68.232.RRR.RRR and if computers behind the router are 10.0.0.1-255 then can I make VPN clients use addresses like 192.168.0.VPN?



      OOoOoOOOooOOo
    OoO Public   OoOOo-----Server eth0 (Real)    68.232.SSS.SSS
    OoO Internet OoO              eth1 (Virtual) 192.168.0.1
     OoOoOOoOOoOOOo
          |
          --Router eth0 (WAN) 68.232.RRR.RRR
              |    eth1 (LAN) 10.0.0.1
              |
              -----Client eth1 (Virtual) 192.168.0.2
                          eth0 (Real)    10.0.0.2


 Answers

  1. install openvpn on your server and your client

  2. generate the certificates as in the official HOWTO:



    root@server:/etc/openvpn/easy-rsa# cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/easy-rsa
    root@server:/etc/openvpn/easy-rsa# cd /etc/openvpn/easy-rsa


    Edit /etc/openvpn/easy-rsa/vars and fill in the appropriate values



    root@server:/etc/openvpn/easy-rsa# . ./vars
    NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
    root@server:/etc/openvpn/easy-rsa# ./clean-all
    root@server:/etc/openvpn/easy-rsa# ./build-ca
    Generating a 1024 bit RSA private key
    ......................++++++
    ........++++++
    writing new private key to 'ca.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [HK]:
    State or Province Name (full name) [New Territories]:
    Locality Name (eg, city) [Tuen Mun]:
    Organization Name (eg, company) [Home]:
    Organizational Unit Name (eg, section) [changeme]:
    Common Name (eg, your name or your server's hostname) [OpenVPN-CA]:
    Name [OpenVPN-CA]:
    Email Address [[email protected]]:
    root@server:/etc/openvpn/easy-rsa# ./build-key-server server
    Generating a 1024 bit RSA private key
    ...............++++++
    ..........++++++
    writing new private key to 'server.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [HK]:
    State or Province Name (full name) [New Territories]:
    Locality Name (eg, city) [Tuen Mun]:
    Organization Name (eg, company) [Home]:
    Organizational Unit Name (eg, section) [changeme]:
    Common Name (eg, your name or your server's hostname) [server]:
    Name [OpenVPN-CA]:
    Email Address [[email protected]]:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName :PRINTABLE:'HK'
    stateOrProvinceName :PRINTABLE:'New Territories'
    localityName :PRINTABLE:'Tuen Mun'
    organizationName :PRINTABLE:'Home'
    organizationalUnitName:PRINTABLE:'changeme'
    commonName :PRINTABLE:'server'
    name :PRINTABLE:'OpenVPN-CA'
    emailAddress :IA5STRING:'[email protected]'
    Certificate is to be certified until Mar 18 13:18:09 2022 GMT (3650 days)
    Sign the certificate? [y/n]:y


    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    root@server:/etc/openvpn/easy-rsa# ./build-key client
    Generating a 1024 bit RSA private key
    ..........++++++
    ...................................................++++++
    writing new private key to 'client.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [HK]:
    State or Province Name (full name) [New Territories]:
    Locality Name (eg, city) [Tuen Mun]:
    Organization Name (eg, company) [Home]:
    Organizational Unit Name (eg, section) [changeme]:
    Common Name (eg, your name or your server's hostname) [client]:
    Name [OpenVPN-CA]:
    Email Address [[email protected]]:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName :PRINTABLE:'HK'
    stateOrProvinceName :PRINTABLE:'New Territories'
    localityName :PRINTABLE:'Tuen Mun'
    organizationName :PRINTABLE:'Home'
    organizationalUnitName:PRINTABLE:'changeme'
    commonName :PRINTABLE:'client'
    name :PRINTABLE:'OpenVPN-CA'
    emailAddress :IA5STRING:'[email protected]'
    Certificate is to be certified until Mar 18 13:20:00 2022 GMT (3650 days)
    Sign the certificate? [y/n]:y


    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    root@server:/etc/openvpn/easy-rsa# ./build-dh
    Generating DH parameters, 1024 bit long safe prime, generator 2
    This is going to take a long time
    ............................................................................+..................+...........+...........................+..............+..............................................................+......................................................................................................+......................................................................................+..............................................................................+..................+.................+..................................................................+.........................................+...........+..........................................................................................+..............................................+....................................+...................+....+..+................+.+.........+..............................................................+....................................................................................................................+...........+.....................................................................................................................................+.........................................................+...........................................................+.......................................................................................................................................................................................................................................+..............+..............................................................................................................................................+............................+..........................................+....................................................................................................................................++*++*++*

  3. copy the needed files from /etc/openvpn/easy-rsa/keys on the server to /etc/openvpn



    for server: ca.crt dh1024.pem server.crt server.key



    for client: ca.crt client.crt client.key


  4. copy the appropriate sample configuration files from /usr/share/doc/openvpn/examples/sample-config-files/ to /etc/openvpn and decompress them



    server: server.conf.gz



    client: client.conf


  5. The server configuration file should be workable by default

  6. edit the "remote" entry on the client /etc/openvpn/client.conf



    Input the server name / IP address. No other changes need to be made


  7. Open up UDP 1194 on the server's firewall

  8. The service is ready to start now, the server is at 10.8.0.1



    I assume you only need to access the server; additional work needs to be done if you want to access other internal networks.


  9. configure samba to listen on 10.8.0.0/24




Everything should have been done; leave a comment here if something goes wrong.


[#40342] Thursday, April 14, 2022
deringach
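
Step 9 matters here because the server sits directly on a public address: Samba should answer only on the VPN subnet. The following is an added example, not part of the answer above, that audits the `[global]` section of an smb.conf for that property. The 10.8.0.0/24 subnet comes from the answer; the `tun0` device name, the function names and both sample configurations are assumptions constructed for illustration.

```python
import configparser
import ipaddress

VPN_NET = ipaddress.ip_network("10.8.0.0/24")  # subnet from the answer (server is 10.8.0.1)

# Constructed sample configurations, not taken from the page.
EXPOSED = """
[global]
workgroup = WORKGROUP
"""

HARDENED = """
[global]
workgroup = WORKGROUP
interfaces = 127.0.0.1/8 10.8.0.1/24
bind interfaces only = yes
hosts allow = 127.0.0.1 10.8.0.0/24
"""

def _is_local(token):
    """True if token names loopback or something inside the VPN subnet."""
    if token in ("lo", "tun0"):  # tun0: assumed name of the OpenVPN device
        return True
    try:
        net = ipaddress.ip_interface(token).network
    except ValueError:
        return False  # other interface names or hostnames: treat as not local
    return net.is_loopback or (net.version == 4 and net.subnet_of(VPN_NET))

def audit_smb_conf(text):
    """Return a list of findings; an empty list means Samba is confined to the VPN."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    g = cp["global"] if cp.has_section("global") else {}
    findings = []
    ifaces = g.get("interfaces", "").split()
    if not ifaces:
        findings.append("interfaces not set: smbd listens on every address")
    elif not all(_is_local(t) for t in ifaces):
        findings.append("interfaces lists an address outside loopback/VPN")
    if g.get("bind interfaces only", "no").lower() not in ("yes", "true", "1"):
        findings.append("bind interfaces only is not enabled")
    allow = g.get("hosts allow", "").replace(",", " ").split()
    if not allow or not all(_is_local(t) for t in allow):
        findings.append("hosts allow does not restrict clients to the VPN subnet")
    return findings
```

Run `audit_smb_conf(open("/etc/samba/smb.conf").read())` on the server after editing; an empty list means all three restrictions are in place.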