Tutorial: OpenVPN for internal-ip only virtual machine hosts
NuclearFusion

Welcome to another tutorial! This time I will be showing you a neat trick to get OpenVPN working within a larger subnet used for an Ethernet bridge. Say what now? Let me explain.

I had the following idea in mind: get a dedicated server with a single IPv4. Make it a Xen host, create virtual servers with just an internal IP, and from there either proxy stuff to the outside world via dom0 or keep it private within a VPN in those cases where I would just use it for testing. That last part turned out to be challenging initially, but had an interesting outcome.

I'll share my experiences with you here. I've tested this on an Ubuntu host (in my case I've used Ubuntu 15.04 with Xen 4.5), but it should work on other Debian-based systems as well. For VPN I've used a (modified) version of Nyr's awesome OpenVPN installer script.

I'm going to assume a host with virtualization working, so I'm starting at the ethernet bridge configuration here.

In /etc/network/interfaces, add the following code:

auto xen-intbr
iface xen-intbr inet static
pre-up brctl addbr xen-intbr
post-down brctl delbr xen-intbr
address 10.0.0.1
netmask 255.255.0.0
network 10.0.0.0
broadcast 10.0.255.255

This code creates an ethernet interface called 'xen-intbr'. The name is up to you, though I would use a descriptive name. The address range I've used here is 10.0.0.0/16, which is quite a large range, but it makes things easiest to work with. The following two lines:

pre-up brctl addbr xen-intbr
post-down brctl delbr xen-intbr

actually make the interface a bridge: brctl creates the bridge before the interface is brought up, and deletes it again after the interface goes down.

This is the actual bridge you can use for your virtual machines. You can configure any IP address from the 10.0.0.0/16 range on them, except for 10.0.0.1 (which is the gateway address) and 10.0.255.255 (which is the broadcast address).

To get the bridge running without a restart, run:

sudo ifup xen-intbr

Now, that's that. Next step is to get OpenVPN installed. We're going to be using Nyr's installer for this, but a modified version.

First, download the script:

wget git.io/vpn --no-check-certificate -O openvpn-install.sh

Next, open the file and replace all occurrences of '10.8.0.0' with '10.0.255.0' and save the file. Now, run the file:

sudo bash openvpn-install.sh

This should ask you some questions. Answer them honestly, or karma will make sure this tutorial won't work.

Once that's been installed, open the /etc/openvpn/server.conf file and look for the following line:

dev tun

Change that to:

dev tap

This will make the VPN act like a true ethernet tunnel. Be sure to also reflect this change in the .openvpn file the installer spits out at the end of its run. Restart OpenVPN to activate this change:

sudo service openvpn restart

Following this, run this command:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Replace 'eth0' with the name of your primary network interface (or the one containing your actual external IPv4). This should ensure traffic over that interface will be able to reach other networks as well.

Now, if you're lucky, this should work. You may connect to the OpenVPN server and try to reach an existing (and powered on) virtual machine with an internal IP address from the OpenVPN client machine.

If you're unlucky (and I haven't been able to pin-point this difference in environments yet), you have to perform two more steps to get this working:

sudo brctl addif xen-intbr tap0

Replace 'tap0' with the name of your tap-device (use 'ifconfig | grep tap' to find yours). Next, make sure it's a promiscuous interface (meaning the interface accepts all frames on the bridge, not just those addressed to its own MAC):

sudo ifconfig tap0 0.0.0.0 promisc up

Again, replace 'tap0' with the name of your tap-device.

If you were unlucky, you should now be done as well!
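As an added example (not part of the original post), here is a small POSIX shell script that checks two things that are easy to get wrong in this setup: that a guest address fits the 10.0.0.0/16 bridge plan without colliding with the gateway, the broadcast address or the 10.0.255.0/24 VPN client pool, and that server.conf really was switched to 'dev tap' with the client pool moved off the installer's default 10.8.0.0. The function names, the sample config and the demo addresses are my own constructions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed layout from the post:
# bridge xen-intbr = 10.0.0.0/16, gateway 10.0.0.1, broadcast 10.0.255.255,
# OpenVPN clients on 10.0.255.0/24 (the installer's 10.8.0.0 replaced).

# Print a dotted quad as a 32-bit integer; fail on malformed input.
ip2int() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    set -- $(echo "$1" | tr '.' ' ')
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 0 if ADDR is a usable guest address: inside the /16, not the network,
# gateway or broadcast address, and not inside the VPN client /24.
vm_ip_ok() {
    n=$(ip2int "$1") || return 1
    [ $(( n >> 16 )) -eq $(( $(ip2int 10.0.0.0) >> 16 )) ] || return 1
    [ "$n" -ne "$(ip2int 10.0.0.0)" ] || return 1
    [ "$n" -ne "$(ip2int 10.0.0.1)" ] || return 1
    [ "$n" -ne "$(ip2int 10.0.255.255)" ] || return 1
    [ $(( n >> 8 )) -ne $(( $(ip2int 10.0.255.0) >> 8 )) ] || return 1
}

# 0 if server.conf uses a tap device and the 10.0.255.0/24 client pool,
# with no leftover reference to the installer's 10.8.0.0 default.
check_server_conf() {
    grep -Eq '^dev[[:space:]]+tap' "$1" || return 1
    grep -Eq '^server[[:space:]]+10\.0\.255\.0[[:space:]]+255\.255\.255\.0' "$1" || return 1
    ! grep -q '10\.8\.0\.' "$1"
}

# Stand-alone demo on a constructed config file and a few sample addresses.
demo() {
    tmp=$(mktemp)
    printf 'port 1194\ndev tap\nserver 10.0.255.0 255.255.255.0\n' > "$tmp"
    if check_server_conf "$tmp"; then echo "server.conf: ok"; else echo "server.conf: fix it"; fi
    rm -f "$tmp"
    for a in 10.0.1.20 10.0.0.1 10.0.255.7 10.1.0.5; do
        if vm_ip_ok "$a"; then echo "$a: usable"; else echo "$a: reserved or outside"; fi
    done
}
demo
```

Forwarding through the MASQUERADE rule also needs net.ipv4.ip_forward set to 1, which the installer script takes care of; 'sysctl net.ipv4.ip_forward' confirms it after any later sysctl changes.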

Unlike most tutorials, this one is just a trick I wanted to share with you, as I wasn't able to find it documented on the internet myself. But considering that dedicated-server offerings in the EU are mostly limited to one IPv4 by default, the situation may come to you sooner than you might expect.

I hope you've enjoyed this tutorial! Next one is due in two weeks!

