Welcome to another tutorial! This time I will be showing you a neat trick to get OpenVPN working within a larger subnet used for an Ethernet bridge. Say what now? Let me explain.
I had the following idea in mind: get a dedicated server with a single IPv4. Make it a Xen host, create virtual servers with just an internal IP, and from there either proxy stuff to the outside world via dom0 or keep it private within a VPN in the cases where I would just use it for testing. That last part turned out to be challenging initially, but had an interesting outcome.
I’ll share my experiences with you here. I’ve tested this on an Ubuntu host (in my case I’ve used Ubuntu 15.04 with Xen 4.5), but it should work on other Debian-based systems as well. For VPN I’ve used a (modified) version of Nyr’s awesome OpenVPN installer script.
I’m going to assume a host with virtualization working, so I’m starting at the Ethernet bridge configuration here.
In /etc/network/interfaces, add the following code:
auto xen-intbr
iface xen-intbr inet static
    pre-up brctl addbr xen-intbr
    post-down brctl delbr xen-intbr
    address 10.0.0.1
    netmask 255.255.0.0
    network 10.0.0.0
    broadcast 10.0.255.255
This code creates an Ethernet interface called ‘xen-intbr’. The name is up to you, though I would use a descriptive name. The address range I’ve used here is 10.0.0.0/16, which is quite a large range, but this makes it easiest to work with. The following two lines:
pre-up brctl addbr xen-intbr
post-down brctl delbr xen-intbr
are what actually make it a bridge: brctl creates the bridge device before the interface is brought up, and deletes it again after the interface goes down.
This is the actual bridge you can use for your virtual machines. You can configure any IP address from the 10.0.0.0/16 range on them, except for 10.0.0.1 (which is the gateway address) and 10.0.255.255 (which is the broadcast address); once OpenVPN is set up as described below, the 10.0.255.0/24 range it hands out to VPN clients should be left free as well.
To get the bridge running without a restart, run:
sudo ifup xen-intbr
Now, that’s that. Next step is to get OpenVPN installed. We’re going to be using Nyr’s installer for this, but a modified version.
First, download the script:
wget git.io/vpn --no-check-certificate -O openvpn-install.sh
Next, open the file and replace all occurrences of ‘10.8.0.0’ with ‘10.0.255.0’ and save the file. Now, run the file:
sudo bash openvpn-install.sh
This should ask you some questions. Answer them honestly, or karma will make sure this tutorial won’t work.
Once that’s been installed, open the /etc/openvpn/server.conf file and look for the following line:
dev tun
Change that to:
dev tap
This will make the VPN act like a true Ethernet tunnel (a layer 2 tap device instead of a routed tun device). Be sure to also reflect this change in the client configuration, the .openvpn file the installer spits out at the end of its run. Restart OpenVPN to activate this change:
sudo service openvpn restart
Following this, run this command:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Replace ‘eth0’ with the name of your primary network interface (the one carrying your actual external IPv4). This makes the host masquerade traffic leaving over that interface, so VMs and VPN clients with internal addresses can reach other networks as well.
Now, if you’re lucky, this should work. You may connect to the OpenVPN server and try to reach an existing (and powered on) virtual machine with an internal IP address from the OpenVPN client machine.
If you’re unlucky (and I haven’t been able to pinpoint this difference in environments yet), you have to perform two more steps to get this working:
sudo brctl addif xen-intbr tap0
Replace ‘tap0’ with the name of your tap device (use ‘ifconfig | grep tap’ to find yours). Next, make sure it’s a promiscuous interface (meaning it accepts frames that are not addressed to its own MAC, which a bridge port needs in order to pass the virtual machines’ traffic):
sudo ifconfig tap0 0.0.0.0 promisc up
Again, replace ‘tap0’ with the name of your tap device.
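The post-install steps above (re-pointing the installer to 10.0.255.0, switching dev tun to dev tap, the MASQUERADE rule, and the bridge/promiscuous fix for the “unlucky” case) are scripted below so they can be re-run safely. This is an added example, not code from the original post or from Nyr’s installer: every change is checked before it is made and verified afterwards, and the MASQUERADE rule is tightened to the bridge range with “-s 10.0.0.0/16”, which is an addition to the post’s bare rule. Interface names, subnet and file paths are the ones from the post; SYSFS_ROOT and the sample data in the usage section are constructed so the check functions can be exercised without root.

```shell
#!/bin/sh
# Added example (not the post's or Nyr's code). Scripts the tutorial's post-install
# steps idempotently. Defaults match the post; override via environment variables.

BRIDGE="${BRIDGE:-xen-intbr}"
EXT_IF="${EXT_IF:-eth0}"          # interface holding the public IPv4
LAN_NET="${LAN_NET:-10.0.0.0/16}" # the bridge's range; VPN clients land in 10.0.255.0/24 inside it
SYSFS_ROOT="${SYSFS_ROOT:-/sys/class/net}" # overridable so checks can run against a fake tree

# Re-point the installer from its default 10.8.0.0 to 10.0.255.0.
# Succeeds only when no occurrence of the old value remains.
repoint_vpn_subnet() {
  sed -i 's/10\.8\.0\.0/10.0.255.0/g' "$1"
  ! grep -q '10\.8\.0\.0' "$1"
}

# Turn "dev tun" into "dev tap" in server.conf or the client .ovpn file.
# Only a whole "dev tun[N]" line is touched, so other text mentioning tun is left alone.
use_tap_device() {
  sed -i 's/^dev[[:space:]][[:space:]]*tun[0-9]*[[:space:]]*$/dev tap/' "$1"
  grep -q '^dev tap$' "$1"
}

# The post's NAT rule, restricted to the bridge range (our addition), plus two FORWARD
# rules so only that range goes out via the public interface and only replies come back.
nat_rules() {
  printf '%s\n' \
    "-t nat -A POSTROUTING -s $LAN_NET -o $EXT_IF -j MASQUERADE" \
    "-t filter -A FORWARD -s $LAN_NET -o $EXT_IF -j ACCEPT" \
    "-t filter -A FORWARD -d $LAN_NET -i $EXT_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
}

# Apply each rule once: "iptables -C" exits 0 when an identical rule already exists,
# so repeated runs never stack duplicates. Forwarding must be on for NAT to matter.
apply_nat() {
  sysctl -q -w net.ipv4.ip_forward=1
  nat_rules | while IFS= read -r rule; do
    # shellcheck disable=SC2086
    iptables $(printf '%s' "$rule" | sed 's/ -A / -C /') 2>/dev/null || iptables $rule
  done
}

# Find OpenVPN's tap device from sysfs instead of parsing ifconfig output.
find_tap() {
  for d in "$SYSFS_ROOT"/tap*; do
    [ -e "$d" ] && { basename "$d"; return 0; }
  done
  return 1
}

# Bridge membership is visible in sysfs: each port appears under <bridge>/brif/.
bridge_has_port() {
  [ -e "$SYSFS_ROOT/$1/brif/$2" ]
}

# The "unlucky" branch of the tutorial: enslave the tap to the bridge (only if it is
# not a member yet) and put it in promiscuous mode, then verify the membership.
attach_tap() {
  tap="$1"
  if bridge_has_port "$BRIDGE" "$tap"; then
    echo "$tap is already a port of $BRIDGE"
  else
    brctl addif "$BRIDGE" "$tap"
  fi
  ifconfig "$tap" 0.0.0.0 promisc up
  bridge_has_port "$BRIDGE" "$tap"
}

# Usage (as root):
#   sh bridge-vpn.sh patch   # before running the installer, in the directory holding it
#   sh bridge-vpn.sh setup   # after the installer has finished
# Without an argument the script only prints the rules it would add (dry run).
case "${1:-}" in
  patch) repoint_vpn_subnet openvpn-install.sh ;;
  setup)
    use_tap_device /etc/openvpn/server.conf
    apply_nat
    tap=$(find_tap) && attach_tap "$tap"
    ;;
  *) nat_rules ;;
esac
```

The “-C then -A” pattern is what makes the NAT step safe to repeat from a boot script; note that neither the post’s iptables rule nor these survive a reboot on their own, so the script (or a persisted ruleset) has to run at boot. The sysfs check after brctl addif is the quick way to confirm the tap really became a bridge port before testing connectivity from a VPN client.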
If you were unlucky, you should now be done as well!
Unlike most tutorials, this one is just a trick I wanted to share with you, as I wasn’t able to find it documented anywhere on the internet myself. But considering that dedicated server offerings in the EU are mostly limited to one IPv4 by default, this situation may come to you sooner than you might expect.
I hope you’ve enjoyed this tutorial! Next one is due in two weeks!
Is it possible to also have your own personal IP / firewall and monitor the packets that are going through your network? For example, watching the packets per IP that go through port 22 (SSH)? Furthermore, is there a way to ban IPs from the whole vlan effectively?
Ideally, I would want to extend the vlan setup to have some anti-brute force / anti-dos setup.
Thank you for mentioning my work :)
Just read through the tutorial and will try it later. Could you go into a bit more detail about what you mean by this though?
“Be sure to also reflect this change in the .openvpn file the installer spits out at the end of its run”? Thanks.
Still using OpenVPN (and not http://www.tinc-vpn.org/ ), still using IPv4 (and not IPv6).
This tutorial already feels a few years old despite having just been published…
lowendbox top providers 2015 Q1?
Thank you for sharing this tutorial
Is this tutorial still valid?