Tutorial – OpenVPN for internal-ip only virtual machine hosts

Date/Time: June 12, 2015 @ 1:00 pm, by Maarten Kossen

Welcome to another tutorial! This time I will be showing you a neat trick to get OpenVPN working within a larger subnet used for an Ethernet bridge. Say what now? Let me explain.

I had the following idea in mind: get a dedicated server with a single IPv4. Make it a Xen host, create virtual servers with just an internal IP, and from there either proxy stuff to the outside world via dom0 or keep it private within a VPN in those cases where I would just use it for testing. That last part turned out to be challenging initially, but had an interesting outcome.

I’ll share my experiences with you here. I’ve tested this on an Ubuntu host (in my case I’ve used Ubuntu 15.04 with Xen 4.5), but it should work on other Debian-based systems as well. For the VPN I’ve used a (modified) version of Nyr’s awesome OpenVPN installer script.

I’m going to assume a host with virtualization working, so I’m starting at the Ethernet bridge configuration here.

In /etc/network/interfaces, add the following code:

auto xen-intbr
iface xen-intbr inet static
pre-up brctl addbr xen-intbr
post-down brctl delbr xen-intbr
address 10.0.0.1
netmask 255.255.0.0
network 10.0.0.0
broadcast 10.0.255.255

This configuration creates a bridge interface called ‘xen-intbr’. The name is up to you, though I would use a descriptive name. The address range I’ve used here is 10.0.0.0/16, which is quite a large range, but this makes it easiest to work with. The following two lines:

pre-up brctl addbr xen-intbr
post-down brctl delbr xen-intbr

are what actually make it a bridge: brctl creates the bridge device before the interface is brought up and deletes it again after the interface is taken down.

This is the actual bridge you can use for your virtual machines. You can configure any IP address from the 10.0.0.0/16 range on them, except for 10.0.0.1 (which is the gateway address) and 10.0.255.255 (which is the broadcast address).

To get the bridge running without a restart, run:

sudo ifup xen-intbr

Now, that’s that. Next step is to get OpenVPN installed. We’re going to be using Nyr’s installer for this, but a modified version.

First, download the script:

wget git.io/vpn --no-check-certificate -O openvpn-install.sh

Next, open the file and replace all occurrences of ‘10.8.0.0’ with ‘10.0.255.0’ and save the file. Now, run the file:

sudo bash openvpn-install.sh

This should ask you some questions. Answer them honestly, or karma will make sure this tutorial won’t work.

Once that’s been installed, open the /etc/openvpn/server.conf file and look for the following line:

dev tun

Change that to:

dev tap

This will make the VPN act like a true Ethernet (layer 2) tunnel instead of a routed IP tunnel, which is what allows it to be bridged. Be sure to also reflect this change in the .openvpn file the installer spits out at the end of its run (the client config must use the same device type as the server). Restart OpenVPN to activate this change:

sudo service openvpn restart

Following this, run this command:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Replace ‘eth0’ with the name of your primary network interface (or the one carrying your actual external IPv4). This masquerades traffic leaving that interface behind the host’s external address, so clients and guests with internal addresses will be able to reach other networks as well.

Now, if you’re lucky, this should work. You may connect to the OpenVPN server and try to reach an existing (and powered on) virtual machine with an internal IP address from the OpenVPN client machine.

If you’re unlucky (and I haven’t been able to pinpoint this difference in environments yet), you have to perform two more steps to get this working:

sudo brctl addif xen-intbr tap0

Replace ‘tap0’ with the name of your tap device (use ‘ifconfig | grep tap’ to find yours). Next, make sure it’s a promiscuous interface (meaning the interface accepts every frame on the bridge, not only those addressed to its own MAC):

sudo ifconfig tap0 0.0.0.0 promisc up

Again, replace ‘tap0’ with the name of your tap device.

If you were unlucky, you should now be done as well!
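Added here as an example, not code from the post or from Nyr’s installer: a few POSIX sh helpers that check a guest address against the layout above, make the tun-to-tap edit, pick the tap device out of ‘ip -o link show’ output, and print the two bridge commands for the unlucky case. Assumptions of mine, not stated by the post: the VPN client pool is 10.0.255.0/24 after the installer edit, and ‘ip -o link show’ is used in place of ‘ifconfig | grep tap’.

```shell
#!/bin/sh
# Added example, not code from the post or from Nyr's installer.
# Assumptions (mine): the post's bridge layout (10.0.0.0/16, gateway 10.0.0.1,
# broadcast 10.0.255.255) and the OpenVPN client pool 10.0.255.0/24 that the
# installer ends up using once every 10.8.0.0 is replaced with 10.0.255.0.

# vm_ip_ok ADDR: succeed only if ADDR is safe to give a guest on xen-intbr:
# inside 10.0.0.0/16, not the network, gateway or broadcast address, and not
# in the 10.0.255.0/24 block that VPN clients are drawn from.
vm_ip_ok() {
    addr=$1
    echo "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    o1=${addr%%.*}; rest=${addr#*.}
    o2=${rest%%.*}; rest=${rest#*.}
    o3=${rest%%.*}; o4=${rest#*.}
    for o in "$o1" "$o2" "$o3" "$o4"; do [ "$o" -le 255 ] || return 1; done
    [ "$o1" -eq 10 ] && [ "$o2" -eq 0 ] || return 1      # outside 10.0.0.0/16
    [ "$o3" -ne 255 ] || return 1                        # VPN pool / broadcast
    [ "$o3" -ne 0 ] || [ "$o4" -gt 1 ] || return 1       # 10.0.0.0 and 10.0.0.1
    return 0
}

# tun_to_tap FILE: rewrite 'dev tun' to 'dev tap' in a server.conf or client
# config, the edit the post makes by hand; fails if the file has no tun line.
tun_to_tap() {
    f=$1
    grep -Eq '^dev[[:space:]]+tun' "$f" || return 1
    sed 's/^dev[[:space:]]\{1,\}tun[0-9]*/dev tap/' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# tap_device: read 'ip -o link show' output on stdin and print the first tap
# interface name (stand-in for the post's 'ifconfig | grep tap'); fails if none.
tap_device() {
    awk -F': ' '$2 ~ /^tap[0-9]+$/ { print $2; found = 1; exit } END { exit !found }'
}

# bridge_attach_cmds BRIDGE TAP: the two commands from the post's "unlucky"
# case, printed rather than run so they can be reviewed before use as root.
bridge_attach_cmds() {
    printf 'brctl addif %s %s\nifconfig %s 0.0.0.0 promisc up\n' "$1" "$2" "$2"
}

# Constructed demo input (no real system is touched).
links='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
5: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast'
tap=$(printf '%s\n' "$links" | tap_device) && bridge_attach_cmds xen-intbr "$tap"
```

Pipe the real ‘ip -o link show’ into tap_device and run the printed commands with sudo once they look right.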

Unlike most tutorials, this one is just a trick I wanted to share with you, as I wasn’t able to find it documented on the internet myself. But considering that dedicated server offerings in the EU are mostly limited to one IPv4 by default, the situation may come to you sooner than you might expect.

I hope you’ve enjoyed this tutorial! Next one is due in two weeks!

Maarten Kossen was the administrator of LowEndBox from 2013 to 2015, and brought many ideas and improvements to the website during his leadership. Today he is a member of our community and LowEndTalk.

7 Comments

  1. Is it possible to also have your own personal IP / Firewall and monitor the packets that are going through your network? For example, watching the packets per IP that go through the port 22? (SSH) , furthermore, is there a way to ban IPs from the whole vlan effectively?

    Ideally, I would want to extend the vlan setup to have some anti-brute force / anti-dos setup.

    June 13, 2015 @ 6:03 pm | Reply
  2. Thank you for mentioning my work :)

    June 13, 2015 @ 9:20 pm | Reply
  3. Chris:

    Just read through the tutorial and will try it later. Could you go into a bit more detail about what you mean by this though?

    “Be sure to also reflect this change in the .openvpn file the installer spits out at the end of its run”? Thanks.

    June 21, 2015 @ 10:53 am | Reply
  4. rm:

    Still using OpenVPN (and not http://www.tinc-vpn.org/ ), still using IPv4 (and not IPv6).
    This tutorial already feels a few years old despite having just been published…

    June 25, 2015 @ 10:04 am | Reply
  5. ls:

    lowendbox top providers 2015 Q1?

    June 28, 2015 @ 7:44 pm | Reply
  6. Thank you for sharing this tutorial

    June 1, 2020 @ 6:34 am | Reply
  7. Is this tutorial still valid?

    June 1, 2020 @ 7:00 am | Reply
