[Help] Use router as client to share home network

[shawly]

Hi,

I want to install an OpenVPN server on my vserver and use my router as client to connect my home network to the VPN (but not route my traffic through it), then log in with my laptop at work as client, route my traffic through the server (to bypass firewall restrictions, since it sometimes automatically blocks work related websites for being malicous or gaming related or whatever) and have access to my home network.
I currently use the OpenVPN server on my router for this, but since my upload at home is so slow, it's a little annoying to surf with it, therefore I wanted to use my vserver as OVPN server.

I drew a picture with paint to make it a little bit easier to understand:


I know this is possible but I lack the knowledge of routing.. so I wanted to know if someone could show me, how to accomplish this setup.

[maikcat]

yes you can do this scenario,

you will need to use ccd files so that you can map your homes router cert with its lan,
please post your configs and we will help you out.

create 2 client certs , one server cert , then setup your vps as server and connect your clients,
after that you will need a couple of additions on server side in order to configure routing.

also post your subnets used.

Michael.

[shawly]

Thanks for your answer!

This is my server config: http://pastebin.com/raw.php?i=cCGVx8L0
I'm pretty sure I shouldn't use push "redirect-gateway" since my router should not route it's traffic through the server, right?
I pretty much copied the server config, so I'm not really sure if it is safe to use..

And this is the client.conf my router generates: http://pastebin.com/raw.php?i=G280BcfZ

And this is the one I use for my laptop at work: http://pastebin.com/raw.php?i=q8kBUbu7
This is the only one I wrote myself.

The subnet of my home network is 192.168.0.0/24
The one I wanted to use for my VPN is 10.10.10.0/24 (I don't really need that many IP's but it doesn't really matter anyway)

I haven't defined any routes on my server yet nor did I do anything to the iptables.
But I have to block internal packets on the external interface with this:

Code: Select all

iptables -t filter -I FORWARD -o eth0 -m conntrack --ctstate INVALID -j DROP

Or else my provider will close my server which happened once already because of using OpenVPN. (Read here for more info)

[maikcat]

Code: Select all

user nobody
group nogroup
dev tap
local xx.xx.xx.xx
port 443
proto tcp
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
server 10.66.66.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway"
client-to-client
keepalive 10 120
comp-lzo
persist-tun
persist-key
verb 3
log-append /var/log/openvpn/openvpn.log
status /var/log/openvpn/status.log
# pam-auth
plugin /usr/lib/openvpn/openvpn-auth-pam.so common-auth
client-cert-not-required
username-as-common-name

client config

Code: Select all

client
proto tcp
remote xx.xx.xx.xx 443
resolv-retry infinite
nobind
dev tap0
ca /etc/storage/openvpn/client/ca.crt
auth SHA1
cipher AES-128-CBC
comp-lzo yes
auth-user-pass secret
persist-key
script-security 2
writepid /var/run/openvpn_cli.pid
up ovpnc.script
down ovpnc.script

### User params:
nice 3
verb 3

client

Code: Select all

client
dev tap
proto tcp
remote xx.xx.xx.xx 443
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
verb 3
comp-lzo

[shawly]

But, you didn't change anything, these are the configs I posted... What are you trying to tell me?

[maikcat]

some basic lines to follow,

use certs for start avoid user based auth,
use the SAME encryption algorithm on both server/client
use the SAME lzo settings on both server/client
use tun for routing

with the above in mind you should create a cert named home
for your home network, the other name it whatever you want


what configs i suggest you should use..

server config

Code: Select all

user nobody
group nogroup
dev tun
local xx.xx.xx.xx
port 443
proto tcp
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
server 10.66.66.0 255.255.255.0
client-config-dir /etc/openvpn/ccd
ifconfig-pool-persist ipp.txt
client-to-client
keepalive 10 120
comp-lzo
persist-tun
persist-key
verb 3
log-append /var/log/openvpn/openvpn.log
status /var/log/openvpn/status.log
cipher AES-256-CBC
# pam-auth
route 192.168.0.0 255.255.255.0
push "route 192.168.0.0 255.255.255.0"

create a ccd file named home with the following contents

Code: Select all

iroute 192.168.0.0 255.255.255.0
ifconfig-push 10.66.66.22 10.66.66.21"

client config

Code: Select all

client
dev tun
proto tcp-client
remote xx.xx.xx.xx 443
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert home.crt
key home.key
verb 3
comp-lzo
cipher AES-256-cbc

connect your client with the home cert it should obtain 10.66.66.22 ip,
connect the other client and try to ping both 10.66.66.22 ip and its lan on (192.168.0.x)

Michael.

[maikcat]

But, you didn't change anything, these are the configs I posted... What are you trying to tell me?

you were reading the post BEFORE i managed to write my answer...

be patient m8

Michael.

[shawly]

But, you didn't change anything, these are the configs I posted... What are you trying to tell me?

you were reading the post BEFORE i managed to write my answer...

be patient m8

Michael.

Haha sorry, I got confused when you posted my configs.
Thanks for your help, I will try that as soon as I get home!

What is a ccd file?

[maikcat]

ccd files are client configuration files and used to push settings to clients

Michael.

ps: did you edited your post?

[shawly]

ccd files are client configuration files and used to push settings to clients

Michael.

ps: did you edited your post?

Yeah I figured it out and quickly deleted the question, didn't think you'd reply that fast.

Edit: I reedited my post again and inserted the question again.

[shawly]

Alright as far as it seems it is working, I just can't test right now if it's working at work, since I'm on vacation right now..

But how can I resolve hostnames of my home network?
Should I add push "dhcp-option DNS 192.168.0.1" to my server.conf or my laptop ccd? Or should I use push "dhcp-option DNS 10.8.0.22"?
So I can reach for example server.ho.me which is my home server at 192.168.0.4 without manually typing the IP.

I tried adding push "redirect-gateway" to my laptop ccd, but it still doesn't route all the traffic from my laptop through my server..

[maikcat]

But how can I resolve hostnames of my home network?

you actually have 3 choices:

1) you setup a static hosts file in your pc

2) you setup a DNS server service in your home and query it

3) you setup a WINS service in your home and use it.

ps: remember that you must enable ip forwarding in your client at home too.

Michael.

[shawly]

2) you setup a DNS server service in your home and query it

3) you setup a WINS service in your home and use it.

ps: remember that you must enable ip forwarding in your client at home too.

My router already has a DNS server on it, but when I tried to use the router as DNS every request timed out, so I'm not really sure..

IP Forwarding?

[maikcat]

IP Forwarding?

you are joking right...?

My router already has a DNS server on it, but when I tried to use the router as DNS every request timed out, so I'm not really sure..

your router where? at your home?

Michael.

[shawly]

IP Forwarding?

you are joking right...?

Yeah I was joking

So I have this setup now since two weeks and it works almost perfect, just like I wanted, thank you!

The only problem I couldn't get fixed is the DNS problem.

My router at home acts as a DNS server. To access all the devices within my home network, I push my routers IP as DNS to my laptop over the ccd file.
It looks like this:

Code: Select all

push "redirect-gateway"
push "dhcp-option DNS 192.168.0.1"
push "dhcp-option DNS 10.8.0.5" <- is pretty muich unnessecary, I just wanted to try if this would work any better which is not the case.
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

It works, but I manually have to reset the DNS client on my laptop every time I connect with my laptop to the OVPN server, else all requests to my home network time out and I don't really get why.
Back when my router hosted the vpn server, I had no problems resolving the hostnames..

Should I install dnsmasq on my server and let the server do all the dns stuff and forward requests to *.ho.me (which is my lan domain) to my home network?
Or is there a solution to get it working with the current setup?

[maikcat]

can you try adding

Code: Select all

register-dns

in your client config & reconnect?

Michael.

[shawly]

I've added it to my laptops client conf and reconnected and it seems to be working, but I can't tell for sure, I have to test it out this week, thank you!

[maikcat]

When you complete your tests simply update this thread so i can close it..

Michael.

[shawly]

Alright, I'll do that, thanks!

[shawly]

Ok register-dns didn't fix my problem, I was connected to my vpn the whole time and now all of a sudden I can't resolve the hostnames again.
Connecting over the IPs still works without a problem, after reconnecting my laptop it works again, but why do I lose the ability to resolve hostnames in the first place?

And now I can't resolve external hostnames, if I try to open google.com I run into a network timeout, but my home network is reachable.