
Tutorial: Dial-in

Scenario

Figure: Dial-in scenario

Two single nodes should be connected via a secure VPN to a third node and its private network. The private network uses addresses in the range 192.168.1.0/24 and the subnet 192.168.254.0/24 is currently unused.

Note

To be able to set up the VPN, the gateway node needs to be reachable at an unchanging address or hostname. This is normally not the case with common DSL uplinks (they change addresses every day). Please see Dynamic DNS for a solution.

Setup

A new network config in /etc/vpncloud has to be created on each node. There is an example file in /etc/vpncloud/example.net.disabled that explains all the parameters.

$> sudo cp /etc/vpncloud/example.net.disabled /etc/vpncloud/mynet.net

Now that file has to be edited to change a few values:

$> sudo nano /etc/vpncloud/mynet.net

The following values have to be modified:

Here are the full configuration files for the nodes:

Node1

peers:
  - gateway.example.com
crypto:
  password: "mysupersecretkey"
ip: 192.168.254.1
ifup: "ip route add 192.168.1.0/24 via 192.168.254.254 dev $IFNAME"

Node2

peers:
  - gateway.example.com
crypto:
  password: "mysupersecretkey"
ip: 192.168.254.2
ifup: "ip route add 192.168.1.0/24 via 192.168.254.254 dev $IFNAME"

Gateway

peers: []
crypto:
  password: "mysupersecretkey"
ip: 192.168.254.254
ifup: >-
  sysctl -w net.ipv4.ip_forward=1 &&
  iptables -t nat -A POSTROUTING -o $(ip route show default | awk '/default/ {print $5}') -j MASQUERADE
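As an added example (not from the VpnCloud tutorial), a POSIX shell helper that picks the default-route interface for the gateway's MASQUERADE rule more robustly than the awk one-liner above: it looks for the `dev` keyword instead of the fifth field, which is not the interface on point-to-point uplinks, and it limits the NAT rule to traffic arriving from the VPN subnet. The route lines below are constructed samples, and the function names are my own.

```shell
#!/bin/sh
# Constructed samples of `ip route show default` output (not real captures).
SAMPLE_LAN='default via 192.168.1.1 dev eth0 proto dhcp src 192.168.1.20 metric 100'
SAMPLE_PPP='default dev ppp0 scope link'
SAMPLE_NONE='192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20'

# tutorial_iface ROUTE_OUTPUT
# The extraction used in the tutorial's ifup hook: the fifth word of the line.
# On "default dev ppp0 scope link" this yields "link", not the interface.
tutorial_iface() {
    printf '%s\n' "$1" | awk '/default/ {print $5}'
}

# default_iface ROUTE_OUTPUT
# Prints the interface that follows the "dev" keyword on the first default
# route line; returns 1 if there is no default route at all.
default_iface() {
    iface=$(printf '%s\n' "$1" | awk '
        $1 == "default" {
            for (i = 2; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit }
        }')
    [ -n "$iface" ] || return 1
    printf '%s\n' "$iface"
}

# gateway_ifup_cmd ROUTE_OUTPUT VPN_SUBNET
# Prints the command line for the gateway's ifup hook. Compared to the
# tutorial, "-s VPN_SUBNET" restricts masquerading to packets coming from the
# VPN clients instead of everything leaving the default interface.
gateway_ifup_cmd() {
    iface=$(default_iface "$1") || { echo 'no default route found' >&2; return 1; }
    printf 'sysctl -w net.ipv4.ip_forward=1 && '
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' "$2" "$iface"
}

# Show how the two extractions differ on the constructed samples.
for sample in "$SAMPLE_LAN" "$SAMPLE_PPP"; do
    printf 'tutorial: %s  robust: %s\n' "$(tutorial_iface "$sample")" "$(default_iface "$sample")"
done
gateway_ifup_cmd "$SAMPLE_LAN" 192.168.254.0/24
```

Run the script on the gateway with the real output of `ip route show default` substituted for the samples to see the exact command the hook would execute before putting it into the config.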

Setting up routing

With this configuration, all packets from the clients reach the private network via the gateway, but all the nodes in the private network need to know that packets to the clients have to be sent via the gateway.

This can either be done by adding a route on each node in the private network (192.168.1.20 is the gateway's address in that network):

$> sudo ip route add 192.168.254.0/24 via 192.168.1.20

Alternatively, a single such route can be added to the router (e.g. Fritz!Box) in the private network.

After the config file has been set up correctly, VpnCloud needs to be started:

$> sudo service vpncloud@mynet start

If you want to, you can associate names with the nodes. Please note that this procedure has to be done on all nodes.

Testing the network

When everything has been set up properly, the connection can be checked using the ping command:

$node1> ping 192.168.254.254              # check connection to gateway
$node1> ping 192.168.1.20                 # check private network
$node1> ping 192.168.1.1                  # check connection to node on private network