Hello All,
With all the fuss and issues with security and privacy these days, I decided to give it a go with a VPN, mostly for the fun and challenge.
I am partially done with a scenario that sounds very typical these days, although it is not necessarily plain vanilla.
The overall idea is to have a private VPN using a cloud server. Implies:
- Not using any servers at HOME (except services for the home LAN, provided by DD-WRT). The Router is, for all intents and purposes, only a client for the remote VPN server.
- The Virtual Private Server (VPS) runs SSHd for administration and OpenVPN server to clients (would accept road runner mobile as well).
- NOTE: The VPS offers only ONE IPv4 interface. Communication from HOME to VPS is over the Internet. No second interface or backdoor.
What I have done so far:
- Installed FreeBSD 11.1-RELEASE-p10 on the VPS
  - Runs SSHd for remote administration
  - Runs NTPd for time sync
  - (To Do) DNS server (Unbound/BIND/DNSMasq)
- Installed OpenVPN on the VPS
  - Runs as OpenVPN server
- Enabled IPFW + in-kernel NAT on the VPS
  - IPFW is wide open (here is my problem, please see below)
  - NAT is only replacing the tunnel 10.8.0.0/24 to/from Internet
- Using DD-WRT on a Netgear R7000 at Home
  - Runs as OpenVPN client
  - Provides the usual stuff for Home (DHCPd, DNSMasq, Wireless and others)
- As hinted above the ipfw is wide open.
- I have tried some suggested scripts from the documentation, articles and forums.
- I used syslogd (net.inet.ip.fw.verbose*) to monitor the packet flow, but I am failing to grasp how the packets are navigating inside the kernel between ipfw/nat, to see the ipfw script as a programming logic.
- I also tried to consider the tunnel (tun0) as a secondary interface, but there is always something missing, given the actual packets are flowing via the physical interface.
- I created three FreeBSD VMs with VMWare, but I could not quite get a perfect scenario to clone the existing configuration.
- I tried tcpdump/tshark/ntop in the "Lab", but it was not conclusive, as it does not match the real configuration.
- Documentation is scarce and kind of outdated;
- Surprisingly enough I could not find a single example using this architecture;
- The focus of articles/videos is usually:
  - Installing FreeBSD OR Configuring Services OR OpenVPN OR bare minimum IPFW/PF
  - There is not an "AND" related article/video
- PF examples are OpenBSD related or specific;
- Not clear how updated/outdated PF is on FreeBSD;
- Linux examples with IPTables are of no help;
- NAT for the VPN tunnelled IPs
- Stateful
- There are requests from the LAN (most traffic)
  - OpenVPN to the VPS
  - SSH to the VPS
  - All the internet use to the Internet (i.e. DNS, Mail, Web, NTP)
- There are requests from the VPS itself
  - Reply to OpenVPN and SSH
  - NTP / DNS to the Internet
- Again, just ONE valid IP address
- The tun0 interface
Code:
+----------+   +-------+   +--------+   +----+
| Computer |   | Phone |   | Tablet |   | Tv |
+-----+----+   +---+---+   +----+---+   +--+-+
      |            |            |          |
      +------------+------+-----+----------+
                          |
                     +----@----+
                     | Router  |  @ 192.168.1.0/24         HOME      ^
- - - - - - - - - - -| R7000   |- - - - - - - - - - - - - - - - - - -
     +-(ADSL PPPoE)->+ -dd-wrt |  o 10.8.0.2 (VPN tunnel)  INTERNET  v
     |               +---o-*---+  * 200.1.1.100 (Valid IP)
   +-+---+               | |
   | ISP |               | |
   +-----+               | |
- - - - - - - - - - - - -|-|- - - - - - - - - - - - - - - - - - - - -
                         | |          NOTE: VPS has only ONE interface
(VPN tunnel) 10.8.0.1    o |                 +----------+
(Valid IP) 250.1.1.50    | *                 |          |
+------------------------o-*-+               +-+--------+
| Cloud VPS                  |               | Internet |
| FreeBSD 11.1-REL-p10       |               +----------+
| -SSHd / NTPd               |
| -OpenVPN Server            |
| -IPFW + NAT (kernel)       |
+----------------------------+
Some configuration:
Code:
net.inet.ip.forwarding: 1
# some articles say to set one_pass to 0 to allow NAT to reinject the packet, but it is working nevertheless.
net.inet.ip.fw.one_pass: 1
/etc/rc.conf
Code:
# . . .
gateway_enable="YES"
#
firewall_enable="YES"
firewall_type="open"
firewall_nat_enable="YES"
firewall_nat_interface="vtnet0"
#
openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/server.conf"
openvpn_dir="/usr/local/etc/openvpn"
PS: I am okay with some expert taking the idea to publish an article, make a video or present in a BSD conference, as long as we all get a working, easy to use model.
Thanks and Regards
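Added example, not part of the original post: a small sh script that writes an ipfw(8) rules file for exactly the requirements listed above (one public interface, NAT only for the 10.8.0.0/24 tunnel, stateful, SSH and OpenVPN reachable from the Internet, NTP/DNS and other client traffic from the VPS itself). The interface vtnet0, the tunnel network and the services come from the post; the OpenVPN port 1194, the SSH port and the rule numbers are assumptions. The ordering is the whole point and is what the one_pass sysctl decides: the inbound `nat` rule sits before `check-state`, so an Internet reply is de-translated first and then matched against the dynamic rule that the outbound packet created with its pre-NAT 10.8.0.x address, while outbound packets create state first and then `skipto` the NAT rule. That sequence only runs with net.inet.ip.fw.one_pass=0; with one_pass=1 a packet handled by a `nat` rule leaves the firewall accepted at that rule, which is why the open ruleset plus firewall_nat_enable "works" and also why it filters nothing that passes through NAT. Load the output with firewall_type="/etc/ipfw.rules" and drop firewall_nat_enable, since the nat instance is configured in the file and rc.firewall would otherwise add its own ahead of it.

```shell
#!/bin/sh
# Example code for this thread, not from the post or the FreeBSD base system.
# Writes an ipfw rules file (lines without the leading "ipfw" word, as read by
# "ipfw /etc/ipfw.rules" and by firewall_type="/etc/ipfw.rules").
# Requires: sysctl net.inet.ip.fw.one_pass=0 (set it in /etc/sysctl.conf).
# Usage:    sh ipfw-vpn.sh > /etc/ipfw.rules && service ipfw restart

PIF=${PIF:-vtnet0}            # the only public interface (from the post)
VIF=${VIF:-tun0}              # OpenVPN tunnel interface (from the post)
VPN_NET=${VPN_NET:-10.8.0.0/24}
OVPN_PORT=${OVPN_PORT:-1194}  # assumption: match "port"/"proto" in server.conf
SSH_PORT=${SSH_PORT:-22}      # assumption

emit() { printf '%s\n' "$*"; }

build_ruleset() {
    # NAT instance bound to the public interface; unreg_only limits
    # translation to RFC1918 sources, i.e. the tunnel clients, so the
    # VPS's own traffic (public source) is passed through untouched.
    emit "nat 1 config if $PIF same_ports unreg_only reset"

    # Loopback and basic anti-spoofing.
    emit "add 100 allow ip from any to any via lo0"
    emit "add 110 deny ip from any to 127.0.0.0/8"
    emit "add 120 deny ip from 127.0.0.0/8 to any"
    emit "add 130 deny ip from $VPN_NET to any in via $PIF"

    # Tunnel side: the home router (OpenVPN client) and whatever it forwards.
    emit "add 200 allow ip from $VPN_NET to any in via $VIF"
    emit "add 210 allow ip from any to $VPN_NET out via $VIF"

    # Inbound on the public side: undo NAT first, then consult dynamic rules.
    # Needs one_pass=0, otherwise rule 300 accepts everything it touches.
    emit "add 300 nat 1 ip from any to any in via $PIF"
    emit "add 400 check-state"

    # Services the VPS offers to the Internet (replies come back via 400).
    emit "add 500 allow udp from any to me $OVPN_PORT in via $PIF keep-state"
    emit "add 510 allow tcp from any to me $SSH_PORT in via $PIF setup keep-state"
    emit "add 520 allow icmp from any to me in via $PIF icmptypes 0,3,8,11"

    # Outbound, from the VPS itself (NTP, DNS, ...) or from tunnel clients:
    # record state with the pre-NAT addresses, then jump to the nat rule.
    # Later packets of the same flow hit 400 and inherit the skipto.
    emit "add 600 skipto 1000 tcp from any to any out via $PIF setup keep-state"
    emit "add 610 skipto 1000 udp from any to any out via $PIF keep-state"
    emit "add 620 skipto 1000 icmp from any to any out via $PIF keep-state"

    # Everything else is dropped and logged (net.inet.ip.fw.verbose=1 writes
    # these to /var/log/security), which replaces guessing with a trace.
    emit "add 900 deny log ip from any to any"

    # Translate the source of tunnel traffic and let it out.
    emit "add 1000 nat 1 ip from any to any out via $PIF"
    emit "add 1010 allow ip from any to any"
}

# Sanity check: rule numbers must increase, so every skipto target lies
# after the rule that jumps to it (ipfw refuses backward jumps).
ruleset_is_ordered() {
    build_ruleset | awk '$1 == "add" { if ($2 + 0 <= last) bad = 1; last = $2 + 0 }
                         END { exit bad + 0 }'
}

build_ruleset
```

Once loaded, `ipfw -d list` shows the dynamic rules created by 500/510/600-620 and `ipfw show` counts hits per rule, so a packet that "disappears" can be followed rule by rule instead of through syslog alone; if a LAN client cannot reach the Internet, the first thing to compare is the counter on 600/610 (state created) against 1000 (translated) and the `deny log` lines in /var/log/security.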