
Dengar's blog...
We will see what I post, probably will be some random tutorials

Thursday, 14 April 2011

Create a home VPN and allow computers to connect with each other

Like most organisations, my workplace has quite strict security policies. For some reason I was neither allowed nor able to connect to the data centre through the Cisco VPN our company had set up: I would have needed a static IP address at home that could be whitelisted, and I wasn't going to change my provider purely for that benefit.

There are plenty of ways around that restriction, such as a Terminal Server inside the corporate network that you log on to, but the slowness and clunkiness of that solution turned me off. In addition, I would have had to get the helpdesk to install all sorts of programmes and, since I'm a Linux man, I would have had to compromise every which way.

The easiest solution, I thought, was to turn the problem around: since I can't VPN onto the corporate network from home, VPN to my home network from work!

I already have a server for various tools that runs most days and nights, so why not use it as a VPN server too.

Installing and configuring the necessary software is easy and takes just minutes.
First you will need to install the PPTP daemon:
$ sudo apt-get install pptpd
On Ubuntu the configuration file for the PPTP daemon is /etc/pptpd.conf. It needs two things: a) an IP address for the server's end of the tunnel (localip; this can simply be the address the server already gets from your router) and b) the address(es) handed out to clients (remoteip). If you have more than one client you will obviously need a range of addresses, one per simultaneous client.

In my case, since the home network and the VPN should stay quite separate, I decided to use a different IP range. My router assigns addresses in the range 192.168.1.x, so I will use 192.168.0.x for the VPN. Update the last lines of your pptpd.conf like this:

localip 192.168.0.1
remoteip 192.168.0.2-10
This assigns ~.1 to the VPN server's end of the tunnel (a separate ppp interface, not eth0) and lets ~.2 to ~.10 be assigned to clients, i.e. up to nine clients at a time.

Next step: create VPN users and their passwords. These live in /etc/ppp/chap-secrets. Here is an example:

# Secrets for authentication using CHAP
# client server secret IP addresses
CLIENTLOGIN pptpd CLIENTPASSWORD *
The fourth field is not the address the client connects from; it is the VPN address the client may be given. * means any free address from the remoteip pool, while a fixed address such as 192.168.0.2 pins that user to it. Use a long random password, and make the file readable by root only (chmod 600), since the secrets are stored in clear text. Bear in mind, though, that PPTP's MS-CHAPv2 authentication and MPPE encryption have well-known weaknesses, so a long password limits online guessing but does not turn the tunnel into a strong security boundary.
In theory that's all you need to connect, but you will probably also want clients to use the server's internet connection and to reach other hosts on the server's LAN. For this we need NAT and IP forwarding. Enable NAT by adding this line to your /etc/rc.local (before the final exit 0), replacing eth0 with the server's uplink interface if it is named differently:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

and in /etc/sysctl.conf uncomment the line:
net.ipv4.ip_forward=1
(this only takes effect once the sysctl settings are reloaded or the machine is rebooted; without forwarding enabled, the MASQUERADE rule does nothing)
Now you can restart the daemon:
$ sudo /etc/init.d/pptpd restart
If your server doesn't hold the public IP address itself, e.g. it sits behind a modem/router or a firewall, you will need to forward TCP port 1723 and the GRE protocol (IP protocol 47) to it; PPTP carries the tunnel itself over GRE, and many consumer routers call this "PPTP passthrough". And to avoid trouble with the dynamic IP address you get from your ISP, use a dynamic DNS service: it keeps the DNS record updated with your current address and gives you an easy name to remember. I think I use DynDNS.org.
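The server-side steps above, collected into one script as an added example (this is not code from the original post): it writes the localip/remoteip lines into pptpd.conf without duplicating them on re-runs, adds a user to chap-secrets with a random secret and root-only permissions, and prints the forwarding rules so they can be reviewed before being applied as root. Beyond the post's single MASQUERADE line it also restricts FORWARD to traffic entering via a ppp interface and admits only tcp/1723 and GRE on the uplink. It assumes Ubuntu paths, eth0 as the uplink interface, the post's 192.168.0.x pool, and coreutils head/base64; the default paths and interface are overridable through environment variables.

```shell
#!/bin/sh
# Added example (not from the original post): renders the pptpd server
# configuration from the steps above and prints the forwarding rules,
# so they can be reviewed before being applied as root.
# Assumptions: Ubuntu paths (/etc/pptpd.conf, /etc/ppp/chap-secrets),
# eth0 as the uplink/LAN interface, and the post's 192.168.0.x VPN pool.
set -eu

VPN_LOCALIP="${VPN_LOCALIP:-192.168.0.1}"
VPN_REMOTEIP="${VPN_REMOTEIP:-192.168.0.2-10}"
UPLINK_IF="${UPLINK_IF:-eth0}"

# Write the localip/remoteip lines into pptpd.conf, keeping any other
# options already there and dropping older localip/remoteip lines so the
# file does not end up with duplicates when the script is re-run.
render_pptpd_conf() {                       # $1 = path of pptpd.conf
    dest="$1"
    if [ -f "$dest" ]; then
        grep -v -E '^(localip|remoteip)[[:space:]]' "$dest" > "$dest.tmp" || true
    else
        : > "$dest.tmp"
    fi
    printf 'localip %s\nremoteip %s\n' "$VPN_LOCALIP" "$VPN_REMOTEIP" >> "$dest.tmp"
    mv "$dest.tmp" "$dest"
}

# Append one user to chap-secrets with a random 24-byte secret and print the
# secret once for the caller. The file stores passwords in clear text, so it
# is made root-only (mode 600) before anything is written to it.
add_vpn_user() {                            # $1 = user, $2 = chap-secrets path, [$3 = client IP, default *]
    user="$1"; secrets="$2"; client_ip="${3:-*}"
    secret="$(head -c 24 /dev/urandom | base64 | tr -d '/+=\n')"
    touch "$secrets"
    chmod 600 "$secrets"
    printf '%s pptpd %s %s\n' "$user" "$secret" "$client_ip" >> "$secrets"
    printf '%s\n' "$secret"
}

# Commands for NAT and forwarding. The post's MASQUERADE rule is kept as is;
# the FORWARD rules only relay traffic that enters via a ppp interface (plus
# replies back to it), and INPUT admits just PPTP control (tcp/1723) and GRE,
# which PPTP uses for the tunnel itself.
forwarding_commands() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -o $UPLINK_IF -j MASQUERADE
iptables -A FORWARD -i ppp+ -o $UPLINK_IF -j ACCEPT
iptables -A FORWARD -i $UPLINK_IF -o ppp+ -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $UPLINK_IF -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -i $UPLINK_IF -p gre -j ACCEPT
EOF
}

# Usage (as root): sh pptpd-setup.sh apply [config root] USER
# Without "apply" the script only defines the functions above.
if [ "${1:-}" = apply ]; then
    root="${2:-/etc}"
    vpn_user="${3:?usage: apply [config root] USER}"
    render_pptpd_conf "$root/pptpd.conf"
    mkdir -p "$root/ppp"
    echo "secret for $vpn_user: $(add_vpn_user "$vpn_user" "$root/ppp/chap-secrets")"
    forwarding_commands | sh
    /etc/init.d/pptpd restart
fi
```

Run it once with a scratch config root (e.g. `sh pptpd-setup.sh apply /tmp/pptp-test alice`, though the firewall and restart steps still need root) to inspect the generated files before pointing it at /etc. The iptables commands are printed rather than written to /etc/rc.local so you can decide where to persist them.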

Finally, you are connected from the client, but you can't see any other computers in the VPN or on the server's LAN. This is because the client's routing table doesn't know about those networks yet: you want traffic for the VPN range to go through the tunnel rather than your normal internet connection, so add a manual route on the client (as root), and a second one for the server's LAN range (192.168.1.0/24 in my case) if you want to reach hosts there too. Check first that neither range is already in use on the network you are connecting from, otherwise the route will hijack local traffic:
route add -net 192.168.0.0 netmask 255.255.255.0 dev ppp0
Tadah! You can find other computers in the VPN!
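As an added example (not code from the original post), the following POSIX sh script does the collision check described above before adding the client-side route: it refuses when the VPN network overlaps a network the client already uses, and otherwise prints the exact route command from the post (and runs it when RUN=1 is set). It assumes the post's 192.168.0.0/24 pool, ppp0 as the tunnel interface, and a shell with 64-bit arithmetic (dash or bash on Linux); the local networks in the example call are constructed values.

```shell
#!/bin/sh
# Added example (not from the original post): refuse to add the client-side
# VPN route when the VPN network overlaps a network the client already uses,
# then print (RUN=1: execute) the "route add" command from the post.
# Assumptions: 192.168.0.0/24 VPN pool, ppp0 as tunnel interface, 64-bit shell
# arithmetic (dash/bash on Linux).
set -eu

# dotted quad -> unsigned 32-bit integer
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# integer -> dotted quad
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# network address of $1 (dotted quad) under prefix length $2, as an integer
net_of() {
    addr=$(ip_to_int "$1")
    mask=$(( (0xFFFFFFFF << (32 - $2)) & 0xFFFFFFFF ))
    echo $(( addr & mask ))
}

# $1, $2 in a.b.c.d/len form; exit status 0 when the two blocks overlap.
# Two blocks overlap exactly when one contains the other, i.e. when both have
# the same network address under the shorter of the two prefixes.
cidr_overlaps() {
    a_ip=${1%/*}; a_len=${1#*/}
    b_ip=${2%/*}; b_len=${2#*/}
    if [ "$a_len" -le "$b_len" ]; then len=$a_len; else len=$b_len; fi
    [ "$(net_of "$a_ip" "$len")" = "$(net_of "$b_ip" "$len")" ]
}

# vpn_route VPN_NET/LEN IFACE LOCAL_NET/LEN...
# Prints the route command; runs it too when RUN=1. Returns 1 (and adds
# nothing) if VPN_NET collides with any LOCAL_NET.
vpn_route() {
    vpn="$1"; dev="$2"; shift 2
    for lan in "$@"; do
        if cidr_overlaps "$vpn" "$lan"; then
            echo "refusing: VPN network $vpn overlaps local network $lan" >&2
            return 1
        fi
    done
    net=${vpn%/*}; len=${vpn#*/}
    mask=$(int_to_ip $(( (0xFFFFFFFF << (32 - $len)) & 0xFFFFFFFF )))
    cmd="route add -net $net netmask $mask dev $dev"
    echo "$cmd"
    if [ "${RUN:-0}" = 1 ]; then $cmd; fi
}

# Example: the post's VPN pool, with the client sitting on 192.168.1.0/24 and
# 10.0.0.0/8 (constructed values). Prints the route command; swap the first
# local network for 192.168.0.0/24 to see the refusal.
vpn_route 192.168.0.0/24 ppp0 192.168.1.0/24 10.0.0.0/8
```

The networks the client already uses can be listed with `ip -4 route show scope link` (first column) and passed as the trailing arguments. Calling `vpn_route 192.168.1.0/24 ppp0 ...` in the same way adds the route for the server's LAN.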

For more advanced routing, e.g. making your client's local network reachable from the server's LAN and vice versa, I advise you to take a look at this page full of knowledge. The beauty is that once the VPN connection is established, you can route pretty much anything through it using routing and iptables.

