Difference between revisions of "Configure VPN Gateway"
m |
|||
(10 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
− | When I moved my edge router onto commercial hardware, replacing a custom-configured Linux box, I lost the ability to connect my whole network to the intranet through a VPN. Here's how I restored that connectivity. | + | When I moved my edge router onto commercial hardware, replacing a custom-configured Linux box, I lost the ability to connect my whole network to the intranet through a VPN tunnel. Here's how I restored that connectivity. |
==Install VPN software on a "gateway" system on my network== | ==Install VPN software on a "gateway" system on my network== | ||
Line 6: | Line 6: | ||
===Create a systemctl script to start and stop the VPN connection=== | ===Create a systemctl script to start and stop the VPN connection=== | ||
− | I created the /usr/local/bin/ibm-cisco-vpn script on the gateway machine to control openconnect and /usr/lib/systemd/system/ibm-cisco-vpn.service to define it to systemctl. | + | I created the /usr/local/bin/ibm-cisco-vpn script on the gateway machine to control openconnect and /usr/lib/systemd/system/ibm-cisco-vpn.service to define it to systemctl. The ibm-cisco-script also handles the iptables-based configuration setup for NAT routing through the VPN tunnel. |
===Modified the nameserver configuration on the gateway system=== | ===Modified the nameserver configuration on the gateway system=== | ||
Line 14: | Line 14: | ||
I modified two variables in /etc/vpnc/ibm-cisco-vpn-script - MODIFYRESOLVCONF and RESTORERESOLVCONF at line 97 of the script. MODIFYRESOLVSCRIPT is now calling a function that logs the IP addresses of the nameservers that were recommended by the VPN server so that these can be copied over into the nameserver configuration as forwarders. | I modified two variables in /etc/vpnc/ibm-cisco-vpn-script - MODIFYRESOLVCONF and RESTORERESOLVCONF at line 97 of the script. MODIFYRESOLVSCRIPT is now calling a function that logs the IP addresses of the nameservers that were recommended by the VPN server so that these can be copied over into the nameserver configuration as forwarders. | ||
− | ==Configure static routes on my default router that direct | + | ==Configure static routes on my default router that direct intranet traffic to the VPN gateway== |
− | I use a Belkin/Linksys LRT214 router | + | I use a Belkin/Linksys LRT214 router as the default router for my network and as my gateway to the internet. I want it to be able to route traffic that's meant for the intranet over to the intranet gateway machine. That way I don't have to set up routes on every machine in the network, they can just keep on using the same default router they always have and it will know how to route their traffic. |
+ | |||
+ | This means that I need to set a bunch of static routes on the LRT214, the same bunch of routes that openclient sets up on the gateway machine when it establishes the VPN connection. | ||
+ | [[Category: Networking]] | ||
+ | The only facility for setting static routes on the LRT214 is to use a forms-based UI to enter them one at a time. Ouch! So I hacked together the setVPNStaticRoutes script. It queries the routes table on the gateway machine and then constructs a forms submit HTTP POST that sets all of the static routes that I need on the LRT214 in one go. | ||
+ | |||
+ | TODO: It probably makes sense to incorporate this process into the ibm-cisco-vpn script on the gateway. There's a cookie-based authentication piece for the LRT214 that I'm not 100% sure about. That would need to be worked out to see if the cookie value is stable over time. If this was possible then it would eliminate the need to manually check the routes list periodically and update the static routes in the LRT214 manually. | ||
==Adjust the MTU on the network systems that will use this connection== | ==Adjust the MTU on the network systems that will use this connection== | ||
− | The MTU of the VPN connection is 1355. With my other systems set to 1500, the connection does not function properly - pings work, but web pages don't fully render, Notes cannot replicate, etc. To fix this I used the "ip" command to change the MTU temporarily and the system network | + | The MTU of the VPN connection is 1355. With my other systems set to 1500, the connection does not function properly - pings work, but web pages don't fully render, Notes cannot replicate, etc. To fix this I used the "ip" command to change the MTU temporarily and the system network settings to make it permanent. This I do have to do individually on every machine that will access the intranet. |
− | To set MTU on the fly | + | To set MTU on the fly on a Linux system: ip link set dev eth0 mtu 1300 |
==Files== | ==Files== | ||
The software/ibm-cisco-vpn folder on fileserver contains all the files mentioned here. | The software/ibm-cisco-vpn folder on fileserver contains all the files mentioned here. |
Latest revision as of 12:44, 31 December 2019
When I moved my edge router onto commercial hardware, replacing a custom-configured Linux box, I lost the ability to connect my whole network to the intranet through a VPN tunnel. Here's how I restored that connectivity.
Contents
Install VPN software on a "gateway" system on my network
I use the openconnect package to establish the VPN. The configuration includes:
Create a systemctl script to start and stop the VPN connection
I created the /usr/local/bin/ibm-cisco-vpn script on the gateway machine to control openconnect and /usr/lib/systemd/system/ibm-cisco-vpn.service to define it to systemctl. The ibm-cisco-script also handles the iptables-based configuration setup for NAT routing through the VPN tunnel.
Modified the nameserver configuration on the gateway system
The gateway system is configured as the primary nameserver on my network. I added zone definitions to its configuration so that it can be used by my systems to resolve intranet system names. To do this I included the /etc/named.forwarded.zones file by calling it out of the main /etc/named.conf.
Create a modified vpnc-script to disable modification of /etc/resolv.conf
I modified two variables in /etc/vpnc/ibm-cisco-vpn-script - MODIFYRESOLVCONF and RESTORERESOLVCONF at line 97 of the script. MODIFYRESOLVSCRIPT is now calling a function that logs the IP addresses of the nameservers that were recommended by the VPN server so that these can be copied over into the nameserver configuration as forwarders.
Configure static routes on my default router that direct intranet traffic to the VPN gateway
I use a Belkin/Linksys LRT214 router as the default router for my network and as my gateway to the internet. I want it to be able to route traffic that's meant for the intranet over to the intranet gateway machine. That way I don't have to set up routes on every machine in the network, they can just keep on using the same default router they always have and it will know how to route their traffic.
This means that I need to set a bunch of static routes on the LRT214, the same bunch of routes that openclient sets up on the gateway machine when it establishes the VPN connection. The only facility for setting static routes on the LRT214 is to use a forms-based UI to enter them one at a time. Ouch! So I hacked together the setVPNStaticRoutes script. It queries the routes table on the gateway machine and then constructs a forms submit HTTP POST that sets all of the static routes that I need on the LRT214 in one go.
TODO: It probably makes sense to incorporate this process into the ibm-cisco-vpn script on the gateway. There's a cookie-based authentication piece for the LRT214 that I'm not 100% sure about. That would need to be worked out to see if the cookie value is stable over time. If this was possible then it would eliminate the need to manually check the routes list periodically and update the static routes in the LRT214 manually.
Adjust the MTU on the network systems that will use this connection
The MTU of the VPN connection is 1355. With my other systems set to 1500, the connection does not function properly - pings work, but web pages don't fully render, Notes cannot replicate, etc. To fix this I used the "ip" command to change the MTU temporarily and the system network settings to make it permanent. This I do have to do individually on every machine that will access the intranet.
To set MTU on the fly on a Linux system: ip link set dev eth0 mtu 1300
Files
The software/ibm-cisco-vpn folder on fileserver contains all the files mentioned here.