Configure VPN Gateway

From Nearline Storage

When I moved my edge router onto commercial hardware, replacing a custom-configured Linux box, I lost the ability to connect my whole network to the intranet through a VPN. Here's how I restored that connectivity.

Install VPN software on a "gateway" system on my network

I use the openconnect package to establish the VPN. The configuration consists of the following steps:

Create a systemd service to start and stop the VPN connection

I created the /usr/local/bin/ibm-cisco-vpn script on the gateway machine to control openconnect, and /usr/lib/systemd/system/ibm-cisco-vpn.service to define it as a systemd service so that it can be started and stopped with systemctl.

Modify the nameserver configuration on the gateway system

The gateway system is configured as the primary nameserver on my network. I added zone definitions to its configuration so that my systems can use it to resolve intranet host names. To do this I put the zone definitions in /etc/named.forwarded.zones and included that file from the main /etc/named.conf.

Create a modified vpnc-script to disable modification of /etc/resolv.conf

I modified two variables in /etc/vpnc/ibm-cisco-vpn-script, MODIFYRESOLVCONF and RESTORERESOLVCONF, at line 97 of the script. MODIFYRESOLVCONF now calls a function that logs the IP addresses of the nameservers supplied by the VPN server, so that these can be copied into the nameserver configuration as forwarders.

Configure static routes on my default router that direct intranet traffic to the VPN gateway

I use a Belkin/Linksys LRT214 router as the default router for my network and as my gateway to the internet. I want it to route traffic destined for the intranet to the intranet gateway machine. That way I don't have to set routes on each machine in the network; they can keep using the same default router they always have.

This means that I need to set a bunch of static routes on the LRT214: the same routes that openconnect sets up on the gateway machine when it establishes the VPN connection.

The only facility for setting static routes on the LRT214 is a forms-based UI that takes them one at a time. Ouch! So I hacked together the setVPNStaticRoutes script. It queries the routing table on the gateway machine and then constructs a form-submit POST that sets all of the static routes I need on the LRT214 in one go.
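The first half of that job, as an added example (not the setVPNStaticRoutes script itself): read the routes openconnect installed on the VPN device and turn them into the "destination, netmask, next hop" triples a router's static-route form needs. The VPN device name (tun0), the gateway's LAN address (192.168.1.10) and the sample routing table are all assumed values; the form POST is left out because its field names are router-specific.

```shell
#!/bin/sh
# Added example, not the page's own script. Assumed: the VPN device is tun0
# and the gateway machine's LAN address (the next hop the router must use)
# is 192.168.1.10.
VPN_DEV="${VPN_DEV:-tun0}"
GATEWAY_LAN_IP="${GATEWAY_LAN_IP:-192.168.1.10}"

# Convert a CIDR prefix length (0-32) to a dotted-decimal netmask,
# e.g. 12 -> 255.240.0.0, because router forms usually want masks, not /N.
prefix_to_netmask() {
    p=$1; mask=""
    for i in 1 2 3 4; do
        if [ "$p" -ge 8 ]; then o=255; p=$((p - 8))
        else o=$(( 256 - (1 << (8 - p)) )); p=0; fi
        mask="${mask}${mask:+.}${o}"
    done
    printf '%s\n' "$mask"
}

# Read "ip route show" output on stdin and print one "dest netmask next_hop"
# line per route that goes via the VPN device. Routes on other devices and
# the default route are skipped; a bare host address becomes a /32.
vpn_static_routes() {
    while read -r line; do
        case " $line " in *" dev $VPN_DEV "*) ;; *) continue ;; esac
        set -- $line
        dst=$1
        [ "$dst" = default ] && continue
        case "$dst" in */*) net=${dst%/*}; plen=${dst#*/} ;; *) net=$dst; plen=32 ;; esac
        printf '%s %s %s\n' "$net" "$(prefix_to_netmask "$plen")" "$GATEWAY_LAN_IP"
    done
}

# Constructed sample of "ip route show" on the gateway while the VPN is up.
SAMPLE_ROUTES='default via 192.168.1.1 dev eth0
10.0.0.0/8 dev tun0 scope link
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.10
172.16.0.0/12 dev tun0 scope link
203.0.113.7 via 192.168.1.1 dev eth0
10.200.1.5 dev tun0 scope link
192.0.2.0/24 dev tun0 scope link'

# Stand-alone run: on the real gateway, pipe "ip route show" in instead.
printf '%s\n' "$SAMPLE_ROUTES" | vpn_static_routes
```

Each output line is one static-route entry for the router; the real script would then submit them to the LRT214's form.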

Adjust the MTU on the network systems that will use this connection

The MTU of the VPN connection is 1355. With my other systems set to 1500, the connection does not function properly: pings work, but web pages don't fully render, Notes cannot replicate, etc. To fix this I used the ip command to change the MTU temporarily and the system's network configuration to make the change permanent.

To set the MTU on the fly: ip link set dev eth0 mtu 1300

Files

The software/ibm-cisco-vpn folder on fileserver contains all the files mentioned here.