OpenVPN multileg

From herrold@owlriver.com Fri Feb 20 21:20:08 2004
Date: Fri, 20 Feb 2004 22:19:08 -0500 (EST)
From: R P Herrold <herrold@owlriver.com>
To: Phillip.Watts@nlynx.com
Cc: stew.schneider@adelphia.net, Linux User's Group <linux@ctlug.org>
Subject: ctl-linux]  Re: ctl-linux]  VPN Education needed

On Fri, 20 Feb 2004 Phillip.Watts@nlynx.com wrote:

> I looked over the OpenVPN web site and studied their examples.
> I don't see any evidence of an ablity to run other than from a 
> routable address which in your case means the public side of 
> your two routers.
> Someone CORRECT ME if I am wrong.

OK -- Long time OpenVPN user here (google 'openvpn' and 'herrold'). You asked to run 'from' an external public IP.

One has to know and be able to resolve toward (that is, 'to where') only one external IP is (Dynamic DNS will work). Here is a correction for Phillip, with a live, real example which I run. Using OpenVPN, I run this (I have sanitized external IP's, and rationalized non-public IP's for clarity, but it is a real six leg example):

subnet           center (VPNing) router        external router
10.16.1.0/24 --- 10.16.1.1/172.16.1.n --- 172.16.1.1/public

10.16.2.0/24 --- 10.16.2.1/172.16.2.n --- 172.16.2.1/public

10.16.3.0/24 --- 10.16.3.1/172.16.3.n --- 172.16.3.1/public

10.16.4.0/24 --- 10.16.4.1/172.16.4.n --- 172.16.4.1/public

10.16.5.0/24 --- 10.16.5.1/172.16.5.n --- 172.16.5.1/public

10.16.6.0/24 --- 10.16.6.1/172.16.6.n --- 172.16.6.1/public

For the sake of discussion, we can treat each 172.16.N.x segment as under administration of an admin who is unsympathetic. So so long as one has the ability to get at least ONE resolveable IP, and open a couple ports to pass in UDP, one is home free,

Each of the center routers have a upstream VPN link to a resolveable external host -- I use port 500N where N is the third octet, to help remembering which subnet is where.

[herrold@router herrold]$ route -n Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 10.254.1.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0 10.16.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1 172.16.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0 127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo 10.0.0.0 10.254.1.2 254.0.0.0 UG 2 0 0 tun0 0.0.0.0 172.16.1.1 0.0.0.0 UG 0 0 0 eth0 [herrold@router herrold]$ The tun device stats for that unit look like this:

tun0 Link encap:Point-to-Point Protocol inet addr:10.254.1.1 P-t-P:10.254.1.2 Mask:255.255.255.255 UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1300 Metric:1 RX packets:3704118 errors:0 dropped:0 overruns:0 frame:0 TX packets:5292789 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:10 RX bytes:325618266 (310.5 Mb) TX bytes:295325588 (281.6 Mb)
The config file at the unit looks like:

[herrold@router openvpn]$ sudo grep -v ^# spur1.centername.conf dev tun remote centername.domain.com port 5001 ifconfig 10.254.1.1 10.254.1.2 ping 540 verb 4 daemon up /etc/openvpn/spur1.centername.postroute.sh cipher RC2-40-CBC secret spur1-key [herrold@router openvpn]$ At the center unit (which is the ONLY unit which needs a routable, non RFC-1918 address), the config looks like this:

-bash-2.05b$ sudo grep -v ^# centername.spur1.conf dev tun port 5001 ifconfig 10.254.1.2 10.254.1.1 ping 540 verb 4 daemon up /etc/openvpn/centername.spur1.postroute.sh cipher RC2-40-CBC secret spur1-key -bash-2.05b$
-bash-2.05b$ route -n Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 10.254.1.1 0.0.0.0 255.255.255.255 UH 0 0 0 tun0 10.254.4.1 0.0.0.0 255.255.255.255 UH 0 0 0 tun2 10.254.2.1 0.0.0.0 255.255.255.255 UH 0 0 0 tun4 10.254.3.1 0.0.0.0 255.255.255.255 UH 0 0 0 tun1 10.254.5.1 0.0.0.0 255.255.255.255 UH 0 0 0 tun3 10.254.6.1 0.0.0.0 255.255.255.255 UH 0 0 0 tun5 10.16.3.0 10.254.3.1 255.255.255.0 UG 2 0 0 tun1 10.16.2.0 10.254.2.1 255.255.255.0 UG 2 0 0 tun4 xx.yy.zz.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0 10.16.6.0 10.254.6.1 255.255.255.0 UG 2 0 0 tun5 10.16.5.0 10.254.5.1 255.255.255.0 UG 2 0 0 tun3 10.16.1.0 10.254.1.1 255.255.255.0 UG 2 0 0 tun0 10.16.4.0 10.254.4.1 255.255.255.0 UG 2 0 0 tun2 127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo 0.0.0.0 xx.yy.zz.1 0.0.0.0 UG 0 0 0 eth0 -bash-2.05b$ ---------------------
[herrold@router openvpn]$ traceroute -n 10.11.10.1 traceroute to 10.11.10.1 (10.11.10.1), 30 hops max, 38 byte packets 1 10.254.1.2 67.991 ms 66.999 ms 67.598 ms 2 10.16.2.1 163.455 ms 166.039 ms 158.125 ms [herrold@router openvpn]$ 10.16.1.1 is in Ohio; 10.16.2.1 is in Florida; the direct route (External IP to External IP) is an average of 76.340 mS away direct -- the two legs to the centerpoint are 67.876 and 90.0 respectively, so some additional latency is induced by the hubbed model compared to a IPSEC right/left side direct model (which DOES requires two externally findable IP's). Some of the added latency is due to the crypto stream transaction cost, enciphering and deciphering the content for privacy.

I would note that I use a IP telephone from several of the spurs to a IP KSU behind the center hub; it works with a toll quality connection. I admin hosts all over the country through these tunnels, and indeed, coached a user just today in using 'mysql' at a command line to load a database half a continent away with 500M of data on his Windows desktop, through just such a tunnel.

MCI quoted about $2700 a year per node back when we were setting this up; my approach has broadband at the nodes (about $700 pA at one site; piggybacked into existing service elsewhere), and reused an existing central DS-1 (zero incremental cost), for reliability reasons. Savings are about 16k$ pA.

I am using only Linux based center-VPNning routers and central hub, although James Yohan of OpenVPN project has been working at rolling in Windows gateway router support recently.

-- Russ Herrold

---------------------------------------------------------------------
To unsubscribe, e-mail: linux-unsubscribe@ctlug.org
For additional commands, e-mail: linux-help@ctlug.org
---------------------------------------------------------------------
Visit our website at <http://www.ctlug.org>.