Tutorials: ESXi OpenVPN / One router / Multiple Public IP Addresses

From Knowledge base
Revision as of 07:22, 12 March 2018 by Celogeek

After a lot of pain and searching for configurations, I came up with a fairly complicated network setup that is simple to manage.

I have one server running ESXi, hosted at Online.net.

For that one server, I have one router available that lets my virtual machines reach the outside.

I have multiple public IP addresses associated with different virtual machines.

Expected configuration

The configuration I want is:

  • One virtual machine, the "router"
  • One virtual network card on the "router" per public IP address
  • One virtual network card on the "router" for the internal network where all my servers are connected
  • OpenVPN with a tun configuration to access my internal network
  • A large subnetwork (10.90.0.0/16), split into several /24 networks (10.90.10.0/24, 10.90.20.0/24), each one going out through a different public IP address
  • A DHCP / DNS server (dnsmasq) to assign the right IP automatically to each server

The objective is that each server that needs to be reached directly from the internet gets a public IP address.

The other servers get private IP addresses. Their traffic goes through the primary public IP address (the one of the VPN).

When a server receives a packet from the internet on a specific IP address, it is mandatory that the response goes back out through the same IP. Otherwise it fails with martian packet errors.

Requirements

  • One main route for the primary access (the one with the VPN)
  • One table per public IP address
  • One rule for each public IP address
  • One rule for the subnetwork dedicated to this public IP address
  • One rule for the VPN address

Here is the schema of my network:

[Figure: Onlinenetwork.png, schema of the network]

Configurations

We need a Virtual Machine with:

  • 1 network card with automatic hardware address (eth0)
  • 1 network card with the primary public IP address (eth1 with a fixed hardware address)
  • 1 network card with a secondary public IP address (eth2 with a fixed hardware address)

Of course, you can add all your public IP addresses the same way.

Network

Here are the config files:

/etc/network/interfaces:

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface

#local subnetwork
auto eth0
iface eth0 inet static
        address 10.90.10.1
        netmask 255.255.0.0
        post-up ip rule add to 10.90.8.0/24 lookup main prio 1000

#ip static of access
auto eth1
iface eth1 inet static
        address 88.190.44.25
        netmask 255.255.255.255
        broadcast 88.190.44.25
        post-up route add 88.88.88.1 dev eth1
        post-up route add default gw 88.88.88.1
        dns-nameservers 88.191.254.60 88.191.254.70
        dns-search in.celogeek.fr

#ip static of devel
#subnetwork 10.90.20.0/24
auto eth2
iface eth2 inet static
        address 88.192.99.99
        netmask 255.255.255.255
        broadcast 88.192.99.99
        post-up route add 88.88.88.1 dev eth2
        post-up ip route add default via 88.88.88.1 dev eth2 table devel
        post-up ip rule add from 10.90.20.0/24 lookup devel prio 1001
        post-up ip rule add from 88.192.99.99 lookup devel prio 1002

The main card adds the default gateway to the "main" routing table.

I also add an IP rule that uses the "main" routing table when a packet is destined for the VPN subnetwork (10.90.8.0/24). This avoids trying to reach VPN clients through one of the public IP addresses.

The secondary public IP has several routing rules:

  • When we go out via eth2, we reach the Online router through the eth2 card, so it sees the correct hardware address and accepts the traffic. This default route is placed in the "devel" table, not the "main" one.
  • Any packet that comes from the devel subnetwork (10.90.20.0/24) or from the secondary public IP address uses the "devel" table with a higher priority. This avoids sending it out through the default eth1 card.

We also need to declare the "devel" table. It is better to use a name instead of a number; it is simpler to manage.
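To see how the rule priorities and the two tables interact, here is an added worked model (not from the original page) of the policy routing set up by the post-up lines above. It reproduces the kernel's behaviour, first matching rule by ascending priority, then longest prefix in the selected table, and assumes the connected routes and the tun0 route that OpenVPN adds for its "server" subnetwork.

```python
import ipaddress

# Constructed model of the policy routing set up by the post-up lines of
# /etc/network/interfaces above. Rules are (priority, selector, table);
# the kernel tries them in ascending priority order.
RULES = [
    (1000, {"to": "10.90.8.0/24"}, "main"),       # traffic to VPN clients
    (1001, {"from": "10.90.20.0/24"}, "devel"),   # devel subnetwork
    (1002, {"from": "88.192.99.99/32"}, "devel"), # secondary public IP
    (32766, {}, "main"),                          # kernel's catch-all rule
]

# Routing tables as (destination prefix, outgoing device); longest prefix
# wins. The tun0 route is the one OpenVPN adds for its "server" subnet.
TABLES = {
    "main": [
        ("10.90.0.0/16", "eth0"),   # connected route of eth0
        ("10.90.8.0/24", "tun0"),   # added by OpenVPN (assumed)
        ("88.88.88.1/32", "eth1"),  # route add 88.88.88.1 dev eth1
        ("0.0.0.0/0", "eth1"),      # route add default gw 88.88.88.1
    ],
    "devel": [
        ("0.0.0.0/0", "eth2"),      # default via 88.88.88.1 dev eth2 table devel
    ],
}

def _rule_matches(selector, src, dst):
    if "from" in selector and src not in ipaddress.ip_network(selector["from"]):
        return False
    if "to" in selector and dst not in ipaddress.ip_network(selector["to"]):
        return False
    return True

def lookup(src, dst):
    """Return (table, device) chosen for a packet from src to dst.
    A table without a matching route falls through to the next rule."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _prio, selector, table in sorted(RULES, key=lambda r: r[0]):
        if not _rule_matches(selector, src, dst):
            continue
        best = None
        for prefix, dev in TABLES[table]:
            net = ipaddress.ip_network(prefix)
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, dev)
        if best is not None:
            return table, best[1]
    raise LookupError(f"no route from {src} to {dst}")
```

Replies sourced from 88.192.99.99 leave via eth2, while anything addressed to a VPN client is caught by the prio 1000 rule first and stays on the main table.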

Here is my routing table file:

/etc/iproute2/rt_tables:

#
# reserved values
#
255 local
254 main
253 default
0   unspec
#
# local
#
#1  inr.ruhep
1   devel

You can now reboot your server. The network cards should now be properly configured.

Next, we need to configure the firewall.

Firewall with Shorewall

I use "shorewall" for that purpose. Inside the /etc/shorewall directory:

/etc/shorewall/interfaces:

#ZONE   INTERFACE   OPTIONS
loc     eth0        dhcp
net     eth1        routeback
devel   eth2        routeback
vpn     tun0        dhcp

My local network and my VPN obtain their IPs by DHCP. The primary network "net" and the devel network "devel" have the "routeback" option, so traffic that arrives on one of these cards can be sent back out through the same card.

/etc/shorewall/masq:

#INTERFACE  SOURCE          ADDRESS     PROTO   PORT(S)   IPSEC   MARK
eth0        10.90.8.0/24
eth1        10.90.10.0/24
eth2        10.90.20.0/24

The VPN subnetwork (10.90.8.0/24) is masqueraded behind eth0 towards the local network. The subnetwork 10.90.10.0/24 is masqueraded behind eth1 (the "net" interface), and the subnetwork 10.90.20.0/24 behind eth2 (the "devel" interface).

/etc/shorewall/policy:

#SOURCE   DEST    POLICY    LOG LEVEL   LIMIT:BURST

loc       all     ACCEPT
vpn       loc     ACCEPT
vpn       $FW     ACCEPT
$FW       all     ACCEPT
net       all     DROP      info
# THE FOLLOWING POLICY MUST BE LAST
all       all     REJECT    info

This allows the whole local network to reach any zone. You could also forbid communication between the subnetworks.

The "vpn" zone only has access to the firewall and the local network. I do not allow an internet connection for it.

The firewall itself can reach any zone.

Everything else coming from the internet is dropped, and any remaining communication is rejected.

/etc/shorewall/zones:

#ZONE   TYPE        OPTIONS     IN OPTIONS      OUT OPTIONS
fw      firewall
net     ipv4
loc     ipv4
vpn     ipv4
devel   ipv4

I declare all the network zones in the "zones" file.

You have to adapt the "rules" to your needs.

The important rule for the VPN:

/etc/shorewall/rules:

OpenVPN(ACCEPT)   net   $FW   # VPN

From the internet you can only reach the router through an OpenVPN client. Add a rule for SSH to simplify the initial configuration.

To start this configuration at boot:

/etc/shorewall/shorewall.conf:

STARTUP_ENABLED=Yes

And in /etc/default/shorewall:

startup=1

Then reboot, and your firewall should be properly configured.

DHCP server with dnsmasq

Let's add "dnsmasq" as a DNS and DHCP server.

I set up some static IPs on the secondary network:

/etc/hosts:

10.90.10.1  access

#static devel route
10.90.20.10 postfix postfix.celogeek.fr postfix.celogeek.com
10.90.20.11 tasks tasks.celogeek.fr tasks.celogeek.com
10.90.20.12 gitorious gitorious.celogeek.fr gitorious.celogeek.com

I add the DHCP settings:

/etc/dnsmasq.conf:

expand-hosts
local=/in.celogeek.fr/
domain=in.celogeek.fr
dhcp-option=option:domain-search,in.celogeek.fr
dhcp-range=10.90.10.2,10.90.10.254,12h
conf-dir=/etc/dnsmasq.d

Any short name gets the "in.celogeek.fr" domain appended and resolves thanks to the local hosts file and the DHCP leases. A machine sends its hostname to the DHCP server, and you can resolve that name afterwards.

For the static IPs, we need their hardware addresses, and we give them names in dnsmasq:

/etc/dnsmasq.d/devel-hosts:

dhcp-host=00:0c:29:28:35:e2,postfix
dhcp-host=00:0c:29:e6:55:ba,tasks
dhcp-host=00:0c:29:d5:43:15,gitorious

You can now restart again.

The servers get:

  • a dynamic IP assigned on the primary subnetwork
  • a static IP in the other subnetwork, which goes out through the "devel" network card.
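Because a dhcp-host line that carries only a name gets its fixed address from /etc/hosts, the two files have to agree. Here is an added consistency check (my example, not part of the original page) that parses constructed copies of the /etc/hosts and /etc/dnsmasq.d/devel-hosts files shown above and reports names without a hosts entry, addresses outside the devel subnetwork, and collisions with the dynamic dhcp-range.

```python
import ipaddress

# Constructed copies of the two files above, embedded so the check runs
# stand-alone; on the router you would read the real files instead.
HOSTS = """\
10.90.10.1  access

#static devel route
10.90.20.10 postfix postfix.celogeek.fr postfix.celogeek.com
10.90.20.11 tasks tasks.celogeek.fr tasks.celogeek.com
10.90.20.12 gitorious gitorious.celogeek.fr gitorious.celogeek.com
"""
DEVEL_HOSTS = """\
dhcp-host=00:0c:29:28:35:e2,postfix
dhcp-host=00:0c:29:e6:55:ba,tasks
dhcp-host=00:0c:29:d5:43:15,gitorious
"""
DHCP_RANGE = ("10.90.10.2", "10.90.10.254")         # dhcp-range= in dnsmasq.conf
DEVEL_NET = ipaddress.ip_network("10.90.20.0/24")   # subnetwork routed via eth2

def parse_hosts(text):
    # Map every name on an /etc/hosts line to its address; '#' starts a comment.
    names = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            names[name] = ipaddress.ip_address(fields[0])
    return names

def parse_dhcp_hosts(text):
    # Yield (mac, name) pairs from dhcp-host=MAC,NAME lines.
    for line in text.splitlines():
        if line.startswith("dhcp-host="):
            mac, name = line[len("dhcp-host="):].split(",")[:2]
            yield mac.lower(), name

def check_static_leases(hosts_text, dhcp_text):
    """Return the list of problems found; an empty list means the files agree."""
    names = parse_hosts(hosts_text)
    low, high = (ipaddress.ip_address(a) for a in DHCP_RANGE)
    problems = []
    for _mac, name in parse_dhcp_hosts(dhcp_text):
        ip = names.get(name)
        if ip is None:   # dnsmasq takes the fixed address from /etc/hosts
            problems.append(f"{name}: no /etc/hosts entry, no fixed IP")
            continue
        if ip not in DEVEL_NET:
            problems.append(f"{name}: {ip} is outside {DEVEL_NET}")
        if low <= ip <= high:
            problems.append(f"{name}: {ip} collides with the dynamic range")
    return problems
```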

VPN with OpenVPN

Now let's configure the "OpenVPN" service. I strongly encourage using "easy-rsa" to generate the server key and the client keys.

Here is the network-specific part of your OpenVPN config file:

server.conf:

port 1194
proto udp
dev tun
ca easy-rsa/keys/ca.crt
cert easy-rsa/keys/server.crt
key easy-rsa/keys/server.key  # This file should be kept secret
dh easy-rsa/keys/dh1024.pem
ifconfig-pool-persist ipp.txt

server 10.90.8.0 255.255.255.0
push "route 10.90.0.0 255.255.0.0"
push "dhcp-option DNS 10.90.8.1"
push "dhcp-option DOMAIN in.celogeek.fr"

When you connect to the VPN, the domain "in.celogeek.fr" is resolved through the VPN. If I run "ping access" or "ping postfix", the name is expanded to "postfix.in.celogeek.fr" and resolves to the private IP address.

Once that configuration works, you can remove the SSH rule from Shorewall and only allow OpenVPN connections.

Conclusion

The benefits are:

  • I have one router holding all the DNS configuration
  • the servers obtain their IP addresses automatically
  • all private servers can reach the private network
  • they also have access to the internet

Configuring a new server is straightforward.

Well, I hope this helps. Tell me if you have a suggestion; I am very interested in improving this configuration.
