Tutorials: ESXi, OpenVPN, one router, multiple public IP addresses
After a lot of pain and searching through configurations, I came up with a rather complex network setup that is simple to manage.
I have one server running ESXi, hosted at Online.net.
For that server, I have one router available that lets my virtual machines get out.
I have multiple public IP addresses, associated with different virtual machines.
The configuration I want is:
- One virtual machine, the "router"
- One virtual network card on the "router" per public IP address
- One virtual network card on the "router" for the internal network where all my servers are connected
- OpenVPN in tun mode to reach my internal network
- A large subnet (10.90.0.0/16), split into multiple /24 networks (10.90.10.0/24, 10.90.20.0/24), each going out through a different public IP address
- A DHCP/DNS server (dnsmasq) to hand the right IP address to each server automatically
The objective is for each server that needs to be reached directly from the internet to get a public IP address.
The other servers get private IP addresses. Their traffic goes out through the primary public IP address (the one the VPN uses).
When a server receives a packet from the internet on a specific IP address, the response must leave from that same IP. Otherwise it fails with martian packet errors.
The routing is therefore organized as:
- One main route for the primary access (the one with the VPN)
- One routing table per public IP address
- One rule for each public IP address
- One rule for the subnet dedicated to that public IP address
- One rule for the VPN address
Here is the schema of my network:
We need a virtual machine with:
- 1 network card with an automatic hardware address (eth0)
- 1 network card with the primary public IP address (eth1, with a fixed hardware address)
- 1 network card with a secondary public IP address (eth2, with a fixed hardware address)
Of course, you can add all your other public IP addresses the same way.
Here is the network configuration file (/etc/network/interfaces):

```
# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
# local subnetwork
auto eth0
iface eth0 inet static
    address 10.90.10.1
    netmask 255.255.0.0
    post-up ip rule add to 10.90.8.0/24 lookup main prio 1000

# ip static of access
auto eth1
iface eth1 inet static
    address 220.127.116.11
    netmask 255.255.255.255
    broadcast 18.104.22.168
    post-up route add 22.214.171.124 dev eth1
    post-up route add default gw 126.96.36.199
    dns-nameservers 188.8.131.52 184.108.40.206
    dns-search in.celogeek.fr

# ip static of devel
# subnetwork 10.90.20.0/24
auto eth2
iface eth2 inet static
    address 220.127.116.11
    netmask 255.255.255.255
    broadcast 18.104.22.168
    post-up route add 22.214.171.124 dev eth2
    post-up ip route add default via 126.96.36.199 dev eth2 table devel
    post-up ip rule add from 10.90.20.0/24 lookup devel prio 1001
    post-up ip rule add from 188.8.131.52 lookup devel prio 1002
```
The main card adds the default gateway to the "main" routing table.
I also add an IP rule that uses the "main" table when a request goes to the VPN subnet. It avoids trying to reach the VPN through one of the secondary public IP addresses.
The secondary public IP has several route rules:
- If we use eth2, we reach the Online router through the eth2 card. The router sees the correct hardware address and accepts the connection. We set this in a "devel" table, not the "main" one.
- Any packet coming from the devel subnet or from the secondary public IP address uses the "devel" table, with a higher priority. It avoids going out through the default eth1 card.
We also need the "devel" table itself. It is better to use a name instead of a number; it is simpler to manage.
Here is my routing table file (/etc/iproute2/rt_tables):

```
#
# reserved values
#
255     local
254     main
253     default
0       unspec
#
# local
#
#1      inr.ruhep
1       devel
```
You can now reboot your server. The network cards should be properly configured.
Next, we need to configure the firewall.
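As an added example (not from the original post), here is a small POSIX shell helper that produces the same post-up commands for any additional public IP and checks two things that commonly break this kind of setup: that the table name is declared in rt_tables (ip refuses an unknown name, so the post-up lines silently fail at boot), and that the VPN rule outranks the per-IP rules in the output of `ip rule show`. The table name "staging", the interface eth3, the priority 1003 and the 198.51.100.x / 203.0.113.x addresses are constructed sample values, not the post's.

```shell
#!/bin/sh
# Added example, not part of the original post: generate the policy-routing
# commands for one extra public IP the way the eth2/"devel" block does, and
# check the two prerequisites that most often make such a setup misbehave.
# Interface names, table names and addresses are constructed samples
# (RFC 5737 documentation ranges stand in for real public addresses).

# Print the ip(8) commands binding one public IP and its private /24 to a
# dedicated routing table. Args: table iface subnet public_ip gateway prio
# (the subnet rule gets prio, the public-IP rule prio+1, so the next IP
# should start at prio+2, exactly like 1001/1002 in the post).
routing_cmds() {
    table=$1; iface=$2; subnet=$3; pubip=$4; gw=$5; prio=$6
    printf 'ip route add default via %s dev %s table %s\n' "$gw" "$iface" "$table"
    printf 'ip rule add from %s lookup %s prio %s\n' "$subnet" "$table" "$prio"
    printf 'ip rule add from %s lookup %s prio %s\n' "$pubip" "$table" "$((prio + 1))"
}

# Succeed only if the table name is declared in rt_tables; ip(8) rejects
# "table <name>" otherwise, and a post-up line that fails does not stop boot.
table_declared() {
    table=$1; rt_file=${2:-/etc/iproute2/rt_tables}
    grep -Eq "^[[:space:]]*[0-9]+[[:space:]]+$table([[:space:]]|\$)" "$rt_file"
}

# Read `ip rule show` output on stdin and succeed only if the
# "to <vpn_net> lookup main" rule has a lower prio number (higher priority)
# than every "from <x> lookup <table>" rule: that ordering is what keeps
# VPN traffic on the primary address instead of a secondary public IP.
vpn_rule_outranks() {
    awk -v vpn="$1" '
        /lookup main/ && $0 ~ ("to " vpn) { split($1, p, ":"); main_prio = p[1] + 0 }
        /from/ && /lookup/ && !/lookup main/ && !/from all/ {
            split($1, p, ":"); if (min == "" || p[1] + 0 < min) min = p[1] + 0 }
        END { if (main_prio != "" && min != "" && main_prio < min) exit 0; exit 1 }'
}

# Stand-alone demo: show what would be run for a further public IP.
routing_cmds staging eth3 10.90.30.0/24 203.0.113.7 203.0.113.1 1003
```

Run the generated lines by hand first, then copy them into post-up entries once `ip rule show | vpn_rule_outranks 10.90.8.0/24` succeeds on the live router.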
Firewall with Shorewall
I use Shorewall for that purpose. The following files live in the /etc/shorewall directory.

interfaces:

```
#ZONE   INTERFACE   OPTIONS
loc     eth0        dhcp
net     eth1        routeback
devel   eth2        routeback
vpn     tun0        dhcp
```

My local network and my VPN obtain their IP by DHCP. The primary network "net" and the devel network "devel" have the "routeback" option, so traffic arriving on that card may be routed back out through the same card.
masq:

```
#INTERFACE   SOURCE          ADDRESS   PROTO   PORT(S)   IPSEC   MARK
eth0         10.90.8.0/24
eth1         10.90.10.0/24
eth2         10.90.20.0/24
```

The "vpn" subnet is masqueraded towards the local network. The subnet 10.90.10.0/24 is masqueraded behind the "net" card, and the subnet 10.90.20.0/24 behind the "devel" card.
policy:

```
#SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
loc       all    ACCEPT
vpn       loc    ACCEPT
vpn       $FW    ACCEPT
$FW       all    ACCEPT
net       all    DROP     info
# THE FOLLOWING POLICY MUST BE LAST
all       all    REJECT   info
```

It allows the whole local network to reach any network. You can also forbid communication between the subnets.
The "vpn" zone only has access to the firewall and the local network. I do not allow it an internet connection.
The firewall itself can reach any network.
We drop any other communication.
zones:

```
#ZONE   TYPE       OPTIONS   IN        OUT
#                            OPTIONS   OPTIONS
fw      firewall
net     ipv4
loc     ipv4
vpn     ipv4
devel   ipv4
```

I declare all the network zones in the "zones" file.
You have to adapt the "rules" file to your needs.
The important rule for the VPN:

```
#ACTION           SOURCE   DEST
OpenVPN(ACCEPT)   net      $FW    #VPN
```

You can reach the "vpn" zone only by using an OpenVPN client. Add a rule for SSH as well, to simplify the initial configuration.
To enable this configuration at boot:
Then reboot, and your firewall should be properly configured.
DHCP server with dnsmasq
Let's add dnsmasq as DNS and DHCP server.
I set up some static IPs on the secondary network, in the local hosts file (/etc/hosts):

```
10.90.10.1   access
# static devel route
10.90.20.10  postfix    postfix.celogeek.fr    postfix.celogeek.com
10.90.20.11  tasks      tasks.celogeek.fr      tasks.celogeek.com
10.90.20.12  gitorious  gitorious.celogeek.fr  gitorious.celogeek.com
```
I add the DHCP settings to the dnsmasq configuration:

```
expand-hosts
local=/in.celogeek.fr/
domain=in.celogeek.fr
dhcp-option=option:domain-search,in.celogeek.fr
dhcp-range=10.90.10.2,10.90.10.254,12h
conf-dir=/etc/dnsmasq.d
```

Any short name gets the "in.celogeek.fr" domain appended and resolves through the local hosts file and the DHCP leases. A machine sends its name to the DHCP server, and you can resolve that name afterwards.
For the static IPs, we need their hardware addresses, and we map them to the host names in dnsmasq:

```
dhcp-host=00:0c:29:28:35:e2,postfix
dhcp-host=00:0c:29:e6:55:ba,tasks
dhcp-host=00:0c:29:d5:43:15,gitorious
```
You can restart again.
The servers get:
- a dynamic IP assigned on the primary Ethernet network
- a static IP in another subnet that goes out through the "devel" network card
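A pitfall with the mapping above is that a `dhcp-host=<mac>,<name>` entry only pins a fixed address when `<name>` resolves through the hosts file; a host whose name is missing there quietly takes a lease from dhcp-range instead, and a static address that sits inside dhcp-range can also be handed out as a dynamic lease. The following POSIX shell helper, added here and not part of the original post, cross-checks a dnsmasq config against a hosts file for both problems. The file contents in the demo (the "monitor" host, the 00:0c:29:aa:bb:xx MACs, postfix.example.net and 10.90.10.50) are constructed samples in the shape of the post's files.

```shell
#!/bin/sh
# Added example, not part of the original post: cross-check dnsmasq static
# host entries against the hosts file they rely on. All file contents in the
# demo at the bottom are constructed samples.

# Print the names from dhcp-host lines that have no hosts-file entry.
# Args: dnsmasq config file, hosts file.
unresolved_static_hosts() {
    conf=$1; hosts=$2
    awk -v hostsfile="$hosts" '
        BEGIN {
            # collect every name (all fields after the address) from the hosts file
            while ((getline line < hostsfile) > 0) {
                if (line ~ /^[ \t]*(#|$)/) continue
                n = split(line, f)
                for (i = 2; i <= n; i++) known[f[i]] = 1
            }
        }
        /^dhcp-host=/ {
            split(substr($0, 11), f, ",")   # f[1] = MAC, f[2] = name or address
            if (f[2] == "" || f[2] ~ /^[0-9.]+$/) next   # literal address needs no hosts entry
            if (!(f[2] in known)) print f[2]
        }' "$conf"
}

# Print hosts-file addresses of static hosts that fall inside dhcp-range,
# where dnsmasq could hand the same address out as a dynamic lease as well.
# Args: dnsmasq config file, hosts file.
static_ips_in_dynamic_range() {
    conf=$1; hosts=$2
    awk -v conffile="$conf" '
        function ip2n(ip,   o) {
            split(ip, o, ".")
            return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
        }
        BEGIN {
            while ((getline line < conffile) > 0) {
                if (line ~ /^dhcp-range=/) {
                    split(substr(line, 12), r, ",")   # start,end,lease
                    lo = ip2n(r[1]); hi = ip2n(r[2])
                }
                if (line ~ /^dhcp-host=/) {
                    split(substr(line, 11), f, ",")
                    static[f[2]] = 1
                }
            }
        }
        /^[ \t]*(#|$)/ { next }
        {
            for (i = 2; i <= NF; i++)
                if ($i in static) {
                    n = ip2n($1)
                    if (n >= lo && n <= hi) { print $1; break }
                }
        }' "$hosts"
}

# Stand-alone demo on constructed files.
demo_conf=$(mktemp); demo_hosts=$(mktemp)
cat > "$demo_conf" <<'EOF'
expand-hosts
dhcp-range=10.90.10.2,10.90.10.254,12h
dhcp-host=00:0c:29:aa:bb:01,postfix
dhcp-host=00:0c:29:aa:bb:02,tasks
dhcp-host=00:0c:29:aa:bb:03,monitor
EOF
cat > "$demo_hosts" <<'EOF'
10.90.10.1  access
10.90.20.10 postfix postfix.example.net
10.90.10.50 tasks
EOF
echo "dhcp-host names without a hosts entry:"; unresolved_static_hosts "$demo_conf" "$demo_hosts"
echo "static addresses inside dhcp-range:";   static_ips_in_dynamic_range "$demo_conf" "$demo_hosts"
rm -f "$demo_conf" "$demo_hosts"
```

On the router itself, point both functions at /etc/dnsmasq.conf and /etc/hosts; an empty result from each means every pinned host will actually receive its intended address.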
VPN with OpenVPN
Now let's configure the OpenVPN service. I strongly encourage using easy-rsa to generate the server key and the client keys.
Here is the network-specific part of the OpenVPN server config file:

```
port 1194
proto udp
dev tun
ca easy-rsa/keys/ca.crt
cert easy-rsa/keys/server.crt
key easy-rsa/keys/server.key  # This file should be kept secret
dh easy-rsa/keys/dh1024.pem
ifconfig-pool-persist ipp.txt
server 10.90.8.0 255.255.255.0
push "route 10.90.0.0 255.255.0.0"
push "dhcp-option DNS 10.90.8.1"
push "dhcp-option DOMAIN in.celogeek.fr"
```

When you connect to the VPN, the "in.celogeek.fr" domain is resolved through the VPN. If I run "ping access" or "ping postfix", it is expanded to "ping postfix.in.celogeek.fr", and you obtain the private IP address.
If that configuration works, you can remove the SSH rule from Shorewall and only allow OpenVPN connections.
The benefits are:
- I have one router holding all the DNS configuration
- the servers obtain their IP addresses automatically
- any private server can reach the private network
- they have access to the internet
Configuring a new server is straightforward.
Well, I hope this helps. Tell me if you have a suggestion; I am very interested in improving this configuration.