Work From Home, or bring your corporate network home

Work From Home (WFH)… Not a big problem for IT. Almost everything I need I can do without any discomfort. I really understood how to work this way during the first quarantine, which in Lithuania fell in summer. Good weather, own house, lots of forests around… Who cares about COVID19, I just stay with my family and spend my time as usual. After the first global lockdown all systems were prepared for remote work and new hardware was added with some capacity for future use. But time went by and a new project started: design the whole WiFi infrastructure for the school (yes, I work at a school, the biggest and most unique school in Lithuania). Lots of access points in 4 buildings, with authorization against the Google Education (Google Workspace) LDAP service. More than 1500 users… And only one “must be” requirement: comfortable usage for everyone, clients and admins.

To meet all requirements I must be connected to the school network, but configuring a VPN on all devices is not a good idea, and putting some services outside is also not good… So, the solution: bring the network home. Ok, I have some enterprise level routers which I can use… But none of them supports OpenVPN. Why OpenVPN? Because this service is already present and I don't see any point in changing something. A short research gave these candidates to solve the problem: pfSense, OpenWrt and DD-WRT. For pfSense I need some computer, or a Raspberry Pi… I keep it as plan “B”. From my friend I got a TP-Link with less than 2 MB flash - not enough space. After buying a D-Link DIR-300 (4 euro) - not enough space too. And then I found a D-Link DIR-620 A1 with 8 MB flash for 10 euro. This device fits all my needs (btw, I write this post connected via the DIR-620). Short remark, why not DD-WRT? Because the first TP-Link I got already came with OpenWrt, so then: pfSense (Plan C), DD-WRT (Plan B) and OpenWrt (Plan A).

Let's start

The latest OpenWrt version with LuCI is 19. But interestingly, not all kernel modules needed to install the OpenVPN service are present; I found a few issues describing similar problems, and one of the easy solutions is just to use version 18. Why not, I don't need the latest version, I need to solve my problem. Everything was installed, and during configuration I found luci-app-openvpn very useless, not a comfortable configuration… after a few looks I just removed this package. BTW, a lot of OpenWrt functions do not work as expected, for example: no delay when adding routes, additional name servers for DNS forwarders do not work, the WAN interface sometimes uses configuration from WAN6 (IPv6), no easy way to use VLANs with TUN/TAP… All can be solved!

Autostart openvpn with my configuration

cat /etc/init.d/openvpn
...
for path in /etc/openvpn/*.conf; do
...
I need to rename my .ovpn to .conf and put it into /etc/openvpn. Then enable the service for autostart and start it. The usual way is to pass the password from a file, but the easiest way is to create a password-less user with authentication via certificate.
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.8.0.6  P-t-P:10.8.0.6  Mask:255.255.255.0
          inet6 addr: fe80::500c:371:ed18:e4a1/64 Scope:Link
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:20234 errors:0 dropped:0 overruns:0 frame:0
          TX packets:20433 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:6912171 (6.5 MiB)  TX bytes:2338488 (2.2 MiB)
OpenVPN is a very specific service, I mean the configuration depends on the setup… What I changed in the client.conf file: disable the routes pushed from the server.
...
#route-nopull
...

Routes

root@DIR-620-A1-OWRT:~# netstat -ran
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.254   0.0.0.0         UG        0 0          0 eth0.2
10.8.0.0        0.0.0.0         255.255.255.0   U         0 0          0 tun0
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 br-lan
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0.2
Looks good, but it does not work… we need to add a route for my school subnet 10.0.0.0/21
root@DIR-620-A1-OWRT:~# /sbin/route add -net 10.0.0.0 netmask 255.255.248.0 gw 10.8.0.1

root@DIR-620-A1-OWRT:~# ping 10.0.0.1
64 bytes from 10.0.0.1: seq=0 ttl=63 time=13.101 ms
64 bytes from 10.0.0.1: seq=1 ttl=63 time=9.091 ms
64 bytes from 10.0.0.1: seq=2 ttl=63 time=9.414 ms
^C

root@DIR-620-A1-OWRT:~# ping 10.0.5.5
64 bytes from 10.0.5.5: seq=0 ttl=63 time=12.005 ms
64 bytes from 10.0.5.5: seq=1 ttl=63 time=9.190 ms
64 bytes from 10.0.5.5: seq=2 ttl=63 time=16.837 ms
^C
All works fine. We just need to add the route command to System > Startup > Local Startup (/etc/rc.local)
sleep 20; /sbin/route add -net 10.0.0.0 netmask 255.255.248.0 gw 10.8.0.1
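The fixed sleep in rc.local works, but it is fragile: if OpenVPN takes longer than 20 seconds to bring up tun0 the route is never added, and if the script runs a second time the route add fails because the route already exists. The script below is an added example (not the author's rc.local and not part of OpenWrt) that waits for tun0 to appear, converts the /21 prefix into the netmask that route expects, and adds the route only when it is not already in the table. The interface, gateway and subnet are the ones from the post; the 60-second timeout and the logger tag are assumptions.

```shell
#!/bin/sh
# Added example startup script for /etc/rc.local on the OpenWrt router.
# Values below come from the post; the timeout and logger tag are assumptions.

VPN_IF="tun0"
VPN_GW="10.8.0.1"
SCHOOL_NET="10.0.0.0"
SCHOOL_PREFIX=21

# prefix_to_netmask PREFIX -> dotted netmask, e.g. 21 -> 255.255.248.0
# Returns 1 for a prefix outside 0..32.
prefix_to_netmask() {
    p=$1
    [ "$p" -ge 0 ] && [ "$p" -le 32 ] || return 1
    mask=""
    i=0
    while [ "$i" -lt 4 ]; do
        if [ "$p" -ge 8 ]; then
            octet=255
        elif [ "$p" -le 0 ]; then
            octet=0
        else
            # p high bits set in this octet: 256 - 2^(8-p)
            octet=$(( 256 - (1 << (8 - p)) ))
        fi
        p=$(( p - 8 ))
        mask="${mask}${mask:+.}${octet}"
        i=$(( i + 1 ))
    done
    echo "$mask"
}

# wait_for_iface IFACE SECONDS -> 0 as soon as IFACE exists, 1 on timeout
wait_for_iface() {
    n=0
    while [ "$n" -lt "$2" ]; do
        [ -d "/sys/class/net/$1" ] && return 0
        sleep 1
        n=$(( n + 1 ))
    done
    [ -d "/sys/class/net/$1" ]
}

# route_present NET MASK -> 0 if the kernel table already has NET/MASK
route_present() {
    route -n | awk -v n="$1" -v m="$2" \
        '$1 == n && $3 == m { found = 1 } END { exit !found }'
}

# Add the school route once the tunnel is up; idempotent across reruns.
add_school_route() {
    mask=$(prefix_to_netmask "$SCHOOL_PREFIX") || return 1
    if ! wait_for_iface "$VPN_IF" 60; then
        logger -t rc.local "$VPN_IF did not come up, school route not added"
        return 1
    fi
    route_present "$SCHOOL_NET" "$mask" && return 0
    /sbin/route add -net "$SCHOOL_NET" netmask "$mask" gw "$VPN_GW"
}

# Only act when executed as the startup script; sourcing the file for tests
# leaves the functions defined without touching the routing table.
case "$0" in
    */rc.local) add_school_route ;;
esac
```

Since pushed routes were disabled in client.conf, the same route could instead be given to OpenVPN itself with a `route 10.0.0.0 255.255.248.0` line in client.conf, which OpenVPN installs as soon as the tunnel is up; the script is useful when you prefer to keep all routing in rc.local.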


IPTables

In Network > Firewall > General Settings > Zones we need to set Input, Output and Forward to accept.
In Network > Firewall > Traffic Rules create a rule:
Any traffic From any host in LAN To IP range 10.0.0.0/21 in VPN, action Accept forward
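Setting Input, Output and Forward to accept on the zones gets the traffic through, but it also accepts everything that reaches the router on the tunnel side (and on WAN, if that zone was changed as well). The fragment below is an added example for /etc/config/firewall, not the author's configuration: it defines a vpn zone for tun0 that keeps OpenWrt's default rejects and opens only the LAN-to-10.0.0.0/21 forward described in the post. The zone name, the rule name and masquerading are assumptions; masquerading covers the case where the OpenVPN server has no return route for the home LAN, so that replies come back to the router's tunnel address 10.8.0.6.

```text
# /etc/config/firewall (added example fragment, not the author's file)

# Zone for the tunnel. Input and forward stay rejected, as on the wan zone,
# so only the explicit rule below opens a path.
config zone
	option name 'vpn'
	list device 'tun0'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'

# Let LAN hosts reach the school subnet through the tunnel and nothing else.
config rule
	option name 'lan-to-school'
	option src 'lan'
	option dest 'vpn'
	option dest_ip '10.0.0.0/21'
	option proto 'all'
	option target 'ACCEPT'
```

After saving, run `/etc/init.d/firewall restart` and check the generated rules with `fw3 print`; the lan and wan zones keep their defaults, and the ping test from the laptop below still has to pass.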
Short test
Alans-MBP:~ alan$ ping 10.0.0.1
64 bytes from 10.0.0.1: icmp_seq=0 ttl=62 time=9.132 ms
64 bytes from 10.0.0.1: icmp_seq=1 ttl=62 time=11.621 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=62 time=9.629 ms

Alans-MBP:~ alan$ ping 10.0.5.5
64 bytes from 10.0.5.5: icmp_seq=0 ttl=62 time=13.580 ms
64 bytes from 10.0.5.5: icmp_seq=1 ttl=62 time=11.014 ms
64 bytes from 10.0.5.5: icmp_seq=2 ttl=62 time=11.175 ms
All works fine too.

DNS

As I mentioned before, DNS has some problems; the easy way I found is just to pass the school DNS server to my computer from the DHCP server.
Alans-MBP:~ alan$ cat /etc/resolv.conf | grep nameserver
nameserver 10.0.0.1
In Network > Interfaces > lan > DHCP Server > Advanced Settings
DHCP-Options: 6,10.0.0.1
Final test
Alans-MBP:~ alan$ ping auth.cmm.lan
64 bytes from 10.0.5.7: icmp_seq=0 ttl=62 time=13.082 ms
64 bytes from 10.0.5.7: icmp_seq=1 ttl=62 time=13.541 ms
64 bytes from 10.0.5.7: icmp_seq=2 ttl=62 time=14.320 ms
