Work From Home, or bring your corporate network home
Work From Home (WFH)… Not a big problem for IT. Almost everything I need I can do without any discomfort. I got a good understanding of how to work this way during the first quarantine period; in Lithuania it was in summer. Good weather, my own house, lots of forests around… Who cares about COVID-19, I just stay with my family and spend my time as usual.
After the first global lockdown all systems were prepared for remote work and we added new hardware with some capacity for future use. But time went by and a new project started: design the whole WiFi infrastructure for the school (yes, I work at a school, the biggest and most unique school in Lithuania). Lots of access points in 4 buildings, with authorization against the Google Workspace (Google for Education) LDAP service. More than 1500 users… And only one “must be” requirement: comfortable usage for everyone, clients and admins.
To meet all requirements I must be connected to the school network, but configuring a VPN on all devices is not a good idea, and putting some services outside is also not good… So, the solution: bring the network home. Ok, I have some enterprise-level routers which I could use… but none of them supports OpenVPN. Why OpenVPN? Because this service is already present and I don't see any point in changing something. A short research gave candidates to solve this problem: pfSense, OpenWrt and DD-WRT. For pfSense I need some computer, or a Raspberry Pi… I keep it as plan “B”. From my friend I got a TP-Link with less than 2 MB flash, not enough space. After buying a D-Link DIR-300 (4 euro), not enough space either. Then I found a D-Link DIR-620 A1 with 8 MB flash for 10 euro. This device fits all my needs (btw, I am writing this post connected via the DIR-620). Short remark, why not DD-WRT? Because the first TP-Link I got already came with OpenWrt, so: pfSense (Plan C), DD-WRT (Plan B) and OpenWrt (Plan A).
Let's start
The latest OpenWrt (LuCI) version is 19. But, very interesting, not all kernel modules are present to install the OpenVPN service; I found a few issues describing similar problems, and one of the easy solutions is just to use version 18. Why not, I don't need the latest version, I need to solve my problem. Everything was installed, and during configuration I found luci-app-openvpn very useless, not a comfortable configuration… after a few looks I just removed this package. BTW, a lot of OpenWrt functions do not work as expected, for example: no delay when adding routes, additional name servers for DNS forwarders do not work, the WAN interface sometimes uses configuration from WAN6 (IPv6), no easy way to use VLANs with TUN/TAP… All can be solved!

Autostart openvpn with my configuration
cat /etc/init.d/openvpn
...
for path in /etc/openvpn/*.conf; do
...

I need to rename my .ovpn to .conf and put it in /etc/openvpn. Then enable the service for autostart and start it. The present setup passes the password from a file, but the easiest way is to create a password-less user with authentication via certificate.
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.6  P-t-P:10.8.0.6  Mask:255.255.255.0
          inet6 addr: fe80::500c:371:ed18:e4a1/64 Scope:Link
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:20234 errors:0 dropped:0 overruns:0 frame:0
          TX packets:20433 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:6912171 (6.5 MiB)  TX bytes:2338488 (2.2 MiB)

OpenVPN is a very specific service, I mean the configuration depends on the server… What I change in the client.conf file is to disable the routes pushed from the server.
... #route-nopull ...
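The two points above (ignore server-pushed routes with route-nopull, and prefer certificate login over a password stored in a file) can be checked mechanically. The script below is an added example, not the post's own client.conf: it writes two constructed client configs (a weak one in the state the post starts from, where `route-nopull` is still commented out, and a hardened one) and audits them. The host name vpn.school.invalid, the file paths and the `route` line for 10.0.0.0/21 are assumptions made for the example. Note that `route-nopull` only takes effect when the line is active (not commented out).

```shell
#!/bin/sh
# Added example (not the post's own files): write a constructed OpenVPN client
# config in two variants and audit it for the points the post raises.

# Weak variant (constructed): routes are still pulled from the server
# and the user password is read from a file on the router's flash.
write_weak_conf() {
    cat > "$1" <<'EOF'
client
dev tun
proto udp
remote vpn.school.invalid 1194
#route-nopull
auth-user-pass /etc/openvpn/pass.txt
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client.crt
key /etc/openvpn/client.key
EOF
}

# Hardened variant (constructed): route-nopull active, one local route for
# the school subnet, certificate-only login, server certificate type check.
write_hardened_conf() {
    cat > "$1" <<'EOF'
client
dev tun
proto udp
remote vpn.school.invalid 1194
route-nopull
route 10.0.0.0 255.255.248.0
remote-cert-tls server
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client.crt
key /etc/openvpn/client.key
EOF
}

# Audit a client config. Each finding is printed on its own line and the
# total is left in AUDIT_FINDINGS; the function always returns 0 so it is
# safe to call under 'set -e'. A leading '#' or ';' comments a directive
# out, so only lines that start with the directive itself count.
audit_ovpn_conf() {
    f="$1"
    AUDIT_FINDINGS=0
    if ! grep -Eq '^[[:space:]]*route-nopull([[:space:]]|$)' "$f"; then
        echo "route-nopull is not active: server-pushed routes will be installed"
        AUDIT_FINDINGS=$((AUDIT_FINDINGS + 1))
    fi
    if grep -Eq '^[[:space:]]*auth-user-pass[[:space:]]+[^[:space:]]' "$f"; then
        echo "auth-user-pass reads a password from a file stored on the router"
        AUDIT_FINDINGS=$((AUDIT_FINDINGS + 1))
    fi
    if ! grep -Eq '^[[:space:]]*(cert[[:space:]]|<cert>)' "$f" \
       || ! grep -Eq '^[[:space:]]*(key[[:space:]]|<key>)' "$f"; then
        echo "no client certificate/key: certificate-based login is not configured"
        AUDIT_FINDINGS=$((AUDIT_FINDINGS + 1))
    fi
    if ! grep -Eq '^[[:space:]]*remote-cert-tls[[:space:]]+server' "$f"; then
        echo "remote-cert-tls server missing: server certificate type is not checked"
        AUDIT_FINDINGS=$((AUDIT_FINDINGS + 1))
    fi
    return 0
}

# Stand-alone run: audit both variants.
weak=$(mktemp) && hard=$(mktemp)
write_weak_conf "$weak"; write_hardened_conf "$hard"
echo "== weak config =="; audit_ovpn_conf "$weak"; echo "findings: $AUDIT_FINDINGS"
echo "== hardened config =="; audit_ovpn_conf "$hard"; echo "findings: $AUDIT_FINDINGS"
rm -f "$weak" "$hard"
```

Because a local `route` directive is still honoured when `route-nopull` is set, the hardened variant installs the school route from the OpenVPN config itself as soon as the tunnel is up, which avoids the timing problem of adding it from a startup script.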
Routes
root@DIR-620-A1-OWRT:~# netstat -ran
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.254   0.0.0.0         UG        0 0          0 eth0.2
10.8.0.0        0.0.0.0         255.255.255.0   U         0 0          0 tun0
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 br-lan
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0.2

Looks good, but it does not work… we need to add a route for my school subnet 10.0.0.0/21
root@DIR-620-A1-OWRT:~# /sbin/route add -net 10.0.0.0 netmask 255.255.248.0 gw 10.8.0.1
root@DIR-620-A1-OWRT:~# ping 10.0.0.1
64 bytes from 10.0.0.1: seq=0 ttl=63 time=13.101 ms
64 bytes from 10.0.0.1: seq=1 ttl=63 time=9.091 ms
64 bytes from 10.0.0.1: seq=2 ttl=63 time=9.414 ms
^C
root@DIR-620-A1-OWRT:~# ping 10.0.5.5
64 bytes from 10.0.5.5: seq=0 ttl=63 time=12.005 ms
64 bytes from 10.0.5.5: seq=1 ttl=63 time=9.190 ms
64 bytes from 10.0.5.5: seq=2 ttl=63 time=16.837 ms
^C

All works fine. We just need to add the route command to System > Startup > Local Startup (/etc/rc.local)
sleep 20; /sbin/route add -net 10.0.0.0 netmask 255.255.248.0 gw 10.8.0.1
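The fixed `sleep 20` works only as long as the tunnel really is up after 20 seconds. As an added example, not part of the post, the script below builds the same route command from the CIDR notation used in the text (10.0.0.0/21 via 10.8.0.1) and waits for tun0 to appear (polling /sys/class/net, which assumes Linux) before adding the route, so it can replace the line in /etc/rc.local. The 60-second limit and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the post: compute the netmask from a CIDR prefix,
# build the route command the post uses, and wait for tun0 to exist
# instead of a fixed 'sleep 20' in /etc/rc.local.

# Convert a prefix length (0-32) to a dotted netmask, e.g. 21 -> 255.255.248.0
prefix_to_netmask() {
    p="$1"
    [ "$p" -ge 0 ] && [ "$p" -le 32 ] || return 1
    # 4294967295 is 0xFFFFFFFF; clear the low (32 - p) bits
    if [ "$p" -eq 0 ]; then m=0; else m=$((4294967295 - ((1 << (32 - p)) - 1))); fi
    echo "$(( (m >> 24) & 255 )).$(( (m >> 16) & 255 )).$(( (m >> 8) & 255 )).$(( m & 255 ))"
}

# Build the route command for a CIDR network via a gateway:
# route_cmd_for 10.0.0.0/21 10.8.0.1
#   -> /sbin/route add -net 10.0.0.0 netmask 255.255.248.0 gw 10.8.0.1
route_cmd_for() {
    net="${1%/*}"
    pfx="${1#*/}"
    mask=$(prefix_to_netmask "$pfx") || return 1
    echo "/sbin/route add -net $net netmask $mask gw $2"
}

# Poll for a network interface (via /sys/class/net, Linux only) for up to
# $2 seconds. Returns 0 as soon as it exists, 1 on timeout.
wait_for_iface() {
    name="$1"; limit="$2"; waited=0
    while [ ! -d "/sys/class/net/$name" ]; do
        [ "$waited" -lt "$limit" ] || return 1
        sleep 1
        waited=$((waited + 1))
    done
    return 0
}

# rc.local-style body: only add the route once the tunnel interface is up.
add_school_route() {
    if wait_for_iface tun0 60; then
        cmd=$(route_cmd_for 10.0.0.0/21 10.8.0.1)
        echo "running: $cmd"
        $cmd
    else
        echo "tun0 did not come up within 60 s; route not added" >&2
        return 1
    fi
}

# Stand-alone run: show the command that would be executed.
route_cmd_for 10.0.0.0/21 10.8.0.1
# On the router, call add_school_route from /etc/rc.local instead.
```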
IPTables
In Network > Firewall > General Settings > Zones we need to set Input, Output and Forward to accept.

In Network > Firewall > Traffic Rules create
Any traffic From any host in LAN To IP range 10.0.0.0/21 in VPN Accept forward

Short test
Alans-MBP:~ alan$ ping 10.0.0.1
64 bytes from 10.0.0.1: icmp_seq=0 ttl=62 time=9.132 ms
64 bytes from 10.0.0.1: icmp_seq=1 ttl=62 time=11.621 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=62 time=9.629 ms
Alans-MBP:~ alan$ ping 10.0.5.5
64 bytes from 10.0.5.5: icmp_seq=0 ttl=62 time=13.580 ms
64 bytes from 10.0.5.5: icmp_seq=1 ttl=62 time=11.014 ms
64 bytes from 10.0.5.5: icmp_seq=2 ttl=62 time=11.175 ms

All works fine too.
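Setting Input, Output and Forward to accept on every zone makes the router and every LAN host reachable from the VPN side (and, depending on the WAN zone, from the Internet). The traffic rule alone is enough to let LAN hosts reach 10.0.0.0/21 if the zone defaults stay at REJECT. The script below is an added example, not the post's router config: it writes two constructed /etc/config/firewall fragments in UCI syntax (the permissive one and a hardened one with the single lan-to-vpn rule) and uses awk to list the zones whose default policy is too open. The zone name `vpn`, the device `tun0`, the masquerading on the vpn zone and the "flag forward ACCEPT anywhere, input ACCEPT outside lan" heuristic are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the post's router config: two constructed
# /etc/config/firewall fragments (UCI syntax) and an awk-based check that
# lists zones whose default input or forward policy is ACCEPT.

# Weak variant: the "set Input, Output and Forward to accept" shortcut,
# applied to every zone.
write_weak_fw() {
    cat > "$1" <<'EOF'
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	option network 'wan wan6'

config zone
	option name 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option device 'tun0'
EOF
}

# Hardened variant: zones keep REJECT defaults; one rule allows LAN hosts
# to reach the school subnet through the vpn zone. masq on the vpn zone is
# an assumption (LAN hosts appear as the tunnel address 10.8.0.6).
write_hardened_fw() {
    cat > "$1" <<'EOF'
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option network 'wan wan6'

config zone
	option name 'vpn'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option device 'tun0'

config rule
	option name 'lan-to-school'
	option src 'lan'
	option dest 'vpn'
	option dest_ip '10.0.0.0/21'
	option target 'ACCEPT'
EOF
}

# Print the name of every zone that forwards by default, or accepts input
# on anything other than 'lan' (heuristic chosen for this example).
weak_zones() {
    awk -v q="'" '
        function flush() {
            if (inzone && (zfwd == "ACCEPT" || (zin == "ACCEPT" && zname != "lan")))
                print zname
            inzone = 0
        }
        /^config zone/ { flush(); inzone = 1; zname = ""; zin = ""; zfwd = ""; next }
        /^config /     { flush(); next }
        inzone && $1 == "option" {
            v = $3; gsub(q, "", v)
            if ($2 == "name") zname = v
            else if ($2 == "input") zin = v
            else if ($2 == "forward") zfwd = v
        }
        END { flush() }
    ' "$1"
}

# Stand-alone run
weak=$(mktemp); hard=$(mktemp)
write_weak_fw "$weak"; write_hardened_fw "$hard"
echo "weak config, permissive zones: $(weak_zones "$weak" | tr '\n' ' ')"
echo "hardened config, permissive zones: $(weak_zones "$hard" | tr '\n' ' ')"
rm -f "$weak" "$hard"
```

On a real router the same check can be run against the live file with `weak_zones /etc/config/firewall`; any zone it prints is one where the GUI shortcut from above is still in effect.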
DNS
As I mentioned before, DNS has some problems; the easy way I found is just to pass the school DNS server to my computer from the DHCP server.

Alans-MBP:~ alan$ cat /etc/resolv.conf | grep nameserver
nameserver 10.0.0.1

In Network > Interfaces > lan > DHCP Server > Advanced Settings
DHCP-Options: 6,10.0.0.1

Final test
Alans-MBP:~ alan$ ping auth.cmm.lan
64 bytes from 10.0.5.7: icmp_seq=0 ttl=62 time=13.082 ms
64 bytes from 10.0.5.7: icmp_seq=1 ttl=62 time=13.541 ms
64 bytes from 10.0.5.7: icmp_seq=2 ttl=62 time=14.320 ms