Last active
May 2, 2021 15:54
-
-
Save generalinterest/f62449a614d5cb23add49d9e3f7485ab to your computer and use it in GitHub Desktop.
Linux Networking Policy - multiple VPN routing.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| trying to gather all the steps here...in progress. | |
| Each VPN will have it's own VLAN. | |
| Each VPN client will be the internet gateway for it's VLAN. | |
| A task is then to place clients on the VLAN. | |
| One way is to have a new WIFI SID that is placed on the specific VLAN. | |
| Clients connect to the WIFI SID and then have the VPN as their gateway. | |
| Wired clients would need to have a switch port on the vlan, or if you have control of the client, you could be creative with adding a vlan interface and setting the default route over the vlan interface. | |
| All the Linux Policy happens in the VPN up script. | |
| using 192.168.9.0/29 network as limited clients. | |
| VLAN's and subnets are pre defined ... | |
| # with /29 cidr, +8 for each block. | |
| # +1 for router ip | |
| # +2 for the new gateway to the vm hosting the vpn connection | |
| # leases go from +3 to +6 - giving 4 ip's | |
| # vlan 31 subnet 192.168.9.0/29 router_ip 192.168.9.1 leases 192.168.9.2-192.168.9.6 DNS 8.8.8.8 | |
| # vlan 32 subnet 192.168.9.8/29 router_ip 192.168.9.9 leases 192.168.9.10-192.168.9.14 DNS 8.8.8.8 | |
| # NewYork vlan 33 subnet 192.168.9.16/29 router_ip 192.168.9.17 leases 192.168.9.19-192.168.9.22 DNS 8.8.8.8 | |
| # vlan 34 subnet 192.168.9.24/29 router_ip 192.168.9.25 leases 192.168.9.26-192.168.9.30 DNS 8.8.8.8 | |
| ================================================================================ | |
| My setup is with two Mikrotik routers | |
| ================================================================================ | |
| #update gateway router where ether2 is the lan switch bridge link to the second router's lan switch bridge | |
| /interface vlan add name=eth2-NewYork interface=ether2 vlan-id=33 | |
| /interface bridge add name=bridge-NewYork | |
| /interface bridge port add bridge=bridge-NewYork interface=eth2-NewYork | |
| /ip address add address=192.168.9.17/29 interface=eth2-NewYork | |
| /ip dhcp-server network add address=192.168.9.16/29 dns-server=8.8.8.8 gateway=192.168.9.17 | |
| /ip pool add name=pool-NewYork ranges=192.168.9.19-192.168.9.22 | |
| /ip dhcp-server option add name=NewYork-Gateway code=3 value="'192.168.9.18'" | |
| /ip dhcp-server option sets add name=NewYork options=NewYork-Gateway | |
| /ip dhcp-server add name=dhcp-NewYork address-pool=pool-NewYork disabled=no interface=bridge-NewYork dhcp-option-set=NewYork | |
| /interface wireless add name="NewYorkE" mtu=1500 l2mtu=1600 arp=enabled master-interface=wlan1 mode=ap-bridge ssid="NewYorkE" vlan-mode=no-tag vlan-id=33 wds-mode=disabled wds-default-bridge=bridge wds-ignore-ssid=no bridge-mode=enabled default-authentication=yes default-forwarding=yes default-ap-tx-limit=0 default-client-tx-limit=0 hide-ssid=no security-profile=default disabled=no | |
| /interface bridge port add bridge=bridge-NewYork interface=NewYorkE | |
| #update all other routers/switches on their ports to other routers/switches | |
| /interface vlan add name=eth1-NewYork interface=ether1 vlan-id=33 | |
| /ip address add address=192.168.9.9/24 interface=eth1-NewYork ??????? wrong! | |
| /interface bridge add name=bridge-NewYork | |
| /interface bridge port add bridge=bridge-NewYork interface=eth1-NewYork | |
| /interface wireless add name="NewYorkE" mtu=1500 l2mtu=1600 arp=enabled master-interface=wlan1 mode=ap-bridge ssid="NewYorkE" vlan-mode=no-tag vlan-id=31 wds-mode=disabled wds-default-bridge=bridge-NewYork wds-ignore-ssid=no bridge-mode=enabled default-authentication=yes default-forwarding=yes default-ap-tx-limit=0 default-client-tx-limit=0 hide-ssid=yes security-profile=default | |
| /interface bridge port add bridge=bridge-NewYork interface=NewYorkE | |
| /interface wireless add name="NewYorkF" mtu=1500 l2mtu=1600 arp=enabled master-interface=wlan2 mode=ap-bridge ssid="NewYorkF" vlan-mode=no-tag vlan-id=31 wds-mode=disabled wds-default-bridge=bridge-NewYork wds-ignore-ssid=no bridge-mode=enabled default-authentication=yes default-forwarding=yes default-ap-tx-limit=0 default-client-tx-limit=0 hide-ssid=yes security-profile=default | |
| /interface bridge port add bridge=bridge-NewYork interface=NewYorkF | |
| not included here are the vlan configurations of any intermediate network switches required to bring the VLAN 33 as a tagged switch port to the host. | |
| ================================================================================ | |
| Linux Policy on host running the openvpn clients | |
| ================================================================================ | |
| example: | |
| New York - VLAN ID 33 | |
| --enp0s25--| VLAN | |
| |-- .33 -- IP Rule for VLAN 33 subnet lookup table NewYork -- route table NewYork default dev tunNewYork -- tunNewYork | |
| |-- .34 | |
| #create new routing table for our VLAN | |
| echo 33 NewYork > /etc/iproute2/rt_tables.d/NewYork.conf | |
| # add the VLAN Interface to our Ubuntu 20.04 host interface enp0s25 | |
| # and give it a static IP address on the VLAN's subnet. | |
| modinfo 8021q | |
| ip link add link enp0s25 name enp0s25.33 type vlan id 33 | |
| ip link set dev enp0s25.33 up | |
| ip address add 192.168.9.18 dev enp0s25.33 | |
| install openvpn client | |
| get your VPN config files from your vendor. | |
| # openvpn client uses a tuntap device, create our own so we know what it is called... | |
| ip tuntap add tunNewYork mode tun one_queue | |
| # save your openvpn credentials if a file for unattended operation. | |
| cat /etc/openvpn/client/auth.txt | |
| XXXXXXXX | |
| XXXXXXXX | |
| # vpn up script to clean up routes and setup NAT for the interface. | |
| cat /etc/openvpn/client/NewYork.sh | |
| #!/bin/bash | |
| VLANIP="192.168.9.16/29" | |
| echo ip route add default via $4 dev $1 table NewYork | |
| ip route add default via $4 dev $1 table NewYork | |
| #housekeeping - delete any existing policy and NAT rules... | |
| echo ip rule del from $VLANIP table NewYork | |
| ip rule del from $VLANIP table NewYork | |
| echo iptables -t nat -D POSTROUTING -s $VLANIP -o $1 -j MASQUERADE | |
| iptables -t nat -D POSTROUTING -s $VLANIP -o $1 -j MASQUERADE | |
| #add the new policy and NAT... | |
| echo ip rule add from $VLANIP table NewYork | |
| ip rule add from $VLANIP table NewYork | |
| echo iptables -t nat -A POSTROUTING -s $VLANIP -o $1 -j MASQUERADE | |
| iptables -t nat -A POSTROUTING -s $VLANIP -o $1 -j MASQUERADE | |
| update the ovpn config file and set/add | |
| we are setting script-security 2 to run the up script - this can be seen as a security risk. | |
| dev tunNewYork | |
| ncp-ciphers AES-256-GCM:AES-256-CBC:BF-CBC | |
| pull-filter ignore redirect-gateway | |
| script-security 2 | |
| up /etc/openvpn/client/NewYork.sh | |
| auth-user-pass "/etc/openvpn/client/auth.txt" | |
| install the vpn client as a systemctl service. | |
| mv NewYork.ovpn /etc/openvpn/client/NewYork.conf | |
| systemctl enable openvpn-client@NewYork | |
| systemctl start openvpn-client@NewYork | |
| You VPN should now survive a reboot and come back up. | |
| DEBUG | |
| systemctl status openvpn@Windscribe-NewYork-Empire.conf.service | |
| ip a show dev enp0s25.33 | |
| ip a show dev tunNewYork | |
| ip rule list | |
| ip route list table NewYork | |
| ip link show dev enp0s25.33 | |
| ip link show dev tunNewYork | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment