@gilangvperdana
Last active February 9, 2024 14:31
Expose your Local VM with VPN

If you want a public IP address, there are two techniques:

  • Reserved Public IP (High Cost)
  • Reserved public VPS (Lower Cost)

Markdown :

  • This Markdown covers the reserved public VPS technique for giving our local VM a public IP.
  • This tutorial makes the public IP on the public VPS point to the local VM.

Environment

  • Ubuntu 20.04 LTS Public VPS
  • Ubuntu 20.04 LTS Local VPS
  • OpenVPN
  • TCP Ingress & Egress on Standard Port (22, 80, 443)
  • UDP Ingress & Egress on Port 1194

Installation

VPN Server

Execute on Public VPS with Public IP

apt update -y && apt-get full-upgrade -y

wget https://git.io/vpn1604 -O openvpn-install.sh
chmod +x openvpn-install.sh
sudo ./openvpn-install.sh
/etc/init.d/openvpn status
/etc/init.d/openvpn start

Save the client.ovpn, then move it to your local VM.

VPN Client

Execute on the local VM with no public IP. Make sure you have moved client.ovpn from the VPN server to the VPN client VM.

sudo apt-get install openvpn
sudo openvpn --config /path/to/config.ovpn

Or, if you want to keep using the default gateway on your cluster while connected to the VPN, use:

sudo openvpn --config /path/to/config.ovpn --route-nopull

Or you can set route-nopull in your .ovpn file:

  • 192.168.0.0 255.255.255.0 is the network pool you want to connect to
    nano .ovpn
    
    route-nopull 
    route 192.168.0.0 255.255.255.0
    

Or, for a single IP, you can define:

  • 192.168.0.1 255.255.255.255 is the IP you want to connect to
    nano .ovpn
    
    route-nopull 
    route 192.168.0.1 255.255.255.255
    

Push DNS to Hairpin VPN

If you want to use DNS in a hairpin condition, add this line to your .ovpn file.

dhcp-option DNS xxx.xxx.xxx.xxx

Configuration

  • Check ifconfig and make sure tun0 has an address from the same IP pool on both VMs (server and client).
  • If it does, follow this forwarding tutorial.
  • Execute this on the VPN server VM.

Markdown :

  • 10.74.130.80 is the ens33 address of the VPS VPN server
  • 10.8.0.2 is the tun0 address of the local VPN client VM
iptables -t nat -A PREROUTING -p tcp --dport 22 -d 10.74.130.80 -j DNAT --to-destination 10.8.0.2:22
iptables -t nat -A PREROUTING -p tcp --dport 80 -d 10.74.130.80 -j DNAT --to-destination 10.8.0.2:80
iptables -t nat -A PREROUTING -p tcp --dport 443 -d 10.74.130.80 -j DNAT --to-destination 10.8.0.2:443

You can add or remove forwarding rules to suit your needs. You can read more Here!

Markdown

  • You can access your local VM on ports 22, 80 and 443 through the public IP of the VPS

Expose OpenStack Instance

You can expose your instance on an OpenStack cluster as follows:

  • Start the OpenVPN server on your OpenVPN server node
  • Connect to the OpenVPN server from your OpenStack cluster node
  • Create the iptables rules on the OpenVPN server node:
    • Assume 10.8.0.2 is the OpenVPN client IP
    • Assume 10.74.130.80 is the OpenVPN internal node IP
    iptables -t nat -A PREROUTING -p tcp --dport 22 -d 10.74.130.80 -j DNAT --to-destination 10.8.0.2:22
    iptables -t nat -A PREROUTING -p tcp --dport 80 -d 10.74.130.80 -j DNAT --to-destination 10.8.0.2:80
    iptables -t nat -A PREROUTING -p tcp --dport 443 -d 10.74.130.80 -j DNAT --to-destination 10.8.0.2:443
    
  • Create the iptables rules on the OpenStack cluster node:
    • Assume 10.8.0.2 is the tun0 IP
    • Assume your instance floating IP is 172.24.4.124; you can use this for the standard ports (22, 80, 443):
    iptables -t nat -A PREROUTING -p tcp --dport 22 -d 10.8.0.2 -j DNAT --to-destination 172.24.4.124:22
    iptables -t nat -A PREROUTING -p tcp --dport 80 -d 10.8.0.2 -j DNAT --to-destination 172.24.4.124:80
    iptables -t nat -A PREROUTING -p tcp --dport 443 -d 10.8.0.2 -j DNAT --to-destination 172.24.4.124:443
    
  • Access your OpenStack instance through the public IP of the OpenVPN node
  • You can add or remove forwarding rules to suit your needs.
  • If your instance on OpenStack can't access the Internet, do this:
    • Do this on your OpenStack cluster node
    • Assume tun0 is the name of your OpenVPN adapter.
sudo sysctl net.ipv4.ip_forward=1
sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
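
The forwarding rules from the Configuration section and the two hops of the OpenStack setup above, as an added example that is not part of the original gist: a POSIX shell helper that validates the addresses and ports and prints check-then-append (`iptables -C ... || iptables -A ...`) commands, so a rerun does not stack duplicate rules. The names `emit_hop`, `valid_ipv4` and `valid_port`, and the FORWARD accept rules, are assumptions of this example, not something the gist sets up.

```sh
#!/bin/sh
# Added example, not from the gist: print (do not run) the iptables commands
# for one forwarding hop so they can be reviewed, then applied as root.
# emit_hop and the FORWARD rules are this example's own additions.

valid_ipv4() {   # dotted quad, every octet 0-255
  local o old_ifs
  case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
  done
}

valid_port() {   # decimal 1-65535
  case $1 in ''|*[!0-9]*) return 1 ;; esac
  [ ${#1} -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# emit_hop LISTEN_IP TARGET_IP PORT...
emit_hop() {
  local listen target port spec
  [ $# -ge 3 ] || { echo "usage: emit_hop LISTEN_IP TARGET_IP PORT..." >&2; return 1; }
  listen=$1; target=$2; shift 2
  valid_ipv4 "$listen" && valid_ipv4 "$target" || { echo "bad address" >&2; return 1; }
  for port in "$@"; do
    valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
  done

  echo "sysctl -w net.ipv4.ip_forward=1"
  for port in "$@"; do
    # -C tests for the rule first, so a rerun does not append a duplicate.
    spec="PREROUTING -p tcp -d $listen --dport $port -j DNAT --to-destination $target:$port"
    echo "iptables -t nat -C $spec 2>/dev/null || iptables -t nat -A $spec"
    # Matching ACCEPT, needed on hosts whose FORWARD policy is DROP.
    spec="FORWARD -p tcp -d $target --dport $port -j ACCEPT"
    echo "iptables -C $spec 2>/dev/null || iptables -A $spec"
  done
  # Replies from the target for connections that are already tracked.
  spec="FORWARD -s $target -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -C $spec 2>/dev/null || iptables -A $spec"
}

# Hop 1, on the VPN server: its ens33 address -> VPN client tun0 address.
emit_hop 10.74.130.80 10.8.0.2 22 80 443
# Hop 2, on the OpenStack node: tun0 address -> instance floating IP.
emit_hop 10.8.0.2 172.24.4.124 22 80 443
```

Run each `emit_hop` line on the node named in its comment, review the printed commands, then pipe them to `sh` as root.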

WARNING

  • Sometimes iptables does not work on a different public VPS. You can try This for alternative forwarding rule commands.
  • If the other iptables rules do not work either, you can use an Nginx reverse proxy. This is an example Nginx proxy block, assuming:
    • Do this on your VPN server node
    • 10.8.0.2 is the VPN client IP.
    • app.bignetlab.com is an example domain endpoint.
    nano /etc/nginx/sites-enabled/default
    
    server {
        listen 80;
        listen [::]:80;
        server_name app.bignetlab.com www.app.bignetlab.com;
        # Redirect all plain-HTTP requests to HTTPS
        return 301 https://$host$request_uri;
    }

    server {
        # "ssl" is required here; without it nginx serves plain HTTP on 443.
        # Port 80 is already handled by the redirect block above.
        listen 443 ssl;
        listen [::]:443 ssl;

        # Reject requests whose Host is not the expected domain
        if ($host != "app.bignetlab.com") {
            return 412;
        }

        server_name app.bignetlab.com www.app.bignetlab.com;
        ssl_certificate /etc/ssl/certs/app/app.bignetlab.com.crt;
        ssl_certificate_key /etc/ssl/certs/app/app.bignetlab.com.key;

        location / {
            proxy_pass http://10.8.0.2;
            proxy_set_header Host app.bignetlab.com;
        }
        location /posts {
            proxy_pass http://10.8.0.2;
            proxy_set_header Host app.bignetlab.com;
        }
        # "~" makes this a regular-expression match instead of a literal prefix
        location ~ /posts/?(.*)/comments {
            proxy_pass http://10.8.0.2;
            proxy_set_header Host app.bignetlab.com;
        }
    }
    

Make the OpenVPN Client IP Static

  • Add ipp.txt on ovpn server
nano /etc/openvpn/server.conf
ifconfig-pool-persist ipp.txt
  • Configure ipp.txt
nano /etc/openvpn/ipp.txt

---
username1,10.8.0.2
  • Configure on client
nano profile.ovpn

---
ifconfig 10.8.0.2 255.255.255.0
---

OpenVPN GUI

  • Download Package
##For i386
wget https://github.com/flant/ovpn-admin/releases/download/1.7.5/ovpn-admin-linux-386.tar.gz

##For amd64
wget https://github.com/flant/ovpn-admin/releases/download/1.7.5/ovpn-admin-linux-amd64.tar.gz

##For arm
wget https://github.com/flant/ovpn-admin/releases/download/1.7.5/ovpn-admin-linux-arm.tar.gz

##For arm64
wget https://github.com/flant/ovpn-admin/releases/download/1.7.5/ovpn-admin-linux-arm64.tar.gz
  • Extract
sudo tar -xvzf ovpn-admin-linux-*.tar.gz
sudo mv ovpn-admin /usr/local/bin/
  • Enable management on openvpn server
sudo nano /etc/openvpn/server/server.conf
---
management 127.0.0.1 8989
---

sudo systemctl restart openvpn-server@server.service
  • Copy ta.key to /etc/openvpn/easyrsa/pki/
cp /etc/openvpn/ta.key /etc/openvpn/easyrsa/pki/
  • Run
/usr/local/bin/ovpn-admin --easyrsa.path="/etc/openvpn/easy-rsa" --easyrsa.index-path=/etc/openvpn/easy-rsa/pki/index.txt --listen.host=127.0.0.1 --listen.port=9898 --ovpn.server=HOST:PORT:PROTOCOL

Alternate

  • You can use Pritunl as an alternative VPN
