openVPN setup?

Printable View

08-04-2006
tivoklr

n00b fw/iptables/openVPN setup?

Hi,

Newish to linux, long time osx user.

I want to make sure I'm on the right track here.

I have a Ubuntu box version 6.06.1 and I would like to have it replace a Linksys BEFVP41 that is acting as a firewall, nat/port forwarding device and VPN server.

Now the reason I'm ditching the Linksys isn't that it isn't working for me, but that my network has changed.

I now have 2 public IP addresses instead of one. I needed to have ports 80 and 443 available to two different internal computers and this seemed to be the way to go. This is a xDSL line with a Cisco 678 dsl modem. The eth0 address of the router is the gateway address for my block of IP's from Qwest.

IP 1 needs to point to my internal network of 10.0.0.0 with several ports being forwarded to various machines, 25, 80, 443, 5800-5900, and some other oddballs for specific sw. Not all ports point to the same ip, 80 and 443 point to the webserver, 25 points to the Barracuda spam firewall, etc.

IP 2 needs to point just ports 80 and 443 to one box on the same 10.0.0.0 network.

I also need to add some static routes for my 6 offsite networks that all come in via T1, blah blah. That shouldn't be too bad.

I then need to setup OpenVPN on the 1st IP so that 2 offsite workers can VPN in, one running XP and one running OSX.

And that's it. No DHCP, no DNS, no mail, web, etc...

Sound doable, reasonable with ubuntu?

Should I have 2 nics, one for the publically reachable IP's and one to connect to the internal network?

Any suggestions, hints, etc? I'm not looking for a walkthrough here, but some light reading on iptables and such would be good.

Thanks for looking!

tivoklr
08-07-2006
KenJackson

It all sounds very doable. I did most of that with a small FreeBSD machine until it's hard disk gave up the ghost.

The only tricky part I see is that you are doing NAT on two external IP addresses. In theory there should be no problem, except both IPs will be assigned to one eth device. I don't know if you can do that with the normal configuration files or not, but you can do it in a separate script (maybe /etc/rc.local) using the 'ip' command from the iproute2 package. The command might be something like this (choosing "eth0:ip2" as a descriptive label):

# ip address add xx.xx.xx.xx dev eth0 label eth0:ip2
08-07-2006
gtmtnbiker98

I recommend IPCop for this task. It can handle IP aliases very easily and will also handle the VPN traffic. FireStarter and Smoothwall are good for single IP networks but cannot compare to IPCop when it comes to multi-IP networks.
08-08-2006
tivoklr

IPCOP it is

OK, that was kind of what I was wondering. I'm burning the iso as we speak.

Will keep ubuntu on my old ibook for a while, so I'm not abandoning the distro completely.

Ubuntu sure is faster than osx 10.3.9 on that machine.

ooh, ding. The disc is done.
08-09-2006
tivoklr

IPCop working 99%

OK, got IPCop installed, got all my firewall rules and port forwards setup and tested, but now i'm having some weird routing table issues.

I am going to create a new thread for this problem.

Jeff