Friday, 7 November 2008

VServer VPN with vtun

Suppose you are using linux-vserver to create a network of vservers, some with public IP addresses and some with only a private IP. You might well want them to be able to communicate with each other over a VPN in a relatively transparent fashion...

Not so fast... there are various issues thrown up because a vserver guest can't use 127.0.0.1 (the loopback address is not available inside the guest, so nothing can bind to it or connect to it there) - however it can be sorted out:

1. Install vtun on one vserver to use as the server, and on one vserver to use as the client. Make sure that both guests have the capabilities CAP_SYS_ADMIN, CAP_MKNOD, CAP_NET_ADMIN and CAP_NET_RAW (in linux-vserver these are granted per guest through its bcapabilities configuration). CAP_NET_ADMIN lets vtund create and configure the tun interface and CAP_MKNOD lets you create the /dev/net/tun device node inside the guest. Be aware that CAP_SYS_ADMIN is a very broad capability: a guest that holds it can do most of what root on the host can do, so only grant it to guests you trust as much as the host. Define a new interface for each guest in its linux-vserver interface configuration (/etc//interfaces) with the VPN IP as the address and the name "tun0" in dev.

Restart the vserver so that the new capabilities and the interface definition take effect.

2. On both the client and the server edit /etc/ssh/sshd_config and add:

GatewayPorts yes

Restart sshd. The reason this matters is that the forwarded port has to be bound to a real IP address of the guest instead of the loopback address that ssh uses by default, which is unusable inside a vserver. Note that GatewayPorts in sshd_config only governs remote (-R) forwards; for the local (-L) forward used below the bind address is given explicitly on the ssh command line, which overrides the client-side GatewayPorts default from ssh_config. Setting it on the server does no harm, and it is required if you later build the tunnel from the server end with -R.

3. On the server start vtund:

vtund -s -f /etc/vtund-server.conf

If you don't have configs yet, see: http://www.linuxjournal.com/article/6675

4. On the client use ssh to create a tunnel:

ssh -N -L CLIENTIP:5000:SERVERIP:5000 USER@SERVERIP

Where 5000 is the port number being used on the server as per the config file, CLIENTIP is the guest's own (non-loopback) address, and USER@SERVERIP is the account and host the ssh session logs in to; -N stops ssh from starting a remote shell, so the session only carries the forward. Because the forward is bound to CLIENTIP rather than the loopback address, port 5000 on the client is reachable by anything that can route to CLIENTIP, so restrict it on the host's firewall if other guests or hosts share that network.

5. On the client run vtund:

vtund -f /etc/vtund-client.conf my_tunnel CLIENT_HOSTNAME

Here my_tunnel is the session name from the config file and CLIENT_HOSTNAME must resolve to CLIENTIP, the address the ssh forward is listening on: vtund connects to port 5000 there and ssh carries the session to port 5000 on the server.

And presto - if it all worked one should have an interface tun0 on both machines that can be used to transparently pass data between them. Check it with ifconfig tun0 on each side and ping the peer's VPN address; if the interface is missing, the usual causes are a missing /dev/net/tun node in the guest or the ssh forward having bound to the wrong address.
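As an added example that is not part of the original post, here is one script that carries steps 1 to 5 out from a single place on either guest, with the checks a practitioner would want along the way. The addresses SERVERIP, CLIENTIP, the SSHUSER account, the 10.8.0.x tun0 addresses, the session name my_tunnel and the use of vtund's device keyword are all assumptions for illustration; the vtund config it writes follows the vtund.conf syntax and is not the configuration from the Linux Journal article linked above.

```shell
#!/bin/sh
# Added example, not from the original post: one script that carries out
# steps 1-5 above. SERVERIP, CLIENTIP, SSHUSER, the 10.8.0.x tun0 addresses,
# the session name my_tunnel and the "device" keyword are assumptions.
set -u

SERVERIP=${SERVERIP:-203.0.113.10}   # public IP of the server guest (placeholder)
CLIENTIP=${CLIENTIP:-10.10.10.20}    # private IP of the client guest (placeholder)
SSHUSER=${SSHUSER:-vtun}             # unprivileged account on the server for the forward
VTUN_PORT=${VTUN_PORT:-5000}         # must match "port" in both vtund configs
SESSION=my_tunnel                    # vtund session name, same on both sides
VPN_SERVER_ADDR=10.8.0.1             # tun0 address on the server (placeholder)
VPN_CLIENT_ADDR=10.8.0.2             # tun0 address on the client (placeholder)

# Step 1 check: vtund opens /dev/net/tun (char device major 10, minor 200).
# Inside a guest the node usually has to be created by hand, which is what
# CAP_MKNOD is for. tun_dev_present takes a path so it can be checked alone.
tun_dev_present() { [ -c "${1:-/dev/net/tun}" ]; }
ensure_tun_dev() {
    tun_dev_present /dev/net/tun && return 0
    mkdir -p /dev/net && mknod /dev/net/tun c 10 200 && chmod 600 /dev/net/tun
}

# Step 4: build the ssh command. The bind address is given explicitly because
# the guest has no usable loopback. -N: forward only, no remote shell.
# -f: go to the background once the forward is up.
ssh_forward_cmd() {
    # $1 client bind address  $2 port  $3 server address  $4 ssh user
    printf 'ssh -N -f -L %s:%s:%s:%s %s@%s' "$1" "$2" "$3" "$2" "$4" "$3"
}

# Steps 3/5: emit a vtund.conf for "server" or "client". encrypt no, because
# the ssh session already authenticates and encrypts the link; passwd is
# vtund's own session secret and still has to match on both ends.
vtund_conf() {
    role=$1; secret=$2
    case $role in
        server) mode='keepalive yes;'; my_addr=$VPN_SERVER_ADDR; peer_addr=$VPN_CLIENT_ADDR ;;
        client) mode='persist yes;';   my_addr=$VPN_CLIENT_ADDR; peer_addr=$VPN_SERVER_ADDR ;;
        *) echo "vtund_conf: role must be server or client" >&2; return 2 ;;
    esac
    # "device tun0" pins the interface name so it matches the vserver
    # interface definition from step 1 (assumed vtund keyword).
    cat <<EOF
options {
  port $VTUN_PORT;
  ifconfig /sbin/ifconfig;
  syslog daemon;
}
default {
  proto tcp;
  compress no;
  encrypt no;
  $mode
}
$SESSION {
  passwd $secret;
  type tun;
  device tun0;
  up {
    ifconfig "%% $my_addr pointopoint $peer_addr mtu 1450";
  };
  down {
    ifconfig "%% down";
  };
}
EOF
}

vtun_setup() {
    role=$1
    : "${VTUN_PASSWD:?set VTUN_PASSWD to the shared vtund session secret}"
    ensure_tun_dev || { echo "cannot create /dev/net/tun (CAP_MKNOD missing?)" >&2; return 1; }
    umask 077                                   # the config file holds the secret
    vtund_conf "$role" "$VTUN_PASSWD" > "/etc/vtund-$role.conf" || return 1
    if [ "$role" = server ]; then
        vtund -s -f /etc/vtund-server.conf      # step 3
        return
    fi
    eval "$(ssh_forward_cmd "$CLIENTIP" "$VTUN_PORT" "$SERVERIP" "$SSHUSER")" || return 1
    # Check: the forward must be listening on CLIENTIP, not on a loopback address.
    netstat -ltn | grep -q "$CLIENTIP:$VTUN_PORT" || {
        echo "ssh forward is not listening on $CLIENTIP:$VTUN_PORT" >&2; return 1; }
    vtund -f /etc/vtund-client.conf "$SESSION" "$CLIENTIP"   # step 5
}

# Run with VTUN_ROLE=server or VTUN_ROLE=client (and VTUN_PASSWD set); with
# no role set the script only defines the functions above.
case "${VTUN_ROLE:-}" in server|client) vtun_setup "$VTUN_ROLE" ;; esac
```

Run it as root inside the server guest with VTUN_ROLE=server and inside the client guest with VTUN_ROLE=client, with the same VTUN_PASSWD on both. The config is written with umask 077 because it carries the session secret, and the netstat check catches the most common failure on a vserver: the forward silently binding to an address the guest cannot use.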
